Detections
Analytics
ALMA-09-009480 - AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.
Information
Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.Solution
Configure the SSH daemon to not allow Kerberos authentication.Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
KerberosAuthentication no
Alternatively, add the setting to an included file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:
KerberosAuthentication no
Restart the SSH daemon for the settings to take effect:
$ systemctl restart sshd.service
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CL_AlmaLinux_OS_9_V1R6_STIG.zip
Item Details
Audit Name: DISA Cloud Linux AlmaLinux OS 9 STIG v1r6
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-5(1), CAT|II, CCI|CCI-001813, Rule-ID|SV-269162r1050044_rule, STIG-ID|ALMA-09-009480, Vuln-ID|V-269162
Plugin: Unix
Control ID: 0ace6b1f6e2a69bfe5286b6d9b3556bd90cce709df58405795411010036389f4