Per-Account Configuration

Users should be instructed not to create .rhosts files, because rsh and rlogin honor them too. If hostbased authentication is enabled in the local SSH server, advise users to create .shosts files instead: a .shosts file has the same format as .rhosts but is read only by SSH. Note that OpenSSH's sshd ignores both per-user files unless IgnoreRhosts is set to no in sshd_config (the default is yes); with the default, only the system-wide hosts.equiv and shosts.equiv files are consulted for hostbased authentication.

For OpenSSH, each key in ~/.ssh/authorized_keys should be restricted by appropriate options, which are written as a comma-separated list in front of the key on the same line. First, use the from option to restrict each key to the hosts that will actually present it. For example, suppose your authorized_keys file contains a public key for your home PC, myhome.isp.net. No other machine will ever authenticate using this key, so make the relationship explicit:

    from="myhome.isp.net" ...key...

The value of from is a comma-separated list of patterns (wildcards allowed, and a leading ! negates a pattern) matched against the client's address and, if available, its hostname; it also accepts CIDR blocks such as 203.0.113.0/24. Matching a hostname requires sshd to resolve the client's address through reverse DNS, and with UseDNS set to no (the OpenSSH default) only address patterns can match. Unless you have enabled UseDNS, prefer an IP address or CIDR pattern, which also cannot be influenced by whoever controls the reverse DNS zone.

The idle-timeout option found in SSH1-era documentation is not part of OpenSSH's authorized_keys syntax: OpenSSH has no per-key idle timeout, and an unrecognized option causes sshd to log a "bad key options" error and skip that key line entirely. If you still run an SSH1 server, its form is:

    from="myhome.isp.net",idle-timeout=5m ...key...

On OpenSSH, the nearest server-side controls are ClientAliveInterval and ClientAliveCountMax in sshd_config, which disconnect clients that stop answering keepalive probes (a dead connection, not merely an idle user); an interactive shell's own timeout (for example the TMOUT variable in bash and ksh) is what actually logs out idle users.

Finally, for each key, consider whether port forwarding, agent forwarding, X11 forwarding, and tty allocation are ever necessary for incoming connections. If not, disable these features with no-port-forwarding, no-agent-forwarding, no-X11-forwarding, and no-pty, respectively:

    from="myhome.isp.net",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ...key...

OpenSSH 7.2 and later also accept the single option restrict, which turns off all of these (and execution of ~/.ssh/rc) at once; individual features can be re-enabled after it, for example restrict,pty for a key that needs an interactive terminal and nothing else. A key that exists for a single job should additionally carry command="..." so that sshd runs only that program no matter what the client asks for.
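The following is an added example, not code from the book: a small Python audit of an authorized_keys file that parses the options field (quoted values may contain commas, spaces and escaped quotes, which a naive split on commas or whitespace gets wrong) and reports keys missing the restrictions described above. The sample file, its hostnames and addresses are constructed. The option names checked (from, restrict, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, no-pty) are OpenSSH's; the rule that a hostname pattern in from= is only useful with UseDNS yes is the caveat from the text.

```python
import re

# Constructed sample authorized_keys content; the key material is truncated placeholder text.
SAMPLE = """\
# constructed sample: workstation and backup keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQ7Xq unrestricted@laptop
from="203.0.113.7",no-agent-forwarding,no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHy9 home-pc
restrict,from="192.0.2.0/24",command="/usr/bin/rsync --server -vlogDtpr . /backup" ssh-rsa AAAAB3NzaC1yc2E backup
from="*.example.net" ssh-rsa AAAAB3NzaC1yc2E wildcard-host
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
# Per-feature opt-outs that 'restrict' (OpenSSH 7.2+) switches off in one go.
NO_OPTIONS = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty")
# IPv4, or IPv6 (must contain a colon), optional CIDR suffix, optional leading '!';
# anything else is treated as a hostname pattern.
ADDRESS_RE = re.compile(r"!?(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F]*:[0-9a-fA-F:]*)(/\d{1,3})?")


def _take_field(line):
    """Consume one whitespace-delimited field, keeping double-quoted spans
    (and backslash escapes inside them) intact. Returns (field, remainder)."""
    out, i, in_quote = [], 0, False
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and i + 1 < len(line):
            out.append(line[i:i + 2])          # keep the escape; split_options unescapes
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            break
        out.append(ch)
        i += 1
    return "".join(out), line[i:].lstrip()


def split_options(field):
    """Split an options field on commas outside quotes. Returns a list of
    (name, value) pairs; name is lowercased, value is None for bare flags."""
    items, cur, i, in_quote = [], [], 0, False
    while i < len(field):
        ch = field[i]
        if in_quote and ch == "\\" and i + 1 < len(field):
            cur.append(field[i + 1])           # unescape \" and \\ inside quotes
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote            # quotes delimit, they are not part of the value
        elif ch == "," and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur))
    parsed = []
    for item in items:
        if item:
            name, sep, value = item.partition("=")
            parsed.append((name.strip().lower(), value if sep else None))
    return parsed


def parse_line(line):
    """Parse one authorized_keys line into options, key type, key and comment.
    Returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _take_field(line)
    if first.startswith(KEY_TYPE_PREFIXES):    # line starts with the key type: no options field
        options, keytype = [], first
    else:
        options = split_options(first)
        keytype, rest = _take_field(rest)
    key, comment = _take_field(rest)
    return {"options": options, "keytype": keytype, "key": key, "comment": comment}


def audit(text):
    """Return one record per key with the list of weaknesses found (empty if none)."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        names = {name for name, _ in entry["options"]}
        values = dict(entry["options"])
        problems = []
        if "from" not in values:
            problems.append("no from= restriction")
        else:
            for pattern in values["from"].split(","):
                if not ADDRESS_RE.fullmatch(pattern):
                    problems.append(f"from= hostname pattern {pattern!r} needs UseDNS yes; "
                                    "prefer an address or CIDR")
        if "restrict" not in names:
            missing = [opt for opt in NO_OPTIONS if opt not in names]
            if missing:
                problems.append("missing " + ", ".join(missing))
        report.append({"line": lineno, "comment": entry["comment"], "problems": problems})
    return report


if __name__ == "__main__":
    for rec in audit(SAMPLE):
        status = "OK" if not rec["problems"] else "; ".join(rec["problems"])
        print(f"line {rec['line']:2d} {rec['comment']:<20} {status}")
```

Run against a real file with `audit(open("/home/user/.ssh/authorized_keys").read())`. The parser decides whether an options field is present the same way sshd does in spirit: if the first field is a key type the line has no options, otherwise everything up to the first unquoted whitespace is options. A key carrying restrict is treated as already having every no-* option; the report only checks for the opt-ins discussed above and does not judge command= or permitopen= values.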
