AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.

STIG ID: ALMA-09-009480  |  SRG: SRG-OS-000364-GPOS-00151 |  Severity: medium |  CCI: CCI-001813 |  Vulnerability Id: V-269162

Vulnerability Discussion

Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.

Check

Verify the SSH daemon does not allow Kerberos authentication with the following command:

$ /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication'

kerberosauthentication no

If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.

Fix

Configure the SSH daemon to not allow Kerberos authentication.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

KerberosAuthentication no

Alternatively, add the setting to an included file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

KerberosAuthentication no

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.