Configure the SSH Library Item

Learn how to configure and manage the SSH server and client on macOS.

Adding the SSH library item to your Library

  1. Navigate to Library in the left-hand navigation bar.
  2. Select Add New in the upper right-hand corner.
  3. Scroll down to the Profiles section and select SSH.
  4. Click Add & Configure.

Configuring the SSH Library item

Configure SSH according to your organization’s security tolerances under the General section of the SSH library item. Alternatively, follow the guidance below to meet NIST or STIG requirements. If you need to meet CIS Level 1 requirements and the organization is not using a CIS Level 1 Blueprint, turn SSH server availability off on macOS.

  1. Add a descriptive title in the Add a title field.
  2. Assign the SSH library item to a Blueprint in the Select Blueprint dropdown.
  3. Select SSH server availability.
  4. Click on On.
  5. Select Challenge-response authentication.
  6. Click on On.
  7. Select Root login.
  8. Click on Off.
  9. Select SSH login banner.
  10. Click on On.
  11. Enter a custom Banner text per your organization’s security policy. You may also use the default text.
  12. Select Login attempt grace period.
  13. Ensure that the login attempt timeout is set to 30 seconds.
  14. Select Session timeout.
  15. Ensure that the session timeout is set to 900 seconds.
  16. Select Maximum alive count.
  17. Ensure that the alive count is set to 0 messages.
  18. Select Remove non-FIPS Ciphers.
  19. Select Remove non-FIPS Message Authentication Codes.
  20. Select Use secure key exchange algorithms.
  21. Click Save.

Note: The /etc/ssh/ssh_config and /etc/ssh/sshd_config config files may return to their default values upon any update or major upgrade. However, the Kandji agent will automatically remediate and set the corresponding values defined in the SSH library item.
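As an added check that is not part of the Kandji documentation: the script below audits a `sudo sshd -T` dump from a Mac against the values the steps above configure, which is a quick way to confirm the agent's remediation after an OS update. The mapping from the library item's fields to OpenSSH keywords (PermitRootLogin, LoginGraceTime, ClientAliveInterval, ClientAliveCountMax, Banner, Ciphers) is an assumption, since the page does not name the keywords, and the sample dump is constructed.

```shell
#!/bin/sh
# Audit an "sshd -T" dump (lowercase "keyword value" lines, as printed by
# `sudo sshd -T` on macOS) against the values the SSH library item sets.
# ASSUMPTION: the item's fields map to these OpenSSH keywords, e.g.
# "Session timeout" -> ClientAliveInterval; the page does not name them.

# Print the value of one keyword from the dump, lowercased; empty if absent.
sshd_value() {
  awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# Print one line per deviation from the expected settings; nothing if compliant.
sshd_findings() {
  cfg="$1"
  [ "$(sshd_value "$cfg" permitrootlogin)" = "no" ] \
    || echo "PermitRootLogin: expected no"
  [ "$(sshd_value "$cfg" logingracetime)" = "30" ] \
    || echo "LoginGraceTime: expected 30"
  [ "$(sshd_value "$cfg" clientaliveinterval)" = "900" ] \
    || echo "ClientAliveInterval: expected 900"
  [ "$(sshd_value "$cfg" clientalivecountmax)" = "0" ] \
    || echo "ClientAliveCountMax: expected 0"
  case "$(sshd_value "$cfg" banner)" in
    ""|none) echo "Banner: expected a banner file" ;;
  esac
  # chacha20-poly1305 and arcfour are not FIPS-approved ciphers.
  case "$(sshd_value "$cfg" ciphers)" in
    *chacha20*|*arcfour*) echo "Ciphers: non-FIPS cipher still enabled" ;;
  esac
}

# Number of findings as a single integer (0 means the dump matches).
sshd_finding_count() {
  sshd_findings "$1" | awk 'END { print NR }'
}

# Constructed sample dump (not captured from a real host): a Mac on which the
# Blueprint has not yet applied the item, so the values are still defaults.
SAMPLE_DUMP="${TMPDIR:-/tmp}/sshd_sample_$$.txt"
cat > "$SAMPLE_DUMP" <<'EOF'
permitrootlogin yes
logingracetime 120
clientaliveinterval 0
clientalivecountmax 3
banner none
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
EOF

# Audit the file given as the first argument, or the sample when none is given.
sshd_findings "${1:-$SAMPLE_DUMP}"   # the sample yields six findings
```

To audit a real host, capture `sudo sshd -T > dump.txt` on the Mac and pass `dump.txt` as the first argument.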