Best practices using ssh


Disable SSHprotocol 1

In the Protocol section of /etc/ssh/sshd_config, enable ONLY protocol 2. Protocol 1 isn't secure and there is a risk of a man in the middle attack.
In order to test SSH deployment, tools like the Cisco content engine and Ettercap (http://ettercap.sourceforge.net) can be used to simulate man in the middle attacks.

Only enable PubkeyAuthentication

In the Authentication section of /etc/ssh/sshd_config, only enable PubkeyAuthentication. This option grants access only to an user who has a RSA or DSA private certificate in his HOME/.ssh directory and the correspondent public certificate in server's HOME/.ssh/ directory.  If either certificate doesn't exist the user can't login.