RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257992	RHEL-09-255080	SV-257992r943040_rule		Medium

Description
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

STIG	Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-61733r943039_chk )
Verify the operating system does not allow a noncertificate trusted host SSH logon to the system with the following command: $ sudo grep -ir hostbasedauthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* HostbasedAuthentication no If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding. If the required value is not set, this is a finding.

Check Text ( C-61733r943039_chk )

Verify the operating system does not allow a noncertificate trusted host SSH logon to the system with the following command:

$ sudo grep -ir hostbasedauthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*

HostbasedAuthentication no

If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.

If the required value is not set, this is a finding.

Fix Text (F-61657r925962_fix)
To configure RHEL 9 to not allow a noncertificate trusted host SSH logon to the system add or modify the following line in "/etc/ssh/sshd_config". HostbasedAuthentication no Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service