Securities Software (Network Services).Linux OpenSSH Client/Server | All about OS

FallBackToRsh no
The option “FallBackToRsh” specifies that if a connection to the ssh daemon fails, rsh should automatically be used instead. Because the rsh service is insecure, this option must always be set to no.
UseRsh no
The option “UseRsh” specifies that rlogin/rsh services should be used on this host. As with the “FallBackToRsh” option, it must be set to no for obvious reasons.
BatchMode no
The option “BatchMode” specifies whether querying for a username and password on connect will be disabled. This option is useful when you create scripts and don’t want to supply the password (e.g. scripts that use the scp command to make backups over the network).
CheckHostIP yes
The option “CheckHostIP” specifies whether or not ssh will additionally check the IP address of the host it connects to, in order to detect DNS spoofing. It’s recommended that you set this option to “yes”.
StrictHostKeyChecking no
The option “StrictHostKeyChecking” specifies whether ssh will automatically add new host keys to the $HOME/.ssh/known_hosts file or never add them automatically. When set to “yes”, ssh never adds new host keys automatically, which provides maximum protection against Trojan horse attacks. One interesting procedure with this option is to set it to “no” at the beginning, allow ssh to automatically add all common hosts to the known_hosts file as they are connected to, and then set it to “yes” to take advantage of this feature.
IdentityFile ~/.ssh/identity
The option “IdentityFile” specifies an alternate RSA authentication identity file to read. Multiple identity files may also be specified in the configuration file (ssh_config).
Port 22
The option “Port” specifies the port number ssh connects to on the remote host. The default port is 22.
Cipher blowfish
The option “Cipher” specifies what cipher should be used for encrypting sessions. Blowfish uses 64-bit blocks and keys of up to 448 bits.
EscapeChar ~
The option “EscapeChar” specifies the session escape character for suspension.
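The recommendations above can be checked mechanically. The following is an added example, not part of the original page or of OpenSSH: it parses ssh_config text and reports options explicitly set to something other than the values this page recommends. The function names, the sample hosts and the sample config are assumptions; it audits each Host block on its own and does not resolve pattern matching across blocks.

```python
import re

# Values this page recommends; "yes" for StrictHostKeyChecking is the page's
# end state, once known_hosts has been populated.
RECOMMENDED = {"fallbacktorsh": "no", "usersh": "no",
               "checkhostip": "yes", "stricthostkeychecking": "yes"}
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def parse_ssh_config(text):
    """Return {host_pattern: {keyword: value}} with lower-cased keywords."""
    blocks = {}
    host = "*"  # options before any Host line apply to every host
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            host = value
        else:
            # ssh uses the first value it obtains for a keyword
            blocks.setdefault(host, {}).setdefault(key, value)
    return blocks

def audit(text):
    """List (host, keyword, actual, recommended) for explicit deviations."""
    findings = []
    for host, opts in parse_ssh_config(text).items():
        for key, want in RECOMMENDED.items():
            got = opts.get(key)
            if got is not None and got.lower() != want:
                findings.append((host, key, got, want))
    return findings

# Constructed sample, not a file from the page.
SAMPLE = """\
# Site-wide defaults
Host *
  FallBackToRsh no
  UseRsh no
  CheckHostIP=yes
  StrictHostKeyChecking no
  stricthostkeychecking yes
Host legacy.example
  usersh yes
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: %s is %r, page recommends %r" % finding)
```

Keywords left unset are not reported, since their effective value depends on the defaults of the installed client.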
Configure the “/etc/ssh/sshd_config” file
The “/etc/ssh/sshd_config” file is the system-wide configuration file for OpenSSH which allows you to set options that modify the operation of the daemon. This file contains keyword-value pairs, one per line, with keywords being case insensitive. Here are the most important keywords to configure your “sshd” for top security; a complete listing and/or special requirements are available in the man page for sshd(8).
Edit the sshd_config file (vi /etc/ssh/sshd_config) and add or change, if necessary, the following parameters:
# This is ssh server systemwide configuration file.
Port 22
