GEN005527 - The SSH daemon must not allow host-based authentication.

Information

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Solution

SSH's cryptographic host-based authentication is more secure than '.rhosts' authentication since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in '/etc/ssh/sshd_config':

HostbasedAuthentication no

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(2), CAT|II, CCI|CCI-000766, Rule-ID|SV-218612r603259_rule, STIG-ID|GEN005527, STIG-Legacy|SV-75259, STIG-Legacy|V-58537, Vuln-ID|V-218612

Plugin: Unix

Control ID: 604101c17904fc27efec7b403f6cf7b0b387ba126630b3fea2f4129c5448429a