SSH Configuration Guide for Gentoo Infrastructure Servers

Kurt Lieber Author

Updated 06 July, 2003

1. Gentoo Infrastructure guidelines for running SSH

SSH is currently the only approved method of obtaining a remote shell on a server. rsh, telnet and other insecure methods are not allowed. When configuring SSH, the following guidelines should be adhered to:

SSHv2 only -- never configure sshd to support version 1 of the SSH protocol. It has known weaknesses with the way it encrypts data.
DSA keys -- DSA keys are preferred over RSA keys
No root login -- remote root login is not allowed. Users should login using their regular ID and then use sudo and/or su
No password authentication -- where possible users should be required to use DSA keys to authenticate.

Note: Unless specified above, the default values used in /etc/ssh/sshd_config are acceptable and should not be overridden without prior approval from the Gentoo Infrastructure project manager.

Sample sshd_config file

Here is a sample /etc/ssh/sshd_config file which may be used to quickly set up SSH on a new Gentoo Infrastructure server.

Code Listing 1.1: /etc/ssh/sshd_config

Port 22
Protocol 2
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PAMAuthenticationViaKbdInt no
Compression yes
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 4

Note: In the example above, password authentication has been disabled in favor of key-based authentication.

Note: Where server resources (especially CPU utilization) are limited, compression may be set to 'no' to prevent the server from dedicating CPU cycles to compressing data sent to clients