0

Our security tooling is flagging potential vulnerabilities in krb5. For the sake of this question, let's just assume Kerberos is not a value add for me.

We do not use Kerberos for authentication to this server, everything is handled through Amazon System Manager (SSM), which uses SSH keys to authenticate.

As a result I thought the simple solution would be to disable Kerberos based authentication.

I have thought of two potential ways to do this so far, but wanted to check that I didn't break anything:

  • In Ubuntu, Kerberos auth should be handled by the pam-auth-update utility. So removing pam-auth-update should delete Kerberos. However, it might also delete other important things?
  • The other option I thought of was to go into etc/services and delete krb5kdc/kpropd/etc. entries. Not sure though if this will leave pieces of Kerberos lying around, and I don't have a full list of services that Kerberos uses.

Then finally, should I be doing this at all? Is this a bad idea, if I know I do not want to use Kerberos auth ever on this server?

3
  • 1
    It's likely flagged for some Kerberos libraries and you can't uninstall those libraries because half the installed packages depend (most of them indirectly) on them. See apt-rdepends -r --state-follow=Installed --state-show=Installed libkrb5-3 for the list (here for libkrb5-3). Commented Nov 1, 2024 at 9:34
  • 2
    For instance, openssh-client and openssh-server depend on those libraries because ssh can do Kerberos authentication. That doesn't mean that Kerberos is in use or that your system is vulnerable, but that also doesn't mean you're not vulnerable, as for instance, a remote attacker could possibly trick your sshd to run some code in the krb5 library and hit the vulnerability there. Commented Nov 1, 2024 at 9:38
  • 1
    pam-auth-update is part of the framework to configure PAM, it's not the one doing authentication let alone Kerberos authentication. Your vulnerability scanner should be able to tell you what software exactly it thinks is vulnerable. Commented Nov 1, 2024 at 9:47
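
A check that follows from the comments above, added here as an example and not part of the original question or comments: it reports whether Kerberos/GSSAPI login is actually switched on in sshd's effective configuration and whether any PAM file loads pam_krb5. The function names and both sample inputs are constructed for illustration; on a real host the inputs would be the output of `sshd -T` and the files under `/etc/pam.d/`.

```shell
#!/bin/sh
# Added example: is Kerberos actually reachable as a login path on this host?

# Read `sshd -T` style output ("keyword value" lines) on stdin and print each
# Kerberos/GSSAPI authentication switch that is set to "yes".
enabled_krb_sshd() {
    awk '
        { key = tolower($1); val = tolower($2) }
        (key == "kerberosauthentication" ||
         key == "gssapiauthentication"   ||
         key == "gssapikeyexchange") && val == "yes" { print key }
    '
}

# Print uncommented lines that load pam_krb5.so from the PAM files given as
# arguments. /dev/null is appended so grep always prefixes the file name.
pam_krb5_lines() {
    grep -E '^[[:space:]]*[^#[:space:]].*pam_krb5\.so' "$@" /dev/null || true
}

# Constructed sample of `sshd -T` output (not taken from a real host).
SAMPLE_SSHD='port 22
kerberosauthentication no
kerberosorlocalpasswd yes
gssapiauthentication yes
gssapicleanupcredentials yes
passwordauthentication no'

# Constructed sample of a PAM file: one commented and one active pam_krb5 line.
SAMPLE_PAM='# auth sufficient pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok
account required    pam_krb5.so minimum_uid=1000'

# Demo on the constructed samples. Real usage (as root):
#   sshd -T | enabled_krb_sshd
#   pam_krb5_lines /etc/pam.d/*
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PAM" > "$tmp"
    echo "sshd switches enabled:"
    printf '%s\n' "$SAMPLE_SSHD" | enabled_krb_sshd
    echo "active pam_krb5 lines:"
    pam_krb5_lines "$tmp"
    rm -f "$tmp"
}
demo
```

Empty output from both functions means neither sshd nor PAM will take the Kerberos login path; the libraries stay installed and still need patching through normal package updates.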
