STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

The RHEL 8 SSH daemon must not allow unused methods of authentication.

DISA Rule

SV-230291r627750_rule

Vulnerability Number

V-230291

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RHEL-08-010521

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SSH daemon to not allow authentication using unused methods of authentication.

Add the following lines in "/etc/ssh/sshd_config", or uncomment the lines and set the values to "no":

KerberosAuthentication no
GSSAPIAuthentication no

The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:

$ sudo systemctl restart sshd.service

Check Contents

Verify the SSH daemon does not allow authentication using unused methods of authentication with the following command:

$ sudo grep -i "KerberosAuthentication\|GSSAPIAuthentication" /etc/ssh/sshd_config

KerberosAuthentication no
GSSAPIAuthentication no

If the values are returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.
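
The check above as a script, added here as an example (it is not part of the STIG text or of STIGQter). It evaluates a file for the finding conditions that can be read from the file itself: a value of "yes", a commented-out line, or no line at all. The function name `check_unused_auth` and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate an sshd_config-style file against
# the finding conditions of RHEL-08-010521. Exit status 0 = both directives
# are actively set to "no"; 1 = at least one finding condition is met.
# ISSO documentation cannot be read from the file and is out of scope here.
check_unused_auth() {
    awk '
    BEGIN {
        n = split("kerberosauthentication gssapiauthentication", keys, " ")
        for (i = 1; i <= n; i++) state[keys[i]] = "missing"
    }
    {
        line = tolower($0)                     # keywords are case-insensitive
        sub(/^[ \t]+/, "", line)
        commented = sub(/^#[ \t]*/, "", line)  # 1 if the line was a comment
        split(line, f, /[ \t]+/)
        if (!(f[1] in state)) next
        if (commented) {
            if (state[f[1]] == "missing") state[f[1]] = "commented"
        } else if (!(f[1] in active)) {
            active[f[1]] = 1                   # sshd uses the first value obtained
            state[f[1]] = f[2]
        }
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            verdict = (state[keys[i]] == "no") ? "ok" : "finding"
            if (verdict == "finding") rc = 1
            printf "%s: %s (%s)\n", keys[i], state[keys[i]], verdict
        }
        exit rc
    }' "$1"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#KerberosAuthentication no
GSSAPIAuthentication yes
EOF
check_unused_auth "$sample" || echo "result: finding"
rm -f "$sample"
```

Unlike the plain grep, the script separates an active "no" from a commented-out "no", which the check treats as a finding.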

Documentable

False

Severity Override Guidance

Verify the SSH daemon does not allow authentication using unused methods of authentication with the following command:

$ sudo grep -i "KerberosAuthentication\|GSSAPIAuthentication" /etc/ssh/sshd_config

KerberosAuthentication no
GSSAPIAuthentication no

If the values are returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the ISSO, this is a finding.

Check Content Reference

M

Target Key

2921

Comments