5.2.25 Ensure SSH setting for 'IgnoreUserKnownHosts' is enabled - IgnoreUserKnownHosts is enabled.


The operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.


Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.


Configure the SSH daemon to not allow authentication using known hosts authentication.
Add the following line in /etc/ssh/sshd_config, or uncomment the line and set the value to yes:
Example: vim /etc/ssh/sshd_config
Add, uncomment, or update the following line.

IgnoreUserKnownHosts yes

The SSH service must be restarted for changes to take effect.

# systemctl restart sshd.service


This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019

Vul ID: V-72249

Rule ID: SV-86873r3_rule

STIG ID: RHEL-07-040380

Severity: CAT II

See Also


Item Details


References: 800-53|CM-6b.

Plugin: Unix

Control ID: e3e7da9cb14cfb724a03e9fd29060cb0c16739dae9deb073c2bec897b320f6da