Go to main content

Managing Secure Shell Access in Oracle® Solaris 11.4

Exit Print View

Updated: June 2019

Security Considerations in Secure Shell

    Consider the following security issues when configuring Secure Shell:

  • Protect the /etc/ssh/ssh_known_hosts file.

    Each host that needs to communicate securely with another host must have the server's public key stored in the local host's /etc/ssh/ssh_known_hosts file. Although a script could be used to update the /etc/ssh/ssh_known_hosts files, such a practice is heavily discouraged because a script opens a major security vulnerability.

      The /etc/ssh/ssh_known_hosts file should be distributed only by a secure mechanism as follows:

    • Over a secure connection, such as Secure Shell, IPsec, or Kerberized ftp from a known and trusted system

    • At system install time

    To avoid the possibility of an intruder gaining access by inserting bogus public keys into a known_hosts file, you should use a known and trusted source of the ssh_known_hosts file. The ssh_known_hosts file can be distributed during installation. Later, scripts that use the scp command can be used to copy the latest version.

    Use the man command to view the ssh_config (5) man page.

  • Use the DisableBanner keyword with caution.

    Do not disable the default banner message without careful planning in accordance with your company's security policies. For example, you might disable the banner for repeated logins within an internal network, while maintaining the default banner for connections from outside the company, if that is consistent with your company's security policies.