10.4. Per-Account Configuration
Users should be instructed not to create .rhosts files. If trusted-host authentication is enabled in the local SSH server, advise users to create .shosts files instead of .rhosts.

For SSH1 and OpenSSH, each key in ~/.ssh/authorized_keys should be restricted by appropriate options. First, use the from option to restrict access to particular keys by particular hosts when appropriate. For example, suppose your authorized_keys file contains a public key for your home PC, myhome.isp.net. No other machine will ever authenticate using this key, so make the relationship explicit:

    from="myhome.isp.net" ...key...

Also set idle timeouts for appropriate keys:

    from="myhome.isp.net",idle-timeout=5m ...key...

Finally, for each key, consider whether port forwarding, agent forwarding, and tty allocation are ever necessary for incoming connections. If not, disable these features with no-port-forwarding, no-agent-forwarding, and no-pty, respectively:

    from="myhome.isp.net",idle-timeout=5m,no-agent-forwarding ...key...
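The advice above is easy to state and easy to drift from, so here is an added example (not from the book) of a small audit script that parses an authorized_keys file, honouring quoted option values that contain commas and spaces, and reports which of the per-key restrictions discussed in this section each key lacks. The sample file, the key blobs and the host names in it are constructed placeholders. One caveat the script encodes: idle-timeout is an SSH1 option, and OpenSSH's sshd rejects an authorized_keys line carrying an option it does not recognise, so the audit treats that option as SSH1-only and flags it under the OpenSSH dialect.

```python
"""Audit ~/.ssh/authorized_keys for the per-key restrictions discussed above.

Added example, not part of the original text. Sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Option names accepted in OpenSSH's authorized_keys (subset, from sshd(8)).
OPENSSH_OPTIONS = {"from", "command", "environment", "no-port-forwarding",
                   "no-agent-forwarding", "no-pty", "no-X11-forwarding",
                   "permitopen", "restrict", "tunnel"}
# Options that only the SSH1 implementation understands; OpenSSH rejects them.
SSH1_ONLY_OPTIONS = {"idle-timeout"}
# Restrictions this section recommends for keys that never need them.
RECOMMENDED = ("no-port-forwarding", "no-agent-forwarding", "no-pty")

KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# name, optionally followed by ="quoted value" (with \" escapes) or =bare value
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)"|=([^,]*))?')


@dataclass
class KeyEntry:
    options: dict      # option name -> value string, or True for bare flags
    key: str           # "type blob" (OpenSSH) or "bits exponent modulus" (SSH1)
    comment: str = ""
    lineno: int = 0


def split_line(line):
    """Return (options_text, rest). The options field ends at the first space
    that is not inside a double-quoted value; a line starting with a key type
    (OpenSSH) or a bit count (SSH1) has no options field at all."""
    first = line.split(None, 1)[0]
    if KEY_TYPE_RE.match(first) or first.isdigit():
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_options(text):
    """Turn 'from="a,b",idle-timeout=5m,no-pty' into a dict."""
    opts = {}
    for m in OPT_RE.finditer(text):
        name, quoted, bare = m.groups()
        if quoted is not None:
            opts[name] = quoted.replace('\\"', '"')
        elif bare is not None:
            opts[name] = bare
        else:
            opts[name] = True
    return opts


def parse_authorized_keys(text):
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opt_text, rest = split_line(line)
        parts = rest.split()
        if parts and parts[0].isdigit():   # SSH1: bits exponent modulus [comment]
            key, comment = " ".join(parts[:3]), " ".join(parts[3:])
        else:                              # OpenSSH: type blob [comment]
            key, comment = " ".join(parts[:2]), " ".join(parts[2:])
        entries.append(KeyEntry(parse_options(opt_text), key, comment, n))
    return entries


def audit(entry, dialect="openssh"):
    """List the section's recommendations that this key does not follow."""
    findings = []
    if "from" not in entry.options:
        findings.append("no from= restriction: any host may use this key")
    for opt in RECOMMENDED:
        # OpenSSH's 'restrict' option implies all three restrictions at once.
        if opt not in entry.options and "restrict" not in entry.options:
            findings.append(f"{opt} not set")
    if dialect == "openssh":
        for opt in entry.options:
            if opt in SSH1_ONLY_OPTIONS:
                findings.append(f"{opt} is SSH1-only; OpenSSH rejects this line")
    elif "idle-timeout" not in entry.options:
        findings.append("no idle-timeout set")
    return findings


def report(text, dialect="openssh"):
    """Map line number -> findings for every key in the file text."""
    return {e.lineno: audit(e, dialect) for e in parse_authorized_keys(text)}


# Constructed sample file; the blobs are placeholders, not real public keys.
SAMPLE = """\
# constructed sample authorized_keys
ssh-ed25519 AAAAexampleKeyBlob1 laptop-unrestricted
from="myhome.isp.net",no-agent-forwarding,no-port-forwarding,no-pty ssh-ed25519 AAAAexampleKeyBlob2 myhome
from="myhome.isp.net",idle-timeout=5m,no-agent-forwarding ssh-rsa AAAAexampleKeyBlob3 book-example
command="/usr/bin/rsync --server --sender . /backup",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAexampleKeyBlob4 backup
"""

if __name__ == "__main__":
    for lineno, findings in report(SAMPLE).items():
        print(f"line {lineno}: " + ("; ".join(findings) or "ok"))
```

Run it against a real file with `report(open(path).read())`, choosing `dialect="ssh1"` for an SSH1 server so that a missing idle-timeout is reported instead of the option being flagged as unsupported. The fourth sample line shows why the parser has to be quote-aware: a command= value with embedded spaces would otherwise be cut in half and the restrictions after it lost.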