Title

SLEM 5 SSH daemon must be configured to not allow authentication using known hosts authentication. (Cat II impact)

Discussion

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Check Content

Verify SLEM 5 SSH daemon is configured to not allow authentication using "known hosts" authentication with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts' /etc/ssh/sshd_config:IgnoreUserKnownHosts yes If "IgnoreUserKnownHosts" is not set to "no", is commented out, missing, or conflicting results are returned, this is a finding.

Fix Text

Configure SLEM 5 SSH daemon to not allow authentication using "known hosts" authentication. Add or modify the following line in the "/etc/ssh/sshd_config" file: IgnoreUserKnownHosts yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-261340r996483_rule

Vulnerability ID: V-261340

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.