mediumaccess-controlverified ✓rollback-safe
Disable SSH rhosts-based authentication
ssh-ignore-rhosts · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must ignore .rhosts and .shosts files for host-based authentication. These legacy trust files allow users to specify remote hosts and users that should be granted access without a password.
Rationale
The .rhosts mechanism is a legacy trust model that relies on hostname and username matching without cryptographic verification. An attacker who can create or modify a user's .rhosts file can establish password-free access from arbitrary hosts, completely bypassing authentication controls.
Check → Remediate
Checksshd_effective_config
- key:
- ignorerhosts
- expected:
- yes
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- IgnoreRhosts
- value:
- yes
- separator:
- reload:
- sshd
Framework references
CIS
rhel10 5.1.11rhel8 5.1.13rhel9 5.1.13
STIG
V-258005 / RHEL-09-255145V-281256 / RHEL-10-700530
NIST 800-53
CM-6AC-3
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#rhosts