3.2.2.3. Other Ways of Securing SSH

Protocol Version

Even though the implementation of the SSH protocol supplied with Red Hat Enterprise Linux supports both the SSH-1 and SSH-2 versions of the protocol, only the latter should be used whenever possible. The SSH-2 version contains a number of improvements over the older SSH-1, and the majority of advanced configuration options are only available when using SSH-2.

Users are encouraged to make use of SSH-2 in order to maximize the extent to which the SSH protocol protects the authentication and communication for which it is used. The version or versions of the protocol supported by the sshd daemon can be specified using the Protocol configuration directive in the /etc/ssh/sshd_config file. The default setting is 2.

Key Types

While the ssh-keygen command generates a pair of SSH-2 RSA keys by default, using the -t option it can be instructed to generate DSA or ECDSA keys as well. The ECDSA (Elliptic Curve Digital Signature Algorithm) offers better performance at the same symmetric key length. It also generates shorter keys.

Non-Default Port

By default, the sshd daemon listens on the 22 network port. Changing the port reduces the exposure of the system to attacks based on automated network scanning, thus increasing security through obscurity. The port can be specified using the Port directive in the /etc/ssh/sshd_config configuration file. Note also that the default SELinux policy must be changed to allow for the use of a non-default port. You can do this by modifying the ssh_port_t SELinux type by typing the following command as root:

~]# semanage port -a -t ssh_port_t -p tcp port_number

In the above command, replace port_number with the new port number specified using the Port directive.

No Root Login

Provided that your particular use case does not require the possibility of logging in as the root user, you should consider setting the PermitRootLogin configuration directive to no in the /etc/ssh/sshd_config file. By disabling the possibility of logging in as the root user, the administrator can audit which user runs what privileged command after they log in as regular users and then gain root rights.

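The three directives discussed above (Protocol, Port and PermitRootLogin) can be checked and corrected from a script rather than by hand. The following POSIX shell example is added here and is not part of the Red Hat guide; the function names sshd_get, sshd_audit and sshd_set and the sample configuration are constructed for the example, and the values it assumes for directives that are absent (Protocol 2, Port 22, PermitRootLogin yes) are the sshd defaults described in this section and in sshd_config(5).

```shell
#!/bin/sh
# Added example, not from the Red Hat Security Guide: audit and correct the
# Protocol, Port and PermitRootLogin directives in an sshd_config-style file.
# Uses only POSIX sh and awk, so it runs without sshd installed.

# sshd_get FILE DIRECTIVE
# Print the value of DIRECTIVE as sshd would read it: directive names are
# case-insensitive, comments and blank lines are ignored, and the first
# uncommented occurrence wins. Prints nothing when the directive is absent.
sshd_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE
# Return 0 when the file follows the three recommendations above; otherwise
# print one line per finding and return 1. Assumed defaults for directives
# that are absent: Protocol 2, Port 22, PermitRootLogin yes.
sshd_audit() {
    rc=0
    proto=$(sshd_get "$1" Protocol)
    port=$(sshd_get "$1" Port)
    prl=$(sshd_get "$1" PermitRootLogin)
    case "${proto:-2}" in
        2) ;;                                   # SSH-2 only: fine
        *) echo "Protocol is '$proto': SSH-1 still accepted"; rc=1 ;;
    esac
    case "${port:-22}" in
        22) echo "Port is 22: default port, exposed to automated scanning"; rc=1 ;;
    esac
    case "$(printf '%s' "${prl:-yes}" | tr 'A-Z' 'a-z')" in
        no) ;;
        *) echo "PermitRootLogin is '${prl:-yes}': direct root login allowed"; rc=1 ;;
    esac
    return $rc
}

# sshd_set FILE DIRECTIVE VALUE
# Rewrite the first uncommented DIRECTIVE line to "DIRECTIVE VALUE", drop any
# later duplicates (sshd would ignore them anyway), or append the line if absent.
sshd_set() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v val="$3" '
        BEGIN { lk = tolower(key) }
        !/^[[:space:]]*#/ && tolower($1) == lk {
            if (!done) { print key " " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample configuration (not a real /etc/ssh/sshd_config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment for the example
#Port 22
Protocol 2,1
PermitRootLogin yes
X11Forwarding yes
EOF

echo "== before =="
sshd_audit "$sample" || true            # reports all three findings
sshd_set "$sample" Protocol 2
sshd_set "$sample" Port 2222
sshd_set "$sample" PermitRootLogin no
echo "== after =="
sshd_audit "$sample" && echo "no findings"
rm -f "$sample"
```

On a real system the functions would be run as root against /etc/ssh/sshd_config, followed by a restart of the sshd service; changing Port still requires the semanage step shown in the Non-Default Port section, otherwise SELinux will stop sshd from binding to the new port.
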
Important

This section draws attention to the most common ways of securing an SSH setup. By no means should this list of suggested measures be considered exhaustive or definitive. Refer to sshd_config(5) for a description of all configuration directives available for modifying the behavior of the sshd daemon and to ssh(1) for an explanation of basic SSH concepts.