4.5.3.14 sshd_config: Use Conditional exception(s).

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

There are several options available to regulate access to a server via OpenSSH. There are settings that are set at a global level only and there are settings that have a global default but can be modified to meet specific client (from) requirements for the server (to) being configured.

These overrides are specified via a conditional block that starts with the Match directive. When all of the criteria on that Match line are satisfied (User, Group, Host, LocalAddress, LocalPort, RDomain and Address, or the single token All, which matches every connection), the settings listed below can be redefined, overriding the values set earlier in the file:

AcceptEnv, AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, Banner, CASignatureAlgorithms, ChrootDirectory, ClientAliveCountMax, ClientAliveInterval, DenyGroups, DenyUsers, DisableForwarding, ExposeAuthInfo, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedAlgorithms, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts, Include, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitListen, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms, PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset, X11Forwarding and X11UseLocalhost.

Rationale:

There are situations where exceptions to the corporate security policy are required. Match is the mechanism that permits the configuration - and documentation - of exceptions.

# Example of overriding settings on a per-user basis
# anoncvs does not get a command prompt; instead a specific command is started.
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server
# The user michael requires, and is permitted (see support ticket X123456), the use of X11Forwarding.
#Match User michael
#    X11Forwarding yes
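The following script is an added example for reviewing Match-based exceptions; it is not part of the CIS benchmark or of Nessus. It parses an sshd_config, lists each Match block, flags any directive that sshd does not accept inside a Match block (using the keyword list given above), and computes the settings that would apply to a given connection. Criteria matching is deliberately simplified: it handles User, Group, Host, Address, LocalAddress, LocalPort, RDomain and All with comma-separated `*`/`?` patterns, but not `!` negation or CIDR masks, and it applies sshd's rule that the first satisfied Match block to set a keyword wins. The sample configuration is constructed for the demonstration and reproduces the two overrides shown above plus one deliberately invalid block.

```python
"""Added example (not from the CIS audit or Tenable): audit Match blocks in an
sshd_config and compute the settings that apply to a connection."""
import re
from fnmatch import fnmatchcase

# Keywords sshd permits inside a Match block (the list given in the audit text).
MATCH_ALLOWED = {k.lower() for k in """
AcceptEnv AllowAgentForwarding AllowGroups AllowStreamLocalForwarding AllowTcpForwarding
AllowUsers AuthenticationMethods AuthorizedKeysCommand AuthorizedKeysCommandUser
AuthorizedKeysFile AuthorizedPrincipalsCommand AuthorizedPrincipalsCommandUser
AuthorizedPrincipalsFile Banner CASignatureAlgorithms ChrootDirectory ClientAliveCountMax
ClientAliveInterval DenyGroups DenyUsers DisableForwarding ExposeAuthInfo ForceCommand
GatewayPorts GSSAPIAuthentication HostbasedAcceptedAlgorithms HostbasedAuthentication
HostbasedUsesNameFromPacketOnly IgnoreRhosts Include IPQoS KbdInteractiveAuthentication
KerberosAuthentication LogLevel MaxAuthTries MaxSessions PasswordAuthentication
PermitEmptyPasswords PermitListen PermitOpen PermitRootLogin PermitTTY PermitTunnel
PermitUserRC PubkeyAcceptedAlgorithms PubkeyAuthentication PubkeyAuthOptions RekeyLimit
RevokedKeys RDomain SetEnv StreamLocalBindMask StreamLocalBindUnlink TrustedUserCAKeys
X11DisplayOffset X11Forwarding X11UseLocalhost
""".split()}

MATCH_CRITERIA = {"user", "group", "host", "address", "localaddress", "localport", "rdomain"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks). Keywords are lowercased. Each block
    holds 'criteria' ([] means 'Match All'), 'settings' and 'problems'."""
    global_settings, blocks, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {"line": lineno, "criteria": [], "settings": [], "problems": []}
            current["settings"] = {}
            blocks.append(current)
            tokens = value.split()
            if [t.lower() for t in tokens] == ["all"]:
                continue                              # applies to every connection
            if len(tokens) % 2:
                current["problems"].append(f"line {lineno}: Match needs criterion/pattern pairs")
            for name, pattern in zip(tokens[::2], tokens[1::2]):
                if name.lower() not in MATCH_CRITERIA:
                    current["problems"].append(f"line {lineno}: unknown Match criterion {name}")
                current["criteria"].append((name.lower(), pattern))
        elif current is None:
            global_settings.setdefault(keyword, value)  # sshd keeps the first value seen
        else:
            if keyword not in MATCH_ALLOWED:
                current["problems"].append(
                    f"line {lineno}: {parts[0]} is not permitted inside a Match block")
            current["settings"].setdefault(keyword, value)
    return global_settings, blocks


def criteria_satisfied(criteria, conn):
    """True when every (criterion, pattern) pair matches the connection attributes.
    Simplification: '*'/'?' wildcards and comma lists only, no '!' or CIDR."""
    for name, pattern in criteria:
        actual = str(conn.get(name, ""))
        if not any(fnmatchcase(actual, p) for p in pattern.split(",")):
            return False
    return True


def effective_settings(text, conn):
    """Settings applied to a connection such as {'user': 'michael', 'address': '10.0.0.5'}.
    Among satisfied Match blocks the first one setting a keyword wins; any Match
    value overrides the global one."""
    global_settings, blocks = parse_sshd_config(text)
    applied = {}
    for block in blocks:
        if criteria_satisfied(block["criteria"], conn):
            for keyword, value in block["settings"].items():
                applied.setdefault(keyword, value)
    return {**global_settings, **applied}


def audit_findings(text):
    """Flat list of problems found in Match blocks, for a compliance report."""
    return [p for b in parse_sshd_config(text)[1] for p in b["problems"]]


# Constructed sample: the two overrides from the audit text, plus a Match block
# that wrongly sets Port (not accepted inside Match).
SAMPLE_CONFIG = """
X11Forwarding no
AllowTcpForwarding yes
PermitTTY yes

Match User anoncvs
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
    ForceCommand cvs server

# The user michael requires, and is permitted (see support ticket X123456), X11Forwarding.
Match User michael
    X11Forwarding yes

Match Address 192.0.2.*
    Port 2222
"""

if __name__ == "__main__":
    for user in ("anoncvs", "michael", "alice"):
        print(user, effective_settings(SAMPLE_CONFIG, {"user": user, "address": "198.51.100.7"}))
    for finding in audit_findings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

To compare the script's view against the live daemon, `sshd -T -C user=michael,addr=198.51.100.7` prints the effective configuration sshd itself would use for that connection; any difference points at a criterion the simplified matcher does not model.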

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Default Value:

No MATCH statements are used.

See Also

https://workbench.cisecurity.org/benchmarks/13069