
Project:Infrastructure/SSH Configuration


This guide documents how OpenSSH should be configured on Gentoo Infrastructure servers.

Gentoo Infrastructure guidelines for running SSH

General Guidelines

SSH is currently the only approved method of obtaining a remote shell on a server. rsh, telnet and other insecure methods are not allowed. When configuring SSH, the following guidelines should be adhered to:

  • SSHv2 only -- never configure sshd to support version 1 of the SSH protocol. It has known weaknesses in the way it encrypts data.
  • DSA keys -- DSA keys are preferred over RSA keys.
  • No root login -- remote root login is not allowed. Users should log in using their regular ID and then use sudo and/or su.
  • No password authentication -- where possible, users should be required to use DSA keys to authenticate.
Note
Unless specified above, the default values used in /etc/ssh/sshd_config are acceptable and should not be overridden without prior approval from the Gentoo Infrastructure project manager.
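
One way to audit an sshd_config against the guidelines above that are enforced through server directives (an added example, not part of the original guide or of Gentoo Infrastructure tooling). The function names and the sample input are constructed here; the check assumes each directive should be set explicitly, and it does not cover the DSA guideline, which concerns the key type users generate rather than these directives.

```python
import re

# Added example. Assumption: a directive that is not set explicitly is
# reported, because built-in defaults differ between OpenSSH releases.
REQUIRED = {
    "protocol": "2",                 # SSHv2 only
    "permitrootlogin": "no",         # no remote root login
    "passwordauthentication": "no",  # key-based authentication only
}
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"

def parse_directives(text):
    """Return (global settings, directives found inside Match blocks)."""
    settings, overrides, in_match = {}, [], False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if raw.strip().startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            in_match = True              # everything after this is conditional
        elif in_match:
            overrides.append((key, value))
        else:
            settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings, overrides

def audit(text):
    """Return a list of findings; an empty list means the text complies."""
    settings, overrides = parse_directives(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly (want {want})")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (want {want})")
    for key, value in overrides:
        if key in REQUIRED and value.lower() != REQUIRED[key]:
            findings.append(f"{key}: {value} inside a Match block (want {REQUIRED[key]})")
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = """Protocol 2,1
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication=no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
```

Calling `audit(SAMPLE)` reports the `Protocol 2,1` line and the password override inside the `Match` block; the second `PermitRootLogin` line is not reported because the first value wins.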

Acknowledgements

We would like to thank the following authors and editors for their contributions to this guide:

  • Kurt Lieber