10.2. Compile-Time Configuration
In Chapter 4, "Installation and Compile-Time Configuration", we covered many compile-time flags for building SSH distributions. Several flags should be set carefully to make your server machine maximally secure:
--with-etcdir=... (SSH1, SSH2)
Make sure your etc directory is on a local disk, not an NFS-mounted partition. If the SSH server reads a file via NFS, its contents cross the network in the clear, so anyone able to sniff that traffic sees them. This matters most for the host key, which is stored unencrypted in this directory: an attacker who captures it can impersonate your server to every client that trusts it.
--prefix=... (SSH1, SSH2, OpenSSH)
Likewise, make sure your SSH executables are installed on a local disk. A binary loaded over NFS can be substituted or altered in transit by whoever controls the file server or the network path, and sshd would then run the attacker's code as root.
--disable-suid-ssh (SSH1)
--disable-suid-ssh-signer (SSH2)
Our recommended serverwide configuration disables trusted-host authentication, so there's no need for setuid permissions on ssh1 or ssh-signer2. The setuid bit exists only so the client can bind a privileged source port and use the host's private key for trusted-host authentication; without it, a bug in the client program cannot be turned into root access on the machine.
--without-none (SSH1)
You should disable the "none" cipher, which permits unencrypted transmissions. An intruder with access to a user account for ten seconds can add "Cipher none" to that user's client configuration file, silently disabling encryption for the user's sessions; the user will see nothing different. The server can protect its users only by refusing the cipher outright, which is what this flag does. If you need the none cipher for testing, build a separate server using --with-none and make it executable only by the system administrator.
--without-rsh (SSH1, OpenSSH)
We don't recommend allowing ssh to fall back to rsh: the fallback sends the session, and possibly a password, in the clear to any host that happens not to be running sshd. You can enforce this restriction at compile time using --without-rsh, or at runtime with FallBackToRsh no in the client configuration file. The choice is yours.
--with-libwrap (SSH1, SSH2)
--with-tcp-wrappers (OpenSSH)
libwrap affords more precise control over which client machines are allowed to connect to your server, through the rules in /etc/hosts.allow and /etc/hosts.deny. It also makes port and X forwarding more flexible: without it, a local forwarding's listening socket is reachable either only from the local host or, with GatewayPorts (or ssh -g), from anywhere at all. With GatewayPorts and libwrap together, you can limit forwarding access to specific hosts. [Section 9.2.1.1, "Local forwarding and GatewayPorts"]
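One way to apply the libwrap control described above, as an added example rather than the book's own configuration; the addresses, domain and port are made up. SSH1's libwrap support checks each forwarded connection against a service name of its own, sshdfwd-<port> for a port forwarding and sshdfwd-X11 for X connections, so a listener opened to the network with GatewayPorts can still be restricted to named hosts. OpenSSH built --with-tcp-wrappers consults the tables only for the incoming connection, under the daemon name sshd, and does not wrap forwardings.

```text
# /etc/hosts.allow  (added example; hosts and port are made up)
# Let only two workstations and one domain reach sshd itself.
sshd: 192.0.2.10, 192.0.2.11, .ws.example.com
# SSH1 with libwrap: the X11 forwarding listener and a GatewayPorts
# listener on port 8080 each get their own service name.
sshdfwd-X11: 192.0.2.10
sshdfwd-8080: 192.0.2.11

# /etc/hosts.deny
sshd, sshdfwd-X11, sshdfwd-8080: ALL
```

hosts.allow is consulted before hosts.deny, so the deny rule catches everything the allow rule did not name. Check the tables with tcpdmatch (for example `tcpdmatch sshd 192.0.2.10`) before relying on them, and remember that libwrap matches on source address and reverse DNS, both of which an attacker on the network path can forge: treat it as a perimeter filter in front of sshd's own authentication, not as a replacement for it.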
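The flags above as one build-and-audit procedure, an example added here rather than taken from the book or from any SSH distribution. It runs configure with the hardening flags for an SSH1 source tree, then checks the finished install for the failure modes this section warns about: install directories on a network filesystem, setuid client binaries, and a client configuration that turns encryption off. PREFIX and ETCDIR are assumed values, and the stat and df invocations are the GNU forms with a BSD fallback.

```shell
#!/bin/sh
# Added example, not from the book or any SSH distribution: build with the
# hardening flags from this section, then audit the result.
# PREFIX and ETCDIR are assumed values; override them in the environment.

PREFIX=${PREFIX:-/usr/local}
ETCDIR=${ETCDIR:-/etc/ssh}

# Run from an unpacked SSH1 source tree. Every flag here is one discussed above.
configure_ssh1() {
    ./configure --prefix="$PREFIX" --with-etcdir="$ETCDIR" \
        --disable-suid-ssh --without-none --without-rsh --with-libwrap
}

# is_local_fs TYPE: succeed unless TYPE names a network filesystem.
is_local_fs() {
    case "$1" in
        nfs|nfs3|nfs4|cifs|smbfs|smb3|afs|coda|fuse.sshfs) return 1 ;;
        *) return 0 ;;
    esac
}

# fstype_of PATH: type of the filesystem holding PATH (GNU stat, else df -T).
fstype_of() {
    stat -f -c %T "$1" 2>/dev/null || df -T "$1" 2>/dev/null | awk 'NR == 2 { print $2 }'
}

# mode_of PATH: permission bits in octal, setuid/setgid included (GNU stat, else BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Mp%Lp "$1"
}

# is_setuid MODE: succeed when an octal mode string carries the setuid bit (04000).
is_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# client_allows_none: read a client configuration on stdin and succeed if it
# selects the none cipher, either SSH1's "Cipher none" or an SSH2 "Ciphers"
# list that contains none. Commented-out lines do not count.
client_allows_none() {
    grep -Eiq '^[[:space:]]*Ciphers?[[:space:]]+([^#]*[,[:space:]])?none([,[:space:]]|$)'
}

# audit_install: report every violation found on this machine; nonzero if any.
audit_install() {
    rc=0
    for dir in "$PREFIX/bin" "$PREFIX/sbin" "$ETCDIR"; do
        [ -d "$dir" ] || continue
        if ! is_local_fs "$(fstype_of "$dir")"; then
            echo "WARNING: $dir is on a network filesystem ($(fstype_of "$dir"))"
            rc=1
        fi
    done
    for bin in "$PREFIX/bin/ssh1" "$PREFIX/bin/ssh" "$PREFIX/bin/ssh-signer2"; do
        [ -f "$bin" ] || continue
        if is_setuid "$(mode_of "$bin")"; then
            echo "WARNING: $bin is setuid (mode $(mode_of "$bin"))"
            rc=1
        fi
    done
    for cfg in "$ETCDIR/ssh_config" "$ETCDIR/ssh2_config" /etc/ssh_config; do
        [ -f "$cfg" ] || continue
        if client_allows_none < "$cfg"; then
            echo "WARNING: $cfg enables the none cipher"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh build-audit.sh --configure   (in the source tree, before make)
#        sh build-audit.sh --audit       (after make install)
case "${1:-}" in
    --configure) configure_ssh1; exit $? ;;
    --audit)     audit_install;  exit $? ;;
esac
```

Run the audit again after any upgrade: a package or a `make install` from a differently configured tree can quietly restore the setuid bit, and the none-cipher check is only as good as the list of configuration files it reads, so add each user's ~/.ssh/config on a multi-user server if you want it covered too.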
Copyright © 2002 O'Reilly & Associates. All rights reserved.