← Rules Catalog
mediumaccess-controlverified rollback-safe

Disable SSH Kerberos authentication

ssh-kerberos-authentication · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must not use Kerberos password authentication. This directive controls whether sshd attempts to validate password credentials against a Kerberos KDC, which is separate from GSSAPI ticket-based authentication.

Rationale

Kerberos password authentication through SSH sends credentials to a KDC for validation, adding an unnecessary authentication path when standard PAM-based or public key methods are available. An attacker could exploit this path to intercept or redirect Kerberos authentication attempts, especially in environments without a properly configured Kerberos realm.

Check → Remediate

Checksshd_effective_config
key:
kerberosauthentication
expected:
no
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
KerberosAuthentication
value:
no
separator:
reload:
sshd

Framework references

STIG

V-230291 / RHEL-08-010521V-281255 / RHEL-10-700520V-258004 / RHEL-09-255140

NIST 800-53

CM-6IA-2

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#kerberos