RHEL 9 SSH daemon must not allow GSSAPI authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258003	RHEL-09-255135	SV-258003r925996_rule		Medium

Description
Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227

STIG	Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-61744r925994_chk )
Verify the SSH daemon does not allow GSSAPI authentication with the following command: $ sudo grep -ir gssapiauth /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* GSSAPIAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding. If the required value is not set, this is a finding.

Check Text ( C-61744r925994_chk )

Verify the SSH daemon does not allow GSSAPI authentication with the following command:

$ sudo grep -ir gssapiauth /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*

GSSAPIAuthentication no

If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.

If the required value is not set, this is a finding.

Fix Text (F-61668r925995_fix)
Configure the SSH daemon to not allow GSSAPI authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": GSSAPIAuthentication no The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service