{"description": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like Kerberos.\n<br/>\nThe default SSH configuration disallows authentication validation through Kerberos.\nThe appropriate configuration is used if no value is set for <tt>KerberosAuthentication</tt>.\n<br/>\nTo explicitly disable Kerberos authentication, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>KerberosAuthentication no</pre>", "rationale": "Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos\nis enabled through SSH, the SSH daemon provides a means of access to the\nsystem's Kerberos implementation.\nConfiguring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "cui": ["3.1.12"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["AC-17(a)", "CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1"], "ospp": ["FTP_ITC_EXT.1", "FCS_SSH_EXT.1.2"], "srg": ["SRG-OS-000364-GPOS-00151", "SRG-OS-000480-GPOS-00227"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "control_references": {"ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>KerberosAuthentication</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n<pre>$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf</pre>\n\nIf a line indicating <tt>no</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "To configure the system add or modify the following line in \"/etc/ssh/sshd_config\".\n\nKerberosAuthentication no\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 SSH daemon must not allow Kerberos authentication.", "vuldiscussion": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.", "checktext": "Verify the SSH daemon does not allow Kerberos authentication with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*kerberosauthentication'\n\nKerberosAuthentication no\n\nIf the value is returned as \"yes\", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.", "fixtext": "Configure the SSH daemon to not allow Kerberos authentication.\n\nAdd the following line in \"/etc/ssh/sshd_config\" or to a file in \"/etc/ssh/sshd_config.d\", or uncomment the line and set the value to \"no\":\n\nKerberosAuthentication no\n\nThe SSH service must be restarted for changes to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable Kerberos Authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "KerberosAuthentication", "value": "no", "datatype": "string", "is_default_value": "true"}, "backends": {}}}