
The SSH daemon must restrict login ability to specific users and/or groups.


Overview

Finding ID: V-39419
Version: GEN005521-ESXI5-000103
Rule ID: SV-51277r2_rule
IA Controls: (not specified)
Severity: Medium
Description
Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2015-02-10

Details

Check Text ( C-46693r2_chk )
Disable lock down mode.
Enable the ESXi Shell.

Check the SSH daemon configuration for the AllowGroups setting (must include the root user's group). Note that the presence of the AllowGroups attribute in the sshd_config file implies that only users belonging to groups in the AllowGroups list are able to log in.
# grep -i "^AllowGroups" /etc/ssh/sshd_config | grep -i root

If the "AllowGroups" attribute is not present in the file, this is a finding.
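An added example, not part of the STIG text: a POSIX sh function that applies this check to a given sshd_config, treating both a missing AllowGroups directive and one that omits the root user's group as a finding. It assumes root's primary group is named root (second argument overrides it) and reads only the global section of the file, stopping at the first Match block, since directives after Match apply conditionally.

```shell
#!/bin/sh
# check_allowgroups CONFIG [ROOT_GROUP]
#   0 = AllowGroups present and includes the root group (compliant)
#   1 = no AllowGroups directive in the global section (finding)
#   2 = AllowGroups present but omits the root group (finding)
check_allowgroups() {
    cfg="$1"
    root_group="${2:-root}"   # assumption: root's primary group is "root"
    # sshd honours the first occurrence of a keyword, so take the first
    # uncommented AllowGroups line; the match is case-insensitive and
    # tolerates leading whitespace. Stop at a Match block: anything after
    # it is conditional and does not restrict logins globally.
    groups=$(awk 'tolower($1) == "match" { exit }
                  tolower($1) == "allowgroups" {
                      for (i = 2; i <= NF; i++) printf "%s ", $i; exit }' "$cfg")
    if [ -z "$groups" ]; then
        echo "FINDING: no AllowGroups directive in $cfg"
        return 1
    fi
    for g in $groups; do
        [ "$g" = "$root_group" ] && { echo "PASS: AllowGroups = $groups"; return 0; }
    done
    echo "FINDING: AllowGroups ($groups) omits group '$root_group'"
    return 2
}

# Constructed sample configs (not taken from any real host) to exercise the check
demo=$(mktemp -d)
printf 'Port 22\nAllowGroups root wheel\n' > "$demo/compliant"
printf 'Port 22\n#AllowGroups root\n'      > "$demo/commented_out"
printf '  allowgroups esxadmins\n'         > "$demo/omits_root"
for f in compliant commented_out omits_root; do
    check_allowgroups "$demo/$f" || :
done
rm -rf "$demo"
```

The single grep in the check text only reports whether a line matching both patterns exists; the function above also distinguishes the two failure modes and ignores directives scoped to a Match block.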
Fix Text (F-44432r2_fix)
Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "AllowGroups" attribute (and attribute list) in the /etc/ssh/sshd_config configuration file.
# vi /etc/ssh/sshd_config

Re-enable lock down mode.