The rhost-based authentication for SSH must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216353	SOL-11.1-040350	SV-216353r959010_rule		Medium

Description
Setting this parameter forces users to enter a password when authenticating with SSH.

STIG	Date
Solaris 11 SPARC Security Technical Implementation Guide	2024-05-30

Details

Check Text ( C-17589r371147_chk )
Determine if rhost-based authentication is enabled. # grep "^IgnoreRhosts" /etc/ssh/sshd_config If the output is produced and it is not: IgnoreRhosts yes this is a finding. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used and there is no finding.

Fix Text (F-17587r371148_fix)
The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: IgnoreRhosts Change it to: IgnoreRhosts yes Restart the SSH service. # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.

Fix Text (F-17587r371148_fix)

The root role is required.

Modify the sshd_config file

# pfedit /etc/ssh/sshd_config

Locate the line containing:

IgnoreRhosts

Change it to:

IgnoreRhosts yes

Restart the SSH service.

# svcadm restart svc:/network/ssh

This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.