A Linux bastion host must be hardened so that root can never log in with SSH, only users who belong to the bastion UNIX group may start an interactive SSH session, and all X11 forwarding over SSH is disabled. After editing /etc/ssh/sshd_config and reloading the service, which group of directives will satisfy all three requirements?
PermitRootLogin no
DenyGroups bastion
X11Forwarding no
PermitRootLogin prohibit-password
AllowUsers %bastion
X11Forwarding no
PermitRootLogin no
AllowGroups bastion
X11Forwarding no
The directive PermitRootLogin no blocks every form of SSH authentication for the root account. AllowGroups bastion tells sshd to accept logins only from users whose primary or supplementary group list includes bastion, rejecting everyone else. X11Forwarding no turns off X-window forwarding entirely. Together, these three lines implement every requirement.
The other sets each miss at least one goal:
Using PermitRootLogin prohibit-password still allows key-based root access.
Prefixing a group with % in AllowUsers %bastion is invalid; AllowUsers matches user names, not groups.
DenyGroups bastion would block the bastion group instead of permitting it.
X11Forwarding yes leaves X11 forwarding enabled even if the other directives are correct.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does the directive 'PermitRootLogin no' do?
Open an interactive chat with Bash
How does 'AllowGroups bastion' restrict access in SSH?
Open an interactive chat with Bash
What is X11 forwarding and why disable it?
Open an interactive chat with Bash
CompTIA Linux+ XK0-006 (V8)
Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access