Profile Applicability:
 • Level 1

Description:
 The IgnoreRhosts option in the SSH daemon (sshd) configuration disables the use of per-user .rhosts and .shosts files for authentication; these files encode trust relationships that are considered insecure. Enabling this option ensures SSH does not rely on these files, reducing the risk of unauthorized access.

Rationale:
 Disabling .rhosts and .shosts authentication methods prevents potential misuse of insecure trust relationships and enhances SSH security by requiring stronger authentication mechanisms.

Impact:
 Pros:

  • Eliminates weak authentication methods.

  • Reduces the attack surface for SSH access.

 Cons:

  • May affect legacy systems relying on .rhosts or .shosts authentication.

Default Value:
 IgnoreRhosts is usually enabled by default, but this should be verified.

Pre-requisites:

  • Root or sudo privileges to modify SSH daemon configuration.

Remediation:

Test Plan:

Using Linux command line:

Check current IgnoreRhosts setting in /etc/ssh/sshd_config:

grep ^IgnoreRhosts /etc/ssh/sshd_config

  1. Verify it is set to yes.

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Set IgnoreRhosts to yes:

IgnoreRhosts yes

Save the file and restart sshd:

systemctl restart sshd

Confirm the setting:

grep ^IgnoreRhosts /etc/ssh/sshd_config
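The audit and remediation steps above, as an added example that is not part of this benchmark page: a POSIX shell script that evaluates any sshd_config-style file the way sshd itself reads it (first occurrence of a keyword wins, Key=value accepted, Match blocks scoped), reports the effective IgnoreRhosts value, and rewrites the file when it fails. It assumes awk and mktemp are available, runs against a constructed sample rather than /etc/ssh/sshd_config, and notes that `sshd -T` remains the authoritative check on a live host because it also resolves Include files.

```shell
#!/bin/sh
# Audit/remediate IgnoreRhosts in an sshd_config-style file (added example).
# Mirrors sshd parsing: keywords are case-insensitive, "Key=value" is accepted,
# the FIRST occurrence wins, lines under Match are conditional, and an absent
# keyword takes the default (yes).  On a live host `sshd -T | grep -i ignorerhosts`
# (which also resolves Include files) is the authoritative check.
# Print the effective global IgnoreRhosts value ("yes" or "no") of file $1.
effective_ignorerhosts() {
    val=$(awk '{ l = $0; gsub(/=/, " ", l); split(l, f); k = tolower(f[1]) }
               k == "match"        { exit }   # global scope ends at first Match
               k == "ignorerhosts" { print tolower(f[2]); exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# Exit status 0 when file $1 passes the benchmark check (effective value yes).
audit_ignorerhosts() {
    [ "$(effective_ignorerhosts "$1")" = "yes" ]
}

# Rewrite file $1 so its first global IgnoreRhosts directive reads "yes": replace
# an existing global line, else insert before the first Match block, else append.
# Writing back through cat keeps the original file's mode and owner.
remediate_ignorerhosts() {
    tmp=$(mktemp) || return 1
    awk 'BEGIN { done = 0 }
         { l = $0; gsub(/=/, " ", l); split(l, f); k = tolower(f[1]) }
         !done && k == "match"        { print "IgnoreRhosts yes"; done = 1 }
         !done && k == "ignorerhosts" { print "IgnoreRhosts yes"; done = 1; next }
         { print }
         END { if (!done) print "IgnoreRhosts yes" }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample (not a real host's file) that fails the check: the
# commented line is ignored and the first live global directive says no.
make_sample_config() {
    f=$(mktemp) || return 1
    printf '%s\n' '# sshd_config (constructed sample)' 'Port 22' \
        '#IgnoreRhosts yes' 'IgnoreRhosts=no' 'Match User backup' \
        '    IgnoreRhosts yes' > "$f"
    printf '%s\n' "$f"
}

sample=$(make_sample_config)
printf 'before: %s\n' "$(effective_ignorerhosts "$sample")"   # before: no
remediate_ignorerhosts "$sample"
printf 'after:  %s\n' "$(effective_ignorerhosts "$sample")"   # after:  yes
rm -f "$sample"
```

To audit a real host, point the functions at /etc/ssh/sshd_config as root and compare with `sshd -T | grep -i ignorerhosts`, which also accounts for Include directives the file-based parser does not follow.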

Backout Plan:

Using Linux command line:

  1. Set IgnoreRhosts to no if necessary.

  2. Restart sshd and verify behavior.

References: