Information
The IgnoreRhosts parameter controls whether .rhosts and .shosts files will be used in RhostsRSAAuthentication or HostbasedAuthentication.
Rationale:
A user can logon to a remote system without authenticating themselves if .rhosts or .shosts files exist in the remote home directory and if the client machine name and user name are present in these files.
This method presents a risk as the system could be exploited by IP, DNS (Domain Name Server) and routing spoofing attacks. Additionally, this authentication method relies on the integrity of the client machine.
These weaknesses are well known and have been exploited. Since this authentication method entails a risk the primary recommendation is to disable the method (setting is yes). Only with documented cases - including steps to mitigate the accepted risk - may shosts mechanism be activated.
Impact:
The title of this recommendation implies acceptance of shosts-only. This is only expected for particular hosts.
Further, the addition of shosts-only requires OpenSSH 8.2 and later.
Since AIX is currently operating with OpenSSH 8.1 the audit and remediation paragraphs are written to implement the preferred setting - yes IgnoreRhosts in any form.
Solution
Edit the /etc/ssh/sshd_config file to disable the .shosts and .rhosts authentication parameter:
vi /etc/ssh/sshd_config
Replace:
#IgnoreRhosts yes
With:
IgnoreRhosts yes
Re-cycle the sshd daemon to pick up the configuration changes:
stopsrc -s sshd
startsrc -s sshd
Default Value:
IgnoreRhosts yes