Detections
Analytics

5.2.4 Ensure sshd access is configured

Information

There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged:

 - AllowUsers - Variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.
 - AllowGroups - Variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.
 - DenyUsers - Variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.
 - DenyGroups Variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.

More information about the openSSH server configuration is available in the "Configure SSH Server" section overview.

Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system.

Solution

Edit the /etc/ssh/sshd_config file to set one or more of the parameters above any Match set statements as follows:

AllowUsers <userlist>
 - AND/OR -
AllowGroups <grouplist>

Note: It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user or group and forget to add it to the deny list.

Impact:

These options are "ANDed" together. If both AllowUsers and AllowGroups are set, connections will be limited to the list of users that are also a member of an allowed group. It is recommended that only one be set for clarity and ease of administration.

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|4.3

Plugin: Unix

Control ID: 74bf2c79aa9c54acf09650c7d9373e83b3b642dafe25fa6236e77e4d15a324b9