15.3. Configure the /etc/ssh/ssh_config file

The /etc/ssh/ssh_config file is the system-wide configuration file for OpenSSH which allows you to set options that modify the operation of the client programs. The file contains keyword-value pairs, one per line, with keywords being case insensitive. Here are the most important keywords to configure your ssh for top security; a complete listing and/or special requirements are available in the man page for ssh(1).

Edit the ssh_config file, vi /etc/ssh/ssh_config and add/or change, if necessary the following parameters:

          # Site-wide defaults for various options

          Host *
          ForwardAgent no
          ForwardX11 no
          RhostsAuthentication no
          RhostsRSAAuthentication no
          RSAAuthentication yes
          PasswordAuthentication yes
          FallBackToRsh no
          UseRsh no
          BatchMode no
          CheckHostIP yes
          StrictHostKeyChecking no
          IdentityFile ~/.ssh/identity
          Port 22
          Cipher blowfish
          EscapeChar ~
          
This tells ssh_config file to set itself up for this particular configuration setup with:

Host *

The option Host restricts all forwarded declarations and options in the configuration file to be only for those hosts that match one of the patterns given after the keyword. The pattern * means for all hosts up to the next Host keyword. With this option you can set different declarations for different hosts in the same ssh_config file.

ForwardAgent no

The option ForwardAgent specifies which connection authentication agent if any should be forwarded to the remote machine.

ForwardX11 no

The option ForwardX11 is for people that use the Xwindow GUI and want to automatically redirect X11 sessions to the remote machine. Since we setup a server and don't have GUI installed on it, we can safely turn this option off.

RhostsAuthentication no

The option RhostsAuthentication specifies whether we can try to use rhosts based authentication. Because rhosts authentication is insecure you shouldn't use this option.

RhostsRSAAuthentication no

The option RhostsRSAAuthentication specifies whether or not to try rhosts authentication in concert with RSA host authentication.

RSAAuthentication yes

The option RSAAuthentication specifies whether to try RSA authentication. This option must be set to yes for better security on your sessions. RSA uses public and private keys pair created with the ssh-keygen1utility for authentication purposes.

PasswordAuthentication yes

The option PasswordAuthentication specifies whether we should use password-based authentication. For strong security, this option must always be set to yes.

FallBackToRsh no

The option FallBackToRsh specifies that if a connection with ssh daemon fails rsh should automatically be used instead. Recalling that rsh service is insecure, this option must always be set to no.

UseRsh no

The option UseRsh specifies that rlogin/rsh services should be used on this host. As with the FallBackToRsh option, it must be set to no for obvious reasons.

BatchMode no

The option BatchMode specifies whether a username and password querying on connect will be disabled. This option is useful when you create scripts and dont want to supply the password. e.g. Scripts that use the scp command to make backups over the network.

CheckHostIP yes

The option CheckHostIP specifies whether or not ssh will additionally check the host IP address that connect to the server to detect DNS spoofing. It's recommended that you set this option to yes.

StrictHostKeyChecking no

The option StrictHostKeyChecking specifies whether or not ssh will automatically add new host keys to the $HOME/.ssh/known_hosts file, or never automatically add new host keys to the host file. This option, when set to yes, provides maximum protection against Trojan horse attacks. One interesting procedure with this option is to set it to no at the beginning, allow ssh to add automatically all common hosts to the host file as they are connected to, and then return to set it to yes to take advantage of this feature.

IdentityFile ~/.ssh/identity

The option IdentityFile specifies an alternate RSA authentication identity file to read. Also, multiple identity files may be specified in the configuration file ssh_config.

Port 22

The option Port specifies on which port number ssh connects to on the remote host. The default port is 22.

Cipher blowfish

The option Cipher specifies what cipher should be used for encrypting sessios. The blowfish use 64-bit blocks and keys of up to 448 bits.

EscapeChar ~

The option EscapeChar specifies the session escape character for suspension.