UCF STIG Viewer Logo

The SSH client must not permit GSSAPI authentication unless needed.


Overview

Finding ID Version Rule ID IA Controls Severity
GEN005525-ESXI5-9994 GEN005525-ESXI5-9994 GEN005525-ESXI5-9994_rule Low
Description
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.
STIG Date
VMware ESXi v5 Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-GEN005525-ESXI5-9994_chk )
Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for the GSSAPIAuthentication setting.
# grep -i GSSAPIAuthentication /etc/ssh/ssh_config | grep -v '^#'

If "GSSAPIAuthentication" is set to "yes", this is a finding.'

Re-enable lock down mode.
Fix Text (F-GEN005525-ESXI5-9994_fix)
Disable lock down mode.
Enable the ESXi Shell.

Edit the SSH client configuration and add/modify the "GSSAPIAuthentication" configuration and set it to "no".
# vi /etc/ssh/ssh_config

Re-enable lock down mode.