Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-39283 | GEN005538-ESXI5-000112 | SV-51099r1_rule | Medium |
Description |
---|
If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication. |
STIG | Date |
---|---|
VMware ESXi Server 5.0 Security Technical Implementation Guide | 2013-09-12 |
Check Text ( C-46547r1_chk ) |
---|
Disable lock down mode. Enable the ESXi Shell. Login as root and execute the following command(s): # grep RhostsRSAAuthentication /etc/ssh/sshd_config If "RhostsRSAAuthentication" is set to "yes" or the keyword/line is missing, this is a finding. Re-enable lock down mode. |
Fix Text (F-44262r1_fix) |
---|
Disable lock down mode. Enable the ESXi Shell. Login as root and execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the "RhostsRSAAuthentication" keyword to "no", i.e.; RhostsRSAAuthentication=no Re-enable lock down mode. |