Best Practice for SSH Security


Hey All

What is best practice for setting security with SSH access, with servers joined to an AD domain using SSSD?

Trying to work out which way is best...

  1. /etc/ssh/sshd_config

     using the AllowGroups directive

  2. /etc/sssd/sssd.config

     using access_provider = simple
     simple_allow_groups

Or is it best to use a combination of both (sssd_ad and allowgroups in ssh)?

Thanks in advance

Responses

Hi Paul, I do not know the answer to your question, but on another note for ssh and security, Facebook just recently released how they control or secure ssh; check it out @ https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/. I am interested if you are using sssd to join the AD domain via an IPA or directly?

As with any "what's the best way" types of questions, the answer relies heavily on what your specific outcome requirements are.

For example, in the environments that I assist with, the primary goal is to limit access to the interactive shell. Access to other service-components is more open-ended. Thus, we tend to implement within the SSH service (and/or any other individual services that need to be controlled). For our environments, limiting things at the authentication subsystem just really doesn't work for us (we end up having to do too many exceptions to standard configs).

Hi Paul, in addition to limiting access using the simple access provider, we are going to manage sshd with Ansible. Maybe this solution could serve you as well.
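The two layers asked about in this thread are checked independently: sshd applies AllowGroups itself, and SSSD's simple access provider is consulted through PAM for every PAM-enabled service, not only SSH. The following is an added example, not code from any poster: a small audit that reads both files and reports which layer would admit a given set of group memberships. The config text and group names are constructed, and the sshd parsing is simplified as noted in the comments.

```python
import configparser

# Constructed sample configs (not from the thread); group names are hypothetical.
SSHD_CONFIG = """\
# /etc/ssh/sshd_config (excerpt); UsePAM is what lets SSSD see SSH logins
UsePAM yes
AllowGroups linux-admins db-operators
"""
SSSD_CONF = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins, app-support
"""

def sshd_allow_groups(text):
    """Global AllowGroups names, or None if unset. Literal names only; no patterns or Match blocks."""
    groups = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        key = parts[0].lower() if parts else ""
        if key == "match":
            break  # stop at the first conditional block
        if key == "allowgroups":
            groups += parts[1:]  # repeated directives accumulate
    return groups or None

def sssd_simple_allow_groups(text):
    """simple_allow_groups of the first 'simple' domain, or None. Ignores user and deny lists."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for name in cp.sections():
        sec = cp[name]
        if name.startswith("domain/") and sec.get("access_provider") == "simple":
            groups = [g.strip() for g in sec.get("simple_allow_groups", fallback="").split(",")]
            return [g for g in groups if g] or None
    return None

def check(user_groups, sshd_text=SSHD_CONFIG, sssd_text=SSSD_CONF):
    """Return (passes_sshd, passes_sssd); an SSH login needs both to be True."""
    sshd, sssd = sshd_allow_groups(sshd_text), sssd_simple_allow_groups(sssd_text)
    ok_sshd = sshd is None or bool(set(user_groups) & set(sshd))
    ok_sssd = sssd is None or bool(set(user_groups) & set(sssd))
    return ok_sshd, ok_sssd
```

A group listed in only one file is the usual source of surprises when both layers are combined: `check(["db-operators"])` passes sshd but is refused by SSSD, and `check(["app-support"])` is the reverse.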
