Check: RHEL-09-255140
RHEL 9 STIG:
RHEL-09-255140
(in versions v1 r2 through v1 r1)
Title
RHEL 9 SSH daemon must not allow Kerberos authentication. (Cat II impact)
Discussion
Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227
Check Content
Verify the SSH daemon does not allow Kerberos authentication with the following command: $ sudo grep -i kerberosauth /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* KerberosAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.
Fix Text
Configure the SSH daemon to not allow Kerberos authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": KerberosAuthentication no The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service
Additional Identifiers
Rule ID: SV-258004r925999_rule
Vulnerability ID: V-258004
Group Title: SRG-OS-000364-GPOS-00151
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-001813 |
The information system enforces access restrictions. |