RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-281254 | RHEL-10-700510 | SV-281254r1184754_rule | CCI-001813 | medium |
| Description | ||||
| GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. OpenSSH uses the first occurrence of a keyword it sees, and drop-in files are read in lexicographical order at the start of the configuration. Red Hat recommends using drop-in files rather than changing base configuration files. | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 10 Security Technical Implementation Guide | 2026-03-11 | |||
Details
Check Text (C-281254r1184754_chk)
Verify RHEL 10 SSH daemons do not allow GSSAPI authentication with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'
/etc/ssh/sshd_config.d/10-stig.conf:GSSAPIAuthentication no
/etc/ssh/sshd_config.d/50-redhat.conf:GSSAPIAuthentication yes
Verify the runtime setting with the following command:
$ sudo sshd -T | grep -i gssapiauthentication
gssapiauthentication no
If the "GSSAPIAuthentication" keyword is not set to "no" in a drop-in that lexicographically precedes 50-redhat.conf, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer, this is a finding.
Fix Text (F-85720r1166713_fix)
Configure RHEL 10 SSH daemons to not allow GSSAPI authentication.
In "/etc/ssh/sshd_config.d", create a drop file that will lexicographically precede 50-redhat.conf and add the following line:
GSSAPIAuthentication no
Restart the SSH service with the following command for the changes to take effect:
$ sudo systemctl restart sshd.service