The Photon operating system must configure sshd to ignore user-specific "known_host" files.

An XCCDF Rule

Details
Profiles

Description

Secure Shell (SSH) trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines that must also be ignored while disabling host-based authentication generally.

ID: SV-256556r991589_rule
Version: PHTN-30-000087
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "IgnoreUserKnownHosts" line is uncommented and set to the following:
IgnoreUserKnownHosts yes

At the command line, run the following command:

# systemctl restart sshd.service

The Photon operating system must configure sshd to ignore user-specific "known_host" files.

Description

Remediation Templates

A Manual Procedure