Profile Applicability:
• Level 1
Description:
The HostbasedAuthentication option in the SSH daemon (sshd) allows authentication based on the client host's identity. Disabling this option prevents potential unauthorized access through compromised or spoofed trusted hosts.
Rationale:
Disabling HostbasedAuthentication reduces the risk of unauthorized access by ensuring authentication is based on user credentials rather than host identity, which is less secure.
Impact:
Pros:
Enhances SSH security by requiring user-based authentication.
Limits exposure to host spoofing attacks.
Cons:
May affect legacy systems or environments relying on host-based authentication.
Default Value:
HostbasedAuthentication is often enabled by default on some systems.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check the current HostbasedAuthentication setting in /etc/ssh/sshd_config (sshd treats keywords case-insensitively and ignores leading whitespace, so match the same way):
grep -Ei '^[[:space:]]*HostbasedAuthentication' /etc/ssh/sshd_config
Verify that it is set to no.
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Set HostbasedAuthentication to no:
HostbasedAuthentication no
Save the file and restart sshd:
systemctl restart sshd
Confirm the setting:
grep -Ei '^[[:space:]]*HostbasedAuthentication' /etc/ssh/sshd_config
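The following audit helper is an added example, not part of this benchmark text. It resolves the effective HostbasedAuthentication value from an sshd_config file the way sshd does (first matching directive wins, keyword case-insensitive, "Keyword=value" accepted, OpenSSH default of no when absent, global section only) and wraps the sshd -T check for live hosts; the function names and the constructed test files are assumptions.

```shell
#!/bin/sh
# effective_hba: print the globally effective HostbasedAuthentication value
# for the sshd_config-style file given as $1. Mirrors sshd parsing rules:
#   - comments and leading whitespace are ignored
#   - keywords are case-insensitive; "Keyword value" or "Keyword=value"
#   - the FIRST directive wins; later duplicates are ignored
#   - parsing stops at the first Match block (those lines are conditional)
#   - no directive at all means the OpenSSH default, "no"
effective_hba() {
    awk '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line == "" { next }
        tolower(line) ~ /^match([ \t]|$)/ { exit }
        {
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "hostbasedauthentication") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# check_hba: PASS/FAIL wrapper; returns 0 only when the effective value is "no".
check_hba() {
    v=$(effective_hba "$1")
    if [ "$v" = "no" ]; then
        echo "PASS: HostbasedAuthentication is $v in $1"; return 0
    fi
    echo "FAIL: HostbasedAuthentication is $v in $1"; return 1
}

# live_hba: on a running host, prefer the daemon's own resolved view, which
# also covers Include files and compiled-in defaults (needs root to read
# the host keys). Prints the value or nothing if sshd is unavailable.
live_hba() {
    sshd -T 2>/dev/null | awk 'tolower($1) == "hostbasedauthentication" { print $2 }'
}

# Usage: sh audit_hba.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    check_hba "$1"
fi
```

A plain grep for ^HostbasedAuthentication would miss an indented or lowercase directive that sshd still honours, which is the case the parser above handles.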
Backout Plan:
Using Linux command line:
Re-enable HostbasedAuthentication by setting it to yes if needed.
Restart sshd and verify functionality.
References: