CME-806

Kerberos Authentication (GSSAPI)

Description

Centralized ticket-based authentication using Kerberos. Passwords are never transmitted over the network, and mutual authentication prevents impersonation of either party.

CVSS Vector Impacts

| Metric | Transition | Rationale |
| --- | --- | --- |
| Attack Complexity (AC) | L → H | Credential interception useless; tickets are time-limited and host-bound |

CWE Relationships

Verification

Check Kerberos authentication is configured

$ klist -k /etc/krb5.keytab 2>/dev/null | head -5
# Expected: keytab entries (MIT klist prints three header lines before the first entry)
Platform: linux
$ sshd -T | grep gssapiauthentication
# Expected: gssapiauthentication yes
Platform: linux
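
A pass/fail version of the two checks above, as an added example that is not part of the original entry. It assumes MIT-style `klist -k` output and that sshd's service principal has the form host/<fqdn>@REALM; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original entry). Function names are hypothetical.
# Assumes MIT-style `klist -k` output and an sshd principal of host/<fqdn>@REALM.

# Succeeds if `klist -k` output on stdin lists at least one host/ principal.
# Header lines are skipped because their first field is not a numeric KVNO.
has_host_principal() {
    awk '$1 ~ /^[0-9]+$/ && / host\/[^@ ]+@[^ ]+/ { found = 1 }
         END { exit !found }'
}

# Succeeds only if `sshd -T` output on stdin has gssapiauthentication yes.
gssapi_enabled() {
    awk 'tolower($1) == "gssapiauthentication" { v = tolower($2) }
         END { exit (v != "yes") }'
}

# check_kerberos_ssh KLIST_OUTPUT SSHD_OUTPUT
# Prints PASS/FAIL per check; returns non-zero if either check fails.
check_kerberos_ssh() {
    rc=0
    if printf '%s\n' "$1" | has_host_principal; then
        echo "PASS keytab contains a host/ service principal"
    else
        echo "FAIL keytab missing, unreadable, or has no host/ principal"; rc=1
    fi
    if printf '%s\n' "$2" | gssapi_enabled; then
        echo "PASS sshd effective config: gssapiauthentication yes"
    else
        echo "FAIL sshd effective config does not enable GSSAPI"; rc=1
    fi
    return "$rc"
}
# Constructed sample outputs (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM'
SAMPLE_KLIST_HEADER_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------'
SAMPLE_SSHD_ON='port 22
gssapiauthentication yes'
SAMPLE_SSHD_OFF='port 22
gssapiauthentication no'
# Live use (as root, so the keytab and sshd config are readable): ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_kerberos_ssh "$(klist -k /etc/krb5.keytab 2>/dev/null)" "$(sshd -T 2>/dev/null)"
fi
```

A keytab that exists but yields only the header lines fails the first check, which a glance at the top of the `klist` output would not reveal.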