Per-Account Configuration
Users should be instructed not to create .rhosts files. If hostbased authentication is enabled in the local SSH server, advise users to create .shosts files instead of .rhosts files.
For OpenSSH, each key in ~/.ssh/authorized_keys should be restricted by appropriate options. First, use the from option to restrict access to particular keys by particular hosts when appropriate. For example, suppose your authorized_keys file contains a public key for your home PC, myhome.isp.net. No other machine will ever authenticate using this key, so make the relationship explicit:

    from="myhome.isp.net" ...key
    ...

Also set idle timeouts for appropriate keys:

    from="myhome.isp.net",idle-timeout=5m ...key
    ...

Finally, for each key, consider whether port forwarding, agent forwarding, and tty allocation are ever necessary for incoming connections. If not, disable these features with no-port-forwarding, no-agent-forwarding, and no-pty, respectively:

    from="myhome.isp.net",idle-timeout=5m,no-agent-forwarding ...key
    ...
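The per-key restrictions described above can be audited mechanically rather than by eye. The following Python script is an added example, not code from the book: it parses an authorized_keys file the way sshd(8) tokenizes it (the options field ends at the first unquoted space; quoted values may contain commas and backslash escapes), applies the options left to right so that restrict followed by pty is understood correctly, and reports every key that lacks a from= pattern or still allows port forwarding, agent forwarding or a pty. The sample file embedded in the script is constructed for the example; the key material in it is not real. One caveat the script also surfaces: idle-timeout is an SSH1-era option that current OpenSSH does not recognize in authorized_keys, and sshd rejects a key line carrying an option it does not know. OpenSSH has no per-key idle timeout; expiry-time= gives a per-key absolute expiry date, and idle sessions are handled server-wide in sshd_config (ChannelTimeout and UnusedConnectionTimeout in OpenSSH 9.2 and later).

```python
"""Audit an OpenSSH authorized_keys file for missing per-key restrictions.

Added example, not from the book. Each key line is split into
options / key type / key / comment, then checked for a from= host
pattern and for port forwarding, agent forwarding and pty allocation
that are still allowed. Unknown option names are reported because
sshd refuses a key line whose options it cannot parse.
"""

# Option names sshd(8) accepts in authorized_keys, lower-cased for
# case-insensitive matching (sshd compares option names case-insensitively).
KNOWN_OPTIONS = {
    "agent-forwarding", "cert-authority", "command", "environment",
    "expiry-time", "from", "no-agent-forwarding", "no-port-forwarding",
    "no-pty", "no-touch-required", "no-user-rc", "no-x11-forwarding",
    "permitlisten", "permitopen", "port-forwarding", "principals", "pty",
    "restrict", "tunnel", "user-rc", "verify-required", "x11-forwarding",
}

# A line that starts with one of these has no options field at all.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

# Constructed sample file; the base64 fields are placeholders, not real keys.
SAMPLE = """\
# constructed sample authorized_keys for the example
from="myhome.isp.net",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal1 home-pc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal2 laptop
from="myhome.isp.net",idle-timeout=5m ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyDataNotReal3 old-entry
restrict,pty,from="10.0.0.0/8,*.example.net" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal4 jump
"""


def split_options(text):
    """Split the options field at commas outside double quotes.

    Returns a list of (name, value) pairs; value is None for bare flags.
    Quotes are stripped and backslash escapes inside quotes are resolved,
    so from="a,b" yields ("from", "a,b")."""
    tokens, cur, in_quotes, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quotes and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])          # escaped character, taken literally
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    pairs = []
    for tok in tokens:
        name, sep, value = tok.partition("=")
        pairs.append((name, value if sep else None))
    return pairs


def parse_line(line):
    """Return {"options", "type", "key", "comment"} or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_text = ""
    if not line.startswith(KEY_TYPE_PREFIXES):
        # The options field ends at the first whitespace outside quotes.
        in_quotes, i = False, 0
        while i < len(line):
            c = line[i]
            if in_quotes and c == "\\":
                i += 2
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c.isspace() and not in_quotes:
                break
            i += 1
        options_text, line = line[:i], line[i:].strip()
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line")
    return {"options": split_options(options_text), "type": fields[0],
            "key": fields[1], "comment": fields[2] if len(fields) == 3 else ""}


def effective_restrictions(options):
    """Walk the options left to right as sshd does: restrict turns every
    feature off, and a later port-forwarding / agent-forwarding / pty
    re-enables that one feature. Returns {feature: allowed}."""
    state = {"port-forwarding": True, "agent-forwarding": True, "pty": True}
    for name, _ in options:
        name = name.lower()
        if name == "restrict":
            for feature in state:
                state[feature] = False
        elif name.startswith("no-") and name[3:] in state:
            state[name[3:]] = False
        elif name in state:
            state[name] = True
    return state


def audit_entry(entry):
    """List the weaknesses of one parsed key line (empty list = fully restricted)."""
    findings = []
    names = [name.lower() for name, _ in entry["options"]]
    if "from" not in names:
        findings.append("no from= host restriction")
    for feature, allowed in effective_restrictions(entry["options"]).items():
        if allowed:
            findings.append(f"{feature} allowed")
    for name in names:
        if name not in KNOWN_OPTIONS:
            findings.append(f"unknown option {name}")   # sshd rejects this key line
    return findings


def audit_text(text):
    """Audit a whole authorized_keys file; returns [(comment, findings), ...]."""
    results = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            results.append((entry["comment"], audit_entry(entry)))
    return results


if __name__ == "__main__":
    for comment, findings in audit_text(SAMPLE):
        print(f"{comment or '<no comment>'}: {', '.join(findings) or 'OK'}")
```

Run against a real file with `audit_text(open(path).read())`; a key with an empty finding list carries a from= pattern and has forwarding and pty allocation disabled, which is the end state the section recommends.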