6.5 Disable Rhost-based Authentication for SSH - IgnoreRhosts = yes

Information

The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

Setting this parameter forces users to enter a password when authenticating with SSH.

Solution

Perform the following to implement the recommended state:
# awk '/^IgnoreRhosts/ { $2 = "yes" }
{ print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS
# mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config
# svcadm restart svc:/network/ssh

This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed.

See Also

https://workbench.cisecurity.org/files/611

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-14a., 800-53|IA-5

Plugin: Unix

Control ID: fcb67499f9bea474bae06d573d7aafdf02e388c2d47dfc0f541b4f79bf51bc5d