Should I disable GSSAPIAuthentication in sshd_config when joining to a Windows domain via SSSD?

Hello,

Quick question, as I can't find many results on the internet. I'm working on joining a test system to our Windows domain via SSSD to utilize remote identity and authentication, but I noticed the default sshd_config file has GSSAPIAuthentication=yes. This means I can ssh into a system joined to the domain without specifying creds if my client machine has a valid ticket. I'm confused because the man pages say this default value is No, but even after removing the sshd_config file and reinstalling openssh-server, it changes it back to yes. Does anybody know if there are any dependencies within the system that would require this? I doubt it but could be wrong. I'm assuming that disabling this would only affect ssh client-side authenticating to the system? Thanks in advance.

Responses

Hello Christoper Lebron,

I don't think that "GSSAPIAuthentication" is required when using SSSD. Mostly, GSS-API is used when the authentication protocol is Kerberos. But SSSD can interact with Kerberos as well. I don't have much information to share regarding this. Let's see if any community members have anything to say about it.

All the best!
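
An added example, not part of the original thread: the question turns on the gap between the documented default (`no`) and what the packaged `sshd_config` sets, so this sketch reports the global `GSSAPIAuthentication` value a given config file sets. The function name `effective_gssapi` is hypothetical and the sample file is constructed; the parser assumes a single file and does not follow `Include` directives.

```shell
#!/bin/sh
# Added example. sshd uses the FIRST value it obtains for a keyword; keywords
# are case-insensitive and "Keyword value" / "Keyword=value" are both accepted.
# Settings after the first Match line are conditional, so parsing stops there.
# If the keyword never appears, the documented default "no" applies.
effective_gssapi() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # drop leading indentation
            key = line
            sub(/[ \t=].*$/, "", key)              # keyword ends at space, tab or "="
            val = substr(line, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)        # strip the separator
            gsub(/"/, "", val)                     # values may be quoted
            sub(/[ \t].*$/, "", val)               # keep the first argument only
            key = tolower(key)
            if (key == "match") exit               # global section is over
            if (key == "gssapiauthentication") { found = tolower(val); exit }
        }
        END { print (found != "" ? found : "no") }
    ' "$1"
}

# Constructed sample resembling a packaged file that overrides the default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real host
PasswordAuthentication yes
GSSAPIAuthentication=yes
GSSAPIAuthentication no
Match User backup
    GSSAPIAuthentication no
EOF
echo "global GSSAPIAuthentication in sample: $(effective_gssapi "$sample")"
rm -f "$sample"
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, including any `Include` files, and is the authoritative check after editing.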