Saturday, September 11, 2010

Secure OpenSSH Config Reference

OpenSSH is a set of utilities to allow you to connect to a remote machine through an encrypted tunnel. You can use it as a terminal connection or to tunnel any data through a VPN interface.

OpenSSH is a FREE version of the SSH suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. (OpenSSH FAQ)

Most operating systems come with one version or another of OpenSSH. You may want to make sure you have the latest version on your machine. Check the OpenSSH site for the latest source code. You can also look to the package maintainers of your OS release to see if they provide a premade package for you to install. The directives and options listed in the following config files apply to the latest official OpenSSH release.

SECURITY NOTE: Notice that we have specified the "Ciphers" for the client and server config files. It is important to use only Advanced Encryption Standard (AES) encryption in stateful-decryption counter (CTR) mode. AES with CBC is vulnerable to the Plaintext Recovery Attack Against SSH. AES is the strongest encryption available in openssl and all others are too weak to trust. We are also specifying the "MACs", or Hash-based Message Authentication Codes, to use. Again, we want the strongest security model available.

Client side ssh config options (/etc/ssh/ssh_config)

This config is for the client side options. You can specify directives here and the client will negotiate them with the server. They will take effect only if the server allows them.

#######################################################
### Calomel.org CLIENT /etc/ssh/ssh_config
#######################################################
Host *
AddressFamily inet
CheckHostIP yes
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Compression no
ConnectionAttempts 1
ConnectTimeout 10
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
EscapeChar ~
ForwardAgent no
ForwardX11 no
ForwardX11Trusted no
HashKnownHosts yes
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
IdentitiesOnly yes
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
PermitLocalCommand no
Port 22
Protocol 2
RekeyLimit 1G
ServerAliveInterval 15
ServerAliveCountMax 3
StrictHostKeyChecking ask
TCPKeepAlive no
Tunnel no
TunnelDevice any:any
VisualHostKey no
#######################################################
### Calomel.org CLIENT /etc/ssh/ssh_config
#######################################################

Server side sshd config options (/etc/ssh/sshd_config)

These directives are for sshd. Permissions should be "chmod 755". We want to restrict access with the following options to better protect the server.

#######################################################
### Calomel.org SERVER /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1

#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh

AllowUsers calomel@10.10.10.3 calomel@192.168.*
AllowGroups calomel

AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (needs to be commented for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes

#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
#
#######################################################
### Calomel.org SERVER /etc/ssh/sshd_config
#######################################################
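As an added example (not part of the original page or of Calomel's configs), here is a small Python audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, whole-line comments only, Match blocks are conditional) and reports CBC ciphers plus any of the reference directives above that are wrong or unset. The sample config, the EXPECTED table and the function names are constructed for illustration.

```python
import re
# Constructed sample sshd_config (not from the page): protocol 1, a CBC cipher and
# root logins are still allowed, and UsePrivilegeSeparation is left unset.
SAMPLE_SSHD_CONFIG = """\
# constructed example for the audit
Protocol 2,1
Ciphers aes256-cbc,aes256-ctr,aes128-ctr
PermitRootLogin yes
X11Forwarding no
Match User anoncvs
    X11Forwarding yes
"""

# Values the reference sshd_config above fixes; unset ones fall back to the sshd default.
EXPECTED = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
    "UsePrivilegeSeparation": "yes",
    "PermitUserEnvironment": "no",
}

def parse_global(config):
    """Return the global directives as {lowercased keyword: value}."""
    settings = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only treats whole lines as comments
            continue
        # accept "Keyword value" and "Keyword=value"; a bare keyword gets value ""
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":  # everything below is conditional, not global
            break
        settings.setdefault(key.lower(), value)  # sshd keeps the first occurrence
    return settings

def audit(config):
    """List each deviation from the reference: CBC ciphers, wrong or unset directives."""
    s = parse_global(config)
    findings = []
    for cipher in filter(None, s.get("ciphers", "").split(",")):
        if cipher.endswith("-cbc"):
            findings.append(f"Ciphers: {cipher} uses CBC mode; keep the CTR ciphers only")
    for directive, want in EXPECTED.items():
        have = s.get(directive.lower())
        if have is None:
            findings.append(f"{directive}: unset, sshd default applies; set '{directive} {want}'")
        elif have.lower() != want:
            findings.append(f"{directive}: is '{have}', expected '{want}'")
    return findings
```

Running audit(SAMPLE_SSHD_CONFIG) reports five findings; the X11Forwarding yes inside the Match block is correctly ignored because it only applies to that user.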

Courtesy: https://calomel.org/openssh.html