InformationThe operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
SolutionConfigure the SSH daemon to not allow authentication using known hosts authentication.
Add the following line in /etc/ssh/sshd_config, or uncomment the line and set the value to yes:
Example: vim /etc/ssh/sshd_config
Add, uncomment, or update the following line.
The SSH service must be restarted for changes to take effect.
# systemctl restart sshd.service
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72249
Rule ID: SV-86873r3_rule
STIG ID: RHEL-07-040380
Severity: CAT II