Customize your Server's SSHD File
Advanced Server Access lets Advanced Server Access Admins customize the SSHD configuration on their servers, controlling how those servers respond to clients initiating connections. Before you begin, make sure that you've installed and configured the Advanced Server Access agent on your server.
Note: The Advanced Server Access sftd agent adds only two lines to your SSHD configuration file, comments included. Everything else in the file is yours to manage.
SSHD Customization Options
SSHD can be customized in many ways. Here are some examples of what Advanced Server Access Admins can do in their SSHD config file. Keep in mind that a Match block applies until the next Match line or the end of the file, so place these blocks at the end of sshd_config, and run sshd -t to test the file for syntax errors before restarting the service.
Disallow non-Advanced Server Access Authentication in SSHD
To prevent members of your groups from authenticating with a non-Advanced Server Access credential, use a Match Group block that turns off the other ways sshd would accept a login. The block below prevents any member of the Unix group "asa_dev" from authenticating with a non-Advanced Server Access credential: AuthorizedKeysFile none stops sshd from reading static authorized_keys files, and AuthenticationMethods publickey rules out password and keyboard-interactive logins, so only the public-key authentication that the sftd agent configures remains.

    Match Group asa_dev
        AuthorizedKeysFile none
        AuthenticationMethods publickey
        PubkeyAcceptedKeyTypes <insert-accepted-key-here>

PubkeyAcceptedKeyTypes (named PubkeyAcceptedAlgorithms in OpenSSH 8.5 and later, with the old name kept as an alias) limits which key and certificate algorithms sshd accepts. If you restrict this list, it must still include the algorithms used by the Advanced Server Access client certificates, otherwise members of the group can't log in at all.
The Match Group line must name your Advanced Server Access-managed group, that is, the local Unix group the agent maintains for it. The first line of your Match block should look as follows:

    Match Group <ASA-managed-group-name>
Prevent interactive logins on bastions
To prevent users from opening interactive sessions on your bastions, create a Match Group block that sets PermitTTY no. Using a Match Group block applies this restriction to all users in the specified group. Because port forwarding does not need a TTY, those users can still use the bastion as a jump host (for example with ProxyJump), which is usually the intent. If you are an Advanced Server Access Admin, do not add yourself to this group, or you lock yourself out of interactive access to the bastion. You can add this config directly to your SSHD config file without configuring the yaml file for this behavior.
This is an example of what your Match Group block could look like:

    Match Group asa_dev
        PermitTTY no
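To confirm that the two Match Group blocks above take effect for the intended users and for nobody else, the following added example (not part of the Okta documentation or the sftd agent) queries the effective sshd configuration for a simulated connection with sshd -T -C and checks the three settings the blocks should produce. The group asa_dev, the user alice, the host bastion.example.com and the source address 203.0.113.10 are assumed for illustration, and the sshd -T output embedded in the script is constructed sample data.

```shell
#!/bin/sh
# Added example (not Okta's code): verify that the Match Group restrictions
# from the page actually apply to a member of the ASA-managed group.
# Assumptions (hypothetical): Unix group "asa_dev", member "alice",
# host "bastion.example.com", client address 203.0.113.10.

# sshd -T prints the effective configuration; -C simulates a connection so
# that Match blocks are evaluated. Keywords in the output are lower-case.
# Reading the host keys requires root, so run this with sudo.
effective_config() {
    # $1 user, $2 host, $3 source address
    sshd -T -C "user=$1,host=$2,addr=$3"
}

# Read an effective configuration from stdin and check that the three
# settings the Match blocks should produce are present. Prints the missing
# keywords to stderr and returns 1 if any is absent, 0 otherwise.
check_restrictions() {
    cfg=$(cat)
    missing=""
    for want in "authorizedkeysfile none" \
                "authenticationmethods publickey" \
                "permittty no"; do
        printf '%s\n' "$cfg" | grep -qix "$want" || missing="$missing [$want]"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of what `sshd -T -C user=alice,...` returns for a group
# member when both Match blocks are in place (only relevant lines shown).
SAMPLE_MEMBER='port 22
permittty no
authenticationmethods publickey
authorizedkeysfile none'

# Constructed sample for a user outside the group: the defaults apply, which
# is also how you confirm that an admin account is not caught by the blocks.
SAMPLE_OTHER='port 22
permittty yes
authenticationmethods any
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2'

if [ "${1:-}" = "--live" ]; then
    # Usage: sudo sh check_asa_sshd.sh --live alice bastion.example.com 203.0.113.10
    effective_config "$2" "$3" "$4" | check_restrictions && echo "$2: restricted"
else
    printf '%s\n' "$SAMPLE_MEMBER" | check_restrictions && echo "member: restricted"
    printf '%s\n' "$SAMPLE_OTHER" | check_restrictions || echo "other user: unrestricted"
fi
```

Run it once with --live for a user in the group and once for your own admin account: the first run should report the three settings present, the second should list them as missing. Anything else means a Match block is in the wrong place in sshd_config or the group membership is not what you expect.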
Configure SSH Session Expiration
To configure SSH session expiration on Linux, define a TMOUT environment variable. Setting TMOUT automatically logs users out after a specific period of idle time. Here is an example of a defined TMOUT variable, in seconds:

    TMOUT=300
    readonly TMOUT
    export TMOUT

Note: The snippet above uses readonly to prevent users from changing its value. TMOUT is honored by the interactive shell (bash, ksh and zsh), not by sshd, so put it in a login script such as /etc/profile.d/tmout.sh to apply it to every login shell. It ends only idle interactive shells; non-interactive sessions such as scp, sftp or port forwarding are not affected, and a user whose login shell doesn't support TMOUT is not timed out.