4.2.9 Ensure sshd GSSAPIAuthentication is disabled

Information

The GSSAPIAuthentication parameter specifies whether user authentication based on GSSAPI is allowed

Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, and should be disabled to reduce the attack surface of the system

Solution

Edit the /etc/ssh/sshd_config file to set the GSSAPIAuthentication parameter to no above any Match statement:

GSSAPIAuthentication no

Note: First occurrence of a option takes precedence, Match set statements withstanding.

See Also

https://workbench.cisecurity.org/benchmarks/15962

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 13ba316d818907e8a71b7e6f12755df2dbd342d8a21669b96b8d09b8c9e76f8e