Configure SSH Settings

For Linux systems, JumpCloud writes to /etc/ssh/sshd_config in order to manage the sshd configuration. If exceptions are needed, it's recommended to use the conditional Match block. Anything within a Match block will be ignored by the JumpCloud agent. See Using the Match Block in sshd_config below.

When a Linux device is registered, JumpCloud will persist the original sshd_config settings via sshd extended test mode, which will detect all settings for the root user. Once JumpCloud manages the device, the settings in the Admin Portal will be periodically enforced.

Note:

Note on the Allow SSH Root Login setting: sshd_config PermitRootLogin typically has four permissible values: yes, prohibit-password, forced-commands-only, or no. JumpCloud will only support yes or no values, and it is our policy to convert any non-yes value to no. If you want to enforce one of the other permissible values, it's recommended to use the conditional Match block to override the enforced value.  See the man page for your particular distribution to confirm permissible values and the default setting.

The following is a list of the possible settings, the corresponding changes made to sshd_config, and the expected behavior. 

SSH Password Login

Expected Behavior: Users will authenticate with password only.

To enable SSH Password Login:

  1. Go to DEVICE MANAGEMENT > Devices.
  2. Select a device. 
  3. Under the device Details tab, scroll to SSH Settings.
  4. Select the Allow SSH Password Login option.
  5. Save Device.

/etc/ssh/sshd_config:

ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication no
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

Public Key Authentication

Expected Behavior: Users will authenticate with public key only.

To enable Public Key authentication:

  1. Go to DEVICE MANAGEMENT > Devices.
  2. Select a device. 
  3. Under the device Details tab, scroll to SSH Settings.
  4. Select the Enable Public Key Authentication option.
  5. Save Device.

/etc/ssh/sshd_config:

​​ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile     .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no​

SSH Password Login + Public Key Authentication

Expected Behavior: When Public Key Authentication is selected in conjunction with Allow SSH Password Login, users will be able to authenticate using either of the selected options.

Note: Allow SSH Password Login and Enable Public Key Authentication cannot both be enabled if MFA is also enforced.

/etc/ssh/sshd_config:

​​ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile     .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication yes​

SSH Password Login +  MFA

Expected Behavior: Users will authenticate with password and TOTP token (when the TOTP Key is activated). See Enabling TOTP MFA for Linux.

/etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yesPubkeyAuthentication no
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

Public Key Authentication + MFA

Expected Behavior:  Users will authenticate with public key and TOTP token (when the TOTP Key is activated). See Enabling TOTP MFA for Linux.

/etc/ssh/sshd_config:

​​ChallengeResponseAuthentication yes
UsePAM yes
AuthorizedKeysFile     .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

Using the Match Block in sshd_config

Match is an optional, conditional block in the sshd_config, and may be used to satisfy use cases that the agent does not. The agent will not overwrite a Match block. For detailed information, see the man page for your particular distro. Append a Match block to the end of the file.

Important:

Be sure to restart sshd after making any config changes so that they take effect.

In this example, require all users to use both a password AND a public key:

BeginGlobalExceptions
Match All
PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods password,publickey
GlobalExceptionsEnd

Automate change distribution to many devices

In order to apply this to many devices at once, the Commands function can be leveraged in the JumpCloud Admin Portal.

Considerations:

  • Before running this across many systems, test the process on a small number of systems to manually verify desired behavior has been achieved.
  • This will not work with very old versions of sshd. In testing, we found the parameters needed for the exception were not honored with OpenSSH 5.x.
  • The script expects your sshd service to be called sshd. If it is not, modify lines 27 and 29 with the appropriate name of the service.
  • Appending the Match block to the end of the config is one way, and does not check to see if there are conflicting Match blocks. This method should work for most implementations, but testing before mass deployment is recommended.
  • The Match block in this script contains the above conditions. If there are other conditions required for your environment, change them as needed.

To apply to multiple devices in Commands:

  1. Copy the contents of the script to a local file.
  2. In the JumpCloud Admin Portal, create a new command. See Get Started: Commands.
  3. Upload the file created in step 1.
  4. Enter the path to the file in the command for execution. This is /tmp/FILENAME by default
  5. Select the desired device or device groups to apply the command to and save.
  6. When ready, select the new command and select run now.
  7. This command should return exit 0. Depending on the Linux flavor, there may also be some stdout in the logs section.

Configuring SSH Settings at Scale

In order to make changes to existing systems' ssh settings at scale, below are examples of two tools that allow for finding any system based on filter parameters, and then setting the desired parameters. In both examples, we're filtering on the following settings:

  • allowSshPasswordAuthentication
  • allowPublicKeyAuthentication
  • allowMultiFactorAuthentication

Depending on the current settings of the system, one or more parameters may need to be set to false. In both examples, any system found will be set to only require public key authentication unless the parameter values are changed. 

Using the PowerShell Module

See the Support Wiki for PowerShell Module basics.

Get-JCSystem -allowSshPasswordAuthentication $true -allowMultiFactorAuthentication $true -allowPublicKeyAuthentication $true | Set-JCSystem -allowSshPasswordAuthentication $false -allowMultiFactorAuthentication $false -allowPublicKeyAuthentication $true

To change the filter parameters, set one or more boolean values to false on the Get-JCSystem side of the operation. To change the settings being applied, set one or more of the boolean values on the Set-JCSystem side of the operation. Results are printed to screen.

Using Bash

setSshParams.sh

To change the filter parameters, set one or more boolean values to false within the getSystems function. To change the settings being applied, set one or more of the boolean values in the putSystemParams function. When the script runs, a file called results will be generated in the current working directory containing the output of the API call in putSystemParams. This will allow for checking that changes were made as expected.

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case