Disable GSSAPI Authentication
An XCCDF Rule
Description
Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate
configuration is used if no value is set for GSSAPIAuthentication
.
To explicitly disable GSSAPI authentication, add or correct the following line in
/etc/ssh/sshd_config
:
GSSAPIAuthentication no
Rationale
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
- ID
- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
Remediation - Ansible
- name: Disable GSSAPI Authentication
block:
- name: Check for duplicate values
lineinfile:
path: /etc/ssh/sshd_config