The SSH daemon must restrict login ability to specific users and/or groups.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22470	GEN005521	SV-37843r2_rule	ECLP-1	Medium

Description
Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.

STIG	Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide	2014-07-02

Details

Check Text ( None )
None

Fix Text (F-32309r2_fix)
Edit the SSH daemon configuration and add an "AllowGroups" or "AllowUsers" directive specifying the groups and users allowed to have access. Restart the SSH daemon. # /sbin/service sshd restart Alternatively, modify the /etc/pam.d/sshd file to include the line account required pam_access.so accessfile= If the "accessfile" option is not specified the default "access.conf" file will be used. The "access.conf" file must contain the user restriction definitions.

Fix Text (F-32309r2_fix)

Edit the SSH daemon configuration and add an "AllowGroups" or "AllowUsers" directive specifying the groups and users allowed to have access.

Restart the SSH daemon.
# /sbin/service sshd restart

Alternatively, modify the /etc/pam.d/sshd file to include the line

account required pam_access.so accessfile=

If the "accessfile" option is not specified the default "access.conf" file will be used. The "access.conf" file must contain the user restriction definitions.