6.1.6 Set SSH IgnoreRhosts to yes - Check if IgnoreRhosts is set to yes and not commented for the server.

Information

The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

Note - If you will be editing all the SSH parameters, use the script in section 6.1 Configure SSH.

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows-
awk '/^ IgnoreRhosts/ { $2 = 'yes' } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
/usr/bin/mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
/usr/sbin/pkgchk -f -n -p /etc/ssh/sshd_config
/usr/sbin/svcadm restart svc:/network/ssh

See Also

https://workbench.cisecurity.org/files/614

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-14a., 800-53|IA-5

Plugin: Unix

Control ID: 2e8d5e80b7c3469fec66baf621d53688368faf789535af2c6bb6ba6fad070d0d