UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RHEL 9 SSH daemon must not allow Kerberos authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258004 RHEL-09-255140 SV-258004r958796_rule Medium
Description
Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227
STIG Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide 2024-06-04

Details

Check Text ( C-61745r952203_chk )
Verify the SSH daemon does not allow Kerberos authentication with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication'

KerberosAuthentication no

If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.
Fix Text (F-61669r925998_fix)
Configure the SSH daemon to not allow Kerberos authentication.

Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

KerberosAuthentication no

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service