← Rules Catalog
mediumaccess-controlverified

Configure SSH access restrictions

ssh-access-control · RHEL ≥ 8 · 1 impl

Description

The SSH daemon must restrict access to authorized users or groups using AllowUsers, AllowGroups, DenyUsers, or DenyGroups directives. At least one of these directives must be configured to limit which accounts can establish SSH sessions.

Rationale

Without explicit access restrictions, every account on the system is potentially reachable via SSH. An attacker who compromises a service account or discovers a weak password on any system account can log in remotely. Restricting SSH access to designated users or groups implements the principle of least privilege for remote access.

Check → Remediate

Checkcommand
grep -rEi '^(AllowUsers|AllowGroups|DenyUsers|DenyGroups)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
expected_exit:
0
Remediatemanual
note:
Configure AllowUsers, AllowGroups, DenyUsers, or DenyGroups with site-specific values

Framework references

CIS

rhel10 5.1.4rhel8 5.1.6rhel9 5.1.7

NIST 800-53

AC-3AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#access-control#authorization