{"description": "SSH can allow authentication through the obsolete rsh\ncommand through the use of the authenticating user's SSH keys. This should be disabled.\n<br /><br />\nTo ensure this behavior is disabled, add or correct the\nfollowing line in <tt>/etc/ssh/sshd_config</tt>:\n<pre>RhostsRSAAuthentication no</pre>", "rationale": "Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even\nin the event of misconfiguration elsewhere.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "cui": ["3.1.12"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["AC-17(a)", "CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To check which SSH protocol version is allowed, check version of\n<tt>openssh-server</tt> with following command:\n<pre>$ rpm -qi openssh-server | grep Version</pre>\nVersions equal to or higher than 7.4 have deprecated the <tt>RhostsRSAAuthentication</tt> option.\nIf version is lower than 7.4, run the following command to check configuration:\nTo determine how the SSH daemon's <tt>RhostsRSAAuthentication</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>no</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "As of <tt>openssh-server</tt> version <tt>7.4</tt> and above,\nthe <tt>RhostsRSAAuthentication</tt> option has been deprecated, and the line\n<pre>RhostsRSAAuthentication no</pre> in <tt>/etc/ssh/sshd_config</tt> is not\nnecessary."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable SSH Support for Rhosts RSA Authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "RhostsRSAAuthentication", "value": "no", "datatype": "string"}, "backends": {}}}