3.6.2.6 Configuring SSH - disallow host based authentication

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The recommendation is to edit the /etc/ssh/sshd_config file to ensure that host-based authentication is disallowed.

Rationale:

Using host-based authentication, any user on a trusted host can log into another host on which this feature is enabled. Since this feature depends only on system authentication and not on user authentication, it must be disabled.

Solution

Edit the /etc/ssh/sshd_config file to ensure that host based authentication is disallowed:

vi /etc/ssh/sshd_config

Replace:

#HostbasedAuthentication no

With:

HostbasedAuthentication no

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd

Default Value:

HostbasedAuthentication no

Additional Information:

Reversion:

Revert to the default setting for the HostBasedAuthentication parameter:

vi /etc/ssh/sshd_config

Replace:

HostbasedAuthentication no

With:

# HostbasedAuthentication no

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd

startsrc -s sshd

See Also

https://workbench.cisecurity.org/files/3525