Disabling the GSSAPI key exchange algorithm in CA PIM and CA PAM SC



Article ID: 236381


Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Recently, vulnerability scans have flagged the GSSAPI key exchange algorithm as a possible attack vector when it is enabled in sshd.

However, the UNIX/Linux server on which the scan was run also has UNAB installed.

This article discusses whether disabling it would cause any issue for UNAB, PAM SC or PIM operation.

Environment

CA PIM and PAM SC all versions

Cause

As far as UNAB is concerned, GSSAPI in ssh/sshd is required only if UNAB users want SSO-style logon for ssh logins, i.e., passwordless subsequent logons after the first ssh logon has been authenticated.

GSSAPI-related directives in the ssh and sshd configurations can be disabled without any effect on UNAB (only SSO will be unavailable). PAMSC does not use GSSAPI/Kerberos directly.

Note, however, that on the UNIX/Linux side GSSAPI is an integral part of the authentication stack for accessing AD, so it cannot be removed from the system.

Resolution

GSSAPI can be removed as a key exchange algorithm in sshd, with the cautions outlined above, but it cannot be removed from the Linux/UNIX system itself because it is used for AD authentication.
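The following audit helper is an added example, not part of this article or of the CA products. It reads an sshd_config file and reports the effective value of the GSSAPI directives, honouring sshd's rule that the first occurrence of a directive wins and that lines after a Match block are conditional. It assumes the distribution's OpenSSH supports the GSSAPIKeyExchange directive (Red Hat and Debian builds) and that an absent directive defaults to "no"; on a live host, `sshd -T` remains the authoritative check.

```shell
#!/bin/sh
# Print the effective value of an sshd_config directive (case-insensitive).
# sshd applies the FIRST matching directive, so later duplicates are ignored,
# and anything after a Match line only applies conditionally, so it is skipped.
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        {
            line = $0
            sub(/#.*/, "", line)               # strip comments
            sub(/^[ \t]+/, "", line)           # strip leading whitespace
            low = tolower(line)
        }
        low ~ /^match([ \t]|$)/ { inmatch = 1 } # rest of file is conditional
        inmatch { next }
        low ~ ("^" key "([ \t]|=)") {
            split(low, f, /[ \t=]+/)
            print f[2]
            exit
        }' "$1"
}

# Succeeds (exit 0) when GSSAPI key exchange is effectively disabled.
# Assumption: a missing GSSAPIKeyExchange directive defaults to "no".
gssapi_kex_disabled() {
    kex=$(effective_value "$1" GSSAPIKeyExchange)
    [ "${kex:-no}" = "no" ]
}

# Constructed sample: looks hardened at a glance, but the first
# GSSAPIKeyExchange line wins, so key exchange is still enabled.
write_weak_sample() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIKeyExchange no
Match User svc_backup
    GSSAPIKeyExchange no
EOF
}

# Constructed sample: key exchange disabled, GSSAPIAuthentication left on so
# UNAB SSO-style logons keep working (set it to "no" as well if SSO is unused).
write_hardened_sample() {
    cat > "$1" <<'EOF'
GSSAPIKeyExchange no
GSSAPIAuthentication yes
EOF
}
```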