LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-19-2002, 09:21 PM   #1
tarballedtux
Member
How can I make OpenSSH 2.9p2 stronger


I FINALLY got openssh-2.9p2 to work this week and before I open up its external port to the world, I have one thing to ask: how can I make it more secure? Currently I'm using the system passwords to log in, but I think there is something better; I'm not sure. Anyway, here is my sshd_config:

# This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/libexec/openssh/sftp-server



If you can help in any way, thanks in advance.
Old 01-20-2002, 03:50 PM   #2
unSpawn
Moderator
Some general measures:
- Use public key authentication (harder to crack; use pass phrases, not passwords),
- don't use fallback (Protocol 2,1), just use "protocol 2" (Prot 1 should be phased out as "less secure"),
- When you know your users will be coming in from specific addresses, add 'em to hosts.allow when ssh is compiled with --with-libwrap (TCP Wrappers), or add 'em to your firewall (better trust relation with remote hosts).

For the truly (and rightly so) paranoid:
- Lower login grace time (less guessing time),
- Lower keyregen interval (a grabbed key, when used for decoding traffic, will change more often = better),
- Set maxstartups (basically the directive's name is misleading; its value gives you some form of connection throttling),
- reversemapping=yes (check by resolving remote host credentials)
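A small checker for the points above, added here as an example and not something from the thread or from OpenSSH: it parses an sshd_config the way sshd reads it (the first value of a directive wins) and lists which of the recommended directives are still at their default. The sample configs are constructed from the first post and the changes in post #3; the DEFAULTS table is an assumption about what OpenSSH 2.9 used when a directive was absent.

```python
# Constructed from the sshd_config posted in this thread (the first post, then
# the values changed in post #3); not an OpenSSH tool. DEFAULTS are assumed.
SAMPLE_BEFORE = """\
Protocol 2,1
LoginGraceTime 600
KeyRegenerationInterval 3600
PasswordAuthentication yes
#MaxStartups 10:30:60
#ReverseMappingCheck yes
"""
SAMPLE_AFTER = (SAMPLE_BEFORE
    .replace("Protocol 2,1", "Protocol 2")
    .replace("LoginGraceTime 600", "LoginGraceTime 30")
    .replace("KeyRegenerationInterval 3600", "KeyRegenerationInterval 1800")
    .replace("#ReverseMappingCheck yes", "ReverseMappingCheck yes"))
DEFAULTS = {"protocol": "2,1", "logingracetime": "600",
            "keyregenerationinterval": "3600",
            "passwordauthentication": "yes", "reversemappingcheck": "no"}

def parse_sshd_config(text):
    """Map lower-cased directive -> value for active lines. sshd keeps the
    first value it meets for a directive, so later duplicates are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return cfg

def audit(cfg):
    """Return the directives that still fall short of the advice in the reply."""
    def get(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()
    flagged = []
    if get("protocol") != "2":
        flagged.append("Protocol")                 # SSH-1 fallback still on
    if get("passwordauthentication") != "no":
        flagged.append("PasswordAuthentication")   # keys, not passwords
    if int(get("logingracetime")) >= int(DEFAULTS["logingracetime"]):
        flagged.append("LoginGraceTime")           # not lowered from default
    if int(get("keyregenerationinterval")) >= int(DEFAULTS["keyregenerationinterval"]):
        flagged.append("KeyRegenerationInterval")  # not lowered from default
    if "maxstartups" not in cfg:
        flagged.append("MaxStartups")              # no connection throttling
    if get("reversemappingcheck") != "yes":
        flagged.append("ReverseMappingCheck")
    return flagged
```

Run `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a real file to see what is left; values with unit suffixes (newer OpenSSH) are not handled.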
Old 01-20-2002, 05:24 PM   #3
tarballedtux
Member
How do I do Public Key authentication?

I changed these values from my previous post to these in my sshd_config file:

Protocol 2
LoginGraceTime 30
ServerKeyBits 1024
KeyRegenerationInterval 1800
RSAAuthentication yes
ReverseMappingCheck yes

Then I issued these commands as the user logging in, not as root:

ssh-keygen -t dsa
ssh-keygen -t rsa
ssh-keygen
I used passphrases and saved the files in the default locations.

When I tried to connect using PuTTY from Windows I got this:

Server refused our key
No supported authentication methods left to try!


If you can help, thanks in advance.
Old 01-21-2002, 12:58 AM   #4
unSpawn
Moderator
You probably didn't read man ssh(d) well. For public key with Protocol 2 auth you will need to add the contents of public key ~/.ssh/id_dsa.pub to/from your remote account. Also the "ssh-keygen -t rsa" isn't necessary, it's only public keygenning for Protocol 1. Also look into the PreferredAuthentication directive (man sshd, IIRC).
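The step described in this reply, as an added example (not code from the thread or from OpenSSH): install the contents of id_dsa.pub into ~/.ssh/authorized_keys on the remote account with the directory and file modes that the posted config's "StrictModes yes" requires, and report what StrictModes would refuse. The sample key line is a constructed placeholder, and ownership of the files by the user is assumed rather than checked.

```python
import os
import stat
import tempfile
# Constructed placeholder, not a real key: only the 'ssh-dss <base64> comment'
# shape of id_dsa.pub matters here.
SAMPLE_PUBKEY = "ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER= tarballedtux@example"

def install_public_key(home, pubkey_line):
    """Append one public-key line to home/.ssh/authorized_keys, creating the
    directory (0700) and file (0600) the way sshd expects; idempotent."""
    pubkey_line = pubkey_line.strip()
    fields = pubkey_line.split()
    # protocol-1 keys start with a digit ('1024 35 ...'); only protocol-2 here
    if len(fields) < 2 or not fields[0].startswith("ssh-"):
        raise ValueError("expected a protocol-2 key line such as id_dsa.pub")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = open(path).read() if os.path.exists(path) else ""
    if pubkey_line not in existing.splitlines():
        with open(path, "a") as f:
            if existing and not existing.endswith("\n"):
                f.write("\n")
            f.write(pubkey_line + "\n")
    os.chmod(path, 0o600)
    return path

def strict_modes_violations(home):
    """Paths that make 'StrictModes yes' refuse the key: the home directory,
    ~/.ssh or authorized_keys missing or group/world-writable (ownership by
    the user is assumed and not checked here)."""
    paths = (home, os.path.join(home, ".ssh"),
             os.path.join(home, ".ssh", "authorized_keys"))
    return [p for p in paths if not os.path.exists(p)
            or os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH)]

def demo():
    """Install the sample key twice into a throwaway home, then loosen the
    file mode to show what StrictModes would object to."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    path = install_public_key(home, SAMPLE_PUBKEY)
    install_public_key(home, SAMPLE_PUBKEY)      # second call is a no-op
    lines = open(path).read().splitlines()
    clean = strict_modes_violations(home)
    os.chmod(path, 0o664)                          # group-writable: refused
    return {"lines": len(lines), "clean": clean,
            "loosened": strict_modes_violations(home)}
```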