← Back to Amazon Linux 2023 Security Technical Implementation Guide

V-274044

CAT II (Medium)

Amazon Linux 2023 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

Rule ID

SV-274044r1120120_rule

STIG

Amazon Linux 2023 Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-001813

Discussion

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

Check Content

Verify Amazon Linux 2023 is configured so that the SSH daemon does not allow GSSAPI authentication with the following command:

$ sudo /usr/sbin/sshd -dd 2&gt;&amp;1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'
/etc/ssh/sshd_config.d/50-redhat.conf:GSSAPIAuthentication no

If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.

If the required value is not set, this is a finding.

Fix Text

Configure Amazon Linux 2023 so that the SSH daemon does not allow GSSAPI authentication.

Add or uncomment the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" and set the value to "no":

GSSAPIAuthentication no

The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service