RHEL-10-700510 - RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

Information

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

OpenSSH uses the first occurrence of a keyword it sees, and drop-in files are read in lexicographical order at the start of the configuration. Red Hat recommends using drop-in files rather than changing base configuration files.

Solution

Configure RHEL 10 SSH daemons to not allow GSSAPI authentication.

In "/etc/ssh/sshd_config.d", create a drop file that will lexicographically precede 50-redhat.conf and add the following line:

GSSAPIAuthentication no

Restart the SSH service with the following command for the changes to take effect:

$ sudo systemctl restart sshd.service

Item Details

Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1

Category: CONFIGURATION MANAGEMENT

Plugin: Unix

Control ID: 6a295740586cd300e0ed6336e71e578a33b635446fb9a682cb39d72ed63707aa

Detections

Analytics

RHEL-10-700510 - RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

Information

Solution

See Also

Item Details