STIGQter: STIG Summary: Canonical Ubuntu 16.04 Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 24 Jan 2020: The SSH daemon must not allow authentication using known hosts authentication.

DISA Rule

SV-90521r2_rule

Vulnerability Number

V-75841

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

UBTU-16-030300

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SSH daemon to not allow authentication using known hosts authentication.

Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":

IgnoreUserKnownHosts yes

The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:

# sudo systemctl restart sshd.service

Check Contents

Verify the SSH daemon does not allow authentication using known hosts authentication.

To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:

# grep IgnoreUserKnownHosts /etc/ssh/sshd_config

IgnoreUserKnownHosts yes

If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.
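
The check above, scripted so the result is a pass/finding decision rather than raw grep output. This is an added example, not part of the STIG or of STIGQter; the function names and the sample files are constructed for illustration. Unlike the plain grep, it matches the keyword case-insensitively, ignores commented lines, and evaluates only the first occurrence, since sshd uses the first value it obtains for a keyword.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the STIG.

# Print the first uncommented IgnoreUserKnownHosts value in file $1,
# or nothing if the keyword is absent or only appears commented out.
effective_ignore_user_known_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # drop leading indentation
            split(line, f, /[ \t=]+/)          # keyword, then value
            if (tolower(f[1]) == "ignoreuserknownhosts") {
                val = f[2]
                gsub(/"/, "", val)             # value may be double-quoted
                print val
                exit                           # first obtained value is the one used
            }
        }
    ' "$1"
}

# Return 0 only when the value is exactly "yes" (arguments are case-sensitive);
# return 1 (finding) for "no", a commented-out line, or a missing keyword.
check_ignore_user_known_hosts() {
    val=$(effective_ignore_user_known_hosts "$1")
    if [ "$val" = "yes" ]; then
        echo "PASS: IgnoreUserKnownHosts yes"
        return 0
    fi
    echo "FINDING: IgnoreUserKnownHosts is '${val:-unset}'"
    return 1
}

# Constructed sample configurations (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'Port 22\nignoreuserknownhosts yes\n' > "$demo_dir/lowercase_keyword"
printf '#IgnoreUserKnownHosts yes\n' > "$demo_dir/commented_out"
printf 'IgnoreUserKnownHosts no\nIgnoreUserKnownHosts yes\n' > "$demo_dir/first_wins"
for name in lowercase_keyword commented_out first_wins; do
    printf '%s: ' "$name"
    check_ignore_user_known_hosts "$demo_dir/$name" || true
done
rm -rf "$demo_dir"
```

On a live host, pass "/etc/ssh/sshd_config" as the argument; `sshd -T` can be used to confirm the value the daemon itself parsed.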

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3075

Comments