Recently, vulnerability scans have revealed the GSSAPI key exchange algorithm to be a possible subject of attacks when configured in sshd.
However the UNIX/Linux server where the scan has been run also has UNAB installed
This article discussed if disabling it should cause any issue for UNAB/PAM SC or PIM operation
CA PIM and PAM SC all versions
As far as UNAB is concerned, GSSAPI in ssh/sshd is required only if UNAB users want SSO-style logon for ssh logins, i.e., passwordless subsequent logons after the first ssh logon is authenticated.
GSSAPI-related tokens in ssh and sshd configurations can be disabled without any effect on UNAB (only SSO will not be available). PAMSC does not use GSSAPI/Kerberos directly.
Note however that on the Unix/Linux side GSSAPI is an integral part of the authentication stack for accessing AD, so it cannot be taken out.
GSSAPI can be removed as a key exchange algorithm with the cautions outlined above, but it cannot be removed from the Linux/UNIX system because it is used for AD authentication