Detections
Analytics
RHEL-10-700540 - RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication.
Information
Configuring the "IgnoreUserKnownHosts" setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.OpenSSH uses the first occurrence of a keyword it sees, and drop-in files are read in lexicographical order at the start of the configuration. Red Hat recommends using drop-in files rather than changing base configuration files.
Solution
Configure RHEL 10 SSH daemons to not allow known hosts authentication.In "/etc/ssh/sshd_config.d", create a drop file that will lexicographically precede 50-redhat.conf and add the following line:
IgnoreUserKnownHosts yes
Restart the SSH service with the following command for the changes to take effect:
$ sudo systemctl restart sshd.service
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_10_V1R1_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1
Category: SYSTEM AND INFORMATION INTEGRITY
References: 800-53|SI-6a., CAT|II, CCI|CCI-002696, Rule-ID|SV-281257r1184757_rule, STIG-ID|RHEL-10-700540, Vuln-ID|V-281257
Plugin: Unix
Control ID: 1b583841f203a677278adc8ebae6f4c258de72aa83b5a07d4f0229995588791b