Thursday, December 27, 2012

Restrict SSH logins

As a System Administrator you always want to make your servers more secure. With that being said, I'm going to restrict ssh logins. To do this, I will make a change to the /etc/ssh/sshd_config file. This change will limit the ability to log in using ssh to only accounts in the users group. The example below is from a Solaris 10 server, but this will still work on any UNIX, BSD and Linux system. We have done this on Solaris 10, RHEL 5 and SLES 11 servers at my work place.

Before you begin, log in to the server using a remote console or at least more than one terminal. I had one co-worker lock himself out of the server because he forgot to add himself to the users group before he restarted ssh. I would also take note of any programs that use ssh so you don't lock them out.

# vi /etc/ssh/sshd_config

Add the following line to the /etc/ssh/sshd_config file:

AllowGroups users

You can use any group you want; you don't have to use the users group. Often you will find that many people like to use the group sshusers for this function. I use the default group users, because all the user accounts use SSH to access my servers. Make sure you check all your application accounts and make sure they are in the group you are using for SSH; otherwise your applications may no longer work.

To have the changes take effect you need to restart the sshd process:

# svcadm restart ssh

or

# /etc/rc2.d/K03sshd stop
# /etc/rc2.d/K03sshd start

Test the new setup by trying to log in with one account not in the users group and one that is. The account that is in the users group should be able to log in, but the account that is not should not.

If you have anything to add please post below.