OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-271704 | OL09-00-002341 | SV-271704r1091824_rule | CCI-001813 | medium |
| Description | ||||
| GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. | ||||
| STIG | Date | |||
| Oracle Linux 9 Security Technical Implementation Guide | 2025-05-08 | |||
Details
Check Text (C-271704r1091824_chk)
Verify that OL 9 SSH daemon does not allow GSSAPI authentication with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'
GSSAPIAuthentication no
If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.
Fix Text (F-75661r1091823_fix)
Configure the SSH daemon to not allow GSSAPI authentication.
Add or uncomment the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" and set the value to "no":
GSSAPIAuthentication no
The SSH service must be restarted for changes to take effect:
$ sudo systemctl restart sshd.service