5.3.26 Ensure RSA rhosts authentication is not allowed

Information

The operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.

Rationale:

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Solution

Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
Add the following line to /etc/ssh/sshd_config, or uncomment the existing line and set its value to no (for example, by editing the file with vim /etc/ssh/sshd_config):

RhostsRSAAuthentication no

The SSH service must be restarted for changes to take effect.

# systemctl restart sshd.service
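As an added example (not part of the benchmark text or of any CIS or DISA material), the shell functions below audit and remediate the directive in a given sshd_config path, so the change can be rehearsed on a copy before it is applied to the live file and restarted. They follow sshd's own parsing rules: the keyword is matched case-insensitively, whitespace or "=" may separate keyword and value, lines starting with "#" are ignored, and the first occurrence of a directive wins. The remediation places the line before any Match block, because a directive that appears after a Match line applies only inside that block. The function names and the constructed sample configuration are the example's own. Note that OpenSSH 7.4 and later removed SSH protocol 1 support and treat RhostsRSAAuthentication as a deprecated, ignored keyword; on such builds the line satisfies the audit but changes nothing in the daemon's behaviour.

```shell
#!/bin/sh
# Added example: audit and remediate "RhostsRSAAuthentication no" in an
# sshd_config file. FILE defaults to /etc/ssh/sshd_config; pass a copy to test.

# check_rhosts_rsa [FILE]
# Exit 0 when the first active RhostsRSAAuthentication directive is "no",
# exit 1 when it is absent or set to anything else.
check_rhosts_rsa() {
    file=${1:-/etc/ssh/sshd_config}
    [ -r "$file" ] || return 1
    val=$(awk '
        { line = $0; sub(/^[ \t]+/, "", line) }      # strip leading blanks
        tolower(line) ~ /^rhostsrsaauthentication([ \t]|=)/ {
            sub(/^[^ \t=]+[ \t=]+/, "", line)        # drop keyword and separator
            sub(/[ \t]+.*$/, "", line)               # drop anything after the value
            print tolower(line); exit                # first occurrence wins, as in sshd
        }' "$file")
    [ "$val" = "no" ]
}

# remediate_rhosts_rsa [FILE]
# Remove every active RhostsRSAAuthentication line (commented ones are kept
# as documentation) and insert "RhostsRSAAuthentication no" before the first
# Match block, or at the end of the file when there is no Match block.
# The result is written back with cat so ownership and mode are preserved.
remediate_rhosts_rsa() {
    file=${1:-/etc/ssh/sshd_config}
    tmp=$(mktemp) || return 1
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^rhostsrsaauthentication([ \t]|=|$)/ { next }
        tolower(line) ~ /^match([ \t]|$)/ && !done {
            print "RhostsRSAAuthentication no"; done = 1
        }
        { print }
        END { if (!done) print "RhostsRSAAuthentication no" }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on a constructed sample file, so running this script does
# not touch the live /etc/ssh/sshd_config.
demo=$(mktemp)
printf '%s\n' '# constructed sample sshd_config' \
    '#RhostsRSAAuthentication no' \
    'PermitRootLogin no' \
    'Match User backup' \
    '    PasswordAuthentication no' > "$demo"
if check_rhosts_rsa "$demo"; then
    echo "compliant: $demo"
else
    echo "not compliant, remediating: $demo"
    remediate_rhosts_rsa "$demo"
fi
check_rhosts_rsa "$demo" && echo "now compliant; restart sshd to apply on a live host"
rm -f "$demo"
```

Run the check against the live file with `check_rhosts_rsa /etc/ssh/sshd_config; echo $?`, and only after `remediate_rhosts_rsa` has been reviewed on a copy apply it as root and restart sshd as the benchmark directs.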

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CCI|CCI-000366, Rule-ID|SV-204588r603261_rule, STIG-ID|RHEL-07-040330

Plugin: Unix

Control ID: 1358cc0fec5578a377d79edf69259c55efc2ac93ba583b1bf29f5986c20865e7