Security Basics mailing list archives

Re: SSH / Witch options are secure ??


From: Chris Ess <azarin () tokimi net>
Date: Fri, 15 Aug 2003 19:32:15 -0400 (EDT)

> Hello list
>
> I have just set up a SuSE 8.0 ISDN router and want to update sshd. Which
> options do you choose via ./configure to be as secure as possible?
> Is the default installation secure enough? I have downloaded the newest
> release 3.6.1p2.
>
> I have read that OpenBSD with SSHD 2.9.9 - 3.3 is vulnerable with these
> options enabled.
>
> -- SSH2 support
> -- Challenge-response authentication enabled (reported by exploit, sort
> of)
> -- SKEY and/or BSDAUTH defined at compile time (reported by exploit)
>
> I know I am paranoid 8^) but this will be the only reachable service from
> outside. Any hints on this?

SSH v2 is more secure than SSH v1, or so I'm told.  So, if you are
paranoid about security, I suggest requiring SSH v2.

I also suggest requiring key-based authentication and enabling some sort
of mechanism to deny SSH connections except from certain IPs.  However,
both of these can be set within the sshd_config.

To answer your initial question, I use:
./configure --with-pam --with-md5-passwords --with-tcp-wrappers

This is because my machine uses PAM and MD5 passwords... And TCP wrappers
is an all around good idea, I think.  (I could be wrong.)

I hope this helps.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
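
One way to check an sshd_config against the three suggestions in the reply above (SSH v2 only, key-based logins, connections tied to known source addresses). This is an added example, not part of the original message or of OpenSSH: the function names, the sample configurations and the `192.0.2.x` addresses are constructed, and the fallback defaults are assumed to match OpenSSH releases of that era (3.x).

```python
# Assumed defaults for OpenSSH 3.x, used when a keyword is absent from the file.
DEFAULTS = {"protocol": "2,1", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}

def parse_sshd_config(text):
    """Return {keyword: [values in file order]}; keywords are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        settings.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return settings

def effective(settings, key):
    # sshd keeps the first value it reads for a keyword; later duplicates lose.
    return settings.get(key, [DEFAULTS[key]])[0].lower()

def audit(text):
    s, findings = parse_sshd_config(text), []
    if effective(s, "protocol").replace(" ", "") != "2":
        findings.append("Protocol still permits SSH v1; set 'Protocol 2'")
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off; key logins cannot work")
    for key in ("passwordauthentication", "challengeresponseauthentication"):
        if effective(s, key) != "no":
            findings.append(key + " is on; key-only logins need it set to 'no'")
    # Repeated AllowUsers lines accumulate, so collect patterns from all of them.
    patterns = [p for v in s.get("allowusers", []) for p in v.split()]
    if not patterns or any("@" not in p for p in patterns):
        findings.append("AllowUsers does not bind every user to a source host")
    return findings

# Constructed samples: WEAK relies on defaults and a misleading duplicate line.
WEAK = """# constructed sample
Protocol 2,1
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers admin
"""
HARDENED = """Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin@192.0.2.10 backup@192.0.2.*
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Current OpenSSH releases no longer support protocol 1, so the `Protocol` check only matters for servers of this vintage.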

