Project:Infrastructure/Server SSH configuration

From Gentoo Wiki

This guide documents how OpenSSH should be configured on Gentoo Infrastructure servers.

Gentoo Infrastructure guidelines for running SSH

General

SSH is currently the only approved method of obtaining a remote shell on a server. rsh, telnet, and other insecure methods are not permitted. When configuring SSH, the following guidelines should be adhered to:

SSHv2 only
Never configure sshd to support version 1 of the SSH protocol. Its CRC-32 integrity check is not a cryptographic MAC, which leaves encrypted sessions open to insertion attacks, and its cipher choices are weak by current standards. sshd on OpenSSH 7.4 and later no longer contains protocol 1 support at all, so the guideline matters chiefly for older installations.
No DSA keys
DSA (ssh-dss) is deprecated upstream; OpenSSH has disabled ssh-dss keys by default since 7.0. RSA is preferred for broad compatibility (use the rsa-sha2-* signature algorithms, since the SHA-1 based ssh-rsa signature is disabled by default since OpenSSH 8.8), but ECDSA and Ed25519 are also supported.
No root login
Remote root login is not allowed (PermitRootLogin no). Users log in with their own account and then use sudo or su, which keeps an audit trail of who did what.
No password authentication
Where possible, users must authenticate with SSH keys (PasswordAuthentication no). Note that turning off PasswordAuthentication alone is not sufficient on PAM-enabled systems: keyboard-interactive authentication can still present a password prompt through PAM, so KbdInteractiveAuthentication (ChallengeResponseAuthentication on OpenSSH before 8.7) must also be set to no.
Note
Unless specified above, the default values used in /etc/ssh/sshd_config are acceptable and should not be overridden without prior approval from the Gentoo Infrastructure project manager.
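The following is an added example, not a file shipped by Gentoo Infrastructure: an sshd_config fragment that applies the four guidelines above, together with a small checker that compares the daemon's effective settings (the output of `sshd -T`) against them. The host key paths, the drop-in location /etc/ssh/sshd_config.d/ and the sample `sshd -T` dump are assumptions and constructed data, not captured from a real server.

```shell
# Added example for the guidelines above (not Gentoo Infrastructure's own
# file). Assumed paths: standard /etc/ssh host keys; on OpenSSH >= 8.2 the
# fragment can live in /etc/ssh/sshd_config.d/, otherwise append it to
# /etc/ssh/sshd_config. Always run `sshd -t` before restarting the daemon.
policy_fragment() {
    cat <<'EOF'
# SSHv2 only. sshd on OpenSSH 7.4 or later has no protocol 1 code and
# ignores this keyword; on older servers it closes the hole.
Protocol 2

# No DSA keys: load only RSA, ECDSA and Ed25519 host keys, never ssh_host_dsa_key.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# No root login: log in as yourself, then sudo or su.
PermitRootLogin no

# No password authentication. Keyboard-interactive must be off too, or PAM
# can still present a password prompt. ChallengeResponseAuthentication is
# the pre-8.7 name of the same option and is kept for older releases.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Check a dump of effective settings (`sshd -T`, run as root so it can read
# the host keys) against the guidelines. Reads the files given as arguments,
# or stdin when called without any. Returns 0 when compliant, 1 otherwise,
# naming every violation on stderr.
check_sshd_policy() {
    awk '
        function bad(msg) { print "violation: " msg > "/dev/stderr"; rc = 1 }
        $1 == "permitrootlogin" && $2 != "no" { bad("PermitRootLogin is " $2) }
        $1 == "passwordauthentication" && $2 != "no" { bad("PasswordAuthentication is " $2) }
        $1 == "kbdinteractiveauthentication" && $2 != "no" { bad("KbdInteractiveAuthentication is " $2) }
        $1 == "hostkey" && $2 ~ /dsa/ { bad("DSA host key loaded: " $2) }
        ($1 == "hostkeyalgorithms" || $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes") && $2 ~ /ssh-dss/ { bad($1 " still allows ssh-dss") }
        END { exit rc }
    ' "$@"
}

# Constructed sample of `sshd -T` output from a non-compliant host (not a
# real capture): root login and passwords allowed, a DSA host key loaded and
# ssh-dss still offered as a host key algorithm.
sample_noncompliant_dump() {
    cat <<'EOF'
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-dss
EOF
}

# On a real host:   sshd -T | check_sshd_policy
# Demo on the constructed sample: prints five violations and "non-compliant".
if sample_noncompliant_dump | check_sshd_policy; then
    echo "compliant"
else
    echo "non-compliant"
fi
```

Checking `sshd -T` rather than grepping sshd_config matters because the dump reflects what the daemon actually enforces after defaults, Include files and Match blocks are applied; a `PasswordAuthentication no` line that is later overridden inside a Match block shows up as `yes` in the dump but looks fine in the file.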

This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: klieber
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.