Support at 02:01, 10 May 2017

2017-05-10T02:01:19Z

Support: Created page with "SSH Server configuration requirements (settings incorporated in company approved image from kickstart). * Ssh client configuration must not be modified, unless it is required..."

2017-05-10T01:59:07Z

Created page with "SSH Server configuration requirements (settings incorporated in company approved image from kickstart). * Ssh client configuration must not be modified, unless it is required..."

New page

SSH Server configuration requirements (settings incorporated in company approved image from kickstart).
* Ssh client configuration must not be modified, unless it is required by a piece of software to function correctly (eg; oracle db software requires creating a local config file, specifically for the oracle user, for the software to function correctly in a multi-server RAC configuration).
* The standard ssh port must not be used (minimizes logging activity due to scanning/hacking attempts).
* Ssh protocol version 1, and related insecure protocol 1 settings must be disabled.
* Server keys must be increased to 1024 bits or higher (was 768).
* Direct root logins must be disabled (except from the console), configuration must be set to "PermitRootLogin no" except where locked-down root keys are utilized for a trusted host or an automated process, in which case the configuration must be set to "PermitRootLogin without-password".
* Ssh strict modes checking ("StrictModes yes") must be used, except on systems where a monitoring account or script processing account (like nrpe/applog) is accessing an application account (where an app home directory has g+r, which breaks strict mode).
* Authorized keys filename ("AuthorizedKeysFile .ssh/authorized_keys") must be set/enforced, to disallow use of an authorized_keys2 file, in order to reduce ambiguity and prevent the use of multiple authorized key files.
* Insecure host-based authentication mechanisms must be disabled ("RhostsRSAAuthentication no", "HostbasedAuthentication no", "IgnoreUserKnownHosts yes", "IgnoreRhosts yes").
* Passwordless accounts must not be allowed ("PermitEmptyPasswords no").
* GSS API authentication ("GSSAPIAuthentication no") must be disabled, to prevent login delays & issues.
* TCP keep alive's ("TCPKeepAlive yes") must be set, in order to avoid infinitely hanging sessions.
* Privilege separation must be enabled ("UsePrivilegeSeparation yes").
* Ssh must be configured such that sessions will timeout after a period of inactivity (currently issues with this setup).
* Keys must be locked down in order to allow only the single host they are used/generated from, so that if the keys are used outside of that host, they will not work and are therefore useless (note: some keys are locked down to specific commands/directories and do not even allow shell access).
* X11 over ssh is enabled, to allow various needed GUI utilities (and for Oracle installs).

Note: Sometimes the "allowed unauthenticated connections" parameter ("MaxStartups") is modified where needed to permit a larger number of rsync connections (primarily on DTS systems).

← Older revision		Revision as of 02:01, 10 May 2017
Line 16:		Line 16:
	* X11 over ssh is enabled, to allow various needed GUI utilities (and for Oracle installs).		* X11 over ssh is enabled, to allow various needed GUI utilities (and for Oracle installs).

−	Note: Sometimes the "allowed unauthenticated connections" parameter ("MaxStartups") is modified where needed to permit a larger number of rsync connections (primarily on DTS systems).	+	Note: Sometimes the "allowed unauthenticated connections" parameter ("MaxStartups") is modified where needed to permit a larger number of rsync connections (primarily on data aggregation (backup/DTS/etc.) systems).

Template:SSH-Policy - Revision history

Support at 02:01, 10 May 2017

Support: Created page with "SSH Server configuration requirements (settings incorporated in company approved image from kickstart). * Ssh client configuration must not be modified, unless it is required..."