Disable SSH Support for .rhosts Files
An XCCDF Rule
Description
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts.

To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config:

    IgnoreRhosts yes
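An added audit helper (not part of the rule or its remediation scripts) that reports the effective IgnoreRhosts value in a given sshd_config file. It honours two sshd parsing rules that matter for this check: the first occurrence of a keyword wins, and keywords are case-insensitive and may use either "Key value" or "Key=value". The sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper for the IgnoreRhosts directive in an sshd_config file.
#   * sshd uses the FIRST value it finds for a keyword, so a later
#     "IgnoreRhosts yes" does not override an earlier "IgnoreRhosts no"
#     (which is why a remediation must remove existing lines before adding one);
#   * keywords are case-insensitive and may be written "Key value" or "Key=value".
# Exit status: 0 = explicitly "yes", 1 = "no" or an unexpected value,
#              2 = not set (the sshd default applies, but the rule wants it explicit).
check_ignore_rhosts() {
    # drop comment lines, normalise "=" to a space, take the first IgnoreRhosts line
    value=$(sed -e '/^[[:space:]]*#/d' -e 's/=/ /' "$1" \
        | awk 'tolower($1) == "ignorerhosts" { print tolower($2); exit }')
    case "$value" in
        yes) echo "$1: IgnoreRhosts yes (explicit)"; return 0 ;;
        "")  echo "$1: IgnoreRhosts not set (default applies)"; return 2 ;;
        no)  echo "$1: IgnoreRhosts no (rhosts authentication enabled)"; return 1 ;;
        *)   echo "$1: IgnoreRhosts has unexpected value '$value'"; return 1 ;;
    esac
}

# Constructed sample configs (no real host) exercising each case.
write_samples() {
    dir=$(mktemp -d)
    printf 'Port 22\n# IgnoreRhosts no\nignorerhosts=yes\n' > "$dir/explicit_yes"
    printf 'Port 22\nPermitRootLogin no\n'                 > "$dir/unset"
    printf 'IgnoreRhosts no\nIgnoreRhosts yes\n'           > "$dir/first_wins"
    echo "$dir"
}

samples=$(write_samples)
for f in "$samples"/*; do
    check_ignore_rhosts "$f" || true   # keep going; the status is what an audit records
done
rm -rf "$samples"
```

On a live host, `sshd -T` prints the effective value after all parsing and is the authoritative check; this parser is for offline review of config files.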
Rationale
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
- ID: xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
- Severity: Medium
- References
- Updated
Remediation - Shell Script
    # Remediation is applicable only in certain platforms
    if rpm --quiet -q kernel; then
      if [ -e "/etc/ssh/sshd_config" ]; then
        # Remove any existing IgnoreRhosts line (case-insensitive), then set it explicitly
        LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
        echo "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
      fi
    fi
Remediation - Ansible
    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
        - CJIS-5.5.6
        - NIST-800-171-3.1.12

    # Sets the line the description calls for, on the same platforms as the shell script
    - name: Disable SSH Support for .rhosts Files
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '(?i)^\s*IgnoreRhosts\s+'
        line: IgnoreRhosts yes
      when: '"kernel" in ansible_facts.packages'