Per-Account Configuration

Users should be instructed not to create rhosts files. If trusted-host authentication is enabled in the local SSH server, advise users to create shosts files instead of rhosts.

For SSH1 and OpenSSH, each key in ~/.ssh/authorized_keys should be restricted by appropriate options. First, use the from option to restrict access to particular keys by particular hosts when appropriate. For example, suppose your authorized_keys file contains a public key for your home PC, myhome.isp.net. No other machine will ever authenticate using this key, so make the relationship explicit:

from="myhome.isp.net" ...key...

Also set idle timeouts for appropriate keys (idle-timeout is an SSH1 option; OpenSSH does not recognize it in authorized_keys):

from="myhome.isp.net",idle-timeout=5m ...key...

Finally, for each key, consider whether port forwarding, agent forwarding, and tty allocation are ever necessary for incoming connections. If not, disable these features with no-port-forwarding, no-agent-forwarding, and no-pty, respectively:

from="myhome.isp.net",idle-timeout=5m,no-agent-forwarding ...key...
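Reviewing these restrictions by eye across many accounts is error-prone, so the following added Python audit script (example code written for this page, not from the book or from OpenSSH) parses an authorized_keys file in the OpenSSH format and reports, for every key, which of the recommended options (from, no-port-forwarding, no-agent-forwarding, no-pty) are missing. The parser handles quoted option values containing commas and spaces (as in from="a.example.com,b.example.com" or command="..."); it treats the OpenSSH restrict option as implying the three no-* options, and it does not check the SSH1-only idle-timeout option. The key blobs in the embedded sample file are constructed placeholders, not real keys.

```python
"""Audit an OpenSSH authorized_keys file for keys lacking per-key restrictions."""

# Key types accepted in the key-type position of an authorized_keys line.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
# Options this page recommends disabling for keys that never need them.
NO_OPTIONS = ("no-port-forwarding", "no-agent-forwarding", "no-pty")


def parse_options(text):
    """Parse the options field into {name: value-or-True}; values may be "quoted"."""
    opts, i, n = {}, 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in "=,":
            j += 1
        name = text[i:j].strip().lower()
        if j < n and text[j] == "=":
            j += 1
            if j < n and text[j] == '"':        # quoted value: may hold ',' and ' '
                j += 1
                buf = []
                while j < n and text[j] != '"':
                    if text[j] == "\\" and j + 1 < n:   # backslash-escaped character
                        j += 1
                    buf.append(text[j])
                    j += 1
                j += 1                               # skip closing quote
                value = "".join(buf)
            else:                                    # bare value up to next comma
                k = j
                while k < n and text[k] != ",":
                    k += 1
                value, j = text[j:k], k
            opts[name] = value
        elif name:
            opts[name] = True                        # flag option such as no-pty
        if j < n and text[j] == ",":
            j += 1
        i = j
    return opts


def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first in KEY_TYPES:
        opts_text, rest = "", line              # no options field present
    else:
        in_quote, i = False, 0                  # options end at first space outside quotes
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote:
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        opts_text, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognized authorized_keys line: %r" % line)
    comment = parts[2] if len(parts) > 2 else ""
    return parse_options(opts_text), parts[0], comment


def audit(text):
    """Return [(comment, [missing option names])] for every key in the file."""
    report = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        opts, _key_type, comment = parsed
        missing = []
        if "from" not in opts:
            missing.append("from")
        if "restrict" not in opts:              # restrict implies every no-* option
            missing.extend(o for o in NO_OPTIONS if o not in opts)
        report.append((comment, missing))
    return report


# Constructed sample file; the key blobs are placeholders, not real public keys.
SAMPLE = """\
# unrestricted key: usable from anywhere, with forwarding and a tty
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000000= alice@laptop
from="myhome.isp.net",no-port-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1111= alice@myhome
from="*.example.com,!untrusted.example.com",command="/usr/local/bin/backup --run" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@host
restrict,from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER deploy
"""

if __name__ == "__main__":
    for comment, missing in audit(SAMPLE):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print("%-14s %s" % (comment or "(no comment)", status))
```

Run it against a real file with audit(open(path).read()); a key reported as missing everything is the case the text warns about, a key that can be used from any host with port forwarding, agent forwarding and a tty all available.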