Modifying SSH configurations

New Contributor

Anyone ever harden their Macs with a policy that edits the machine sshd_config file to be more hardened?

Forcing Protocol 2, no root logins, etc.


Contributor II

Dear dmarcantonio:

I did a little work with it a while ago after some students were logging in via ssh with their iPods and sending commands to the computer to say profane things. I just did some basic stuff, but below are some of the settings I put on the sshd_config file. I never actually ended up using it with Casper, but it could easily be captured using Casper Composer or applied some other way. Anyway, maybe it will at least spark an idea or two:


  1. Source PC or Mac (The PC running as the ssh client)
  2. Destination Mac (The Mac to be ssh’d into)
  3. Intermediate knowledge of the command-line interface (CLI)
  4. Familiarity with OS X and Windows
  5. (optional) PuTTY
  6. Ability to use a text editor to edit config files

Conceptual Overview

  1. Allow only certain users access to ssh
  2. Create a banner message to deter users from malicious acts
  3. Enable the banner so that users will see it if they try to connect
  4. Make certain SSH-1 is disabled
  5. Disable access to accounts without passwords

Allow Only Certain Users to Login Via ssh

  1. On the Destination Mac, type `sudo cp /etc/sshd_config /etc/sshd_config.bak` to make a backup of the ssh server config file, in case any mistakes are made
  2. Enter a password, if prompted
  3. Open /etc/ssh_config in a text editor
  4. Type `AllowUsers <username(s)>` under the #Authentication section, replacing <username(s)> with one or more user names separated by spaces

Note: DenyUsers can be used instead of AllowUsers. The syntax will be the same

  5. Save the file
  6. Try ssh’ing into the Mac as a user not on the list, to be certain it is working

Create Banner Message to Deter Users from Malicious Acts

  1. On the Destination Mac, create the file /etc/issue
  2. Leave a few blank lines at the beginning and end of this file

Note: This will help make the banner message more visible to the user

  3. Save the file

/etc/issue example 1

This computer can and will be electronically monitored and/or electronically recorded. If you are seeing this message, you are attempting to access an area that may have severe consequences if you are not an authorized user.

Enable the Banner so People will See it when Trying to Login

  1. On the Destination Mac, open /etc/ssh_config in a text editor
  2. Uncomment the line #Banner none and modify it to be `Banner /etc/issue`

Note: This will import the /etc/issue file created in the previous step.

Note: To change the message, always edit /etc/issue. The changes will take effect when the file is saved.

Disable SSH-1 (most likely it is already off by default)

  1. On the Destination Mac, open /etc/ssh_config in a text editor
  2. Make certain only Protocol 2 is uncommented
  3. Save the file, if necessary

Disable Access to Accounts without Passwords

  1. On the Destination Mac, open /etc/ssh_config in a text editor
  2. Uncomment the line #PermitEmptyPasswords no
  3. Save the file
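
A read-only check for the settings walked through in the post above, added as an example and not part of the original post. It takes the path to the server configuration file as its argument and reports which of the steps (user restriction, banner, Protocol 2, PermitEmptyPasswords no) are not in effect; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): read-only audit of an sshd config file.

# Print the value in effect for keyword $2 in file $1. Commented-out lines do
# not count, keywords are case-insensitive, and the first occurrence wins.
# Assumes "Keyword value" lines; stops at the first Match block, since the
# lines after it are conditional.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# One line per finding on stdout. Returns 0 if clean, 1 if findings, 2 on error.
audit_sshd_config() {
    cfg=$1
    findings=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    users=$(effective_value "$cfg" AllowUsers)$(effective_value "$cfg" DenyUsers)
    if [ -z "$users" ]; then
        echo "AllowUsers/DenyUsers: no user restriction is set"; findings=1
    fi

    case "$(effective_value "$cfg" Banner)" in
        "" | none) echo "Banner: no banner file is enabled"; findings=1 ;;
    esac

    proto=$(effective_value "$cfg" Protocol)
    case "$proto" in
        2) ;;
        "") echo "Protocol: line is missing or commented out"; findings=1 ;;
        *) echo "Protocol: '$proto' is not limited to 2"; findings=1 ;;
    esac

    empty=$(effective_value "$cfg" PermitEmptyPasswords)
    case "$empty" in
        no) ;;
        "") echo "PermitEmptyPasswords: line is missing or commented out"; findings=1 ;;
        *) echo "PermitEmptyPasswords: set to '$empty'"; findings=1 ;;
    esac
    return "$findings"
}
```

Running it against the backup copy and the edited file shows which lines were still commented out after the edit.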