Enable GSSAPI Authentication
An XCCDF Rule
Description
Sites setup to use Kerberos or other GSSAPI Authenticaion require setting
sshd to accept this authentication.
To enable GSSAPI authentication, add or correct the following line in
/etc/ssh/sshd_config
:
GSSAPIAuthentication yes
Rationale
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. For enterprises, Kerberos is often enabled and used with GSSAPI for centralized user account management which may necessitate enabling of GSSAPI functionality in SSH.
- ID
- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
- Severity
- Medium
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
Remediation - Ansible
- name: Enable GSSAPI Authentication
block:
- name: Check for duplicate values
lineinfile:
path: /etc/ssh/sshd_config