Detections
Analytics

5.3.28 Ensure SSH IgnoreUserKnownHosts is enabled

Information

The operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.

Rationale:

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Solution

Configure the SSH daemon to not allow authentication using known hosts authentication.
Add the following line in /etc/ssh/sshd_config, or uncomment the line and set the value to yes:
Example: vim /etc/ssh/sshd_config
Add, uncomment, or update the following line.

IgnoreUserKnownHosts yes

The SSH service must be restarted for changes to take effect.

# systemctl restart sshd.service

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CCI|CCI-000366, Rule-ID|SV-204593r603261_rule, STIG-ID|RHEL-07-040380

Plugin: Unix

Control ID: 936bec105b76741a0ad56a98580c2d6ef737cbe18d8cca85bb2aca845a13aee4