Securing SSH on Solaris 10
SSH is a secure, encrypted replacement for common login services like, telnet, rlogin and rsh.
Out of the box SSH Server running on Solaris 10 is pretty secure and most of the default settings can be taken as is with a few exceptions.
SSH Parameters
The table below outlines changes to a couple of entries to make SSH more secure:
| Parameter | Value | Description / Rationale |
|---|---|---|
| Protocol | 2 | SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure. Secure Shell version 2 (SSH2) is more secure than the legacy SSH1 version, which is being deprecated. |
| X11Forwarding | no | The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. The default value is yes
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled that users can may be able to install their own forwarders. |
| MaxAuthTries | 3 | The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. The default value is 6.
Setting the MaxAuthTries parameter to a lower number will minimize the risk of successful brute force attacks to the SSH server. |
| MaxAuthTriesLog | 0 | The MaxAuthTriesLog parameter specifies the maximum number of failed authorization attempts before a syslog error message is generated. The default value is 3.
Setting this parameter to 0 ensures that every failed authorization is logged. |
| IgnoreRhosts | yes | The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
Setting this parameter forces users to enter a password when authenticating with SSH. |
| RhostsAuthentication | no | The RhostsAuthentication parameter specifies if authentication using rhosts or /etc/hosts.equiv is permitted. The default is no.
Rhosts authentication is insecure and should not be permitted.
Note that this parameter only applies to SSH protocol version 1. |
| RhostsRSAAuthentication | no | The RhostsRSAAuthentication parameter specifies if rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is permitted. The default is no.
Note that this parameter only applies to SSH protocol version 1.
Rhosts authentication is insecure and should not be permitted, even with RSA host authentication. |
| PermitRootLogin | no | The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no.
The root user must be restricted from directly logging in from any location other than the console. |
| PermitEmptyPasswords | no | The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings.
All users must be required to have a password. |
| Banner | The Banner parameter specifies a file whose contents must sent to the remote user before authentication is permitted. By default, no banner is displayed.
Banners are used to warn connecting users of the particular site's policy regarding connection. |
Changing SSH Server configuration
To make any changes to the SSH server configuration, edit the /etc/ssh/sshd_config file to set the required parameters and then restart the SSH Server. For example:
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig # vi /etc/ssh/sshd_config (make your changes) # svcadm restart svc:/network/ssh
References
- For more information on the status of the SSH1 protocol, see the SSH web site http://www.ssh.com/company/newsroom/article/210/.
- Sun Blueprints, http://www.sun.com/blueprints