Best Practice for SSH Security
Hey All
What is best practice for setting security with SSH access, with servers joined to an AD domain using SSSD?
Trying to work out which way is best...
- /etc/ssh/sshd_config
  using the AllowGroups directive
- /etc/sssd/sssd.config
  using access_provider = simple
  simple_allow_groups
Or is it best to use a combination of both (sssd_ad and allowgroups in ssh)?
Thanks in advance
Responses
Hi Paul, I do not know the answer to your question, but on another note for ssh and security, Facebook just recently released how they control or secure ssh. Check it out @ https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
I am interested if you are using sssd to join the AD domain via an IPA or directly?
As with any "what's the best way" types of questions, the answer relies heavily on what your specific outcome requirements are.
For example, in the environments that I assist with, the primary goal is to limit access to the interactive shell. Access to other service-components is more open-ended. Thus, we tend to implement within the SSH service (and/or any other individual services that need controlled). For our environments, limiting things at the authentication subsystem just really doesn't work for us (end up having to do too many exceptions to standard configs).
Hi Paul, In addition to limiting access using the simple access provider, we are going to manage sshd with ansible. Maybe this solution could serve you as well.
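The two options from the question, evaluated together per user, as an added example that is not code from any poster in this thread: it shows who can log in over SSH when both AllowGroups and simple_allow_groups are set. Assumptions: sshd runs with UsePAM yes and pam_sss in its account stack, group names are matched exactly (no patterns, no Match blocks), and all group, user and domain names are constructed.

```python
import configparser

# Constructed sample configs for illustration; group and domain names are made up.
SSHD_CONFIG = """\
UsePAM yes
AllowGroups linux-admins dba-team
"""
SSSD_CONF = """\
[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins, web-ops
"""

def sshd_allow_groups(text):
    """Names from AllowGroups lines; None means sshd applies no group restriction."""
    found = None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == "allowgroups":
            found = (found or set()) | set(parts[1:])
    return found

def sssd_allow_groups(text, domain):
    """Names from simple_allow_groups; None if the simple provider is not restricting by group."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["domain/" + domain]
    if sec.get("access_provider", "permit") != "simple":
        return None
    names = {g.strip() for g in sec.get("simple_allow_groups", "").split(",") if g.strip()}
    return names or None

def evaluate(user_groups, sshd, sssd):
    """Return (passes_sshd, passes_sssd, ssh_login_allowed) for one user's group set."""
    ok_sshd = sshd is None or bool(user_groups & sshd)
    ok_sssd = sssd is None or bool(user_groups & sssd)
    return ok_sshd, ok_sssd, ok_sshd and ok_sssd

# Constructed users and group memberships.
USERS = {
    "alice": {"linux-admins"},
    "bob": {"dba-team"},              # allowed by sshd, rejected by SSSD
    "carol": {"web-ops"},             # passes SSSD (other PAM services), rejected by sshd
    "dave": {"dba-team", "web-ops"},  # passes each layer through a different group
}

def report():
    sshd = sshd_allow_groups(SSHD_CONFIG)
    sssd = sssd_allow_groups(SSSD_CONF, "example.com")
    return {user: evaluate(groups, sshd, sssd) for user, groups in USERS.items()}

if __name__ == "__main__":
    for user, result in report().items():
        print(user, result)
```

The "dave" case is why comparing the two group lists by name is not enough: no single group appears in both lists for him, yet he passes both checks.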
