Customize your server's SSHD file

Advanced Server Access allows SSHD customization options for Advanced Server Access admins, letting them customize how their servers respond to clients initiating connections. Before beginning, make sure that you've installed and configured the Advanced Server Access agent on your server.

Note: The Advanced Server Access agent (sftd) only adds two lines to your SSHD files, including comments.

SSHD customization options

While SSHD customization can be done in many ways, the following are some examples of how Advanced Server Access admins can customize their SSHD config file.

Disallow non-Advanced Server Access authentication in SSHD

To prevent any members of your groups from authenticating with a non-Advanced Server Access credential, use a Match Group block to create a set of rules for authorized key files. The config below prevents any member of the Unix group "asa_dev" from authenticating with a non-Advanced Server Access credential.

Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes <insert-accepted-key-here>

The Match Group line should name your Advanced Server Access-managed group, so the first line of your Match block looks as follows: Match Group <ASA-managed-group-name>

Prevent interactive logins on bastions

To prevent users from conducting interactive logins on your bastions, create a Match Group block that applies this restriction with the value PermitTTY no. Using a Match Group block lets you set this restriction for all users within your specified group. If you are an Advanced Server Access admin, do not add yourself to this group. You can add the following config directly to your SSHD config without configuring the yaml file for this behavior.

This is an example of what your Match Group could look like:

Match Group asa_dev
    PermitTTY no
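Both Match Group examples above rely on sshd's rule for combining the global section with Match blocks, and a typo in a group name silently leaves the restriction unapplied. The following added example (not part of this page or of the Advanced Server Access product) evaluates which settings a user in a given set of groups would receive, using a constructed config that combines the two blocks above with constructed global defaults; only the Group criterion is modelled, without wildcards.

```python
from typing import Dict, Set

# Constructed sample: the two Match blocks this page describes, preceded by
# constructed global defaults so the override behaviour is visible.
SAMPLE_SSHD_CONFIG = """\
PermitTTY yes
AuthorizedKeysFile .ssh/authorized_keys
AuthenticationMethods publickey,password
Match Group asa_dev
    AuthorizedKeysFile none
    AuthenticationMethods publickey
    PubkeyAcceptedKeyTypes ssh-ed25519
Match Group bastion_users
    PermitTTY no
"""


def _group_matches(criteria: str, groups: Set[str]) -> bool:
    """Evaluate a Match line's `Group` criterion (comma-separated group names).
    Wildcards and other criteria (User, Address, ...) are not modelled."""
    tokens = criteria.split()
    for i in range(0, len(tokens) - 1, 2):
        if tokens[i].lower() == "group":
            return any(g in groups for g in tokens[i + 1].split(","))
    return False


def effective_settings(config_text: str, groups: Set[str]) -> Dict[str, str]:
    """Return the keyword -> value map sshd applies to a user in `groups`.
    sshd_config semantics: the first value obtained for a keyword wins, a
    matching Match block overrides the global section, and lines inside a
    non-matching Match block are ignored until the next Match line."""
    global_opts: Dict[str, str] = {}
    match_opts: Dict[str, str] = {}
    in_match, active = False, True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match, active = True, _group_matches(value, groups)
        elif active:
            (match_opts if in_match else global_opts).setdefault(keyword, value)
    return {**global_opts, **match_opts}
```

On a real host, the authoritative check is the daemon itself: sshd -T -C user=alice,host=bastion,addr=10.0.0.5 (constructed values) prints the effective configuration for that connection context.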

Configure SSH session expiration

To configure SSH session expiration on Linux, define a TMOUT environment variable. Setting TMOUT automatically logs out users after a specified period of idle time, in seconds. Here is an example of a defined TMOUT variable:

TMOUT=300
readonly TMOUT
export TMOUT

Note: The snippet above uses readonly so that users cannot change the value.