Host-based authentication for login-based services must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-216120 | SOL-11.1-040390 | SV-216120r959010_rule | CCI-000366 | medium |
| Description | ||||
| The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. | ||||
| STIG | Date | |||
| Solaris 11 X86 Security Technical Implementation Guide | 2025-05-05 | |||
Details
Check Text (C-216120r959010_chk)
Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.
Determine if host-based authentication services are enabled.
# grep 'pam_rhosts_auth.so.1' /etc/pam.conf /etc/pam.d/*| grep -vc '^#'
If the returned result is not 0 (zero), this is a finding.
Fix Text (F-17356r372743_fix)
Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.
The root role is required.
# ls -l /etc/pam.d
to identify the various configuration files used by PAM.
Search each file for the pam_rhosts_auth.so.1 entry.
# grep pam_rhosts_auth.so.1 [filename]
Identify the file with the line pam_hosts_auth.so.1 in it.
# pfedit [filename]
Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".