Compile-Time Configuration
In "Installation and Compile-Time Configuration", we covered many compile-time flags for building SSH distributions. Several flags should be carefully set to make your server machine maximally secure:
--with-etcdir=... (SSH1, SSH2)
    Make sure your etc directory is on a local disk, not an NFS-mounted partition. If the SSH server reads a file via NFS, the contents are transmitted in the clear across the network, violating security. This is especially true of the host key, which is stored unencrypted in this directory.

--prefix=... (SSH1, SSH2, OpenSSH)
    Likewise, make sure your SSH executables are installed on a local disk, as they can be spoofed if loaded over NFS.

--disable-suid-ssh (SSH1)
--disable-suid-ssh-signer (SSH2)
    Our recommended serverwide configuration disables trusted-host authentication, so there's no need for setuid permissions for ssh1 and ssh-signer2.

--without-none (SSH1)
    You should disable the "none" cipher that permits unencrypted transmissions. An intruder with access to a user account for 10 seconds can add "Ciphers None" to its client configuration file, silently disabling encryption for the user's clients. If you need the none cipher for testing, build a separate server using --with-none and make it executable only by the system administrator.

--without-rsh (SSH1, OpenSSH)
    We don't recommend allowing ssh to fall back to rsh. You can enforce this restriction at compile time using --without-rsh, or at runtime in the serverwide configuration file. The choice is yours.

--with-libwrap (SSH1, SSH2)
--with-tcp-wrappers (OpenSSH)
    libwrap affords more precise control over which client machines are allowed to connect to your server. It also makes port and X forwarding more flexible, since otherwise local forwardings are available either only to the local host or from anywhere at all. With GatewayPorts (or ssh -g) and libwrap, you can limit forwarding access to specific hosts. ["Local forwarding and GatewayPorts"]
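The flag choices above only help if the installed result still matches them. The following post-install audit is an added example, not part of the book; it checks the three points that are verifiable after the fact: that the etc directory and install prefix are not on a network filesystem, that ssh1 and ssh-signer2 are not setuid, and that no client configuration enables the "none" cipher. The default paths /etc/ssh and /usr/local are assumptions; pass the values you gave to --with-etcdir and --prefix.

```shell
#!/bin/sh
# Post-install audit of the compile-time choices discussed above.
# Added example; paths are assumed defaults, override via arguments.

# Filesystem type name of the mount holding a path (GNU stat, e.g. "nfs", "ext2/ext3").
fs_type() {
    stat -f -c %T "$1" 2>/dev/null
}

# True if the path lives on a network filesystem, where file contents
# (including the unencrypted host key) cross the wire in the clear.
is_network_fs() {
    case "$(fs_type "$1")" in
        nfs|nfs4|smb*|cifs|afs) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the file carries the setuid bit; with trusted-host authentication
# disabled, ssh1 and ssh-signer2 do not need it.
is_setuid() {
    [ -u "$1" ]
}

# True if a client config enables the "none" cipher: matches "Cipher none"
# (SSH1) or "Ciphers ...,none" (SSH2) case-insensitively, skipping comments.
has_none_cipher() {
    grep -Eiq '^[[:space:]]*Ciphers?[[:space:]=]+([^#]*[,[:space:]])?none([,[:space:]]|$)' "$1"
}

# Run all checks; returns 0 when clean, 1 when something needs attention.
audit_ssh_install() {
    etcdir=${1:-/etc/ssh}    # value given to --with-etcdir (assumed default)
    prefix=${2:-/usr/local}  # value given to --prefix (assumed default)
    status=0
    for d in "$etcdir" "$prefix"; do
        if is_network_fs "$d"; then
            echo "WARN: $d is on $(fs_type "$d"); keep it on a local disk"
            status=1
        fi
    done
    for b in "$prefix/bin/ssh1" "$prefix/bin/ssh-signer2"; do
        if [ -e "$b" ] && is_setuid "$b"; then
            echo "WARN: $b is setuid; rebuild with --disable-suid-ssh / --disable-suid-ssh-signer"
            status=1
        fi
    done
    for c in "$etcdir/ssh_config" "$etcdir/ssh2_config"; do
        if [ -e "$c" ] && has_none_cipher "$c"; then
            echo "WARN: $c enables the none cipher; rebuild with --without-none"
            status=1
        fi
    done
    return $status
}
```

Running `audit_ssh_install /etc/ssh /usr/local` (or with your own paths) prints one WARN line per finding; extend the client-config loop with per-user ~/.ssh files if you want the user-level check the text describes.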