4.5.3.8 sshd_config: IgnoreRhosts is 'yes' or 'shosts-only'

Information

The IgnoreRhosts parameter controls whether .rhosts and .shosts files will be used in RhostsRSAAuthentication or HostbasedAuthentication.

Rationale:

A user can logon to a remote system without authenticating themselves if .rhosts or .shosts files exist in the remote home directory and if the client machine name and user name are present in these files.

This method presents a risk as the system could be exploited by IP, DNS (Domain Name Server) and routing spoofing attacks. Additionally, this authentication method relies on the integrity of the client machine.

These weaknesses are well known and have been exploited. Since this authentication method entails a risk the primary recommendation is to disable the method (setting is yes). Only with documented cases - including steps to mitigate the accepted risk - may shosts mechanism be activated.

Impact:

The title of this recommendation implies acceptance of shosts-only. This is only expected for particular hosts.

Further, the addition of shosts-only requires OpenSSH 8.2 and later.

Since AIX is currently operating with OpenSSH 8.1 the audit and remediation paragraphs are written to implement the preferred setting - yes IgnoreRhosts in any form.

Solution

Edit the /etc/ssh/sshd_config file to disable the .shosts and .rhosts authentication parameter:

vi /etc/ssh/sshd_config

Replace:

#IgnoreRhosts yes

With:

IgnoreRhosts yes

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd

Default Value:

IgnoreRhosts yes

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-6, 800-53|CM-7, 800-53|MA-4, CSCv7|9.2

Plugin: Unix

Control ID: c87da5d5d2703481b0078e2a630e02c8ecceaf1d35aa973d1a9ccbeb0bdb0ff5