Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The SSH daemon must not allow rhosts RSA authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| GEN005538-ESXI5-000112 | GEN005538-ESXI5-000112 | GEN005538-ESXI5-000112_rule | Medium |
| Description |
|---|
| If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-GEN005538-ESXI5-000112_chk ) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Login as root and execute the following command(s): # grep RhostsRSAAuthentication /etc/ssh/sshd_config If "RhostsRSAAuthentication" is set to "yes" or the keyword/line is missing, this is a finding. Re-enable lock down mode. |
| Fix Text (F-GEN005538-ESXI5-000112_fix) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Login as root and execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the "RhostsRSAAuthentication" keyword to "no", i.e.; RhostsRSAAuthentication=no Re-enable lock down mode. |