{"id":75013,"date":"2023-06-05T13:09:42","date_gmt":"2023-06-05T17:09:42","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&p=75013"},"modified":"2024-11-15T12:11:59","modified_gmt":"2024-11-15T17:11:59","slug":"configure-ssh-settings","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/configure-ssh-settings","title":{"rendered":"Configure SSH Settings"},"content":{"rendered":"\n
For Linux systems, JumpCloud writes to /etc/ssh/sshd_config in order to manage the sshd configuration. If exceptions are needed, it’s recommended to use the conditional Match block. Anything within a Match block will be ignored by the JumpCloud agent. See Using the Match Block in sshd_config below.

When a Linux device is registered, JumpCloud will persist the original sshd_config settings via sshd extended test mode, which will detect all settings for the root user. Once JumpCloud manages the device, the settings in the Admin Portal will be periodically enforced.

Note on the Allow SSH Root Login setting: sshd_config PermitRootLogin typically has four permissible values: yes, prohibit-password, forced-commands-only, or no. JumpCloud will only support yes or no values, and it is our policy to convert any non-yes value to no. If you want to enforce one of the other permissible values, it’s recommended to use the conditional Match block to override the enforced value. See the man page for your particular distribution to confirm permissible values and the default setting.

The following is a list of the possible settings, the corresponding changes made to sshd_config, and the expected behavior.

SSH Password Login

Expected Behavior: Users will authenticate with password only.

To enable SSH Password Login:

/etc/ssh/sshd_config:

ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication no
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Public Key Authentication

Expected Behavior: Users will authenticate with public key only.

To enable Public Key authentication:

/etc/ssh/sshd_config:

ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no

SSH Password Login + Public Key Authentication

Expected Behavior: When Public Key Authentication is selected in conjunction with Allow SSH Password Login, users will be able to authenticate using either of the selected options.

Note: Allow SSH Password Login and Enable Public Key Authentication cannot both be enabled if MFA is also enforced.

/etc/ssh/sshd_config:

ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication yes

SSH Password Login + MFA

Expected Behavior: Users will authenticate with password and TOTP token (when the TOTP Key is activated). See Enabling TOTP MFA for Linux.

/etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication no
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Public Key Authentication + MFA

Expected Behavior: Users will authenticate with public key and TOTP token (when the TOTP Key is activated). See Enabling TOTP MFA for Linux.

/etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

Using the Match Block in sshd_config

Match is an optional, conditional block in the sshd_config, and may be used to satisfy use cases that the agent does not. The agent will not overwrite a Match block. For detailed information, see the man page for your particular distro. Append a Match block to the end of the file.

Be sure to restart sshd after making any config changes so that they take effect.

In this example, require all users to use both a password AND a public key:

BeginGlobalExceptions
Match All
PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods password,publickey
GlobalExceptionsEnd

Automate change distribution to many devices

In order to apply this to many devices at once, the Commands function can be leveraged in the JumpCloud Admin Portal.

Considerations:

To apply to multiple devices in Commands:

Configuring SSH Settings at Scale

In order to make changes to existing systems’ ssh settings at scale, below are examples of two tools that allow for finding any system based on filter parameters, and then setting the desired parameters. In both examples, we’re filtering on the following settings:

Depending on the current settings of the system, one or more parameters may need to be set to false. In both examples, any system found will be set to only require public key authentication unless the parameter values are changed.

Using the PowerShell Module