4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv

Information

The recommendation is to remove both the /etc/shosts.equiv and the /etc/rhosts.equiv file. This follows from the recommendation not to use HostbasedAuthentication.

Rationale:

Because HostbasedAuthentication should not be used unless a documented need exists, the logical consequence is to remove these files, if they exist, to lower the risk of accidental activation. Note that removing the files does not by itself disable host-based authentication: the sshd_config keyword HostbasedAuthentication must also remain at its default value of no.

In any case, the file /etc/rhosts.equiv should be removed unconditionally. (Note: this is also recommended elsewhere.)

Impact:

The file /etc/shosts.equiv, in combination with HostbasedAuthentication yes in the OpenSSH sshd_config, can allow passwordless authentication between servers from any host listed in the file.

Without HostbasedAuthentication the file /etc/shosts.equiv has no purpose.

Solution

Print the content of /etc/shosts.equiv and /etc/rhosts.equiv (for review, and as the remediation log that a later restore of /etc/shosts.equiv would rely on), then remove the files. Run as root:

for file in /etc/shosts.equiv /etc/rhosts.equiv; do
    # Skip files that do not exist; an unmatched glob would otherwise be passed
    # to cat and rm literally
    [ -f "${file}" ] || continue
    # Double quotes (not single quotes) so the path is expanded in the banner
    printf '+++ %s +++\n' "${file}"
    /usr/bin/cat -n "${file}"
    /usr/bin/rm -f "${file}"
done
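As an added example (not the benchmark's or Tenable's own code), the following POSIX sh helpers combine the audit check for this item with the logged removal above: check_hosts_equiv reports whether either file still exists and whether sshd_config enables HostbasedAuthentication, and remediate_hosts_equiv appends each file's numbered content to a log before deleting it, which is the "remediation log" the Reversion section refers to. The directory and sshd_config path are parameters (an assumption made so the helpers can be exercised against a scratch directory); on a real host pass /etc and the sshd_config your sshd actually reads.

```shell
#!/bin/sh
# Added example: audit and logged remediation for the shosts.equiv/rhosts.equiv
# item. Not part of the CIS benchmark or the Tenable audit; the etc_dir and
# sshd_config arguments are an assumption made for testability.

# Usage: check_hosts_equiv <etc_dir> <sshd_config>
# Prints one FINDING line per problem and returns 0 only when neither file
# exists and HostbasedAuthentication is not set to yes anywhere in sshd_config.
check_hosts_equiv() {
    etc_dir=$1
    sshd_config=$2
    findings=0

    for f in shosts.equiv rhosts.equiv; do
        if [ -e "$etc_dir/$f" ]; then
            printf 'FINDING: %s exists (%s line(s))\n' \
                "$etc_dir/$f" "$(wc -l < "$etc_dir/$f")"
            findings=$((findings + 1))
        fi
    done

    # sshd_config keywords are case-insensitive, may be followed by the value
    # after whitespace or a single '=', and commented lines start with '#'.
    # Any line enabling the keyword is flagged, including lines inside Match
    # blocks, so a global "no" followed by a scoped "yes" is still reported.
    if [ -r "$sshd_config" ]; then
        enabled=$(awk '{ sub(/=/, " ") }
                       tolower($1) == "hostbasedauthentication" && tolower($2) == "yes" { n++ }
                       END { print n + 0 }' "$sshd_config")
        if [ "$enabled" -gt 0 ]; then
            printf 'FINDING: HostbasedAuthentication yes appears in %s\n' "$sshd_config"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Usage: remediate_hosts_equiv <etc_dir> <logfile>
# Appends a banner and the numbered content of each existing file to <logfile>
# (so shosts.equiv can be reconstructed later if a documented need appears),
# then removes the file. rhosts.equiv is logged too but should never be restored.
remediate_hosts_equiv() {
    etc_dir=$1
    logfile=$2
    for f in shosts.equiv rhosts.equiv; do
        path=$etc_dir/$f
        [ -e "$path" ] || continue
        {
            printf '+++ %s (removed %s) +++\n' "$path" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
            cat -n "$path"
        } >> "$logfile"
        rm -f "$path"
    done
}

# Example invocation against a real host (run as root):
#   check_hosts_equiv /etc /etc/ssh/sshd_config || remediate_hosts_equiv /etc /var/tmp/hosts-equiv.log
```

The awk check reads the configuration file textually; on a live system, `sshd -T` (run as root) prints the effective configuration after includes and Match processing and is the authoritative place to confirm `hostbasedauthentication no`. Note that the audit still fails after the files are removed if sshd_config enables host-based authentication, because the file removal alone does not close the exposure.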

Default Value:

N/A

Additional Information:

Reversion:

The /etc/shosts.equiv file would need to be restored from a backup or from the remediation log (the cat -n output captured during remediation).

The file /etc/rhosts.equiv should not be restored.

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 7a785c947bd56db550a5e2cc48a6ab6eb6c805dde9b2de465ce022d893d43415