Sunday, September 11, 2011

Recommended sshd_config for OpenSSH

There are a few settings in /etc/ssh/sshd_config we can set to improve security, performance and user experience. Much of this information comes from SSH The Secure Shell, 2nd Edition from O'Reilly.

1. Use the SSH-2 protocol and disable the SSH-1 protocol altogether
Protocol 2

2. Ensure that the HostKey and PidFile are located on the machine's local disk and not on an NFS mount. The default settings already point at local files, like those below
HostKey /etc/ssh/ssh_host_key
PidFile /var/run/sshd.pid

3. File and directory permissions
The StrictModes value requires users to protect their SSH-related files and directories (they must not be writable by other users) or else they will not be able to authenticate. The default value is yes
StrictModes yes

4. Enable KeepAlive messages
Keepalive messages are enabled so that connections to clients that have crashed or become unreachable are terminated, rather than left as orphaned processes that require manual intervention by the sysadmin.
Port 22 
ListenAddress 0.0.0.0
TcpKeepAlive yes

5. Disable Reverse DNS lookup
UseDNS no

6. Select a shorter login grace time
The default login grace time is 2 minutes, which you might want to shorten. The value used here is 30 seconds
LoginGraceTime 30

7. Authentication
The default settings are fine unless you wish to use public-key authentication and disable Kerberos, interactive and GSSAPI authentication
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
RSAAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
IgnoreRhosts yes

8. Access Control
If you wish to allow only selected users or groups to use ssh, you can use
AllowGroups users
AllowUsers me_only
DenyGroups black_list
DenyUsers hacker_id
For more information, see How do I permit specific users SSH access?


9. Securing TCP port forwarding and X forwarding
AllowTcpForwarding yes
X11Forwarding yes
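As an added example (not part of the original post), here is a small Python checker that reads an sshd_config the way sshd reads its global options (keywords are case-insensitive and the first occurrence of a keyword wins, so a later duplicate is silently ignored) and reports every setting that differs from the values recommended above. The sample config and the table of expected values are constructed here; lines after a Match block are skipped because they apply only conditionally.

```python
# Settings recommended above, keywords lower-cased for comparison.
RECOMMENDED = {
    "protocol": "2",
    "strictmodes": "yes",
    "tcpkeepalive": "yes",
    "usedns": "no",
    "logingracetime": "30",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
    "ignorerhosts": "yes",
}

def parse_sshd_config(text):
    """Global options as {keyword: value}; like sshd, the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)  # "Keyword value"; "Keyword=value" not handled
        key = parts[0].lower()
        if key == "match":
            break  # everything after a Match line is conditional, not global
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Deviations as (keyword, found, recommended); found is None when the
    keyword is absent, meaning the compiled-in default applies instead."""
    settings = parse_sshd_config(text)
    return [(k, settings.get(k), v) for k, v in RECOMMENDED.items()
            if settings.get(k) is None or settings[k].lower() != v]

# Constructed sample: PasswordAuthentication appears twice and sshd honours
# the first value, so the audit must report "yes", not the later "no".
SAMPLE = """\
Protocol 2
StrictModes yes
PasswordAuthentication yes
PasswordAuthentication no
UseDNS no
LoginGraceTime 120
Match User backup
    PasswordAuthentication no
"""
```

To check a live host, call audit(open("/etc/ssh/sshd_config").read()) and print the returned tuples; an empty list means every recommended keyword is present with the expected value.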
