The rhost-based authentication for SSH must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-216116 | SOL-11.1-040350 | SV-216116r959010_rule | CCI-000366 | medium |
| Description | ||||
| Setting this parameter forces users to enter a password when authenticating with SSH. | ||||
| STIG | Date | |||
| Solaris 11 X86 Security Technical Implementation Guide | 2025-05-05 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-216116r959010_chk)
Determine if rhost-based authentication is enabled.
# grep "^IgnoreRhosts" /etc/ssh/sshd_config
If the output is produced and it is not:
IgnoreRhosts yes
this is a finding.
If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used and there is no finding.
Fix Text (F-17352r372731_fix)
The root role is required.
Modify the sshd_config file
# pfedit /etc/ssh/sshd_config
Locate the line containing:
IgnoreRhosts
Change it to:
IgnoreRhosts yes
Restart the SSH service.
# svcadm restart svc:/network/ssh
This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.