AlmaLinux OS 9 SSH daemon must not allow known hosts authentication.

An XCCDF Rule

Details
Profiles

Description

Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

ID: SV-269267r1050149_rule
Version: ALMA-09-021140
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Configure the SSH daemon to not allow known hosts authentication.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":

IgnoreUserKnownHosts yes
Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

$ echo 'IgnoreUserKnownHosts yes' > /etc/ssh/sshd_config.d/40-knownhosts.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service

AlmaLinux OS 9 SSH daemon must not allow known hosts authentication.

Description

Remediation Templates

A Manual Procedure