GSSAPI-based authentication allows OpenSSH servers to delegate user identity checks to external mechanisms such as Kerberos, integrating SSH logins with centralized single sign-on. In environments that depend on domain tickets and constrained delegation, enabling GSSAPI reduces password prompts and aligns SSH access with existing security policies.
During connection setup, the sshd daemon evaluates the GSSAPIAuthentication directive in /etc/ssh/sshd_config to decide whether to offer GSSAPI as an authentication method to clients. When the option is enabled and a compatible client and key distribution center are available, SSH can complete logins using tickets instead of interactive credentials while still applying server-side access controls and authorized key checks where configured.
Leaving GSSAPI active on systems that do not use it can slow down logins due to DNS lookups, ticket acquisition attempts, or unreachable Kerberos infrastructure. Adjusting the GSSAPIAuthentication setting at the server level and validating the configuration before restarting sshd balances performance with the needs of any existing single sign-on deployment.
GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed. The default is no.
$ whoami
user
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-$(date +%Y%m%d%H%M%S)
Misconfigured /etc/ssh/sshd_config can block remote logins, so a backup allows quick rollback if sshd fails to restart.
$ sudo vi /etc/ssh/sshd_config
Any text editor such as nano, vim, or vi can modify the configuration file as long as the process runs with root or sudo privileges.
$ sudo grep -n -i gssapiauthentication /etc/ssh/sshd_config
80:#GSSAPIAuthentication no
GSSAPIAuthentication no
Add the line if missing and remove any leading # character so that OpenSSH does not treat it as a comment.
$ sudo sshd -t
No output indicates that sshd parsed /etc/ssh/sshd_config successfully.
$ sudo systemctl restart ssh
On some Linux distributions the service name is sshd instead of ssh, so use sudo systemctl restart sshd if the first command fails.
$ sudo sshd -T | grep -i gssapiauthentication
gssapiauthentication no
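The backup and edit steps above as a repeatable script; this is an added example, not from the original page, and set_gssapi is a hypothetical helper name. It goes beyond the manual edit by handling Match blocks: sshd uses the first value it obtains for a keyword, and a line placed after a Match line belongs to that block, so the directive is written in the global section and existing Match overrides are left untouched.

```shell
#!/bin/sh
# Added example. set_gssapi is a hypothetical helper, not part of OpenSSH.
# Usage: set_gssapi FILE yes|no
set_gssapi() {
    file=$1 value=$2
    case $value in
        yes|no) ;;
        *) echo "set_gssapi: value must be yes or no" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    # Same timestamped backup as in the steps above, for quick rollback.
    cp -p "$file" "$file.bak-$(date +%Y%m%d%H%M%S)" || return 1
    awk -v val="$value" '
        function emit() { if (!done) { print "GSSAPIAuthentication " val; done = 1 } }
        { low = tolower($0) }
        # First Match line ends the global section: make sure the directive
        # has been written before it, then leave Match blocks untouched.
        !in_match && low ~ /^[ \t]*match[ \t]/ { emit(); in_match = 1 }
        # Global setting, active or commented out: keep one line, drop repeats.
        !in_match && low ~ /^[ \t]*#?[ \t]*gssapiauthentication[ \t=]+(yes|no)[ \t]*$/ {
            emit(); next
        }
        { print }
        END { emit() }   # no earlier occurrence and no Match block: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the owner and mode of the original are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample input (not a real server configuration).
demo_dir=$(mktemp -d)
demo_conf=$demo_dir/sshd_config
cat > "$demo_conf" <<'EOF'
Port 22
#GSSAPIAuthentication no
PasswordAuthentication yes
Match User backup
    GSSAPIAuthentication yes
EOF
set_gssapi "$demo_conf" no
cat "$demo_conf"
rm -rf "$demo_dir"
```

After the rewrite, run sshd -t and restart the service as in the steps above. sshd -T reports the global value, so checking a Match override requires sshd -T -C with the connection parameters for that user.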