UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The SSH daemon must restrict login ability to specific users and/or groups.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22470 GEN005521 SV-35052r1_rule ECLP-1 Medium
Description
Restricting SSH logins to a limited group of users, such as system administrators, prevents password guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.
STIG Date
HP-UX 11.31 Security Technical Implementation Guide 2018-03-01

Details

Check Text ( C-34923r1_chk )
Check the SSH daemon configuration. Note that keywords are case-insensitive and arguments (args) are case-sensitive.

keyword(s)=DenyUsers, AllowUsers, DenyGroups, AllowGroups (order of precedence, most to least).
arg(s)=

Default values for users/groups include: "". Lack of keyword(s) in the configuration file will result in allowing ssh access to all users and all groups. A typical installation should either include an allow (users/groups) list or deny (users/groups) list depending on what the defined site security requirements are.

Note: When the default "arg" value exactly matches the required "arg" value (see above), the entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior.

Examine the file.
# cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "DenyUsers|AllowUsers|DenyGroups|AllowGroups"

If keyword(s) with valid, space-separated user(s) and/or group(s) are not returned, this is a finding.
Fix Text (F-30228r1_fix)
Edit the SSH daemon configuration and add the appropriate keyword directive(s) and space-separated user/group names. The keyword order of precedence is as follows:

DenyUsers, AllowUsers, DenyGroups, AllowGroups