RHEL 9 SSH daemon must not allow GSSAPI authentication.

An XCCDF Rule

Details
Profiles

Description

Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227

ID: SV-258003r1045065_rule
Version: RHEL-09-255135
Severity: Medium
References: CCI-001813
Updated: about 2 months ago

Remediation Templates

Configure the SSH daemon to not allow GSSAPI authentication.

Add or uncomment the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" and set the value to "no":

GSSAPIAuthentication no
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

RHEL 9 SSH daemon must not allow GSSAPI authentication.

Description

Remediation Templates

A Manual Procedure