Customize SSHD configurations for servers

The system integration model of Advanced Server Access enables a wide range of customizations to system configurations to be used with Advanced Server Access. For example, Advanced Server Access admins can use SSHD configuration to customize how their servers respond to clients initiating connections.

The Advanced Server Access agent (sftd) only adds two to four lines to your SSHD configuration file (/etc/ssh/sshd_config), including comments.

The following are some examples of how Advanced Server Access admins can customize their SSHD configuration file.

Prevent non-Advanced Server Access authentication in SSHD

To prevent members of specific groups from authenticating with a non-Advanced Server Access credential, use a Match Group block to create a set of rules for AuthorizedKeysFile. The following configuration prevents any member of the Unix group "asa_dev" from authenticating with a non-Advanced Server Access credential.

Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes <insert-accepted-key-here>

The Match Group line must name your Advanced Server Access-managed group.

The first line of your Match block should look as follows: Match Group <ASA-managed-group-name>

Prevent interactive sign-in on bastions

To prevent users from signing in interactively on your bastions, create a Match Group block that applies the restriction PermitTTY no. A Match Group block lets you apply this restriction to every user in the specified group. If you're an Advanced Server Access admin, do not add yourself to this group. You can add the following configuration directly to your SSHD configuration file without configuring the YAML file for this behavior:

Match Group asa_dev
    PermitTTY no

While disabling TTYs is a best practice for bastion deployments, it does not guarantee that all forms of remote execution are prevented. Ensure that your bastions are properly configured to prevent unwanted access.
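As an added illustration (not code from Okta or OpenSSH), the following Python script works out which sshd_config directives apply to a user with a given set of Unix groups, modelling only the Match Group criterion: global directives apply first, and the first matching Match block that sets a keyword wins, so group membership is what to check before deploying the blocks above. The sample configuration is constructed for the example; on a real host the authoritative check is `sshd -T -C user=<name>`, which prints the effective configuration for that connection.

```python
import shlex

# Constructed sample sshd_config: global defaults plus the two Match blocks above.
SAMPLE_CONFIG = """
PermitTTY yes
AuthorizedKeysFile .ssh/authorized_keys

Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey

Match Group bastion_users
    PermitTTY no
"""

def parse_config(text):
    """Return (global_opts, match_blocks); each block is (set_of_groups, opts)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *args = shlex.split(line)
        key = key.lower()  # sshd keywords are case-insensitive
        if key == "match":
            # Only the Group criterion is modelled (sshd also has User, Host, ...)
            groups = set()
            for crit, val in zip(args[::2], args[1::2]):
                if crit.lower() == "group":
                    groups.update(val.split(","))
            current = (groups, {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = " ".join(args)
        else:
            current[1][key] = " ".join(args)
    return global_opts, blocks

def effective_options(text, user_groups):
    """Global settings overridden by the first matching Match block per keyword."""
    global_opts, blocks = parse_config(text)
    result, decided = dict(global_opts), set()
    for groups, opts in blocks:
        if groups & set(user_groups):
            for key, val in opts.items():
                if key not in decided:
                    result[key] = val
                    decided.add(key)
    return result
```

Run `effective_options` with the group list of your own admin account to confirm that PermitTTY stays "yes" and AuthorizedKeysFile is not "none" before the change goes live.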

Configure SSH session expiration

To configure SSH session expiration on Linux, define a TMOUT environment variable. Setting TMOUT automatically signs out users after a specific period of idle time. Here is an example of what a defined TMOUT variable looks like:

TMOUT=300
readonly TMOUT
export TMOUT

This definition uses readonly to prevent users from changing its value.
