Rule ID
SV-285323r1211197_rule
Version
V1R2
CCIs
Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. Satisfies: SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00228
If OpenSSH is not installed on the system, this requirement is not applicable. Verify the system does not allow GSSAPI authentication with the following command: C:\ > Get-Content "$env:ProgramData\ssh\sshd_config" | Select-String -Pattern '^\s*GSSAPIAuthentication' GSSAPIAuthentication no If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.
To configure the system, add or modify the following line in the "$env:ProgramData/ssh/sshd_config" file: GSSAPIAuthentication no Restart the OpenSSH service for the settings to take effect.