To make host-based authentication more secure, consider the following optional configuration settings:
With the AllowSHosts and DenySHosts keywords in the sshd2_config file you can filter the .shosts, .rhosts, /etc/hosts.equiv and /etc/shosts.equiv entries.
If you want to allow only global configuration files (/etc/hosts.equiv and /etc/shosts.equiv), make sure that you have the following entry in your sshd2_config file:
After this modification the .shosts and .rhosts files will not be used in host-based authentication.
To force an exact match between the host name that the client sends to the server and the client's DNS entry, make sure that you have the following definition in your /opt/tectia/etc/sshd2_config file:
In this case, make sure the /etc/hosts file has the fully qualified domain name listed before the short host name, for example:
220.127.116.11 client.example.com client
Even if you are not using /etc/hosts as your primary resolver, you may need to add entries to it for the client and the server to allow them to resolve each other's fully qualified domain names (if they are not able to do so otherwise).
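The check below is an added example, not part of the SSH Tectia documentation: it audits hosts-file content for the ordering described above and reports entries whose first name is not a fully qualified domain name. The function names and the sample entries are assumptions constructed for illustration.

```python
"""Added example: audit hosts-file entries for FQDN-first ordering."""

# Constructed sample in /etc/hosts format; addresses are documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample data
127.0.0.1      localhost
192.0.2.10     client.example.com client
192.0.2.20     server server.example.com   # short name listed first
192.0.2.30     backup
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each entry, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]


def is_fqdn(name):
    """Treat a name as fully qualified if it has at least two non-empty labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def audit_hosts(text, ignore=("localhost",)):
    """Return findings for entries whose first name is not an FQDN."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        if names[0] in ignore or is_fqdn(names[0]):
            continue
        if any(is_fqdn(n) for n in names[1:]):
            reason = "short name listed before FQDN"
        else:
            reason = "no FQDN listed"
        findings.append((line_no, address, names[0], reason))
    return findings


if __name__ == "__main__":
    # To audit a real host, pass the contents of /etc/hosts instead of the sample.
    for line_no, address, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} {name}: {reason}")
```

Run it against the hosts files of both the client and the server before enabling the exact-match setting, since either side may need to resolve the other's fully qualified name.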
Copyright 2017 SSH Communications Security Corporation. This software is protected by international copyright laws. All rights reserved.