4.2.6 Configuring SSH - ignore .shosts and .rhosts

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The recommendation is to edit the /etc/ssh/sshd_config file and set the IgnoreRhosts parameter so that sshd ignores .shosts and .rhosts files.

A user can log on to a remote system without authenticating if .rhosts or .shosts files exist in the remote home directory and the client machine name and user name are listed in those files. This method is fundamentally insecure, because the local system can be exploited by IP, DNS (Domain Name Server) and routing spoofing attacks. Additionally, this authentication method relies on the integrity of the client machine. These weaknesses have been known and exploited for a long time. Since this authentication method is not secure, it must be disabled.

Solution

Edit the /etc/ssh/sshd_config file to disable .shosts and .rhosts authentication:

vi /etc/ssh/sshd_config

Replace:

#IgnoreRhosts yes

With:

IgnoreRhosts yes

Restart the sshd daemon to pick up the configuration change:

stopsrc -s sshd
startsrc -s sshd
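The steps above (check the current value, make the setting explicit, restart sshd) can be scripted so the audit is repeatable. The following is an added example, not a script from the CIS benchmark or from Tenable; it assumes a POSIX sh with awk, operates only on the file path passed in, and deliberately does not run stopsrc/startsrc so it can be tested against a copy of sshd_config. It goes slightly beyond the text: it honours the sshd rule that the first occurrence of a keyword wins, that the compiled-in default is "yes" when the keyword is absent, and that a directive inside a Match block is not global.

```shell
#!/bin/sh
# Added example (not the audit's own code). Functions take an sshd_config
# path as $1; nothing here touches /etc unless you pass that path.

# Print the effective global IgnoreRhosts value. sshd uses the first
# uncommented occurrence of a keyword; occurrences inside a Match block
# are conditional, so they are skipped. No occurrence means the compiled
# default, which is "yes".
effective_ignore_rhosts() {
    cfg="$1"
    val=$(awk '
        { raw=$0; sub(/^[ \t]+/, "", raw); split(tolower(raw), r, /[ \t]+/) }
        r[1]=="match" { inmatch=1 }
        !inmatch && r[1]=="ignorerhosts" { print r[2]; exit }
    ' "$cfg")
    if [ -z "$val" ]; then
        echo "yes(default)"      # absent: sshd falls back to yes
    else
        echo "$val"
    fi
}

# Pass (exit 0) only when the file explicitly sets IgnoreRhosts yes, which
# is what the benchmark asks for; relying on the default is reported as a
# finding so a later "IgnoreRhosts no" cannot silently win.
ignore_rhosts_compliant() {
    [ "$(effective_ignore_rhosts "$1")" = "yes" ]
}

# Remediate: replace the first IgnoreRhosts line (commented or not) with
# "IgnoreRhosts yes", drop any later ones, and if none exists insert the
# directive before the first Match block (or at the end of the file) so it
# stays global.
set_ignore_rhosts_yes() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    awk '
        {
            raw=$0;  sub(/^[ \t]+/, "", raw)       # uncommented view
            strip=raw; sub(/^#[ \t]*/, "", strip)  # view with leading # removed
            split(tolower(raw), r, /[ \t]+/)
            split(tolower(strip), s, /[ \t]+/)
            if (r[1]=="match" && !done) { print "IgnoreRhosts yes"; done=1 }
            if (s[1]=="ignorerhosts") {
                if (!done) { print "IgnoreRhosts yes"; done=1 }
                next
            }
            print
        }
        END { if (!done) print "IgnoreRhosts yes" }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Example run against a constructed copy (never the live file here):
#   cp /etc/ssh/sshd_config /tmp/sshd_config.work
#   ignore_rhosts_compliant /tmp/sshd_config.work || set_ignore_rhosts_yes /tmp/sshd_config.work
# After copying the result back, restart sshd with stopsrc/startsrc as above.
```

On a running OpenSSH server, `sshd -T | grep -i ignorerhosts` prints the value the daemon actually resolved, which is a good cross-check after the restart because it reflects include files and Match logic that a file-level check can miss.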

See Also

https://workbench.cisecurity.org/files/528