This guide documents how OpenSSH should be configured on Gentoo Infrastructure servers.
Gentoo Infrastructure guidelines for running SSH
SSH is currently the only approved method of obtaining a remote shell on a server. rsh, telnet, and other insecure methods are not permitted. When configuring SSH, the following guidelines should be adhered to:
- SSHv2 only
  - Never configure sshd to support version 1 of the SSH protocol. It has known weaknesses in the way it encrypts data.
- No DSA keys
  - DSA is deprecated upstream. RSA is preferred for broad compatibility, but ECDSA and Ed25519 are also supported.
- No root login
  - Remote root login is not allowed. Users should log in with their regular ID and then use sudo or su.
- No password authentication
  - Where possible, users should be required to use RSA keys to authenticate.
Unless specified above, the default values used in /etc/ssh/sshd_config are acceptable and should not be overridden without prior approval from the Gentoo Infrastructure project manager.
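The four guidelines above map onto a handful of sshd_config directives, so a server's configuration can be checked mechanically. The following checker is an added example written for this page, not a tool from the Gentoo Infrastructure project; the sample configuration it ships with is constructed and does not come from any Gentoo server. It reads either a raw sshd_config file or the output of `sshd -T` (which prints lowercase keywords), and reports each directive that deviates from the guidelines.

```python
"""Check an sshd_config against the Gentoo Infrastructure SSH guidelines.

Added example for this page; the sample config below is constructed.
"""
import re


def parse_sshd_config(text):
    """Return (keyword_lower, value) pairs, skipping comments and blanks.

    sshd_config keywords are case-insensitive, and both 'Keyword value' and
    'Keyword=value' are accepted, as sshd itself does. Match blocks are not
    modelled: every directive is checked, which is the conservative reading
    of a policy that forbids these settings anywhere in the file.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            directives.append((parts[0].lower(), parts[1].strip()))
    return directives


def check_sshd_config(text):
    """Return a list of guideline violations; an empty list means compliant."""
    seen = set()
    findings = []
    for key, value in parse_sshd_config(text):
        seen.add(key)
        if key == "protocol" and "1" in value.replace(" ", "").split(","):
            findings.append("SSHv1 enabled: Protocol %s" % value)
        elif key == "permitrootlogin" and value.lower() != "no":
            findings.append("PermitRootLogin is '%s', not 'no'" % value)
        elif key == "passwordauthentication" and value.lower() == "yes":
            findings.append("PasswordAuthentication yes")
        # 'dsa' not preceded by 'ec', so ssh_host_ecdsa_key is not flagged
        elif key == "hostkey" and re.search(r"(?<!ec)dsa", value.lower()):
            findings.append("DSA host key configured: %s" % value)
    # OpenSSH defaults these to 'prohibit-password' and 'yes' respectively,
    # so leaving them unset is itself a deviation from the guidelines.
    if "permitrootlogin" not in seen:
        findings.append("PermitRootLogin not set (default is not 'no')")
    if "passwordauthentication" not in seen:
        findings.append("PasswordAuthentication not set (default is yes)")
    return findings


# Constructed sample that violates every guideline at once.
SAMPLE_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_dsa_key
"""

if __name__ == "__main__":
    for finding in check_sshd_config(SAMPLE_CONFIG):
        print("VIOLATION:", finding)
```

Run it against a live system with `sshd -T | python3 check_sshd.py` style piping by reading `sys.stdin` instead of `SAMPLE_CONFIG`; the `sshd -T` form shows the effective values, including defaults the file never mentions.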
This article is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: klieber
They are listed here as the Wiki history does not allow for any external attribution. If you edit the Wiki article, please do not add yourself here; your contributions are recorded on the history page.