← Rules Catalog
mediumaccess-controlverified rollback-safe

Disable SSH user known hosts for host-based auth

ssh-ignore-user-known-hosts · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must ignore user-level known_hosts files when performing host-based authentication. The IgnoreUserKnownHosts directive prevents sshd from trusting host keys cached in individual user home directories for host-based authentication decisions.

Rationale

User-managed known_hosts files can be modified to trust arbitrary hosts. An attacker who gains write access to a user's .ssh/known_hosts file could add a malicious host's key, causing the server to accept host-based authentication from attacker-controlled systems.

Check → Remediate

Checksshd_effective_config
key:
ignoreuserknownhosts
expected:
yes
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
IgnoreUserKnownHosts
value:
yes
separator:
reload:
sshd

Framework references

STIG

V-230290 / RHEL-08-010520V-281257 / RHEL-10-700540

NIST 800-53

CM-6

Live verification

rhel10:checkrhel8:check
#ssh#authentication#known-hosts