mediumaccess-controlverified ✓
Configure SSH access restrictions
ssh-access-control · RHEL ≥ 8 · 1 impl
Description
The SSH daemon must restrict access to authorized users or groups using AllowUsers, AllowGroups, DenyUsers, or DenyGroups directives. At least one of these directives must be configured to limit which accounts can establish SSH sessions.
Rationale
Without explicit access restrictions, every account on the system is potentially reachable via SSH. An attacker who compromises a service account or discovers a weak password on any system account can log in remotely. Restricting SSH access to designated users or groups implements the principle of least privilege for remote access.
Check → Remediate
Checkcommand
grep -rEi '^(AllowUsers|AllowGroups|DenyUsers|DenyGroups)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
- expected_exit:
- 0
Remediatemanual
- note:
- Configure AllowUsers, AllowGroups, DenyUsers, or DenyGroups with site-specific values
Framework references
CIS
rhel10 5.1.4rhel8 5.1.6rhel9 5.1.7
NIST 800-53
AC-3AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#access-control#authorization