Disabling the GSSAPI key exchange algorithm in CA PIM and CA PAM SC



Article ID: 236381




CA Privileged Access Manager - Server Control (PAMSC)


Vulnerability scans have flagged the GSSAPI key exchange algorithm as a possible attack vector when it is enabled in sshd.

However, the UNIX/Linux server on which the scan was run also has UNAB installed.

This article discusses whether disabling GSSAPI key exchange in sshd can cause any problem for UNAB, PAM SC or PIM operation.


CA PIM and PAM SC all versions


As far as UNAB is concerned, GSSAPI in ssh/sshd is required only if UNAB users want SSO-style logon over ssh, i.e. passwordless subsequent logons after the first ssh logon has been authenticated.

The GSSAPI-related directives in the ssh and sshd configurations can be disabled without any effect on UNAB itself (only the SSO behaviour is lost). PAM SC does not use GSSAPI/Kerberos directly.

Note however that on the UNIX/Linux side GSSAPI (Kerberos) is an integral part of the authentication stack used to reach Active Directory, so the GSSAPI libraries themselves cannot be taken out of the system.
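The following is an added example, not part of the CA article and not CA code, showing what "disabling GSSAPI as a key exchange algorithm" looks like in practice. It audits an sshd_config for GSSAPI key exchange and writes a hardened copy that turns off only the key exchange (the `GSSAPIKeyExchange` directive and the `gss-*` entries in `KexAlgorithms`), leaving `GSSAPIAuthentication` in place. GSSAPI key exchange and GSSAPI user authentication are separate OpenSSH features; Kerberos SSO for UNAB users rides on the latter, so this narrower change addresses the scan finding without giving up SSO. The sample sshd_config is constructed for the demo. It assumes a distribution sshd built with the GSSAPI key exchange patch (as RHEL and Debian builds are); stock OpenSSH has no GSSAPI key exchange at all and rejects `GSSAPIKeyExchange` as an unknown keyword.

```shell
#!/bin/sh
# Added example, not part of the CA article: audit an sshd_config for GSSAPI
# key exchange and write a hardened copy that disables only the key exchange,
# leaving GSSAPIAuthentication (the mechanism UNAB SSO relies on) untouched.
#
# Assumption: the target sshd carries the GSSAPI key exchange patch, so it
# accepts the GSSAPIKeyExchange directive and "gss-*" KexAlgorithms names.
# Stock OpenSSH has no GSSAPI kex and refuses to start on that keyword.

# Constructed sample sshd_config for the demo (not taken from a real host).
write_sample_conf() {
    cat > "$1" <<'EOF'
Port 22
# Kerberos single sign-on for UNAB users: keep this
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# GSSAPI key exchange: this is what the scanner flagged
GSSAPIKeyExchange yes
KexAlgorithms gss-group14-sha256-,gss-gex-sha1-,curve25519-sha256,diffie-hellman-group14-sha256
EOF
}

# Return 0 if the config enables GSSAPI key exchange, 1 otherwise.
# sshd honours the FIRST occurrence of a keyword, so only the first
# GSSAPIKeyExchange / KexAlgorithms line counts. Comment lines never
# match because their first field starts with "#".
gssapi_kex_enabled() {
    awk '
        tolower($1) == "gssapikeyexchange" && !seen_d {
            seen_d = 1
            if (tolower($2) == "yes") on = 1
        }
        tolower($1) == "kexalgorithms" && !seen_k {
            seen_k = 1
            if (tolower($2) ~ /(^|,)gss-/) on = 1
        }
        END { exit (on ? 0 : 1) }
    ' "$1"
}

# Write a hardened copy of $1 to $2: emit "GSSAPIKeyExchange no" as the first
# global directive (first match wins, and it stays outside any Match block),
# drop existing GSSAPIKeyExchange lines, and strip gss-* names from every
# KexAlgorithms list. A list left empty is dropped so sshd falls back to its
# built-in default key exchange set. Everything else is copied verbatim.
harden_gssapi_kex() {
    awk '
        BEGIN { print "GSSAPIKeyExchange no" }
        tolower($1) == "gssapikeyexchange" { next }
        tolower($1) == "kexalgorithms" {
            n = split($2, algs, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (tolower(algs[i]) ~ /^gss-/) continue
                out = out (out == "" ? "" : ",") algs[i]
            }
            if (out != "") print "KexAlgorithms " out
            next
        }
        { print }
    ' "$1" > "$2"
}

# Stand-alone demo: audit the constructed config, harden it, show the result.
conf=$(mktemp)
hardened=$(mktemp)
write_sample_conf "$conf"
if gssapi_kex_enabled "$conf"; then
    echo "before: GSSAPI key exchange ENABLED"
else
    echo "before: GSSAPI key exchange disabled"
fi
harden_gssapi_kex "$conf" "$hardened"
if gssapi_kex_enabled "$hardened"; then
    echo "after:  GSSAPI key exchange still enabled"
else
    echo "after:  GSSAPI key exchange disabled (GSSAPIAuthentication kept)"
fi
echo "--- hardened config ---"
cat "$hardened"
rm -f "$conf" "$hardened"
```

Before deploying the hardened file, validate it with `sshd -t -f <file>` and, after restarting sshd, confirm the effective settings with `sshd -T | grep -i gssapi`. If `sshd -t` reports `GSSAPIKeyExchange` as a bad configuration option, the build has no GSSAPI key exchange patch and therefore nothing to disable; the scan finding should then be re-examined against the actual `KexAlgorithms` list.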


GSSAPI can be removed as a key exchange algorithm in sshd, with the cautions outlined above, but it cannot be removed from the Linux/UNIX system itself, because it is used for AD authentication.