RHEL 9 SSH daemon must not allow known hosts authentication.

An XCCDF Rule

Details
Profiles

Description

Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

ID: SV-258006r1045071_rule
Version: RHEL-09-255150
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Configure the SSH daemon to not allow known hosts authentication.

Add the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d", or uncomment the line and set the value to "yes":

IgnoreUserKnownHosts yes
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

RHEL 9 SSH daemon must not allow known hosts authentication.

Description

Remediation Templates

A Manual Procedure