Profile Applicability:
• Level 1
Description:
The GSSAPIAuthentication option in the SSH daemon (sshd) controls whether users may authenticate through the Generic Security Services Application Program Interface (GSSAPI), which in practice means Kerberos. On hosts that are not members of a Kerberos realm this authentication path is never used; disabling it removes an unneeded code path from the pre-authentication attack surface of sshd.
Rationale:
Disabling GSSAPIAuthentication removes an authentication mechanism that most systems do not need. GSSAPI/Kerberos processing runs before a user is authenticated, so any defect in that code is reachable by unauthenticated network clients; turning the mechanism off on hosts that do not use it eliminates that exposure.
Impact:
Pros:
Simplifies authentication mechanisms.
Reduces exposure to potential GSSAPI/Kerberos related vulnerabilities.
Cons:
Disables Kerberos-based single sign-on, which may affect environments relying on it.
Default Value:
The upstream OpenSSH default for GSSAPIAuthentication is no, but some distributions (Red Hat Enterprise Linux and its derivatives, for example) ship an /etc/ssh/sshd_config that explicitly sets GSSAPIAuthentication yes, so the effective default depends on the distribution.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check the GSSAPIAuthentication setting in /etc/ssh/sshd_config:
grep ^GSSAPIAuthentication /etc/ssh/sshd_config
Verify that it is set to no. Note that this grep is case-sensitive while sshd keywords are not, and that it does not look inside files pulled in by Include directives (typically /etc/ssh/sshd_config.d/*.conf); sshd uses the first value it reads, so a drop-in included near the top of the file overrides a later line in the main file. The authoritative check is the effective configuration printed by sshd -T (run as root), which should show gssapiauthentication no.
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config (and any included file that also sets the option):
vi /etc/ssh/sshd_config
Set GSSAPIAuthentication to no:
GSSAPIAuthentication no
Save the file, validate the configuration with sshd -t so that a syntax error cannot lock you out, then restart sshd:
systemctl restart sshd
On Debian and Ubuntu the unit is named ssh rather than sshd. Keep the existing session open until a new login has been confirmed to work.
Confirm the setting:
grep ^GSSAPIAuthentication /etc/ssh/sshd_config
and confirm the effective value with sshd -T, which reflects all included files.
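The audit and remediation steps above, as an added example script rather than CIS's own tooling. It assumes a GNU/Linux host with OpenSSH 8.2 or later (Include support) and root privileges for the live sshd -T and restart steps; the file-level functions work on any path, so they can be exercised offline. It goes beyond the single grep in the text by walking every file that sshd_config Includes (absolute glob patterns only), matching the keyword case-insensitively as sshd does, and validating with sshd -t before restarting.

```shell
#!/bin/sh
# Audit and remediate sshd GSSAPIAuthentication. Added example, not a CIS script.
# Assumes GNU/Linux with OpenSSH 8.2+ and root for the live checks (sshd -T,
# sshd -t, service restart). SSHD_CONFIG is an assumed override for testing.

MAIN_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# List the main config plus every file pulled in by Include globs. Only absolute
# patterns are handled; sshd resolves relative ones against /etc/ssh. Order
# matters: sshd honours the FIRST value it reads, so a drop-in Included near the
# top of sshd_config overrides a later line in the main file.
sshd_config_files() {
    main="$1"
    printf '%s\n' "$main"
    awk 'tolower($1)=="include" {for (i = 2; i <= NF; i++) print $i}' "$main" |
    while read -r pattern; do
        for f in $pattern; do        # unquoted on purpose: expand the glob
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# First value found in one file, lowercased, or "unset". Keywords are
# case-insensitive, so a plain `grep ^GSSAPIAuthentication` would miss
# "gssapiauthentication yes". Lines inside Match blocks are not distinguished;
# `sshd -T` remains the authoritative check.
file_gssapi() {
    awk 'tolower($1)=="gssapiauthentication" {print tolower($2); found = 1; exit}
         END {if (!found) print "unset"}' "$1"
}

# Rewrite every GSSAPIAuthentication line in FILE to "no", or append one if the
# file has none. Writes through `cat >` rather than mv so the file keeps its
# ownership and mode (sshd_config is normally root:root 0600).
set_gssapi_no() {
    f="$1"; tmp="$f.tmp.$$"
    awk 'tolower($1)=="gssapiauthentication" {print "GSSAPIAuthentication no"; n++; next}
         {print}
         END {if (!n) print "GSSAPIAuthentication no"}' "$f" > "$tmp" &&
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# What sshd will actually use, after all Includes (requires root and host keys).
effective_gssapi() {
    sshd -T 2>/dev/null | awk 'tolower($1)=="gssapiauthentication" {print $2}'
}

case "${1:-}" in
    audit)
        sshd_config_files "$MAIN_CONFIG" | while read -r f; do
            printf '%-45s %s\n' "$f" "$(file_gssapi "$f")"
        done
        effective=$(effective_gssapi)
        printf 'effective (sshd -T): %s\n' "${effective:-unknown}"
        ;;
    apply)
        sshd_config_files "$MAIN_CONFIG" | while read -r f; do set_gssapi_no "$f"; done
        # Validate before restarting so a typo cannot lock you out of the host.
        sshd -t || { echo "sshd config invalid, not restarting" >&2; exit 1; }
        systemctl restart sshd 2>/dev/null || systemctl restart ssh
        [ "$(effective_gssapi)" = "no" ] || { echo "GSSAPIAuthentication still enabled" >&2; exit 1; }
        ;;
esac
```

Run `sh gssapi.sh audit` to see the per-file values next to the effective one; a file reporting yes while sshd -T reports no usually means an earlier Include already set it. `sh gssapi.sh apply` rewrites every file in the Include chain, so the fix survives whichever file sshd reads first.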
Backout Plan:
Using Linux command line:
Re-enable GSSAPIAuthentication by setting it to yes in the same file(s) that were edited, if Kerberos-based single sign-on is required.
Validate with sshd -t, restart sshd, and verify that a Kerberos (GSSAPI) login succeeds.
References:
NIST SP 800-53 Revision 5 - AC-17