OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two networks and systems. However, the main advantage is server authentication, through the use of public key cryptography. From time to time there are rumors about OpenSSH zero day exploit. This page shows how to secure your OpenSSH server running on a Linux or Unix-like system to improve sshd security.
For regular user accounts, a properly configured chroot jail is a rock solid security system. I’ve already written about chrooting sftp session using rssh. According to OpenBSD journal OpenSSH devs Damien Miller and Markus Friedl have recently added a chroot security feature to openssh itself:
Unfortunately, setting up a chroot(2) environment is complicated, fragile and annoying to maintain. The most frequent reason our users have given when asking for chroot support in sshd is so they can set up file servers that limit semi-trusted users to be able to access certain files only. Because of this, we have made this particular case very easy to configure.
This commit adds a chroot(2) facility to sshd, controlled by a new sshd_config(5) option “ChrootDirectory”. This can be used to “jail” users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.