mediumaccess-controlverified ✓rollback-safe
Disable SSH user known hosts for host-based auth
ssh-ignore-user-known-hosts · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must ignore user-level known_hosts files when performing host-based authentication. The IgnoreUserKnownHosts directive prevents sshd from trusting host keys cached in individual user home directories for host-based authentication decisions.
Rationale
User-managed known_hosts files can be modified to trust arbitrary hosts. An attacker who gains write access to a user's .ssh/known_hosts file could add a malicious host's key, causing the server to accept host-based authentication from attacker-controlled systems.
Check → Remediate
Checksshd_effective_config
- key:
- ignoreuserknownhosts
- expected:
- yes
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- IgnoreUserKnownHosts
- value:
- yes
- separator:
- reload:
- sshd
Framework references
STIG
V-230290 / RHEL-08-010520V-281257 / RHEL-10-700540
NIST 800-53
CM-6
Live verification
rhel10:checkrhel8:check
#ssh#authentication#known-hosts