{"description": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like GSSAPI.\n<br/>\nThe default SSH configuration disallows authentications based on GSSAPI. The appropriate\nconfiguration is used if no value is set for <tt>GSSAPIAuthentication</tt>.\n<br/>\nTo explicitly disable GSSAPI authentication, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>GSSAPIAuthentication no</pre>", "rationale": "GSSAPI authentication is used to provide additional authentication mechanisms to\napplications. Allowing GSSAPI authentication through SSH exposes the system's\nGSSAPI to remote hosts, increasing the attack surface of the system.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "cui": ["3.1.12"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-17(a)"], "nist-csf": ["PR.IP-1"], "ospp": ["FTP_ITC_EXT.1", "FCS_SSH_EXT.1.2"], "srg": ["SRG-OS-000364-GPOS-00151", "SRG-OS-000480-GPOS-00227"], "cis": ["5.1.9"], "ism": ["0418", "1055", "1402"]}, "control_references": {"cis": ["5.1.9"], "ism": ["0418", "1055", "1402"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>GSSAPIAuthentication</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n<pre>$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf</pre>\n\nIf a line indicating <tt>no</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "To configure the system add or modify the following line in \"/etc/ssh/sshd_config\".\n\nGSSAPIAuthentication no\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 SSH daemon must not allow GSSAPI authentication.", "vuldiscussion": "Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.", "checktext": "Verify the SSH daemon does not allow GSSAPI authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2&gt;&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*gssapiauthentication'\n\nGSSAPIAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.\n\nIf the required value is not set, this is a finding.", "fixtext": "Configure the SSH daemon to not allow GSSAPI authentication.\n\nAdd or uncomment the following line to \"/etc/ssh/sshd_config\" or to a file in \"/etc/ssh/sshd_config.d\" and set the value to \"no\":\n\nGSSAPIAuthentication no\n\nThe SSH service must be restarted for changes to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable GSSAPI Authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "GSSAPIAuthentication", "value": "no", "datatype": "string", "is_default_value": "true"}, "backends": {}}}