4.2.8 Ensure sshd GSSAPIAuthentication is disabled

Information

The GSSAPIAuthentication parameter specifies whether user authentication based on GSSAPI is allowed

Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, and should be disabled to reduce the attack surface of the system

Solution

Edit the /etc/ssh/sshd_config file to set the GSSAPIAuthentication parameter to no above any Match entries as follows:

GSSAPIAuthentication no

Note: First occurrence of an option takes precedence, Match set statements withstanding.

See Also

https://workbench.cisecurity.org/benchmarks/15023

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: d0640da0300a2c613902efbf1801294f4f31b5ed2ec3019e3849d334dbebce4e