← Rules Catalog
mediumaccess-controlverified rollback-safe

Disable SSH rhosts-based authentication

ssh-ignore-rhosts · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must ignore .rhosts and .shosts files for host-based authentication. These legacy trust files allow users to specify remote hosts and users that should be granted access without a password.

Rationale

The .rhosts mechanism is a legacy trust model that relies on hostname and username matching without cryptographic verification. An attacker who can create or modify a user's .rhosts file can establish password-free access from arbitrary hosts, completely bypassing authentication controls.

Check → Remediate

Checksshd_effective_config
key:
ignorerhosts
expected:
yes
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
IgnoreRhosts
value:
yes
separator:
reload:
sshd

Framework references

CIS

rhel10 5.1.11rhel8 5.1.13rhel9 5.1.13

STIG

V-258005 / RHEL-09-255145V-281256 / RHEL-10-700530

NIST 800-53

CM-6AC-3

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#rhosts