Title

Amazon Linux 2023 SSH daemon must not allow Kerberos authentication. (Cat II impact)

Discussion

Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.

Check Content

Verify Amazon Linux 2023 is configured so that the SSH daemon does not allow Kerberos authentication with the following command: $ [ec2-user@ip-172-31-12-63 ~]$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication' /etc/ssh/sshd_config.d/93-KerberosAuthentication.conf:KerberosAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.

Fix Text

Configure Amazon Linux 2023 so that the SSH daemon does not allow Kerberos authentication. Add the following line in "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "no": KerberosAuthentication no The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-274045r1120123_rule

Vulnerability ID: V-274045

Group Title: SRG-OS-000364-GPOS-00151

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.