Host-based authentication for login-based services must be disabled.

An XCCDF Rule

Description

<VulnDiscussion>The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216357r959010_rule
Severity: Medium
References: CCI-000366
Updated: 18 days ago

Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.

The root role is required.

# ls -l /etc/pam.d
to identify the various configuration files used by PAM.
Search each file for the pam_rhosts_auth.so.1 entry.

# grep pam_rhosts_auth.so.1 [filename]

Identify the file with the line pam_hosts_auth.so.1 in it.

# pfedit [filename]

Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".

Host-based authentication for login-based services must be disabled.

Description

Remediation - Manual Procedure