We are in the process of disabling local account SSH logins completely in our environment for all Linux servers. We were able to do this with a combination of DSC and Azure Policy, which is all working fine.
Now the problem is that we are disabling UIDs from 1000 and above, assuming that those below 1000 will be used for system accounts (e.g. Apache, Nginx, Postgres). However, users can also create user accounts with a UID less than 1000 and bypass our policy. Please suggest any workarounds here to target all local accounts without disturbing any running services. We asked teams to replace local accounts with service principals if there is any legitimate requirement for the use of local users.
There are multiple ways to deny local users access. I'd like to understand which is the most effective or recommended approach among the following options:
1) Add denyusers list on /etc/ssh/sshd_config
2) Add a denyusers list in access.conf
3) Set nologin as the shell for all local accounts in /etc/passwd
We are disabling local accounts by adding the lines below, and users will log in via Azure RBAC with Entra using the extension "AADSSHLoginForLinux":
#added by guestconfiguration
Match User *
DenyUsers user1 user2 ...
#end of match by guestconfiguration
I am not a great expert in Linux environments, so any suggestions here will be much appreciated.
Thanks
Kal
Asked by Dev Reddy
(21 rep)
Jun 15, 2025, 02:46 AM
Last activity: Jun 16, 2025, 01:44 PM
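The gap the question describes (a UID threshold missing service accounts that still have an interactive shell) can be audited directly from /etc/passwd by keying on the login shell rather than the UID. The script below is an added example, not from the original post or from Azure's guest configuration tooling; it runs against a constructed passwd sample embedded inline, and the function names and the sample accounts are assumptions.

```shell
#!/bin/sh
# Audit a passwd file for accounts that can still log in interactively,
# regardless of UID, so a "UID >= 1000" rule alone does not miss them.

# Constructed sample passwd content (not taken from any real host).
# Note: postgres (UID 116) and svcuser (UID 999) have real shells and
# would slip past a threshold-only policy; deploy (UID 1001) cannot log in.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:116:122:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svcuser:x:999:999:Service account with shell:/home/svcuser:/bin/sh
kal:x:1000:1000:Kal:/home/kal:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/usr/sbin/nologin
EOF
)

# Print one account name per line for every entry whose login shell is
# not nologin/false. Root (UID 0) is skipped so break-glass access via the
# console is left alone; drop the "$3 != 0" clause to include it.
login_capable_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Turn a newline-separated account list into a single sshd_config
# DenyUsers line, so the list is derived from the shells actually present
# instead of a fixed UID range.
deny_users_line() {
    printf 'DenyUsers %s\n' "$(printf '%s\n' "$1" | tr '\n' ' ' | sed 's/ *$//')"
}

# Run the audit over the constructed sample and show the resulting line.
accounts=$(login_capable_accounts "$SAMPLE_PASSWD")
printf 'Accounts with an interactive shell:\n%s\n' "$accounts"
deny_users_line "$accounts"
```

On a real host, pass the contents of /etc/passwd (for example `login_capable_accounts "$(cat /etc/passwd)"`) and review the list before adding it to sshd_config, since any account that appears here is one a running service might still use for cron or su.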