AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

An XCCDF Rule

Details
Profiles

Description

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

ID: SV-269161r1050043_rule
Version: ALMA-09-009370
Severity: Medium
References: CCI-001813
Updated: about 2 months ago

Remediation Templates

Configure the SSH daemon to not allow GSSAPI authentication.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

GSSAPIAuthentication no
Alternatively, add the setting to an included file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

GSSAPIAuthentication no

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service

AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

Description

Remediation Templates

A Manual Procedure