From f6e975652b1ee6879a5f379426718857b4e0b93b Mon Sep 17 00:00:00 2001
From: Vincent Shen <wenshen@redhat.com>
Date: Fri, 7 Nov 2025 19:59:34 -0800
Subject: [PATCH 1/6] CMP-3916: Fix sshd_disable_gssapi_auth remediation for
 Kubernetes

Add shared Kubernetes configuration that disables GSSAPI authentication
in SSHD by setting GSSAPIAuthentication to 'no' with higher priority.
This is necessary because the default 50-redhat.conf file contains
GSSAPIAuthentication set to 'yes', which must be overridden for
compliance requirements.
---
 .../sshd_disable_gssapi_auth/kubernetes/shared.yml        | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
new file mode 100644
index 000000000000..c325c1fbc6e5
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_ocp,multi_platform_rhcos
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ kubernetes_sshd_set() }}}
+---
+{{{ kubernetes_sshd_dropin('GSSAPIAuthentication no', config_basename='75-complianceascode-sshd_disable_gssapi_auth.conf') }}}

From 24f322cc1c9742472a09855a2cd60aad76dee9f8 Mon Sep 17 00:00:00 2001
From: Xiaojie Yuan <xiyuan@redhat.com>
Date: Mon, 10 Nov 2025 15:22:24 +0800
Subject: [PATCH 2/6] Remove extra config file

---
 .../ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
index c325c1fbc6e5..40fa307e578e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
@@ -5,4 +5,5 @@
 # disruption = low
 {{{ kubernetes_sshd_set() }}}
 ---
+{{{ kubernetes_sshd_remove_dropin('00-complianceascode-GSSAPIAuthentication.conf') }}}
 {{{ kubernetes_sshd_dropin('GSSAPIAuthentication no', config_basename='75-complianceascode-sshd_disable_gssapi_auth.conf') }}}

From 72cf10748ebf5d390a8db8796ab0885b1674150a Mon Sep 17 00:00:00 2001
From: Xiaojie Yuan <xiyuan@redhat.com>
Date: Mon, 10 Nov 2025 15:40:14 +0800
Subject: [PATCH 3/6] Update to remove the old
 00-complianceascode-GSSAPIAuthentication.conf file

---
 shared/macros/10-kubernetes.jinja | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/shared/macros/10-kubernetes.jinja b/shared/macros/10-kubernetes.jinja
index 15a7eea15294..c0a111e5f0d2 100644
--- a/shared/macros/10-kubernetes.jinja
+++ b/shared/macros/10-kubernetes.jinja
@@ -248,6 +248,34 @@ spec:
 {{{ kubernetes_machine_config_file(path='/etc/ssh/sshd_config.d/' + config_basename, file_permissions_mode='0600', source=sshd_dropin_content, ocp_version_range=ocp_version_range) }}}
 {{%- endmacro -%}}
 
+{{#
+  High level macro to generate Kubernetes remediation to remove SSH daemon configuration drop-in files.
+  This is used to clean up old or incorrectly named drop-in files.
+  Parameters:
+    config_basename: Basename of the drop-in file to remove (e.g., '00-complianceascode-GSSAPIAuthentication.conf')
+    ocp_version_range: Optional OpenShift version range (default: '>=4.13.0')
+#}}
+{{%- macro kubernetes_sshd_remove_dropin(config_basename, ocp_version_range='>=4.13.0') -%}}
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+{{%- if ocp_version_range|length > 0 %}}
+metadata:
+  annotations:
+    complianceascode.io/ocp-version: '{{{ ocp_version_range }}}'
+{{%- endif %}}
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - path: /etc/ssh/sshd_config.d/{{{ config_basename }}}
+        overwrite: true
+        contents:
+          source: data:,
+        mode: 0600
+{{%- endmacro -%}}
+
 
 {{% macro usbguard_config_source() %}}
 #

From 86ee969b099f34f2532a6648871bf4251c203fae Mon Sep 17 00:00:00 2001
From: Xiaojie Yuan <xiyuan@redhat.com>
Date: Tue, 11 Nov 2025 11:12:35 +0800
Subject: [PATCH 4/6] Update

---
 .../sshd_disable_gssapi_auth/oval/shared.xml  | 116 ++++++++++++++++++
 1 file changed, 116 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml
new file mode 100644
index 000000000000..ba89fa72cd0b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml
@@ -0,0 +1,116 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    <metadata>
+      <title>Disable GSSAPI Authentication</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Ensure GSSAPIAuthentication is effectively disabled by checking that either no config sets it, or the first config that sets it uses 'no'</description>
+    </metadata>
+    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset"
+          definition_ref="sshd_not_required_or_unset" />
+        {{% if product == "sle12" %}}
+        <extend_definition definition_ref="package_openssh_removed"
+          comment="rpm package openssh removed"/>
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server removed"
+          definition_ref="package_openssh-server_removed" />
+        {{% endif %}}
+      </criteria>
+      <criteria comment="sshd is installed and configured" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset"
+          definition_ref="sshd_required_or_unset" />
+        {{% if product == "sle12" %}}
+        <extend_definition comment="rpm package openssh installed"
+          definition_ref="package_openssh_installed" />
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server installed"
+          definition_ref="package_openssh-server_installed" />
+        {{% endif %}}
+        <criteria comment="Runtime effective configuration has GSSAPIAuthentication no" operator="OR">
+          <!-- PASS if: Our compliance config exists and comes before any conflicting config -->
+          <criteria operator="AND">
+            <criterion comment="Compliance config file exists with GSSAPIAuthentication no"
+              test_ref="test_{{{ rule_id }}}_compliance_config_correct" />
+            <criterion comment="No conflicting earlier config file exists"
+              test_ref="test_{{{ rule_id }}}_no_earlier_conflict" negate="true" />
+          </criteria>
+          <!-- PASS if: Main config has it set to no and no dropin overrides it -->
+          <criteria operator="AND">
+            <criterion comment="Main sshd_config has GSSAPIAuthentication no"
+              test_ref="test_{{{ rule_id }}}_main_config_no" />
+            <criterion comment="No dropin config overrides to yes"
+              test_ref="test_{{{ rule_id }}}_dropin_override_yes" negate="true" />
+          </criteria>
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <!-- Test 1: Check if our compliance config file has GSSAPIAuthentication no -->
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+    comment="Check compliance config has GSSAPIAuthentication no"
+    id="test_{{{ rule_id }}}_compliance_config_correct" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_compliance_config" />
+    <ind:state state_ref="state_{{{ rule_id }}}_value_no" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_compliance_config" version="1">
+    <ind:path>/etc/ssh/sshd_config.d</ind:path>
+    <ind:filename operation="pattern match">^\d+-complianceascode.*gssapi.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Test 2: Check if there's a conflicting config that comes BEFORE our compliance config
+       This looks for files 00-*.conf through 74-*.conf that set GSSAPIAuthentication to yes -->
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+    comment="Check if earlier config files set GSSAPIAuthentication to yes"
+    id="test_{{{ rule_id }}}_no_earlier_conflict" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_earlier_configs_yes" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_earlier_configs_yes" version="1">
+    <ind:path>/etc/ssh/sshd_config.d</ind:path>
+    <!-- Match files that come before 75- in lexicographic order -->
+    <ind:filename operation="pattern match">^[0-6][0-9]-.*\.conf$|^7[0-4]-.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(yes)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Test 3: Check main sshd_config -->
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+    comment="Check main config has GSSAPIAuthentication no"
+    id="test_{{{ rule_id }}}_main_config_no" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_main_config" />
+    <ind:state state_ref="state_{{{ rule_id }}}_value_no" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_main_config" version="1">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Test 4: Check if any dropin overrides to yes -->
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+    comment="Check if dropin configs set GSSAPIAuthentication to yes"
+    id="test_{{{ rule_id }}}_dropin_override_yes" version="1">
+    <ind:object object_ref="object_{{{ rule_id }}}_dropin_yes" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_dropin_yes" version="1">
+    <ind:path>/etc/ssh/sshd_config.d</ind:path>
+    <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(yes)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- State: value should be "no" -->
+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_value_no" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^(?i)no(?-i)$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>

From 428c1eb9d898ff40ead79de86a54e2c8cbe14530 Mon Sep 17 00:00:00 2001
From: Xiaojie Yuan <xiyuan@redhat.com>
Date: Tue, 11 Nov 2025 12:04:03 +0800
Subject: [PATCH 5/6] Don't use distributed SSH config

---
 .../kubernetes/shared.yml                     |   9 --
 .../sshd_disable_gssapi_auth/oval/shared.xml  | 116 ------------------
 .../sshd_disable_gssapi_auth/rule.yml         |   1 +
 3 files changed, 1 insertion(+), 125 deletions(-)
 delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
 delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
deleted file mode 100644
index 40fa307e578e..000000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-# platform = multi_platform_ocp,multi_platform_rhcos
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ kubernetes_sshd_set() }}}
----
-{{{ kubernetes_sshd_remove_dropin('00-complianceascode-GSSAPIAuthentication.conf') }}}
-{{{ kubernetes_sshd_dropin('GSSAPIAuthentication no', config_basename='75-complianceascode-sshd_disable_gssapi_auth.conf') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml
deleted file mode 100644
index ba89fa72cd0b..000000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml
+++ /dev/null
@@ -1,116 +0,0 @@
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    <metadata>
-      <title>Disable GSSAPI Authentication</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Ensure GSSAPIAuthentication is effectively disabled by checking that either no config sets it, or the first config that sets it uses 'no'</description>
-    </metadata>
-    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
-      <criteria comment="sshd is not installed" operator="AND">
-        <extend_definition comment="sshd is not required or requirement is unset"
-          definition_ref="sshd_not_required_or_unset" />
-        {{% if product == "sle12" %}}
-        <extend_definition definition_ref="package_openssh_removed"
-          comment="rpm package openssh removed"/>
-        {{% else %}}
-        <extend_definition comment="rpm package openssh-server removed"
-          definition_ref="package_openssh-server_removed" />
-        {{% endif %}}
-      </criteria>
-      <criteria comment="sshd is installed and configured" operator="AND">
-        <extend_definition comment="sshd is required or requirement is unset"
-          definition_ref="sshd_required_or_unset" />
-        {{% if product == "sle12" %}}
-        <extend_definition comment="rpm package openssh installed"
-          definition_ref="package_openssh_installed" />
-        {{% else %}}
-        <extend_definition comment="rpm package openssh-server installed"
-          definition_ref="package_openssh-server_installed" />
-        {{% endif %}}
-        <criteria comment="Runtime effective configuration has GSSAPIAuthentication no" operator="OR">
-          <!-- PASS if: Our compliance config exists and comes before any conflicting config -->
-          <criteria operator="AND">
-            <criterion comment="Compliance config file exists with GSSAPIAuthentication no"
-              test_ref="test_{{{ rule_id }}}_compliance_config_correct" />
-            <criterion comment="No conflicting earlier config file exists"
-              test_ref="test_{{{ rule_id }}}_no_earlier_conflict" negate="true" />
-          </criteria>
-          <!-- PASS if: Main config has it set to no and no dropin overrides it -->
-          <criteria operator="AND">
-            <criterion comment="Main sshd_config has GSSAPIAuthentication no"
-              test_ref="test_{{{ rule_id }}}_main_config_no" />
-            <criterion comment="No dropin config overrides to yes"
-              test_ref="test_{{{ rule_id }}}_dropin_override_yes" negate="true" />
-          </criteria>
-        </criteria>
-      </criteria>
-    </criteria>
-  </definition>
-
-  <!-- Test 1: Check if our compliance config file has GSSAPIAuthentication no -->
-  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
-    comment="Check compliance config has GSSAPIAuthentication no"
-    id="test_{{{ rule_id }}}_compliance_config_correct" version="1">
-    <ind:object object_ref="object_{{{ rule_id }}}_compliance_config" />
-    <ind:state state_ref="state_{{{ rule_id }}}_value_no" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_compliance_config" version="1">
-    <ind:path>/etc/ssh/sshd_config.d</ind:path>
-    <ind:filename operation="pattern match">^\d+-complianceascode.*gssapi.*\.conf$</ind:filename>
-    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Test 2: Check if there's a conflicting config that comes BEFORE our compliance config
-       This looks for files 00-*.conf through 74-*.conf that set GSSAPIAuthentication to yes -->
-  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
-    comment="Check if earlier config files set GSSAPIAuthentication to yes"
-    id="test_{{{ rule_id }}}_no_earlier_conflict" version="1">
-    <ind:object object_ref="object_{{{ rule_id }}}_earlier_configs_yes" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_earlier_configs_yes" version="1">
-    <ind:path>/etc/ssh/sshd_config.d</ind:path>
-    <!-- Match files that come before 75- in lexicographic order -->
-    <ind:filename operation="pattern match">^[0-6][0-9]-.*\.conf$|^7[0-4]-.*\.conf$</ind:filename>
-    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(yes)[ \t]*(?:$|#)</ind:pattern>
-    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Test 3: Check main sshd_config -->
-  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
-    comment="Check main config has GSSAPIAuthentication no"
-    id="test_{{{ rule_id }}}_main_config_no" version="1">
-    <ind:object object_ref="object_{{{ rule_id }}}_main_config" />
-    <ind:state state_ref="state_{{{ rule_id }}}_value_no" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_main_config" version="1">
-    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- Test 4: Check if any dropin overrides to yes -->
-  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
-    comment="Check if dropin configs set GSSAPIAuthentication to yes"
-    id="test_{{{ rule_id }}}_dropin_override_yes" version="1">
-    <ind:object object_ref="object_{{{ rule_id }}}_dropin_yes" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_{{{ rule_id }}}_dropin_yes" version="1">
-    <ind:path>/etc/ssh/sshd_config.d</ind:path>
-    <ind:filename operation="pattern match">.*\.conf$</ind:filename>
-    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(yes)[ \t]*(?:$|#)</ind:pattern>
-    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- State: value should be "no" -->
-  <ind:textfilecontent54_state id="state_{{{ rule_id }}}_value_no" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^(?i)no(?-i)$</ind:subexpression>
-  </ind:textfilecontent54_state>
-
-</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
index 355b98ed75c0..769d9d252906 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -55,3 +55,4 @@ template:
         value: 'no'
         datatype: string
         is_default_value: 'true'
+        sshd_distributed_config: 'false'

From 66bf9949a5365d9cae4dd15163ed814b9d231b72 Mon Sep 17 00:00:00 2001
From: Xiaojie Yuan <xiyuan@redhat.com>
Date: Tue, 11 Nov 2025 16:57:09 +0800
Subject: [PATCH 6/6] Remove template for the rule

---
 .../ansible/shared.yml                        |  7 ++
 .../sshd_disable_gssapi_auth/bash/shared.sh   |  7 ++
 .../kubernetes/shared.yml                     | 15 ++++
 .../sshd_disable_gssapi_auth/oval/shared.xml  | 68 +++++++++++++++++++
 .../sshd_disable_gssapi_auth/rule.yml         |  9 ---
 5 files changed, 97 insertions(+), 9 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/ansible/shared.yml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/bash/shared.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/ansible/shared.yml
new file mode 100644
index 000000000000..a64f731f32ed
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/ansible/shared.yml
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_sshd_remediation(parameter="GSSAPIAuthentication", value="no", config_is_distributed=false) }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/bash/shared.sh
new file mode 100644
index 000000000000..1dd8ad398d86
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_sshd_remediation(parameter="GSSAPIAuthentication", value="no", config_is_distributed="false") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
new file mode 100644
index 000000000000..bedec14667b0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml
@@ -0,0 +1,15 @@
+# platform = multi_platform_ocp,multi_platform_rhcos
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Remove any old dropin configs that may have been created
+{{{ kubernetes_sshd_remove_dropin('00-complianceascode-GSSAPIAuthentication.conf') }}}
+---
+{{{ kubernetes_sshd_remove_dropin('01-complianceascode-reinforce-os-defaults.conf') }}}
+---
+{{{ kubernetes_sshd_remove_dropin('75-complianceascode-sshd_disable_gssapi_auth.conf') }}}
+---
+# Modify the main sshd_config file directly (no version restriction)
+{{{ kubernetes_sshd_set(ocp_version_range='') }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml
new file mode 100644
index 000000000000..f6a45c27bee2
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml
@@ -0,0 +1,68 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    <metadata>
+      <title>Disable GSSAPI Authentication</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Ensure 'GSSAPIAuthentication' is configured with value 'no' in /etc/ssh/sshd_config</description>
+    </metadata>
+    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset"
+          definition_ref="sshd_not_required_or_unset" />
+        {{% if product == "sle12" %}}
+        <extend_definition definition_ref="package_openssh_removed"
+          comment="rpm package openssh removed"/>
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server removed"
+          definition_ref="package_openssh-server_removed" />
+        {{% endif %}}
+      </criteria>
+      <criteria comment="sshd is installed and configured" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset"
+          definition_ref="sshd_required_or_unset" />
+        {{% if product == "sle12" %}}
+        <extend_definition comment="rpm package openssh installed"
+          definition_ref="package_openssh_installed" />
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server installed"
+          definition_ref="package_openssh-server_installed" />
+        {{% endif %}}
+        <criteria comment="sshd is configured correctly" operator="AND">
+          <criteria comment="the configuration is correct if it exists" operator="AND">
+            <criterion comment="Check the GSSAPIAuthentication in /etc/ssh/sshd_config"
+              test_ref="test_{{{ rule_id }}}" />
+          </criteria>
+          <criterion comment="the configuration exists" test_ref="test_GSSAPIAuthentication_present_{{{ rule_id }}}" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <!-- Main test: Check /etc/ssh/sshd_config only -->
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file"
+    id="test_{{{ rule_id }}}" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+    <ind:state state_ref="state_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <!-- Test that configuration exists -->
+  <ind:textfilecontent54_test id="test_GSSAPIAuthentication_present_{{{ rule_id }}}" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Verify that the value of GSSAPIAuthentication is present">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
index 769d9d252906..8d5197bec9a7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -47,12 +47,3 @@ fixtext: |-
     {{{ fixtext_sshd_lineinfile("GSSAPIAuthentication", "no") }}}
 
 srg_requirement: 'The {{{ full_name }}} SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.'
-
-template:
-    name: sshd_lineinfile
-    vars:
-        parameter: GSSAPIAuthentication
-        value: 'no'
-        datatype: string
-        is_default_value: 'true'
-        sshd_distributed_config: 'false'