5.2.17 Ensure SSH access is limited

Information

There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged:

AllowUsers - Gives the system administrator the option of allowing specific users to ssh into the system

The list consists of space separated user names

Numeric user IDs are not recognized with this variable

A system administrator may restrict user access further by only allowing the allowed users to log in from a particular host by specifying the entry as < user>@<host>

AllowGroups - Gives the system administrator the option of allowing specific groups of users to ssh into the system

The list consists of space separated group names

Numeric group IDs are not recognized with this variable

DenyUsers - Gives the system administrator the option of denying specific users to ssh into the system

The list consists of space separated user names

Numeric user IDs are not recognized with this variable

If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host by specifying the entry as < user>@<host>

DenyGroups - Gives the system administrator the option of denying specific groups of users to ssh into the system

The list consists of space separated group names

Numeric group IDs are not recognized with this variable

Rationale:

Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system.

Solution

Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows:

AllowUsers <userlist>

AllowGroups <grouplist>

DenyUsers <userlist>

DenyGroups <grouplist>

See Also

https://workbench.cisecurity.org/files/2920

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv7|4.3

Plugin: Unix

Control ID: bdb95576bbc2da32e1a67e6597d16a977aaf6f511472d3062c9d1a07a502a31a