SSH Configuration Guide for Gentoo Infrastructure Servers

1.  Gentoo Infrastructure guidelines for running SSH

General Guidelines

SSH is currently the only approved method of obtaining a remote shell on a server. rsh, telnet and other insecure methods are not allowed. When configuring SSH, the following guidelines should be adhered to:

  • SSHv2 only -- never configure sshd to support version 1 of the SSH protocol. It has known weaknesses in the way it encrypts data.
  • DSA keys -- DSA keys are preferred over RSA keys.
  • No root login -- remote root login is not allowed. Users should log in using their regular ID and then use sudo and/or su.
  • No password authentication -- where possible, users should be required to use DSA keys to authenticate.

Note: Unless specified above, the default values used in /etc/ssh/sshd_config are acceptable and should not be overridden without prior approval from the Gentoo Infrastructure project manager.

Sample sshd_config file

Here is a sample /etc/ssh/sshd_config file which may be used to quickly set up SSH on a new Gentoo Infrastructure server.

Code Listing 1.1: /etc/ssh/sshd_config

# Listen on the standard port.
Port 22
# SSHv2 only; never "2,1", which would still offer the weak SSHv1 protocol.
Protocol 2
# Ephemeral server key size; only used by SSHv1 and therefore inert with Protocol 2.
ServerKeyBits 2048
# Send login records to the AUTH facility at INFO level.
SyslogFacility AUTH
LogLevel INFO
# Disconnect clients that have not authenticated within 60 seconds.
LoginGraceTime 60
# No remote root login; use sudo and/or su after logging in as a regular user.
PermitRootLogin no
# SSHv1 RSA authentication off; SSHv2 public keys are what is used.
RSAAuthentication no
PubkeyAuthentication yes
# Key-based authentication only: no passwords, and never empty passwords.
PasswordAuthentication no
PermitEmptyPasswords no
# Do not let PAM accept passwords through keyboard-interactive authentication
# (option of OpenSSH 3.x; later releases replaced it with UsePAM and
# ChallengeResponseAuthentication).
PAMAuthenticationViaKbdInt no
# Compression trades CPU for bandwidth; see the note below.
Compression yes
# Detect dead connections: TCP keepalives (renamed TCPKeepAlive in later
# OpenSSH releases) plus protocol-level client-alive probes every 30 seconds,
# dropping the session after 4 unanswered probes.
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 4

Note: In the example above, password authentication has been disabled in favor of key-based authentication.

Note: Where server resources (especially CPU utilization) are limited, compression may be set to 'no' to prevent the server from dedicating CPU cycles to compressing data sent to clients.
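The guidelines above and the sample file are easy to drift from over time (a stock sshd_config re-enables password logins, or a second "Protocol 2,1" line sneaks in). The following script, an added example that is not part of the Gentoo guide, audits a sshd_config against the guidelines that can be checked mechanically: Protocol 2, PermitRootLogin no, PubkeyAuthentication yes, PasswordAuthentication no and PermitEmptyPasswords no. The function names (sshd_config_value, expect_directive, audit_sshd_config, demo_audit) are chosen for this example; the reader mimics sshd's rule that the first uncommented occurrence of a keyword wins, and it assumes the "Keyword value" form without Match blocks. An unset directive is treated as a failure, because sshd defaults differ between releases and the guide sets each of these explicitly.

```shell
#!/bin/sh
# Added example (not from the Gentoo guide): audit an sshd_config file against
# the Gentoo Infrastructure SSH guidelines. POSIX sh + awk only.

# Print the effective value of one directive. Keywords are case-insensitive,
# comment lines are skipped, and the FIRST uncommented occurrence wins, which is
# how sshd itself resolves duplicates. Match blocks are not handled (assumption).
sshd_config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare the effective value of a directive with what the guideline requires.
# Counts a mismatch in AUDIT_FAILURES; an unset directive is a failure too,
# because sshd defaults change between releases and the guide is explicit.
expect_directive() {
    file=$1 key=$2 want=$3 why=$4
    have=$(sshd_config_value "$file" "$key" | tr 'A-Z' 'a-z')
    if [ "$have" != "$want" ]; then
        printf 'FAIL %-24s have=%-6s want=%-4s (%s)\n' "$key" "${have:-unset}" "$want" "$why"
        AUDIT_FAILURES=$((AUDIT_FAILURES + 1))
    else
        printf 'ok   %-24s %s\n' "$key" "$have"
    fi
}

# Audit one file; exit status is the number of violated guidelines (0 = compliant).
audit_sshd_config() {
    AUDIT_FAILURES=0
    expect_directive "$1" Protocol 2 'SSHv2 only; "2,1" would still offer SSHv1'
    expect_directive "$1" PermitRootLogin no 'no remote root login; use sudo/su'
    expect_directive "$1" PubkeyAuthentication yes 'key-based logins must stay enabled'
    expect_directive "$1" PasswordAuthentication no 'keys instead of passwords'
    expect_directive "$1" PermitEmptyPasswords no 'never accept empty passwords'
    return "$AUDIT_FAILURES"
}

# Demonstration on two constructed sshd_config files (not real server configs):
# one that follows the guide and one with typical violations.
demo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/compliant" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
    cat > "$dir/violating" <<'EOF'
# PermitRootLogin no   (commented out, so it does not count)
Protocol 2,1
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
# The next line is ignored by sshd: the first PasswordAuthentication wins.
PasswordAuthentication no
EOF
    for f in compliant violating; do
        echo "== $f"
        audit_sshd_config "$dir/$f" || echo "   $? guideline(s) violated"
    done
    rm -rf "$dir"
}

# Usage: sh sshd_audit.sh [/etc/ssh/sshd_config]; with no argument, run the demo.
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; else demo_audit; fi
```

Because the exit status is the failure count, the script drops straight into a cron job or a configuration-management post-check; anything other than 0 means the file no longer matches the guidelines. The "first occurrence wins" rule matters in practice: a compliant-looking line appended at the bottom of a file does nothing if an earlier line already set the directive.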

Updated 06 July, 2003

Summary: This guide documents how OpenSSH should be configured on Gentoo Infrastructure servers.

Kurt Lieber
Author

Copyright 2001-2008 Gentoo Foundation, Inc.