Detections
Analytics

5.3.26 Ensure RSA rhosts authentication is not allowed

Information

The operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.

Rationale:

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Solution

Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
Add the following line in /etc/ssh/sshd_config, or uncomment the line and set the value to no:
Example: vim /etc/ssh/sshd_config
Add, uncomment or update the following line:

RhostsRSAAuthentication no

The SSH service must be restarted for changes to take effect.

# systemctl restart sshd.service

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CCI|CCI-000366, Rule-ID|SV-204588r603261_rule, STIG-ID|RHEL-07-040330

Plugin: Unix

Control ID: 4e603df2ceb112cce66b76301740248c1fda1944573c5ae4036972da881d09a5