 |  |
Chapter 10. A Recommended Setup
Contents:
The BasicsCompile-Time Configuration
Serverwide Configuration
Per-Account Configuration
Key Management
Client Configuration
Remote Home Directories (NFS, AFS)
Summary
- You're running SSH on a Unix machine.
- You want a secure system, sometimes at the expense of flexibility. For instance, rather than tell you to maintain your .rhosts files carefully, we recommend disabling Rhosts authentication altogether.
10.1. The Basics
Before you start configuring, make sure you're running an up-to-date SSH version. Some older versions have known security holes that are easily exploited. Always run the latest stable version, and apply updates or patches in a timely manner. (The same goes for your other security software.) Always keep important SSH-related files and directories protected. The server's host key should be readable only by root. Each user's home directory, SSH configuration directory, and .rhosts and .shosts files should be owned by the user and protected against all others. Also, remember that SSH doesn't and can't protect against all threats. It can secure your network connections but does nothing against other types of attacks, such as dictionary attacks against your password database. SSH should be an important part, but not the only part, of a robust security policy. [Section 3.11, "Threats SSH Doesn't Prevent"] |  | |
| 9.5. Summary |  | 10.2. Compile-Time Configuration |
