This guide documents how OpenSSH should be configured on Gentoo Infrastructure servers.
Gentoo Infrastructure guidelines for running SSH
SSH is currently the only approved method of obtaining a remote shell on a server. rsh, telnet and other insecure methods are not allowed. When configuring SSH, the following guidelines should be adhered to:
- SSHv2 only -- never configure sshd to support version 1 of the SSH protocol. Version 1 has known weaknesses in the way it encrypts data.
- DSA keys -- DSA keys are preferred over RSA keys.
- No root login -- remote root login is not allowed. Users should log in using their regular ID and then use sudo and/or su.
- No password authentication -- where possible, users should be required to use DSA keys to authenticate.
Unless specified above, the default values used in /etc/ssh/sshd_config are acceptable and should not be overridden without prior approval from the Gentoo Infrastructure project manager.
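The sshd-side guidelines above (protocol version, root login, password authentication) can be checked mechanically. The following is an added example, not part of the original guide or of Gentoo Infrastructure tooling: a small auditor for sshd_config text. The function name `audit`, the sample configuration, and the choice to report a guideline keyword that is not set explicitly are assumptions of this example.

```python
# Added example: audit sshd_config text against the sshd-side guidelines above.
# Required values come from the guideline list; everything else is left alone.
REQUIRED = {
    "protocol": "2",                  # SSHv2 only
    "permitrootlogin": "no",          # no remote root login
    "passwordauthentication": "no",   # keys instead of passwords
}

def audit(config_text):
    """Return (scope, keyword, value) findings; value None means 'not set'."""
    findings, scope, seen = [], "global", {"global": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; tolerate "Keyword=value" too.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # Settings after a Match line apply only to that block.
            scope = "match " + value
            seen.setdefault(scope, set())
            continue
        if keyword not in REQUIRED or keyword in seen[scope]:
            continue  # not covered here, or shadowed by an earlier line
        seen[scope].add(keyword)  # sshd keeps the first value it reads
        if value != REQUIRED[keyword]:
            findings.append((scope, keyword, value))
    # Assumption of this example: a guideline keyword missing from the
    # global section is reported rather than trusted to the default.
    for keyword in REQUIRED:
        if keyword not in seen["global"]:
            findings.append(("global", keyword, None))
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = """\
Protocol 2,1
PermitRootLogin no
permitrootlogin yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for scope, keyword, value in audit(SAMPLE):
        print(f"[{scope}] {keyword} = {value!r}")
```

In the sample, the second `permitrootlogin` line is ignored because the first value wins, while the `Match` block is reported separately because it re-enables passwords for one user.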
We would like to thank the following authors and editors for their contributions to this guide:
- Kurt Lieber