Customize SSHD configurations for servers

The system integration model of Advanced Server Access enables a wide range of customizations to system configurations to be used with Advanced Server Access. For example, Advanced Server Access admins can use SSHD configuration to customize how their servers respond to clients initiating connections.

Note: The Advanced Server Access agent (sftd) only adds two to four lines to your SSHD configuration file (/etc/ssh/sshd_config), including comments.

The following are some examples of how Advanced Server Access admins can customize their SSHD configuration file.

Disallow non-Advanced Server Access authentication in SSHD

To prevent members of specific groups from authenticating with a non-Advanced Server Access credential, use a Match Group block to create a set of rules for AuthorizedKeysFile. The config below prevents any member of the Unix group "asa_dev" from authenticating with a non-Advanced Server Access credential.

Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes <insert-accepted-key-here>

The Match Group line should name your Advanced Server Access-managed group.

The first line of your Match block should look as follows: Match Group <ASA-managed-group-name>

Prevent interactive log-ins on bastions

To prevent users from conducting interactive log-ins on your bastions, create a Match Group block that applies this restriction with the value PermitTTY no. Using a Match Group block lets you set this restriction for all users within your specified group. If you're an Advanced Server Access admin, do not add yourself to this group. You can add the following config directly to your SSHD configuration without configuring the YAML file for this behavior:

Match Group asa_dev
    PermitTTY no

Note: While disabling TTYs is a best practice for bastion deployments, it's not a guarantee that all forms of remote execution are prevented. Ensure that your bastions are properly configured to prevent unwanted access.
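As an added example (not Okta's code or part of its documentation), the Python below models how sshd resolves the Match Group blocks from the two sections above for a given user and group membership, so you can check which restrictions a user actually ends up with before shipping the file. The sample sshd_config and the group name asa_bastion_users are constructed for the example; only the User and Group criteria are modelled.

```python
import shlex

# Constructed sample: this page's two Match Group blocks over a small global section.
SAMPLE_SSHD_CONFIG = """
PermitTTY yes
AuthorizedKeysFile .ssh/authorized_keys
Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes <insert-accepted-key-here>
Match Group asa_bastion_users
    PermitTTY no
"""

def parse_sshd_config(text):
    """Return (globals, blocks); the first occurrence of a keyword in a section wins, as in sshd."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split off the keyword
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # a Match line opens a new conditional block
            toks = shlex.split(value)
            criteria = {c.lower(): v.split(",") for c, v in zip(toks[::2], toks[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            (globals_ if current is None else current).setdefault(key, value)
    return globals_, blocks

def block_applies(criteria, user, groups):
    """Only User/Group criteria are modelled; anything else counts as not met (conservative)."""
    return all((c == "user" and user in v) or (c == "group" and bool(set(groups) & set(v)))
               for c, v in criteria.items())

def effective(text, user, groups, keyword):
    """sshd's rule: the first applying Match block that sets the keyword wins, else the global value."""
    keyword = keyword.lower()
    globals_, blocks = parse_sshd_config(text)
    for criteria, settings in blocks:
        if keyword in settings and block_applies(criteria, user, groups):
            return settings[keyword]
    return globals_.get(keyword)

def audit(text, user, groups):
    """Do this page's restrictions apply to the user? Keys name each check."""
    return {"static_keys_disabled": effective(text, user, groups, "AuthorizedKeysFile") == "none",
            "pubkey_only": effective(text, user, groups, "AuthenticationMethods") == "publickey",
            "tty_denied": effective(text, user, groups, "PermitTTY") == "no"}
```

On a live server the authoritative check is sshd's own resolver, for example sshd -T -C user=alice,host=bastion,addr=10.0.0.5, which prints the effective configuration for that connection.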

Configure SSH session expiration

To configure SSH session expiration on Linux, define a TMOUT environment variable. Setting TMOUT automatically logs users out after a specific period of idle time. Here is an example of what a defined TMOUT variable looks like:

TMOUT=300
readonly TMOUT
export TMOUT

Note: This definition uses readonly to prevent users from changing its value.

Related topics

Deploy an Advanced Server Access server

Configure and use the Advanced Server Access server agent