DarkNet SSH Policy

Date: 8 August 2008
To: DarkNet SAs (System Administrators)
SUBJECT: DarkNet Secure Shell Policy

PURPOSE: The purpose of this document is to outline the baseline policy for configuring and securing secure shell access.

SCOPE:
  o Configuration
  o Maintaining Availability
  o Maintaining Security
  o Providing Support

CONFIGURATION

I. The following configuration will be used in /etc/ssh/sshd_config:

    Port 7888
    ListenAddress x.x.x.x              # limit the bound interface
    HostKey /etc/ssh/ssh_host_rsa_key
    UsePrivilegeSeparation yes
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    StrictModes yes
    LoginGraceTime 30
    AllowUsers username1 username2 username3
    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys2
    IgnoreRhosts yes
    HostbasedAuthentication no
    IgnoreUserKnownHosts yes
    PermitEmptyPasswords no
    PermitRootLogin no
    PasswordAuthentication no
    RhostsRSAAuthentication no
    X11Forwarding no
    TCPKeepAlive yes

II. The remaining configuration options should be deleted, which preserves the default settings and removes clutter.

III. MAINTAINING AVAILABILITY
[---------------------------------------------------------------------------]

I. In order to maximize access availability to the DarkNet (DN), each SA is responsible for monitoring the connectivity, configuration, and security of their respective secure shell daemon.
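The directive list above states the required configuration but gives the SA no way to verify that a running host still matches it. The script below is an added example, not part of the original memo: it audits an sshd_config file against the policy's directives and reports any drift. Directive names are the spellings sshd actually parses (ListenAddress, UsePrivilegeSeparation, StrictModes, AllowUsers); the two sample configuration files are constructed inline for demonstration and do not describe real DarkNet hosts.

```shell
#!/bin/sh
# Added audit script for the DarkNet SSH policy (not part of the memo).
# Checks an sshd_config against the CONFIGURATION section and reports drift.

# Directive/value pairs the policy fixes outright.
POLICY_RULES='Port 7888
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
StrictModes yes
LoginGraceTime 30
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys2
IgnoreRhosts yes
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
RhostsRSAAuthentication no
X11Forwarding no
TCPKeepAlive yes'

# Directives the policy requires but whose value is per-host (bound address,
# key path, approved user list), so only their presence is checked.
POLICY_PRESENT='ListenAddress HostKey AllowUsers'

# effective_value FILE DIRECTIVE
# Print DIRECTIVE's value the way sshd resolves it: keywords are
# case-insensitive, comment and blank lines are skipped, and the FIRST
# occurrence wins (sshd ignores later duplicates, so a hardening line
# appended below a permissive one changes nothing).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }' "$1"
}

# check_sshd_policy FILE
# Print one line per deviation; return 0 only if FILE fully complies.
check_sshd_policy() {
    conf="$1"
    report=$(
        printf '%s\n' "$POLICY_RULES" | while read -r directive want; do
            got=$(effective_value "$conf" "$directive")
            if [ -z "$got" ]; then
                echo "MISSING  $directive (policy: $want)"
            elif [ "$got" != "$want" ]; then
                echo "MISMATCH $directive = '$got' (policy: $want)"
            fi
        done
        for directive in $POLICY_PRESENT; do
            [ -n "$(effective_value "$conf" "$directive")" ] ||
                echo "MISSING  $directive (site-specific value required)"
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "OK: $conf complies with the DarkNet SSH policy"
}

# Constructed sample configs (example hosts, not real DarkNet systems).
GOOD_CONF=$(mktemp) && BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
Port 7888
ListenAddress 192.0.2.10
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
StrictModes yes
LoginGraceTime 30
AllowUsers username1 username2 username3
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys2
IgnoreRhosts yes
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
RhostsRSAAuthentication no
X11Forwarding no
TCPKeepAlive yes
EOF
# Drifted copy: three directives loosened, LoginGraceTime dropped, and a
# late "PermitRootLogin no" appended that sshd will never apply.
sed -e '/^LoginGraceTime/d' \
    -e 's/^PermitRootLogin no/PermitRootLogin yes/' \
    -e 's/^PasswordAuthentication no/PasswordAuthentication yes/' \
    -e 's/^X11Forwarding no/X11Forwarding yes/' "$GOOD_CONF" > "$BAD_CONF"
echo 'PermitRootLogin no' >> "$BAD_CONF"

check_sshd_policy "$GOOD_CONF"
check_sshd_policy "$BAD_CONF" || echo "-> $BAD_CONF needs remediation"
```

Run it as `sh audit_sshd.sh` to see one compliant and one drifted report; to audit a live host, call `check_sshd_policy /etc/ssh/sshd_config` from a cron job and alert on a non-zero exit. Two points the script bakes in: sshd honours the first occurrence of a directive, so the appended `PermitRootLogin no` in the drifted sample is still reported as `yes`; and KeyRegenerationInterval, ServerKeyBits and RhostsRSAAuthentication are SSH protocol 1 directives that current OpenSSH releases no longer accept, so on a modern host those lines must be removed from both the policy list and the host's config before sshd will start.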