From Oracle Linux 5 Security Technical Implementation Guide
Part of GEN005521
Associated with: CCI-000225
Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.
There are two ways in which access to SSH may restrict users or groups. Check if /etc/pam.d/sshd is configured to require daemon style login control. # grep pam_access.so /etc/pam.d/sshd|grep "required"|grep "account"| grep -v '^#' If no lines are returned, sshd is not configured to use pam_access. Check the SSH daemon configuration for the AllowGroups setting. # egrep -i "AllowGroups|AllowUsers" /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, sshd is not configured to limit access to users/groups. If sshd is not configured to limit access either through pam_access or the use "AllowUsers" or "AllowGroups", this is a finding.
Edit the SSH daemon configuration and add an "AllowGroups" or "AllowUsers" directive specifying the groups and users allowed to have access.
Restart the SSH daemon.
# /sbin/service sshd restart
Alternatively, modify the /etc/pam.d/sshd file to include the line
account required pam_access.so accessfile=
Lavender hyperlinks in small type off to the right (of CSS
id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header
Powered by sagemincer