Disable SSH Support for .rhosts Files
An XCCDF Rule
Description
SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts
files.
The default SSH configuration disables support for .rhosts
. The appropriate
configuration is used if no value is set for IgnoreRhosts
.
To explicitly disable support for .rhosts files, add or correct the following line in
/etc/ssh/sshd_config
:
IgnoreRhosts yes
Rationale
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
- ID
- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Find sshd_config included files
shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Find the include keyword, extract from the line the glob expression representing included files.
# And if it is a relative path prepend '/etc/ssh/'
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|')