AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

STIG ID: ALMA-09-009370  |  SRG: SRG-OS-000364-GPOS-00151 |  Severity: medium |  CCI: CCI-001813 |  Vulnerability Id: V-269161

Vulnerability Discussion

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

Check

Verify the SSH daemon does not allow GSSAPI authentication with the following command:

$ /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'

gssapiauthentication no

If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.

If the required value is not set, this is a finding.

Fix

Configure the SSH daemon to not allow GSSAPI authentication.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

GSSAPIAuthentication no

Alternatively, add the setting to an included file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

GSSAPIAuthentication no

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.