The rhost-based authentication for SSH must be disabled.

An XCCDF Rule

Description

<VulnDiscussion>Setting this parameter forces users to enter a password when authenticating with SSH.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216353r959010_rule
Severity: Medium
References: CCI-000366
Updated: 18 days ago

The root role is required.

Modify the sshd_config file

# pfedit /etc/ssh/sshd_config
Locate the line containing:

IgnoreRhosts

Change it to:

IgnoreRhosts yes

Restart the SSH service.

# svcadm restart svc:/network/ssh


This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.

The rhost-based authentication for SSH must be disabled.

Description

Remediation - Manual Procedure