ESXI-65-000019 - The ESXi host SSH daemon must not permit Kerberos authentication.

Information

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems.

Solution

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/ssh/sshd_config':

KerberosAuthentication no

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CAT|III, CCI|CCI-000366, Rule-ID|SV-207620r388482_rule, STIG-ID|ESXI-65-000019, STIG-Legacy|SV-104071, STIG-Legacy|V-93985, Vuln-ID|V-207620

Plugin: Unix

Control ID: b3b75a802ab081a67f6c84f4bade970b0e8050d00f54dcf5546f0e8d2b329863