Skip to content

Disable SSH Support for Rhosts RSA Authentication

An XCCDF Rule

Description

SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

RhostsRSAAuthentication no

warning alert: Warning

As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option has been deprecated, and the line
RhostsRSAAuthentication no
in /etc/ssh/sshd_config is not necessary.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

ID
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
Severity
Medium
References
Updated



Remediation - Ansible

- name: Find sshd_config included files
  shell: |-
    included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
    [[ -n $included_files ]] && ls $included_files || true
  register: sshd_config_included_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication")