STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.

DISA Rule

SV-215292r508663_rule

Vulnerability Number

V-215292

Group Title

SRG-OS-000373-GPOS-00158

Rule Version

AIX7-00-002108

Severity

CAT II

CCI(s)

• CCI-002038 - The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.

Weight

10

Fix Recommendation

Edit "/etc/ssh/sshd_config" and remove the "GSSAPIAuthentication" setting or change the value to "no".

Refresh sshd:
# stopsrc -s sshd
# startsrc -s sshd

Check Contents

Ask the SA if GSSAPI authentication is used for SSH authentication to the system. If so, this is not applicable.

Check the SSH daemon configuration for the GSSAPI authentication setting:

# grep -i GSSAPIAuthentication /etc/ssh/sshd_config | grep -v '^#'
GSSAPIAuthentication no

If the setting is not set to "no", this is a finding.

Vulnerability Number

V-215292

Documentable

False

Rule Version

AIX7-00-002108

Severity Override Guidance

Ask the SA if GSSAPI authentication is used for SSH authentication to the system. If so, this is not applicable.

Check the SSH daemon configuration for the GSSAPI authentication setting:

# grep -i GSSAPIAuthentication /etc/ssh/sshd_config | grep -v '^#'
GSSAPIAuthentication no

If the setting is not set to "no", this is a finding.

Check Content Reference

M

Target Key

4012

Comments