The SSH daemon must not permit GSSAPI authentication unless needed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39280 | GEN005524-ESXI5-000104 | SV-51096r1_rule | Low |
| Description |
|---|
| GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed. |
| STIG | Date |
|---|---|
| VMware ESXi Server 5.0 Security Technical Implementation Guide | 2013-09-12 |
Details
| Check Text ( C-46544r1_chk ) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for the GSSAPIAuthentication setting. # grep -i GSSAPIAuthentication /etc/ssh/sshd_config | grep -v '^#' If "GSSAPIAuthentication" is set to "yes", this is a finding.' Re-enable lock down mode. |
| Fix Text (F-44259r1_fix) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "GSSAPIAuthentication" configuration and set it to "no". # vi /etc/ssh/sshd_config Re-enable lock down mode. |