Information
The operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
Rationale:
RhostsRSAAuthentication lets sshd accept a connection on the strength of the client host's identity (an entry in /etc/hosts.equiv or ~/.rhosts, confirmed by the client's RSA host key) instead of authenticating the user. Disabling it ensures that every remote logon over SSH requires the user to authenticate in their own right, by password or key, even if rhosts files or host keys are misconfigured elsewhere. Note that this keyword applies only to SSH protocol version 1: OpenSSH 7.4 (shipped with RHEL 7.4) removed protocol 1 support from sshd and treats the keyword as deprecated, so on those releases the directive produces a warning at startup and is otherwise ignored. Setting it explicitly to no remains harmless and satisfies the check.
Solution
Configure the SSH daemon to not allow RSA rhosts authentication by setting RhostsRSAAuthentication to no in /etc/ssh/sshd_config.
Example: vim /etc/ssh/sshd_config
Add, uncomment or update the following line (the stock RHEL 7 file ships it commented out; sshd honours the first uncommented occurrence of a keyword, so make sure no earlier active line sets it to yes):
RhostsRSAAuthentication no
The SSH service must be restarted for changes to take effect.
# systemctl restart sshd.service
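The following script is an added example, not part of the STIG text or this page, showing how to audit and remediate the setting the way sshd itself reads it (keyword matching is case-insensitive and the first active occurrence wins). It assumes POSIX sh with awk, takes the file path as a parameter so it can be tried on a copy first, and constructs its own sample sshd_config fragments for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the STIG or the original page): audit and remediate
# the RhostsRSAAuthentication setting in an sshd_config-style file.
# Assumptions: POSIX sh plus awk; the file path is a parameter so the functions
# can be exercised on a copy before touching /etc/ssh/sshd_config.

# Print the value sshd would use for RhostsRSAAuthentication (lower-cased), or
# nothing if no active line sets it. sshd keywords are case-insensitive and the
# FIRST active occurrence of a keyword wins, so the scan stops at the first
# match. Commented lines never match because $1 is "#RhostsRSA...".
# The rarely used "Keyword=value" form is not handled here.
effective_rhosts_rsa() {
    awk 'tolower($1) == "rhostsrsaauthentication" { print tolower($2); exit }' "$1"
}

# Compliant only when the effective value is an explicit "no". A missing or
# commented-out line is a finding under the STIG check, so it fails here too.
check_rhosts_rsa() {
    [ "$(effective_rhosts_rsa "$1")" = "no" ]
}

# Remediate in place: rewrite the first active RhostsRSAAuthentication line to
# "no", drop any later duplicates (sshd would ignore them anyway, and they
# confuse auditors), or append the line if none is present.
# The result is written back with cat rather than mv so the file keeps its
# owner, mode and SELinux context.
fix_rhosts_rsa() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    awk '
        tolower($1) == "rhostsrsaauthentication" {
            if (!done) { print "RhostsRSAAuthentication no"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "RhostsRSAAuthentication no" }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Count active RhostsRSAAuthentication lines; used to confirm remediation
# left exactly one.
count_rhosts_rsa() {
    awk 'tolower($1) == "rhostsrsaauthentication" { n++ } END { print n + 0 }' "$1"
}

# Self-contained demonstration on constructed files (not real host config);
# returns 0 when every scenario ends compliant with exactly one active line.
demo_rhosts_rsa() {
    d=$(mktemp -d) || return 1
    # Scenario 1: RHEL 7 default, setting present but commented out.
    printf '#RhostsRSAAuthentication no\nPermitRootLogin no\n' > "$d/a"
    # Scenario 2: explicitly enabled, with a later duplicate sshd would ignore.
    printf 'Protocol 1,2\nrhostsrsaauthentication YES\nRhostsRSAAuthentication no\n' > "$d/b"
    # Scenario 3: already compliant; remediation must be a no-op.
    printf 'RhostsRSAAuthentication no\n' > "$d/c"
    ok=0
    for f in "$d/a" "$d/b" "$d/c"; do
        if ! check_rhosts_rsa "$f"; then fix_rhosts_rsa "$f" || ok=1; fi
        check_rhosts_rsa "$f" || ok=1
        [ "$(count_rhosts_rsa "$f")" = "1" ] || ok=1
    done
    rm -rf "$d"
    return $ok
}
```

To use it on a real host, source the file and run check_rhosts_rsa /etc/ssh/sshd_config, apply fix_rhosts_rsa /etc/ssh/sshd_config as root only if the check fails, then validate the result with sshd -t before restarting the service. On RHEL 7.4 and later (OpenSSH 7.4) expect sshd -t to report the keyword as a deprecated option; that is a warning, not an error, and the service still starts.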
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release 3, Benchmark Date: 26 Apr 2019
Vul ID: V-72239
Rule ID: SV-86863r4_rule
STIG ID: RHEL-07-040330
Severity: CAT II