4.5.3.4 sshd_config: Restrict users and groups allowed access via OpenSSH

Information

There are multiple options available to regulate access to a server via OpenSSH. At least of the following options should be implemented. Note: The allow/deny users directives are processed in the following order: DenyUsers, AllowUsers. The allow/deny groups directives are processed in the following order: DenyGroups, AllowGroups. Note: If a DenyUser or DenyGroup matches the associated Allow directive is not processed. To implement DenyAll except use only Allow* directives. To implement PermitALL except use only Deny* directives. It is advised not to combine Allow and Deny directives as this can make the configuration harder to debug.

DenyUsers: The DenyUsers variable specifies user names not permitted to access the system via sshd. The definition is a list username pattern(s) separated by spaces. Numeric userIDs are not are not allowed (recognized). Patterns can be narrowed to restrict access from specific hosts using the form username@host.

AllowUsers: The AllowUsers variable specifies user names permitted to access the system via sshd. The definition is a list username pattern(s) separated by spaces. Numeric userIDs are not are not allowed (recognized). Patterns can be narrowed to permit access only from specific host(s) using the form username@host.

DenyGroups: The DenyGroups variable specifies group names not permitted to access the system via sshd. The definition is a list groupname pattern(s) separated by spaces. Numeric groupIDs are not allowed (recognized). Login is disallowed for users whose primary group or supplementary group list matches one of the patterns.

AllowGroups: The AllowGroups variable specifies group names permitted to access the system via sshd. The definition is a list groupname pattern(s) separated by spaces. Numeric groupIDs are not allowed (recognized). Login is allowed for users whose primary group or supplementary group list matches one of the patterns.

Rationale:

By default, login is allowed for all users and all groups.

Restricting which users can access the system via OpenSSH will help ensure that only authorized users access the system.

Impact:

When implemented - no longer can any user connect from any host. They must satisfy the connection requirements.

As this is new to most AIX installations for this version of the benchmark we are setting it at Level 2 - for scoring - but we recommend your organization implements it as soon as possible.

Note: your organization may already have a OpenSSH restricted access model as this recommendation is already Level 1 for Linux* benchmarks.

Solution

Edit the /etc/ssh/sshd_config file to set one (or more) of the following parameters:

AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd

Default Value:

All users from any host are permitted.

Additional Information:

Subsequent releases of AIX benchmarks are expected to have this recommendation scored at Level 1

See Also

https://workbench.cisecurity.org/benchmarks/7851