SSH Security
I've recently started experimenting with SSH, more out of interest/as a learning point than having any serious use in mind at present (short of sending files between my PC and netbook), and was curious about which security options exist for it beyond those I've implemented, and how relatively secure my current set-up would be considered - obviously more secure than a vanilla SSH service, but how much more?
The steps I've taken so far are:
- Having passphrase-enabled 2048-bit RSA keys on my netbook and PC
- Only having Protocol 2 enabled (sshd_config)
- Changing the default listening port (sshd_config)
- Denying root login (sshd_config)
- Reducing LoginGraceTime to 30s (sshd_config)
- Setting HostbasedAuthentication and RhostsRSAAuthentication to 'no' (sshd_config)
- Only turning the sshd service on when I'm using it!
Everything else is as per the F16 default settings. Are there any glaring omissions from this list that immediately stand out? For instance, is there an option that prevents login without having exchanged public keys, and is it recommended that it be used? (I know there'd be a security versus convenience trade-off there, if I wanted to sign in to my home PC from a remote PC I hadn't exchanged keys with yet e.g. at a friend's house)
Thinking further down the line, would this setup be considered secure enough to reasonably have sshd run on startup, rather than having to turn it on and off with each use? I'm just a home user, rather than securing a business/government organisation's connection, but it doesn't hurt to do a job at least reasonably well!
I generally use two tools - trial and error. They fix most things eventually!