RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos authentication.

Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. OpenSSH uses the first occurrence of a keyword it sees, and drop-in files are read in lexicographical order at the start of the configuration. Red Hat recommends using drop-in files rather than changing base configuration files.

Verify RHEL 10 SSH daemons do not allow Kerberos authentication with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication' /etc/ssh/sshd_config.d/10-stig.conf:KerberosAuthentication no Verify the runtime setting with the following command: $ sudo sshd -T | grep -i kerberosauthentication kerberosauthentication no If the "KerberosAuthentication" keyword is not set to "no" in a drop-in that lexicographically precedes 50-redhat.conf, no output is returned, and the use of Kerberos authentication has not been documented with the information system security officer, this is a finding.

Configure RHEL 10 SSH daemons to not allow Kerberos authentication. In "/etc/ssh/sshd_config.d", create a drop file that will lexicographically precede 50-redhat.conf and add the following line: KerberosAuthentication no Restart the SSH service with the following command for the changes to take effect: $ sudo systemctl restart sshd.service