ESXI-65-000019 – The ESXi host SSH daemon must not permit Kerberos authentication.

Details

Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system’s Kerberos implementation. Vulnerabilities in the system’s Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems.

Solution

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in ‘/etc/ssh/sshd_config’:

KerberosAuthentication no

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

800-53|CM-6b.
CAT|III
CCI|CCI-000366
Rule-ID|SV-207620r388482_rule
STIG-ID|ESXI-65-000019
STIG-Legacy|SV-104071
STIG-Legacy|V-93985
Vuln-ID|V-207620

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles