AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.

An XCCDF Rule

Description

Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.

ID: SV-269162r1050044_rule
Version: ALMA-09-009480
Severity: Medium
References: CCI-001813
Updated: about 2 months ago

Remediation Templates

Configure the SSH daemon to not allow Kerberos authentication.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

KerberosAuthentication no
Alternatively, add the setting to an included file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

KerberosAuthentication no

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service

AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.

Description

Remediation Templates

A Manual Procedure