Restrictions to System Administration
Secure system administration is the traditional use case for Secure Shell.
Disabling Root Login
Usually, allowing direct root logins from the network is a bad idea. It
is better to use forced commands to automate tasks requiring privileges
(described in Section Forced Commands below), and to make people use
sudo to elevate their privileges when they need them.
In addition to
DenyUsers, you can
easily disable root logins with passwords (Section Configuring Root Logins). Put the following to
Because root logins with public keys remain allowed, jobs automated with forced commands will still work.
Disabling Tunneling
If you are sure you or your users do not need to create tunnels
(possibly going around firewall restrictions or such), you can disable
tunneling (port forwarding) altogether by adding the following to your
If you need more fine-grained control, consider using
AllowTcpForwardingForUsers (and the related keywords). You can even allow and deny
tunnels based on originator and destination (IP address and port). See Tunneling.
Disabling Terminal Access
If you only want to enable file transfers or tunneling for users in group
users, you can disable terminal access by adding the following to your
Other related keywords that can be used are:
It is also recommended to deny agent forwarding if terminal access is denied in
Note that the users will still be able to use SFTP and any other subsystems defined in the
SSH Tectia Server configuration. All other "exec" and "shell" requests will be denied for
these users. This includes forced commands with public keys (described in Section
Forced Commands) and legacy-style password changing when it is performed as a forced command.
Forced Commands (with Public Keys)
If you have maintenance jobs requiring non-interactive access to your
server, use public-key authentication and forced commands. This way, if
the private key is compromised, the key cannot be used to perform
anything other than the predetermined command on the
server. (This is, of course, also bad, but it would be worse if
the attacker gained unrestricted access to the server.)
Do not use the root account for jobs where it is not absolutely necessary.
You can set up a forced command in the authorization file. For example:
options command="tar zcvf - /usr/local"
On a successful login with backup-key.pub this runs the backup job
(a gzipped tar archive of /usr/local written to standard output, which the
SSH connection carries back to the client) regardless of the command the
client asked for. Note that the archive must be created (tar c) on the
server side; an extracting command (tar x) reading from standard input
would let the key holder write arbitrary files under /usr/local instead.
You can also use the command that was given on the client command line:
the server passes it to the forced command in the SSH2_ORIGINAL_COMMAND
environment variable. With the forced command
options command="echo $SSH2_ORIGINAL_COMMAND"
the client command
% ssh2 localhost kukkuu
prints kukkuu, the string the client supplied, instead of executing it.
For more information on the public-key options in the authorization file,
see Using the Authorization File.
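The echo example above shows that a forced command can read the client's request from SSH2_ORIGINAL_COMMAND; the usual practitioner pattern is to use that string only to choose between a few canned jobs, never to execute it. The following script is an added example of that dispatching pattern and is not code from the SSH Tectia documentation. It assumes the script is installed as /usr/local/bin/job-dispatch and set as the key's forced command in the authorization file; the job names, paths and the use of logger are assumptions.

```shell
#!/bin/sh
# Added example, not code from the SSH Tectia documentation: a wrapper
# installed as the forced command for a key, e.g. in the authorization file
#   options command="/usr/local/bin/job-dispatch"
# (the path is an assumption). It reads the command the client asked for
# from SSH2_ORIGINAL_COMMAND and runs only a fixed job matching it, so a
# stolen key yields one of a few canned commands, never a shell.

# dispatch_job TOKEN
# Prints the fixed command for an allow-listed token and returns 0; returns 1
# for anything else, including empty input, extra arguments or shell
# metacharacters. The token is only compared, never evaluated, so
# "backup-etc; rm -rf /" is simply an unknown token.
dispatch_job() {
    case "$1" in
        backup-local) echo "tar zcf - /usr/local" ;;
        backup-etc)   echo "tar zcf - /etc" ;;
        disk-usage)   echo "df -k" ;;
        *)            return 1 ;;
    esac
}

# Entry point when the server runs this script as a forced command.
# SSH2_ORIGINAL_COMMAND is set only in that situation, so sourcing the file
# elsewhere (for instance to test dispatch_job) runs nothing. If the client
# sent no command at all, the variable is empty and nothing is run either.
if [ -n "${SSH2_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(dispatch_job "$SSH2_ORIGINAL_COMMAND"); then
        logger -t job-dispatch "running '$cmd' for ${USER:-unknown}" 2>/dev/null || true
        # Word-splitting $cmd is intended: it is our own fixed string.
        exec $cmd
    fi
    logger -t job-dispatch "rejected request '$SSH2_ORIGINAL_COMMAND'" 2>/dev/null || true
    echo "command not permitted" >&2
    exit 1
fi
```

The client then runs, for example, ssh2 backup-host backup-etc and receives the archive on standard output, while ssh2 backup-host "cat /etc/shadow" is refused and logged. Remember the caveat below: if the key's user or group is denied terminal access, this forced command is denied as well.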
Note that if the user or the user's group has been denied terminal
access (with Terminal.DenyGroups or the related keywords), forced commands
will also be denied.
Restricting Connections
SSH Tectia Server can be configured to reject connection attempts from unknown
hosts. For example, the following allows connections only from the
10.1.0.0/16 network (addresses 10.1.*) and from one external
host with the IP address
See Section Restricting User Logins for the regular expression syntax used in
host patterns and for more configuration examples and options.
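Host patterns are regular expressions, and the classic mistake is to write the address as if it were a glob: in a regular expression an unescaped dot matches any character, so 10.1.* allows far more than the 10.1.0.0/16 network. The following shell snippet is an added example, not code from the SSH Tectia documentation, for checking a candidate pattern against sample addresses with grep -E before it goes into the configuration. It assumes egrep-style pattern syntax, as in the section referred to above; the patterns and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the SSH Tectia documentation: test a host pattern
# against constructed client addresses with grep -E before deploying it.
# The unescaped pattern 10.1.* reads as "10", any character, "1", anything,
# so it also matches 10.10.0.5, 10.100.3.7 and 110.1.2.3; the escaped and
# anchored form matches only addresses inside 10.1.0.0/16.

# host_matches PATTERN ADDRESS: return 0 if ADDRESS matches the egrep PATTERN.
host_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# count_matches PATTERN ADDR...: print how many of the addresses match.
count_matches() {
    pat=$1; shift
    n=0
    for a in "$@"; do
        if host_matches "$pat" "$a"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Sloppy glob-like pattern versus an anchored pattern with escaped dots.
SLOPPY='10.1.*'
STRICT='^10\.1\.[0-9]{1,3}\.[0-9]{1,3}$'

# One address inside 10.1.0.0/16 and two outside it that share the text "10.1".
count_matches "$SLOPPY" 10.1.60.25 10.10.0.5 10.100.3.7   # prints 3
count_matches "$STRICT" 10.1.60.25 10.10.0.5 10.100.3.7   # prints 1
```

Because the sloppy pattern is also unanchored, it matches any address that merely contains "10.1" somewhere, such as 110.1.2.3; escape every dot and anchor the pattern with ^ and $ so the allow list covers exactly the network you intend.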
On systems with several network interfaces, SSH Tectia Server can also be bound to a
specific network interface so that the server can only be accessed from
the intended network. For example, the following binds the listener to the
address 10.1.60.25 on port 2222:
Auditing
SSH Tectia Server logs are essential for auditing. They also provide
troubleshooting information, for example when user authentication fails
and a user is unable to log in. See Section Auditing for more information.
Banner Message
It is recommended to notify users, before they log in, that
their actions are logged; in some jurisdictions this is required.
To display, for example, the following text to users before login, save the
banner message to a file and refer to that file by name in the server configuration:
Unauthorized use of this system is prohibited.
All actions are logged.