UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Host-based authentication for login-based services must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216357 SOL-11.1-040390 SV-216357r603267_rule Medium
Description
The use of .rhosts authentication is an insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled.
STIG Date
Solaris 11 SPARC Security Technical Implementation Guide 2020-12-08

Details

Check Text ( C-17593r371159_chk )
Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.

Determine if host-based authentication services are enabled.

# grep 'pam_rhosts_auth.so.1' /etc/pam.conf /etc/pam.d/*| grep -vc '^#'

If the returned result is not 0 (zero), this is a finding.
Fix Text (F-17591r371160_fix)
Note: This is the location for Solaris 11.1. For earlier versions, the information is in /etc/pam.conf.

The root role is required.

# ls -l /etc/pam.d
to identify the various configuration files used by PAM.

Search each file for the pam_rhosts_auth.so.1 entry.

# grep pam_rhosts_auth.so.1 [filename]

Identify the file with the line pam_hosts_auth.so.1 in it.

# pfedit [filename]

Insert a comment character (#) at the beginning of the line containing "pam_hosts_auth.so.1".