mediumaccess-controlverified ✓rollback-safe
Disable SSH Kerberos authentication
ssh-kerberos-authentication · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must not use Kerberos password authentication. This directive controls whether sshd attempts to validate password credentials against a Kerberos KDC, which is separate from GSSAPI ticket-based authentication.
Rationale
Kerberos password authentication through SSH sends credentials to a KDC for validation, adding an unnecessary authentication path when standard PAM-based or public key methods are available. An attacker could exploit this path to intercept or redirect Kerberos authentication attempts, especially in environments without a properly configured Kerberos realm.
Check → Remediate
Checksshd_effective_config
- key:
- kerberosauthentication
- expected:
- no
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- KerberosAuthentication
- value:
- no
- separator:
- reload:
- sshd
Framework references
STIG
V-230291 / RHEL-08-010521V-281255 / RHEL-10-700520V-258004 / RHEL-09-255140
NIST 800-53
CM-6IA-2
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#kerberos