Template:SSH-Policy

From The Linux Source

SSH server configuration requirements (these settings are incorporated into the company-approved image built from kickstart).

  • Ssh client configuration must not be modified, unless a piece of software requires it in order to function correctly (e.g. Oracle DB software requires creating a local config file, specifically for the oracle user, for the software to function correctly in a multi-server RAC configuration).
  • The standard ssh port must not be used (this minimizes logging noise from scanning/hacking attempts).
  • Ssh protocol version 1, and the related insecure protocol 1 settings, must be disabled.
  • Server keys must be increased to 1024 bits or higher (previously 768).
  • Direct root logins must be disabled (except from the console): the configuration must be set to "PermitRootLogin no", except where locked-down root keys are used for a trusted host or an automated process, in which case the configuration must be set to "PermitRootLogin without-password".
  • Ssh strict modes checking ("StrictModes yes") must be used, except on systems where a monitoring account or script-processing account (like nrpe/applog) accesses an application account (where an app home directory has g+r, which breaks strict mode).
  • The authorized keys filename ("AuthorizedKeysFile .ssh/authorized_keys") must be set and enforced, disallowing the use of an authorized_keys2 file, in order to reduce ambiguity and prevent the use of multiple authorized key files.
  • Insecure host-based authentication mechanisms must be disabled ("RhostsRSAAuthentication no", "HostbasedAuthentication no", "IgnoreUserKnownHosts yes", "IgnoreRhosts yes").
  • Passwordless accounts must not be allowed ("PermitEmptyPasswords no").
  • GSSAPI authentication must be disabled ("GSSAPIAuthentication no"), to prevent login delays and issues.
  • TCP keepalives ("TCPKeepAlive yes") must be enabled, in order to avoid sessions that hang indefinitely.
  • Privilege separation must be enabled ("UsePrivilegeSeparation yes").
  • Ssh must be configured so that sessions time out after a period of inactivity (there are currently issues with this setup).
  • Keys must be locked down so that they are only usable from the single host they were generated on; if the keys are used outside of that host they will not work and are therefore useless (note: some keys are further locked down to specific commands/directories and do not allow shell access at all).
  • X11 forwarding over ssh is enabled, to allow various needed GUI utilities (and for Oracle installs).
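The following is an added example, not part of the wiki page or the company image: a POSIX sh script that audits an sshd_config file and an authorized_keys file against the policy items above, reporting each item as ok or FAIL. It reads the files directly rather than running `sshd -T`, so compiled-in defaults and Match blocks are not resolved. It assumes the idle-session timeout item (marked unresolved above) is implemented with ClientAliveInterval, and it checks the key lock-down item by flagging authorized_keys entries that carry no from="..." option. The two sample sshd_config files and the authorized_keys entries are constructed inline; the key material is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the wiki: audit an sshd_config and an authorized_keys
# file against the policy items above. Files are read directly, not via
# `sshd -T`, so compiled-in defaults and Match blocks are not resolved.
# Assumption: the idle-session timeout is implemented with ClientAliveInterval.

# get_directive FILE KEYWORD: value of the first uncommented occurrence
# (sshd honours the first occurrence of a keyword, so that is what we read).
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# require_value FILE KEYWORD EXPECTED: exact match; returns 1 on mismatch.
require_value() {
    found=$(get_directive "$1" "$2")
    [ "$found" = "$3" ] && { printf 'ok   %s %s\n' "$2" "$found"; return 0; }
    printf 'FAIL %s: expected "%s", found "%s"\n' "$2" "$3" "${found:-<unset>}"
    return 1
}

# require_min FILE KEYWORD MIN: numeric directive present and >= MIN.
require_min() {
    found=$(get_directive "$1" "$2")
    if [ -n "$found" ] && [ "$found" -ge "$3" ] 2>/dev/null; then
        printf 'ok   %s %s\n' "$2" "$found"; return 0
    fi
    printf 'FAIL %s: expected %s or higher, found "%s"\n' "$2" "$3" "${found:-<unset>}"
    return 1
}

# check_sshd_policy FILE: one line per check; return code is the failure count.
check_sshd_policy() {
    cfg=$1; failures=0
    for pair in Protocol=2 StrictModes=yes AuthorizedKeysFile=.ssh/authorized_keys \
            RhostsRSAAuthentication=no HostbasedAuthentication=no IgnoreUserKnownHosts=yes \
            IgnoreRhosts=yes PermitEmptyPasswords=no GSSAPIAuthentication=no \
            TCPKeepAlive=yes UsePrivilegeSeparation=yes X11Forwarding=yes; do
        require_value "$cfg" "${pair%%=*}" "${pair#*=}" || failures=$((failures + 1))
    done
    # Protocol 1 server key size, and the idle timeout (see assumption above).
    require_min "$cfg" ServerKeyBits 1024 || failures=$((failures + 1))
    require_min "$cfg" ClientAliveInterval 1 || failures=$((failures + 1))
    # The standard port must not be used.
    port=$(get_directive "$cfg" Port)
    case "$port" in
        ''|22) printf 'FAIL Port: non-standard port required, found "%s"\n' "${port:-<unset>}"
               failures=$((failures + 1)) ;;
        *)     printf 'ok   Port %s\n' "$port" ;;
    esac
    # Root logins only with locked-down keys, if at all.
    prl=$(get_directive "$cfg" PermitRootLogin)
    case "$prl" in
        no|without-password) printf 'ok   PermitRootLogin %s\n' "$prl" ;;
        *) printf 'FAIL PermitRootLogin: expected "no" or "without-password", found "%s"\n' "${prl:-<unset>}"
           failures=$((failures + 1)) ;;
    esac
    return "$failures"
}

# count_unrestricted_keys FILE: authorized_keys entries with no from="..."
# option, i.e. keys that sshd would accept from any host.
count_unrestricted_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         $0 !~ /(^|,)from="/ { n++ }
         END { print n + 0 }' "$1"
}

# --- constructed sample inputs (placeholder key material, not real keys) ------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD_CFG=$WORK/sshd_config.image; BAD_CFG=$WORK/sshd_config.stock; AUTH_KEYS=$WORK/authorized_keys
cat > "$GOOD_CFG" <<'EOF'
Port 2222
Protocol 2
ServerKeyBits 1024
PermitRootLogin without-password
StrictModes yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PermitEmptyPasswords no
GSSAPIAuthentication no
TCPKeepAlive yes
UsePrivilegeSeparation yes
ClientAliveInterval 900
X11Forwarding yes
EOF
cat > "$BAD_CFG" <<'EOF'
#Port 22
Protocol 2,1
PermitRootLogin yes
StrictModes yes
GSSAPIAuthentication yes
EOF
cat > "$AUTH_KEYS" <<'EOF'
from="backup01.example.internal",command="/usr/local/bin/rsync-wrapper",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER== backup@backup01
ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER== admin@laptop
EOF

echo "== image config ==";       check_sshd_policy "$GOOD_CFG" || echo "$? item(s) failed"
echo "== stock-style config =="; check_sshd_policy "$BAD_CFG"  || echo "$? item(s) failed"
echo "keys usable from any host: $(count_unrestricted_keys "$AUTH_KEYS")"
```

Run it on a real system as `check_sshd_policy /etc/ssh/sshd_config` and `count_unrestricted_keys ~user/.ssh/authorized_keys`; the exact-match checks deliberately do not accept synonyms such as "Protocol 2,1", since the policy requires protocol 1 to be off, and an absent directive is reported as unset rather than assumed to hold its default.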

Note: Sometimes the "allowed unauthenticated connections" parameter ("MaxStartups") is modified where needed to permit a larger number of rsync connections (primarily on data aggregation (backup/DTS/etc.) systems).