The SSH daemon must restrict login ability to specific users and/or groups.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22470	GEN005521	SV-35052r1_rule	ECLP-1	Medium

Description
Restricting SSH logins to a limited group of users, such as system administrators, prevents password guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.

STIG	Date
HP-UX 11.23 Security Technical Implementation Guide	2015-12-02

Details

Check Text ( C-34923r1_chk )
Check the SSH daemon configuration. Note that keywords are case-insensitive and arguments (args) are case-sensitive. keyword(s)=DenyUsers, AllowUsers, DenyGroups, AllowGroups (order of precedence, most to least). arg(s)= Default values for users/groups include: "". Lack of keyword(s) in the configuration file will result in allowing ssh access to all users and all groups. A typical installation should either include an allow (users/groups) list or deny (users/groups) list depending on what the defined site security requirements are. Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior. Examine the file. # cat /opt/ssh/etc/sshd_config \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]*//' \| grep -v '^#' \| egrep -i "DenyUsers\|AllowUsers\|DenyGroups\|AllowGroups" If keyword(s) with valid, space-separated user(s) and/or group(s) are not returned, this is a finding.

Check Text ( C-34923r1_chk )

Check the SSH daemon configuration. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword(s)=DenyUsers, AllowUsers, DenyGroups, AllowGroups (order of precedence, most to least).
arg(s)=

Default values for users/groups include: "". Lack of keyword(s) in the configuration file will result in allowing ssh access to all users and all groups. A typical installation should either include an allow (users/groups) list or deny (users/groups) list depending on what the defined site security requirements are.

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "DenyUsers|AllowUsers|DenyGroups|AllowGroups"

If keyword(s) with valid, space-separated user(s) and/or group(s) are not returned, this is a finding.

Fix Text (F-30228r1_fix)
Edit the SSH daemon configuration and add the appropriate keyword directive(s) and space-separated user/group names. The keyword order of precedence is as follows: DenyUsers, AllowUsers, DenyGroups, AllowGroups