SSH Server Configuration
The revised campus Minimum Security Standards for Network Devices (MSSND) (effective Jan 1, 2022; to be implemented by Dec 31, 2022) includes restrictions on acceptable use of remote interactive shells. Ideally, some form of multi-factor authentication (MFA) should be used for any remote access, to help prevent attacks via compromised credentials.
At the end of the Fall 2022 semester, IRIS will begin blocking incoming SSH connections from off-campus, except to those machines registered with us as approved SSH servers. Such machines should use one of the “Approved SSH Server Configurations for use from off-campus” described below.
This means that simply starting an SSH server on your machine will no longer be sufficient to allow remote access to it from anywhere. If you require SSH access from off-campus, you will also need to use one of the following configurations approved for use from off-campus, and update the machine’s network registration to indicate that it’s an SSH server with an approved configuration.
Recommended SSH Server Configuration
Use the default!
Hosts should generally not allow SSH connections from off-campus.
By default, our firewall will block SSH connections from off-campus, so SSH connections will only be allowed from other campus or VPN hosts (making it easy for Berkeley folks to connect from anywhere). No special configuration of sshd is needed, and there is no need to request that SSH be exposed to the internet when you register your device for use on EECS networks.
Approved SSH Server Configurations for use from off-campus
For hosts that must have SSH service exposed to the internet, one of the following configurations may be used. We also strongly recommend using something like fail2ban on such hosts, to help prevent brute-force attacks. These configurations are considered “unit approved” for the purposes of MSSND.