Difference between revisions of "Template:SSH-Policy"
From The Linux Source
(Created page with "SSH Server configuration requirements (settings incorporated in company approved image from kickstart). * Ssh client configuration must not be modified, unless it is required...") |
(No difference)
|
Revision as of 17:59, 9 May 2017
SSH Server configuration requirements (settings incorporated in company approved image from kickstart).
- Ssh client configuration must not be modified, unless it is required by a piece of software to function correctly (eg; oracle db software requires creating a local config file, specifically for the oracle user, for the software to function correctly in a multi-server RAC configuration).
- The standard ssh port must not be used (minimizes logging activity due to scanning/hacking attempts).
- Ssh protocol version 1, and related insecure protocol 1 settings must be disabled.
- Server keys must be increased to 1024 bits or higher (was 768).
- Direct root logins must be disabled (except from the console), configuration must be set to "PermitRootLogin no" except where locked-down root keys are utilized for a trusted host or an automated process, in which case the configuration must be set to "PermitRootLogin without-password".
- Ssh strict modes checking ("StrictModes yes") must be used, except on systems where a monitoring account or script processing account (like nrpe/applog) is accessing an application account (where an app home directory has g+r, which breaks strict mode).
- Authorized keys filename ("AuthorizedKeysFile .ssh/authorized_keys") must be set/enforced, to disallow use of an authorized_keys2 file, in order to reduce ambiguity and prevent the use of multiple authorized key files.
- Insecure host-based authentication mechanisms must be disabled ("RhostsRSAAuthentication no", "HostbasedAuthentication no", "IgnoreUserKnownHosts yes", "IgnoreRhosts yes").
- Passwordless accounts must not be allowed ("PermitEmptyPasswords no").
- GSS API authentication ("GSSAPIAuthentication no") must be disabled, to prevent login delays & issues.
- TCP keep alive's ("TCPKeepAlive yes") must be set, in order to avoid infinitely hanging sessions.
- Privilege separation must be enabled ("UsePrivilegeSeparation yes").
- Ssh must be configured such that sessions will timeout after a period of inactivity (currently issues with this setup).
- Keys must be locked down in order to allow only the single host they are used/generated from, so that if the keys are used outside of that host, they will not work and are therefore useless (note: some keys are locked down to specific commands/directories and do not even allow shell access).
- X11 over ssh is enabled, to allow various needed GUI utilities (and for Oracle installs).
Note: Sometimes the "allowed unauthenticated connections" parameter ("MaxStartups") is modified where needed to permit a larger number of rsync connections (primarily on DTS systems).