Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The SSH client must not permit GSSAPI authentication unless needed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| GEN005525-ESXI5-9994 | GEN005525-ESXI5-9994 | GEN005525-ESXI5-9994_rule | Low |
| Description |
|---|
| GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-GEN005525-ESXI5-9994_chk ) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for the GSSAPIAuthentication setting. # grep -i GSSAPIAuthentication /etc/ssh/ssh_config | grep -v '^#' If "GSSAPIAuthentication" is set to "yes", this is a finding.' Re-enable lock down mode. |
| Fix Text (F-GEN005525-ESXI5-9994_fix) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Edit the SSH client configuration and add/modify the "GSSAPIAuthentication" configuration and set it to "no". # vi /etc/ssh/ssh_config Re-enable lock down mode. |