Customize SSHD configurations for servers

The system integration model of Advanced Server Access supports a wide range of system configuration customizations. For example, Advanced Server Access admins can use the SSHD configuration to customize how their servers respond to clients that initiate connections.

The following are some examples of how Advanced Server Access admins can customize their SSHD configuration file.

Prevent non-Advanced Server Access authentication in SSHD

To prevent members of specific groups from authenticating with a non-Advanced Server Access credential, use a Match Group block to create a set of rules for authorized key files. The following code prevents any member of the Unix group "asa_dev" from authenticating with a non-Advanced Server Access credential.

Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes <insert-accepted-key-here>

The Match block must name your Advanced Server Access-managed group.

The first line of your Match block should look as follows: Match Group <ASA-managed-group-name>

Prevent interactive bastion sign-in

To prevent users from signing in interactively on your bastions, create a Match Group block that applies this restriction with the value PermitTTY no. Using a Match Group block allows you to set this restriction for all users within your specified group. If you're an Advanced Server Access admin, do not add yourself to this group. You can add the following config directly to your SSHD configuration without configuring the YAML file for this behavior:

Match Group asa_dev
    PermitTTY no
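
The following check is an added example, not part of the Advanced Server Access documentation or tooling. It parses sshd_config text and reports which of the settings from the two Match Group blocks above are missing for a group. The REQUIRED set, the asa_ops group and the sample config are assumptions; group patterns with wildcards or negation are not handled.

```python
# Added example: audit sshd_config text for the Match Group settings above.
# REQUIRED and the sample group names are assumptions for illustration.
REQUIRED = {
    "authorizedkeysfile": "none",
    "authenticationmethods": "publickey",
    "permittty": "no",
}

def match_group_settings(config_text, group):
    """Return directives set by unconditional 'Match Group <group>' blocks.

    A Match block runs until the next Match line or end of file, and sshd
    keeps the first value it obtains for each keyword.
    """
    settings, active = {}, False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            criteria = dict(zip((a.lower() for a in args[0::2]), args[1::2]))
            # Blocks with extra criteria (Address, User, ...) apply only
            # conditionally, so they do not count as enforcement here.
            active = set(criteria) == {"group"} and group in criteria["group"].split(",")
        elif active:
            settings.setdefault(keyword, " ".join(args))
    return settings

def audit(config_text, group):
    """Map each required keyword that is missing or wrong to the value found."""
    found = match_group_settings(config_text, group)
    return {k: found.get(k) for k, want in REQUIRED.items()
            if (found.get(k) or "").lower() != want}

# Constructed sample: asa_dev lacks PermitTTY, and the last line, although
# unindented, still belongs to the asa_ops block.
SAMPLE = """\
PasswordAuthentication no
Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey
Match Group asa_ops
    PermitTTY no
    AuthorizedKeysFile none
    AuthenticationMethods publickey
X11Forwarding no
"""
```

Because a Match block continues to the next Match line or the end of the file, place these blocks after all global directives.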

Configure SSH session expiration

To configure SSH session expiration on Linux, define a TMOUT environment variable. Setting TMOUT allows you to automatically sign out users after a specific period of idle time. Here is an example of what a defined TMOUT variable looks like:

TMOUT=300
readonly TMOUT
export TMOUT
