In Chapter 4, we covered many compile-time flags for building SSH distributions. Several of them should be set carefully to make your server machine as secure as possible:

--sysconfdir=... (OpenSSH, Tectia)
    Make sure your etc directory is on a local disk, not an NFS-mounted partition. If the SSH server reads a file over NFS, the file's contents cross the network in the clear, which defeats the purpose of a secure server. This matters most for the host key, which is stored unencrypted in this directory.

--bindir=... (OpenSSH, Tectia)
--sbindir=... (OpenSSH, Tectia)
    Likewise, make sure your SSH executables are installed on a local disk, since they can be spoofed if loaded over NFS.[139]

--disable-suid-ssh-signer (Tectia)
    Our recommended serverwide configuration disables hostbased authentication, so there is no need for ssh-signer to be setuid.

--with-tcp-wrappers (OpenSSH)
--with-libwrap (Tectia)
    libwrap affords more precise control over which client machines are allowed to connect to your server. It also makes port and X forwarding more flexible: without it, local forwardings are reachable either only from the local host or from anywhere at all. With GatewayPorts (or ssh -g) and libwrap, you can limit forwarding access to specific hosts. [9.2.1.1] Bear in mind that OpenSSH's libwrap support filters only connections to sshd itself, not the listeners sshd opens for forwarded ports, so the per-host forwarding control described here is a Tectia feature; OpenSSH later removed the --with-tcp-wrappers option altogether (in version 6.7).
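The NFS advice above is easy to state and easy to get wrong when a build is scripted, so here is an added pre-flight check (example code written for this edition, not part of the book or of either SSH distribution). It refuses to emit a configure line unless every install directory lives on a local filesystem. The heuristic it uses is an assumption: POSIX `df -P` prints the filesystem source in its first column, and an NFS mount reports that source as host:/export, so a colon in the source marks a remote mount. The install paths and the OpenSSH flag set are also assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the book: refuse to configure an SSH build whose
# sysconfdir, bindir or sbindir would land on NFS.

# is_on_nfs PATH: succeed (return 0) if PATH is on an NFS mount.
# Assumption: 'df -P' column 1 is the filesystem source, and NFS sources
# look like host:/export. A directory that does not exist yet is checked
# via its nearest existing ancestor, which is where it would be created.
is_on_nfs() {
    p=$1
    while [ ! -e "$p" ]; do
        p=$(dirname "$p")   # dirname of / is /, so this terminates
    done
    src=$(df -P "$p" | awk 'NR == 2 { print $1 }')
    case "$src" in
        *:*) return 0 ;;    # host:/export -> remote filesystem
        *)   return 1 ;;
    esac
}

# check_local_install_dirs DIR...: succeed only if no DIR is on NFS.
check_local_install_dirs() {
    rc=0
    for d in "$@"; do
        if is_on_nfs "$d"; then
            echo "refusing: $d is on an NFS mount" >&2
            rc=1
        fi
    done
    return $rc
}

# openssh_configure_line ETC BIN SBIN: print the configure invocation for
# OpenSSH with the flags discussed above, or fail if a directory is remote.
# (Hypothetical helper; the flag names are the ones the text names.)
openssh_configure_line() {
    etc=$1; bin=$2; sbin=$3
    check_local_install_dirs "$etc" "$bin" "$sbin" || return 1
    printf './configure --sysconfdir=%s --bindir=%s --sbindir=%s --with-tcp-wrappers\n' \
        "$etc" "$bin" "$sbin"
}

# Stand-alone run: paths under /tmp are assumed to be local for this demo.
openssh_configure_line /tmp/ssh-demo/etc /tmp/ssh-demo/bin /tmp/ssh-demo/sbin
```

Run it before a scripted build, and point it at the real sysconfdir, bindir and sbindir values you intend to pass to configure; if any of them resolves to a host:/export source the script stops rather than building a server whose host key or binaries would cross the network in the clear.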