Skip to content

Disable SSH Support for Rhosts RSA Authentication

An XCCDF Rule

Description

SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

RhostsRSAAuthentication no

warning alert: Warning

As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option has been deprecated, and the line
RhostsRSAAuthentication no
in /etc/ssh/sshd_config is not necessary.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

ID
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication")

Remediation - Ansible

- name: Disable SSH Support for Rhosts RSA Authentication
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config