PHTN-30-000087 - The Photon operating system must configure sshd to ignore user-specific 'known_host' files.

Information

Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines that must also be ignored while disabling host-based authentication generally.

Solution

Navigate to and open:

/etc/ssh/sshd_config

Ensure the 'IgnoreUserKnownHosts' line is uncommented and set to the following:

IgnoreUserKnownHosts yes

At the command line, run the following command:

# systemctl restart sshd.service

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-256556r887342_rule, STIG-ID|PHTN-30-000087, Vuln-ID|V-256556

Plugin: Unix

Control ID: 9474a17cfc3aa0218d669f7dcdf572fd2b94e7d36773c08a32d35d51aa61275d