The SSH daemon must restrict login ability to specific users and/or groups.


Overview

Finding ID: V-22470
Version: GEN005521
Rule ID: SV-63727r1_rule
IA Controls:
Severity: Medium
Description
Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.
STIG: Oracle Linux 5 Security Technical Implementation Guide
Date: 2020-02-25

Details

Check Text ( C-52311r2_chk )
There are two ways in which SSH access may be restricted to specific users or groups.

Check if /etc/pam.d/sshd is configured to require daemon style login control.

# grep pam_access.so /etc/pam.d/sshd|grep "required"|grep "account"| grep -v '^#'

If no lines are returned, sshd is not configured to use pam_access.

Check the SSH daemon configuration for the AllowGroups or AllowUsers setting.

# egrep -i "AllowGroups|AllowUsers" /etc/ssh/sshd_config | grep -v '^#'

If no lines are returned, sshd is not configured to limit access to users/groups.

If sshd is not configured to limit access either through pam_access or through the use of "AllowUsers" or "AllowGroups", this is a finding.
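
One way to script the two checks above, as an added example rather than part of the STIG text. It matches on field position instead of substrings, so indented comments are ignored and the "Keyword=value" form is recognised. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Active "account required pam_access.so" lines in a PAM service file.
# awk strips leading blanks, so an indented "#account ..." comment never matches.
pam_access_lines() {
    awk '$1 == "account" && $2 == "required" &&
         ($3 == "pam_access.so" || $3 ~ /\/pam_access\.so$/)' "$1" 2>/dev/null || true
}

# Active AllowUsers/AllowGroups directives that carry at least one argument.
# sshd_config keywords are case-insensitive and accept "Keyword=value".
sshd_allow_lines() {
    awk '{ line = $0; sub(/^[ \t]+/, "", line); n = split(line, f, /[ \t=]+/)
           k = tolower(f[1])
           if ((k == "allowusers" || k == "allowgroups") && n > 1 && f[2] != "") print line
         }' "$1" 2>/dev/null || true
}

# Return 0 when either mechanism is configured, 1 when the rule is a finding.
# Arguments default to the paths named in the Check Text.
check_ssh_login_restriction() {
    pam=$(pam_access_lines "${1:-/etc/pam.d/sshd}")
    allow=$(sshd_allow_lines "${2:-/etc/ssh/sshd_config}")
    if [ -n "$pam" ]; then printf 'pam_access: %s\n' "$pam"; fi
    if [ -n "$allow" ]; then printf 'sshd_config: %s\n' "$allow"; fi
    if [ -z "$pam" ] && [ -z "$allow" ]; then
        echo "FINDING: no pam_access, AllowUsers or AllowGroups restriction"
        return 1
    fi
    return 0
}

# Constructed sample files (not taken from a real system); prints their directory.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'auth include system-auth' '  #account required pam_access.so' \
        'account include system-auth' > "$dir/pam_commented"
    printf '%s\n' 'account required pam_access.so' > "$dir/pam_active"
    printf '%s\n' 'Port 22' ' # AllowGroups wheel' '#AllowUsers root' > "$dir/sshd_open"
    printf '%s\n' 'Port 22' 'allowgroups sshadmins' > "$dir/sshd_limited"
    echo "$dir"
}

# Demo: the first call reports a finding, the second passes.
samples=$(make_samples)
check_ssh_login_restriction "$samples/pam_commented" "$samples/sshd_open" || true
check_ssh_login_restriction "$samples/pam_commented" "$samples/sshd_limited"
rm -rf "$samples"
```
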
Fix Text (F-54309r2_fix)
Edit the SSH daemon configuration and add an "AllowGroups" or "AllowUsers" directive specifying the groups and users allowed to have access.

Restart the SSH daemon.
# /sbin/service sshd restart

Alternatively, modify the /etc/pam.d/sshd file to include the line:

account required pam_access.so accessfile=

If the "accessfile" option is not specified, the default "access.conf" file will be used.

The "access.conf" file must contain the user restriction definitions.