RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.

STIG ID: RHEL-09-255080  |  SRG: SRG-OS-000480-GPOS-00229 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-257992

Vulnerability Discussion

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Check

Verify the operating system does not allow a noncertificate trusted host SSH logon to the system with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*hostbasedauthentication'

HostbasedAuthentication no

If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.

If the required value is not set, this is a finding.

Fix

To configure RHEL 9 to not allow a noncertificate trusted host SSH logon to the system, add or modify the following line in "/etc/ssh/sshd_config" or in a file in "/etc/ssh/sshd_config.d".

HostbasedAuthentication no

Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.