4.5.3.7 sshd_config: HostbasedAuthentication is 'no'

Information

The recommendation is to ensure the sshd daemon is configured to prevent host-based authentication.

Rationale:

Host-based authentication is a method of authenticating users by the host they connect from (rather than requiring a password or key-based authentication from each user). When used at the system level by OpenSSH, it requires the file /etc/shosts.equiv to contain a list of so-called trusted hosts. When this method is active, any user on a trusted host can log in to the server without further authentication, because the server relies on the identity of the host the connection originates from (the OpenSSH client) to vouch for the user as trusted.

Because this feature replaces per-user authentication for connections from trusted hosts, the recommendation is to disable host-based authentication.

Solution

Edit the /etc/ssh/sshd_config file to ensure that host based authentication is disallowed:

vi /etc/ssh/sshd_config

Replace:

#HostbasedAuthentication no

With:

HostbasedAuthentication no

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd
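Added example (not part of the benchmark or of OpenSSH): a small POSIX sh checker that reports the global HostbasedAuthentication value sshd would actually apply to a given sshd_config. It encodes two caveats a reviewer should know: sshd uses the first uncommented occurrence of a keyword, so a later "no" does not override an earlier "yes", and a commented-out "#HostbasedAuthentication no" is not an explicit setting. The sample config files are constructed inline and the function names are the example's own.

```shell
#!/bin/sh
# Hypothetical checker, added here as an example (not part of the benchmark):
# report the HostbasedAuthentication value sshd would apply globally.
# sshd uses the FIRST uncommented occurrence of a keyword, and lines after a
# "Match" block only apply to matching connections, so a later
# "HostbasedAuthentication no" does not override an earlier "yes".

# Print the effective global value ("yes"/"no"); "default(no)" when unset.
effective_hostbased() {
    awk '
        { sub(/=/, " "); $0 = $0 }              # allow "keyword=value" form
        tolower($1) == "match" { exit }         # stop at first conditional block
        tolower($1) == "hostbasedauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "default(no)" }
    ' "$1"
}

# Pass (return 0) only when the directive is explicitly set to "no",
# which is what the benchmark solution above produces.
check_hostbased() {
    [ "$(effective_hostbased "$1")" = "no" ]
}

# Constructed sample configs (not from any real host) to exercise the checker
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/commented.conf" <<'EOF'
#HostbasedAuthentication no
PermitRootLogin no
EOF
cat > "$TMPD/first_wins.conf" <<'EOF'
HostbasedAuthentication yes
HostbasedAuthentication no
EOF
cat > "$TMPD/hardened.conf" <<'EOF'
    HostbasedAuthentication no
Match User backup
    HostbasedAuthentication yes
EOF

for f in commented first_wins hardened; do
    printf '%s: effective=%s ' "$f" "$(effective_hostbased "$TMPD/$f.conf")"
    if check_hostbased "$TMPD/$f.conf"; then echo PASS; else echo FAIL; fi
done
```

On an OpenSSH build that supports it, `sshd -T` prints the fully resolved effective configuration and is the authoritative way to confirm the running value after the restart.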

Default Value:

HostbasedAuthentication no

Additional Information:

Reversion:

Revert to the default setting for the HostbasedAuthentication parameter:

vi /etc/ssh/sshd_config

Replace:

HostbasedAuthentication no

With:

# HostbasedAuthentication no

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-6, 800-53|CM-7, 800-53|MA-4, CSCv7|9.2

Plugin: Unix

Control ID: c39dc84cbc98a966b30c518f483a00db3c3b70c1b3f383309680d4ed447b5f23