Disable Host-Based Authentication

Docs > Datadog Security > OOTB Rules > Disable Host-Based Authentication

Classification:

compliance

Framework:

Control:

Description

SSH’s cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication.

To explicitly disable host-based authentication, add or correct the following line in

/etc/ssh/sshd_config:

HostbasedAuthentication no

Rationale

SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd\_config" ] ; then
 
 LC\_ALL=C sed -i "/^\s\*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd\_config"
else
 touch "/etc/ssh/sshd\_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd\_config"

cp "/etc/ssh/sshd\_config" "/etc/ssh/sshd\_config.bak"
# Insert before the line matching the regex '^Match'.
line\_number="$(LC\_ALL=C grep -n "^Match" "/etc/ssh/sshd\_config.bak" | LC\_ALL=C sed 's/:.\*//g')"
if [ -z "$line\_number" ]; then
 # There was no match of '^Match', insert at
 # the end of the file.
 printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd\_config"
else
 head -n "$(( line\_number - 1 ))" "/etc/ssh/sshd\_config.bak" > "/etc/ssh/sshd\_config"
 printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd\_config"
 tail -n "+$(( line\_number ))" "/etc/ssh/sshd\_config.bak" >> "/etc/ssh/sshd\_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd\_config.bak"

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Disable Host-Based Authentication
 block:

 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: false
 regexp: (?i)^\s\*HostbasedAuthentication\s+
 state: absent
 check\_mode: true
 changed\_when: false
 register: dupes

 - name: Deduplicate values from /etc/ssh/sshd\_config
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: false
 regexp: (?i)^\s\*HostbasedAuthentication\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1

 - name: Insert correct line to /etc/ssh/sshd\_config
 lineinfile:
 path: /etc/ssh/sshd\_config
 create: true
 regexp: (?i)^\s\*HostbasedAuthentication\s+
 line: HostbasedAuthentication no
 state: present
 insertbefore: ^[#\s]\*Match
 validate: /usr/sbin/sshd -t -f %s
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CJIS-5.5.6
 - NIST-800-171-3.1.12
 - NIST-800-53-AC-17(a)
 - NIST-800-53-AC-3
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - PCI-DSSv4-8.3.1
 - disable\_host\_auth
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy