
Securing-Optimizing-RH-Linux-1_2_176
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 176

The option names below are those of the SSH 1.x daemon configured in this chapter; OpenSSH's sshd_config does not recognise “RandomSeed”, “QuietMode” or “FascistLogging”.

HostKey /etc/ssh/ssh_host_key
This option “HostKey” specifies the location of the file containing the server's private host key.

RandomSeed /etc/ssh/ssh_random_seed
This option “RandomSeed” specifies the file containing the random seed for the server. The file is created automatically and updated regularly by the server, which uses it to seed the random numbers it generates.

ServerKeyBits 1024
This option “ServerKeyBits” specifies how many bits to use in the server key. This is the RSA key the daemon generates when it starts; it is distinct from the host key named in “HostKey” and is regenerated periodically (see “KeyRegenerationInterval”).

LoginGraceTime 600
This option “LoginGraceTime” specifies how long, in seconds, the server waits after a connection request before disconnecting if the user has not successfully logged in.

KeyRegenerationInterval 3600
This option “KeyRegenerationInterval” specifies how long, in seconds, the server waits before automatically regenerating its server key. The server key is kept only in memory and is never stored on disk, so regenerating it prevents an attacker who later breaks into the machine and steals the keys from decrypting sessions captured earlier.

PermitRootLogin no
This option “PermitRootLogin” specifies whether root can log in using ssh. Never set this option to “yes”: log in as an ordinary user and become root afterwards.

IgnoreRhosts yes
This option “IgnoreRhosts” specifies whether the .rhosts and .shosts files are ignored during authentication. For security reasons it is recommended not to use .rhosts or .shosts files for authentication, since they trust a client on the strength of its hostname or address alone.

StrictModes yes
This option “StrictModes” specifies whether ssh checks the permissions of users' home directories and rhosts files before accepting a login. This option must always be set to “yes”, because users sometimes accidentally leave their directory or files world-writable, which would let any local user alter them.

QuietMode no
This option “QuietMode” specifies whether the system runs in quiet mode. This option must be set to “no”, because in quiet mode nothing is logged to the system log except fatal errors. Since we want information about user sessions, it is preferable to leave quiet mode disabled.

X11Forwarding no
This option “X11Forwarding” specifies whether X11 forwarding is enabled on this server. Since we set up a server without a GUI installed, we can safely turn this option off.

FascistLogging no
This option “FascistLogging” specifies whether to perform intrusive logging. This kind of logging is not recommended because it violates the privacy of users.

PrintMotd yes
This option “PrintMotd” specifies whether the ssh daemon should print the content of the “/etc/motd” file when a user logs in interactively. The “/etc/motd” file is also known as “the message of the day”.

KeepAlive yes
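The following shell script is an added example, not code from the book or from the ssh distribution: it reads an sshd_config the way the daemon does (keywords case-insensitive, comments and blank lines skipped, first occurrence of a directive wins) and reports every security-relevant directive from this page whose value is not the recommended one. The two sample configuration files it audits are constructed for the example; the function names cfg_value, audit_sshd_config and count_findings are the example's own.

```shell
#!/bin/sh
# Added example (not from the book): audit an sshd_config for the hardening
# values recommended above. Keywords are matched case-insensitively, comments
# and blank lines are skipped, and the first occurrence of a keyword wins.

# cfg_value FILE KEYWORD: print the value of the first matching directive,
# or nothing if the directive is absent.
cfg_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                 # comment or blank line
        tolower($1) == key { print $2; exit }   # first match wins
    ' "$1"
}

# Settings the page insists on, as keyword|expected value|reason.
# PrintMotd, FascistLogging and KeepAlive are preferences, so they are not audited.
EXPECTED='
PermitRootLogin|no|root must never log in directly over ssh
IgnoreRhosts|yes|.rhosts and .shosts files are not an authentication method
StrictModes|yes|world-writable home dirs or rhosts files must refuse the login
QuietMode|no|quiet mode logs only fatal errors, hiding user sessions
X11Forwarding|no|the server has no GUI, so forwarding is pure attack surface
'

# audit_sshd_config FILE: print one FAIL line per directive whose value differs
# from the expected one. An absent directive is also a FAIL, because the
# daemon's compiled-in default is not necessarily the hardened value.
audit_sshd_config() {
    printf '%s\n' "$EXPECTED" | while IFS='|' read -r key want why; do
        [ -n "$key" ] || continue
        got="$(cfg_value "$1" "$key" | tr 'A-Z' 'a-z')"
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: have "%s", want "%s" (%s)\n' \
                "$key" "${got:-<unset>}" "$want" "$why"
        fi
    done
    return 0
}

# count_findings FILE: number of FAIL lines, usable as a pass/fail gate.
count_findings() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# --- constructed sample configs (not real files from the book) ---
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
WEAK_CFG="$SAMPLE_DIR/sshd_config.weak"
HARD_CFG="$SAMPLE_DIR/sshd_config.hard"

cat > "$WEAK_CFG" <<'EOF'
# constructed: a permissive sshd_config (StrictModes is simply missing)
Port 22
PermitRootLogin yes
IgnoreRhosts no
QuietMode yes
X11Forwarding yes
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed: the settings recommended on this page
Port 22
HostKey /etc/ssh/ssh_host_key
permitrootlogin no        # keyword case does not matter
IgnoreRhosts yes
StrictModes yes
QuietMode no
X11Forwarding no
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG"
echo "findings: $(count_findings "$WEAK_CFG")"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG"
echo "findings: $(count_findings "$HARD_CFG")"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions; the weak sample produces five findings (the missing StrictModes counts as one), the hardened sample none. Treating an absent directive as a finding is deliberate: a directive that is not written down is whatever the daemon's default happens to be, which for PermitRootLogin was “yes”.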