STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Oracle Linux 9 Security Technical Implementation Guide

V-271718

CAT II (Medium)

OL 9 SSH daemon must not allow Kerberos authentication.

Rule ID

SV-271718r1091866_rule

STIG

Oracle Linux 9 Security Technical Implementation Guide

Version

V1R5

CCIs

CCI-001813

Discussion

Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.

Check Content

Verify that OL 9 SSH daemon does not allow Kerberos authentication with the following command:

$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication'
KerberosAuthentication no

If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer (ISSO), this is a finding.

Fix Text

Configure the SSH daemon to not allow Kerberos authentication.

Add the following line in "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" or uncomment the line and set the value to "no":

KerberosAuthentication no

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service