Customize SSHD configurations for servers
Okta Privileged Access offers a system integration model that allows for various customizations to be made to the system configurations. One of the customization options available to Okta Privileged Access administrators is the ability to use SSHD configuration to modify how their servers respond to clients initiating connections.
The Okta Privileged Access agent (sftd) only adds two to four lines to your SSHD configuration file (/etc/ssh/sshd_config), including comments.
The following are some examples of how Okta Privileged Access admins can customize their SSHD configuration file.
Prevent interactive bastions sign in
To ensure that interactive sign-in is not allowed on your bastions by users, you can create a Match Group block with the value PermitTTY no to apply this restriction. This method enables you to set the restriction for all users in your specified group.
If you're an Okta Privileged Access admin, don't add yourself to this group. You can directly add the following config to your SSHD without configuring the yaml file for this behavior:Match Group asa_dev PermitTTY no
While disabling TTYs is a best practice for bastion deployments, it's not a guarantee that all forms of remote execution are prevented. Ensure that your bastions are properly configured to prevent unwanted access.
Configure SSH session expiration
To configure SSH session expiration on Linux, define a TMOUT environment variable. Setting TMOUT allows you to automatically sign-out users after a specific period of idle-time. Here's an example of what a defined TMOUT variable looks like:TMOUT=300 readonly TMOUT export TMOUT
This definition uses readonly to prevent users from changing its value.