
The SSH daemon must restrict login ability to specific users and/or groups.


Overview

Finding ID: V-22470
Version: GEN005521
Rule ID: SV-46033r2_rule
IA Controls:
Severity: Medium
Description
Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.
STIG: SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide
Date: 2018-09-19

Details

Check Text (C-43304r1_chk)
There are two ways in which SSH access may be restricted to specific users or groups.

Check if /etc/pam.d/sshd is configured to require daemon style login control.
# grep pam_access.so /etc/pam.d/sshd|grep "required"|grep "account"| grep -v '^#'
If no lines are returned, sshd is not configured to use pam_access.

Check the SSH daemon configuration for the AllowGroups or AllowUsers setting.
# egrep -i "AllowGroups|AllowUsers" /etc/ssh/sshd_config | grep -v '^#'
If no lines are returned, sshd is not configured to limit access to users/groups.

If sshd is not configured to limit access either through pam_access or the use of "AllowUsers" or "AllowGroups", this is a finding.
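
The two checks above combined into one script, added here as an example and not part of the STIG text. It matches keywords case-insensitively and skips indented comment lines, which the grep pipelines above would let through. The function names and the path arguments are this example's own.

```shell
#!/bin/sh
# Added example: evaluates the check text against the two files it names.
# Paths are arguments so the functions can be run against copies of the files.

# Succeeds if the file has an active AllowUsers or AllowGroups line with at
# least one argument. Comment lines are skipped even when indented.
has_allow_directive() {
    awk '
        /^[ \t]*#/ { next }
        { k = tolower($1) }
        (k == "allowusers" || k == "allowgroups") && NF >= 2 { found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeeds if the file has an active "account required pam_access.so" line,
# with the module given either by name or by full path.
has_pam_access() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "account" && $2 == "required" &&
            ($3 == "pam_access.so" || $3 ~ /\/pam_access\.so$/) { found = 1 }
        END { exit !found }
    ' "$1"
}

# Returns 0 when either control is present, 1 when this is a finding.
check_gen005521() {
    sshd_config=${1:-/etc/ssh/sshd_config}
    pam_sshd=${2:-/etc/pam.d/sshd}
    if has_allow_directive "$sshd_config"; then
        echo "PASS: AllowUsers/AllowGroups set in $sshd_config"; return 0
    fi
    if has_pam_access "$pam_sshd"; then
        echo "PASS: pam_access required for account in $pam_sshd"; return 0
    fi
    echo "FINDING: no AllowUsers/AllowGroups and no pam_access for sshd"
    return 1
}

# Demo on constructed files: the only AllowUsers text is an indented comment.
demo_dir=$(mktemp -d)
printf '  # AllowUsers admin\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
printf 'account required pam_unix.so\n' > "$demo_dir/pam_sshd"
check_gen005521 "$demo_dir/sshd_config" "$demo_dir/pam_sshd" || true
rm -rf "$demo_dir"
```
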
Fix Text (F-39393r2_fix)
Edit the SSH daemon configuration and add an "AllowGroups" or "AllowUsers" directive specifying the groups and users allowed to have access.

Restart the SSH daemon.
# /sbin/service sshd restart


Alternatively, modify the /etc/pam.d/sshd file to include the line

account required pam_access.so accessfile=

If the "accessfile" option is not specified, the default "access.conf" file will be used. The "access.conf" file must contain the user restriction definitions.