Disable Kerberos Authentication
An XCCDF Rule
Description
Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos.
The appropriate configuration is used if no value is set for KerberosAuthentication
.
To explicitly disable Kerberos authentication, add or correct the following line in
/etc/ssh/sshd_config
:
KerberosAuthentication no
Rationale
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
- ID
- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Find sshd_config included files
shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Find the include keyword, extract from the line the glob expression representing included files.
# And if it is a relative path prepend '/etc/ssh/'
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|')