Make sure HostbasedAuthentication is disabled


The HostbasedAuthentication sshd configuration option specifies whether authentication is allowed through trusted hosts via the use of .rhosts or /etc/hosts.equiv, combined with successful public-key authentication of the client host. Older sshd_config manuals note that this option only applies to SSH protocol version 2; protocol version 1 has since been removed from OpenSSH entirely, so on current systems it is simply the host-based authentication switch.

It is disabled by default. This test ensures that the default configuration is in place.

Why you should not enable HostbasedAuthentication

Host-based authentication allows a host to authenticate on behalf of all or some of its users. This means that compromising one host lets an attacker move trivially to every host that trusts it, as any account on the trusting side whose name appears in .rhosts or /etc/hosts.equiv. Hosts should not unilaterally trust one another, even within an organization, and even when the hosts are cryptographically authenticated: the client host key only proves which machine is connecting, not that the machine is uncompromised or that the user it vouches for is who it claims.

How to disable HostbasedAuthentication

Delete the line containing HostbasedAuthentication, since the default value is the correct one, or change its value to no.

grep -i '^[[:space:]]*HostbasedAuthentication' /etc/ssh/sshd_config

The -i is needed because sshd keywords are case-insensitive, and the anchored pattern skips commented-out lines: the stock sshd_config shipped by Ubuntu contains a commented "#HostbasedAuthentication no", which a plain grep would report even though it sets nothing. If the output isn't empty, the option is set explicitly in the file. Edit /etc/ssh/sshd_config and change the current HostbasedAuthentication value to no, or just remove the line.

If the output is empty, the option could still be set in a .conf file under /etc/ssh/sshd_config.d/, which the stock sshd_config pulls in with an Include directive at the top of the file. Because sshd uses the first value it reads for each keyword, a setting in one of those files overrides whatever the main file says further down, so check there too:

grep -i '^[[:space:]]*HostbasedAuthentication' /etc/ssh/sshd_config.d/*.conf

The /etc/ssh/sshd_config.d/ directory doesn't exist on Ubuntu 18.04; you only need to check it if you're using Ubuntu 20.04 or more recent.

If the output isn't empty, edit the file where the option is set and change its value to no. Also look out for a setting inside a Match block: it only applies to the matching connections, but it still enables host-based authentication for them and must be changed as well.

If you couldn't find the option set anywhere and want the secure value pinned explicitly rather than relying on the default, edit /etc/ssh/sshd_config and include the following line:

HostbasedAuthentication no

Finally, restart the sshd service (on Ubuntu the unit is called ssh, and sshd is an alias for it):

sudo systemctl restart sshd