5.2.23 Ensure RSA rhosts authentication is not allowed

Information

The operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.

Rationale:

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Solution

Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
Add the following line in /etc/ssh/sshd_config, or uncomment the line and set the value to no:
Example: vim /etc/ssh/sshd_config
Add, uncomment or update the following line:

RhostsRSAAuthentication no

The SSH service must be restarted for changes to take effect.

# systemctl restart sshd.service

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72239

Rule ID: SV-86863r4_rule

STIG ID: RHEL-07-040330

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-14a., 800-53|SC-13

Plugin: Unix

Control ID: 6c05317b12f1840ec4496a2d366e924361136060a23d7802c885bdf806fd8bf4