The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files.

An XCCDF Rule

Details
Profiles

Description

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate the behavior of the obsolete "rsh" command in allowing users to enable insecure access to their accounts via ".rhosts" files.

ID: SV-258738r1015920_rule
Version: ESXI-80-000052
Severity: Medium
References: CCI-000765 CCI-000767
Updated: about 2 months ago

Remediation Templates

From an ESXi shell, run the following command:

# esxcli system ssh server config set -k ignorerhosts -v yes

or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'ignorerhosts'
$arguments.value = 'yes'
$esxcli.system.ssh.server.config.set.Invoke($arguments)

The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files.

Description

Remediation Templates

A Manual Procedure