OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-271704	SRG-OS-000364-GPOS-00151	OL09-00-002341	SV-271704r1091824_rule	2025-05-08	1

Description
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

ℹ️ Check
Verify that OL 9 SSH daemon does not allow GSSAPI authentication with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 \| awk '/filename/ {print $4}' \| tr -d '\r' \| tr '\n' ' ' \| xargs sudo grep -iH '^\s*gssapiauthentication' GSSAPIAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.

ℹ️ Check

Verify that OL 9 SSH daemon does not allow GSSAPI authentication with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication' GSSAPIAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, and the use of GSSAPI authentication has not been documented with the information system security officer (ISSO), this is a finding.

✔️ Fix
Configure the SSH daemon to not allow GSSAPI authentication. Add or uncomment the following line to "/etc/ssh/sshd_config" or to a file in "/etc/ssh/sshd_config.d" and set the value to "no": GSSAPIAuthentication no The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service