{"description": "Sites set up to use Kerberos or other GSSAPI Authentication require setting\nsshd to accept this authentication.\nTo enable GSSAPI authentication, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>GSSAPIAuthentication yes</pre>", "rationale": "Kerberos authentication for SSH is often implemented using GSSAPI. If\nKerberos is enabled through SSH, the SSH daemon provides a means of access\nto the system's Kerberos implementation. Vulnerabilities in the system's\nKerberos implementations may be subject to exploitation.\n\nFor enterprises, Kerberos is often enabled and used with GSSAPI for\ncentralized user account management which may necessitate enabling of\nGSSAPI functionality in SSH.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's <tt>GSSAPIAuthentication</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>yes</tt> is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable GSSAPI Authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "GSSAPIAuthentication", "value": "yes", "datatype": "string"}, "backends": {}}}