Disable SSH Support for Rhosts RSA Authentication
An XCCDF Rule
Description
SSH can allow authentication through the obsolete rsh
command through the use of the authenticating user's SSH keys. This should be disabled.
To ensure this behavior is disabled, add or correct the
following line in /etc/ssh/sshd_config
:
RhostsRSAAuthentication no
warning alert: Warning
As of
openssh-server
version 7.4
and above,
the RhostsRSAAuthentication
option has been deprecated, and the line
RhostsRSAAuthentication noin
/etc/ssh/sshd_config
is not
necessary.Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
- ID
- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication")
Remediation - Ansible
- name: Disable SSH Support for Rhosts RSA Authentication
block:
- name: Check for duplicate values
lineinfile:
path: /etc/ssh/sshd_config