4.5.3.4 sshd_config: Restrict users and groups allowed access via OpenSSH

Information

There are multiple options available to regulate access to a server via OpenSSH. At least one of the following options should be implemented.

Note: The allow/deny user directives are processed in the following order: DenyUsers, then AllowUsers. The allow/deny group directives are processed in the following order: DenyGroups, then AllowGroups. If a DenyUsers or DenyGroups pattern matches, login is refused and the corresponding Allow directive is not consulted. To implement "deny all except", use only Allow* directives. To implement "permit all except", use only Deny* directives. It is advised not to combine Allow and Deny directives, as this makes the configuration harder to debug.

DenyUsers: The DenyUsers variable specifies user names not permitted to access the system via sshd. The definition is a list of user name patterns separated by spaces. Numeric user IDs are not recognized. Patterns can be narrowed to restrict access from specific hosts using the form username@host.

AllowUsers: The AllowUsers variable specifies user names permitted to access the system via sshd. The definition is a list of user name patterns separated by spaces. Numeric user IDs are not recognized. Patterns can be narrowed to permit access only from specific host(s) using the form username@host, in which case the user and the host part are checked separately; the host part may be a host name or address pattern.

DenyGroups: The DenyGroups variable specifies group names not permitted to access the system via sshd. The definition is a list of group name patterns separated by spaces. Numeric group IDs are not recognized. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns.

AllowGroups: The AllowGroups variable specifies group names permitted to access the system via sshd. The definition is a list of group name patterns separated by spaces. Numeric group IDs are not recognized. Login is allowed only for users whose primary group or supplementary group list matches one of the patterns.

Rationale:

By default, login is allowed for all users and all groups.

Restricting which users can access the system via OpenSSH will help ensure that only authorized users access the system.

Impact:

When implemented, users can no longer connect from any host: a connection must satisfy the configured Allow/Deny directives. Confirm that the account or group used for administrative access matches an Allow directive (or is not caught by a Deny directive) before restarting sshd, otherwise remote administrative access will be lost.

Note: your organization may already have an OpenSSH restricted access model, as this recommendation is already Level 1 for Linux* benchmarks.

Solution

Edit the /etc/ssh/sshd_config file to set one (or more) of the following parameters:

AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

Restart the sshd daemon through the AIX System Resource Controller to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd
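The following script is an added example and is not part of the benchmark text or of OpenSSH. It audits a sshd_config file for the four directives named above (pass if at least one is set, and a warning if Allow* and Deny* are mixed) and models, for a single user, the documented ordering DenyUsers then AllowUsers. The two sample config files are constructed here for illustration; the pattern matcher is a simplified model (shell-style * and ? wildcards on the user and host parts of username@host) that does not handle CIDR host patterns or "!" negation, and the group directives are not modelled because they need the user's group list.

```shell
#!/bin/sh
# Added example (not from the benchmark or OpenSSH): audit sshd_config access
# directives and model sshd's DenyUsers-then-AllowUsers decision order.
set -f   # no pathname expansion: patterns like bob@10.1.1.* must stay literal

# Print active AllowUsers/AllowGroups/DenyUsers/DenyGroups lines (keywords are
# case-insensitive; commented-out lines have "#..." as $1 and never match).
sshd_access_directives() {   # config
    awk 'tolower($1) ~ /^(allowusers|allowgroups|denyusers|denygroups)$/' "$1"
}

# 0 (pass) when at least one Allow*/Deny* directive is set, 1 (fail) otherwise.
sshd_access_restricted() {   # config
    [ -n "$(sshd_access_directives "$1")" ]
}

# 0 when both Allow* and Deny* directives are present (harder to debug).
sshd_access_mixed() {   # config
    d=$(sshd_access_directives "$1")
    echo "$d" | grep -qi '^allow' && echo "$d" | grep -qi '^deny'
}

# All patterns given to one keyword (every occurrence), space separated.
sshd_patterns() {   # config keyword(lowercase)
    awk -v k="$2" 'tolower($1) == k { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# Does user/host match one pattern? "user" or "user@host"; the user and host
# parts are checked separately. Simplified model: no CIDR, no "!" negation.
sshd_pattern_match() {   # pattern user host
    case "$1" in
        *@*) pu=${1%%@*}; ph=${1#*@} ;;
        *)   pu=$1;       ph='*' ;;
    esac
    case "$2" in $pu) ;; *) return 1 ;; esac
    case "$3" in $ph) return 0 ;; *) return 1 ;; esac
}

# User-level decision in sshd order: a DenyUsers match refuses the login and
# AllowUsers is not consulted; otherwise, if AllowUsers is set, the user must
# match one of its patterns. Prints "allow" or "deny".
sshd_user_decision() {   # config user host
    for p in $(sshd_patterns "$1" denyusers); do
        sshd_pattern_match "$p" "$2" "$3" && { echo deny; return 0; }
    done
    allow=$(sshd_patterns "$1" allowusers)
    if [ -n "$allow" ]; then
        for p in $allow; do
            sshd_pattern_match "$p" "$2" "$3" && { echo allow; return 0; }
        done
        echo deny; return 0
    fi
    echo allow
}

# --- constructed sample configs (weak, hardened, mixed) in temp files ---
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); MIXED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$MIXED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# default: all users from any host are permitted
PermitRootLogin no
#AllowUsers alice
EOF
cat > "$HARD_CFG" <<'EOF'
# "deny all except": only Allow* directives, nothing mixed in
PermitRootLogin no
AllowUsers alice bob@10.1.1.* svc?dm@bastion.example.com
AllowGroups sshusers
EOF
cat > "$MIXED_CFG" <<'EOF'
# Allow and Deny combined: DenyUsers is evaluated first and wins for bob
DenyUsers bob
AllowUsers alice bob
EOF

sshd_access_restricted "$WEAK_CFG" || echo "weak config: FAIL (no Allow*/Deny* directive)"
sshd_access_restricted "$HARD_CFG" && echo "hardened config: PASS"
sshd_access_mixed "$MIXED_CFG" && echo "mixed config: WARN (Allow* and Deny* combined)"
sshd_user_decision "$HARD_CFG"  alice   any-host    # allow
sshd_user_decision "$HARD_CFG"  bob     10.1.1.7    # allow (host part matches 10.1.1.*)
sshd_user_decision "$HARD_CFG"  bob     192.0.2.9   # deny  (host part does not match)
sshd_user_decision "$HARD_CFG"  mallory any-host    # deny  (not in AllowUsers)
sshd_user_decision "$MIXED_CFG" bob     any-host    # deny  (DenyUsers checked before AllowUsers)
```

On the live system, run `sshd -t` to syntax-check /etc/ssh/sshd_config before the stopsrc/startsrc cycle, and `sshd -T` to print the effective configuration (with `-C user=...,host=...,addr=...` to see the values that apply to a given connection, including any Match blocks).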

Default Value:

All users from any host are permitted.

Additional Information:

Subsequent releases of the AIX benchmarks are expected to have this recommendation scored at Level 1.

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT, MAINTENANCE

References: 800-53|CM-7, 800-53|MA-4, CSCv7|9.2

Plugin: Unix

Control ID: 11e0233953b2b887422283ea0362c007c2a9690c28aedc242cb0047a6a231943