Customize SSHD configurations for servers
The system integration model of Advanced Server Access enables a wide range of customizations to system configurations to be used with Advanced Server Access. For example, Advanced Server Access admins can use SSHD configuration to customize how their servers respond to clients initiating connections.
Note: The Advanced Server Access agent (sftd) only adds two to four lines to your SSHD configuration file (/etc/ssh/sshd_config), including comments.
The following are some examples of how Advanced Server Access admins can customize their SSHD configuration file.
Disallow non-Advanced Server Access authentication in SSHD
To prevent members of specific groups from authenticating with a non-Advanced Server Access credential, use a Match Group block to define a set of rules for AuthorizedKeysFile. The block below prevents any member of the Unix group "asa_dev" from authenticating with a non-Advanced Server Access credential:

    Match Group asa_dev
        # Disable static authorized_keys lookups for this group, so only credentials issued through Advanced Server Access are accepted
        AuthorizedKeysFile none

The Match Group line should name your Advanced Server Access-managed group.
The first line of your Match block should look as follows: Match Group <ASA-managed-group-name>
Prevent interactive log-ins on bastions
To prevent users from conducting interactive log-ins on your bastions, create a Match Group block that applies the restriction PermitTTY no. Using a Match Group block lets you set this restriction for all users within the specified group. If you're an Advanced Server Access admin, do not add yourself to this group. You can add the following config directly to your SSHD configuration without configuring the YAML file for this behavior:

    Match Group asa_dev
        # No pseudo-terminal for members of this group, which blocks interactive shells on the bastion
        PermitTTY no

While disabling TTYs is a best practice for bastion deployments, it is not a guarantee that all forms of remote execution are prevented. Ensure that your bastions are properly configured to prevent unwanted access.
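Because both customizations above rely on Match Group blocks, it helps to confirm which values sshd will actually apply to a given user before rolling the change out. The following script is an added example (not code from Okta's documentation or the sftd agent): it models sshd's rules that keywords in a Match block override the global section and that the first matching block to set a keyword wins, using a constructed sshd_config fragment and constructed group memberships. It only models `Match Group` with a single group name, not sshd's full criteria syntax.

```python
"""Added example: evaluate the effective sshd_config value for a user.
Models two sshd rules: keywords in a Match block override the global
section, and the first Match block that sets a keyword wins. The config
text and the group memberships used below are constructed for this
illustration; only a single-name 'Match Group' criterion is supported."""

# Constructed sshd_config fragment combining the two customizations
SSHD_CONFIG = """
# global section
PermitTTY yes
AuthorizedKeysFile .ssh/authorized_keys

# restriction for the Advanced Server Access-managed group
Match Group asa_dev
    AuthorizedKeysFile none
    PermitTTY no
"""

def parse_sshd_config(text):
    """Return (global_settings, [(group, settings), ...]) in file order."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit, _, arg = value.partition(" ")
            if crit.lower() != "group":
                raise ValueError("only 'Match Group' is modelled here")
            current = {}
            match_blocks.append((arg.strip(), current))
        else:
            target = current if current is not None else global_settings
            target.setdefault(keyword, value)    # first value wins

    return global_settings, match_blocks

def effective_value(config_text, user_groups, keyword):
    """Effective value of `keyword` for a user in the given Unix groups."""
    global_settings, match_blocks = parse_sshd_config(config_text)
    for group, settings in match_blocks:
        if group in user_groups and keyword.lower() in settings:
            return settings[keyword.lower()]     # first matching block wins
    return global_settings.get(keyword.lower())  # fall back to global

if __name__ == "__main__":
    # member of asa_dev: no TTY and no static authorized_keys lookups
    print(effective_value(SSHD_CONFIG, {"asa_dev"}, "PermitTTY"))    # no
    # admin kept out of asa_dev retains the global defaults
    print(effective_value(SSHD_CONFIG, {"asa_admin"}, "PermitTTY"))  # yes
```

On a real host the authoritative check is `sshd -T -C user=<name>,host=<host>,addr=<addr>`, which prints the effective configuration after Match processing.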
Configure SSH session expiration
To configure SSH session expiration on Linux, define a TMOUT environment variable. Setting TMOUT automatically logs users out after a specific period of idle time. Here is an example of what a defined TMOUT variable looks like:
Note: This definition uses readonly to prevent users from changing its value.