5.1.11 Ensure sshd GSSAPIAuthentication is disabled

Information

The GSSAPIAuthentication parameter specifies whether user authentication based on GSSAPI is allowed

Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, and should be disabled to reduce the attack surface of the system

Solution

Edit the /etc/ssh/sshd_config file to set the GSSAPIAuthentication parameter to no above any Include and Match entries as follows:

GSSAPIAuthentication no

Note: First occurrence of an option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location.

See Also

https://workbench.cisecurity.org/benchmarks/18210

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: b275f60323d4a95dc37157f6f20fa9bbdbe09af1bc8ecd21feb5e501f16d6472