Différences

Ci-dessous, les différences entre deux révisions de la page.

@@ Ligne 1: / Ligne 1: @@
+==== Configuration du server SSH ====
+Présentation des options du fichier de configuration du server ssh.
+**Localisation du fichier de configuration :**
+  * Fichier de configuration global du système : ''/etc/ssh/sshd_config''
+c'est dans ce répertoire que l'on trouvera entre autre le fichier de configuration **sshd_config**.
+==== Fichier de configuration du client SSH ====
+**Exemple de fichier de configuration commenté :**
+<file config ssh_config>
+#
+#        /etc/ssh/sshd_config
+#
+##############################################################
+#
+#
+#         @category   	ssh config file ubuntu server 14.04 LTS
+#         @package    	openssh
+#         @author     	infosec @ mdl29.net
+#         @copyright  	2016 - choucroutage.com
+#         @license    	Attribution 4.0 International
+#         @version    	1.1
+#         @since      	1.0
+#         @deprecated 	not yet
+#         @link       	not link yet
+#         @man page    	http://manpages.ubuntu.com/manpages/hardy/man5/sshd_config.5.html
+#         @test 	https://tls.imirhil.fr/ssh
+#
+#
+##############################################################
+#
+#
+Protocol 2
+LogLevel VERBOSE
+# Change port from defaut
+#
+# port change. root port are below 1024
+Port 63728
+#  IP address to accept connection
+#
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress :: ipv6
+#ListenAddress 0.0.0.0 ipv4
+#
+#
+##############################################################
+#
+#     	identification of client
+	# protocol version 2 only.
+	HostbasedAuthentication no
+	# Don't read the user's ~/.rhosts and ~/.shosts files
+	IgnoreRhosts yes
+	#  	pasword auth
+	#
+	PasswordAuthentication yes
+	# duration max time allowed for Authentication, defautl is 120.
+	LoginGraceTime 30
+	# little warning
+	# if PasswordAuthentication enabled  put MaxAuthTries to 3
+	# if PasswordAuthentication disabled put MaxAuthTries to 2
+	MaxAuthTries 3
+	PermitEmptyPasswords no
+	#	asymetrical auth
+	#
+	# protocol version 2 only.
+	PubkeyAuthentication yes
+	AuthenticationMethods publickey
+	# file that contains the public keys that can be used for user authentication
+	AuthorizedKeysFile        %h/.ssh/authorized_keys
+	# 	private host key
+	#
+#	HostKey /etc/ssh/ssh_host_rsa_key
+#	HostKey /etc/ssh/ssh_host_ecdsa_key
+	HostKey /etc/ssh/ssh_host_ed25519_key
+	#       two factor auth via duo.com -- see https://duo.com/docs/loginduo
+	#
+	ChallengeResponseAuthentication  yes
+	ForceCommand /usr/sbin/login_duo
+	PermitTunnel no
+	AllowTcpForwarding no
+	#       Whitelisting
+	#
+	#	AllowUsers bourinus, david, renard
+#
+#
+##############################################################
+#
+#       tunnel negotiation
+	#	Allow direct root login
+	#
+	PermitRootLogin no
+	# 	key exchange algorithms, 'kex'
+	#
+    	KexAlgorithms  curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
+	# 	Symmetric cipher; 'cipher'
+	#
+	# The chosen algorithm will be the client's preferred algorithm,
+	# the order in /etc/sshd_config is not important.
+	Ciphers aes256-gcm@openssh.com
+	# 	Message authentication code, 'MAC'
+	#
+ 	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+	# 	enable compression
+	#
+	# read the spec. defautl is delayed.
+	Compression delayed
+#
+#
+##############################################################
+#
+#       tunnel parameters
+        # Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
+	# The default is 10:30:100.
+	MaxStartups 10:30:100
+	# 	Respect ownership
+	#
+	# check file modes and ownership of the user's files and home directory
+	StrictModes yes
+	#	Privilege Separation is turned on for security
+	#
+	UsePrivilegeSeparation yes
+	# 	Max time alive I
+	#
+	# ask for response after a time of inactivity
+        # protocol version 2 only. Default is 0.
+	ClientAliveInterval 120
+	# 	Max time alive II
+	#
+	# disconnection after a number of inactive client non response
+        # protocol version 2 only.
+	ClientAliveCountMax 2
+    	# 	Rekeying
+	#
+	# protocol version 2 only. Defautl is none.
+	RekeyLimit 3G 1h
+	# sftp specific
+	# protocol version 2 only.
+	Subsystem sftp /usr/lib/openssh/sftp-server
+	# Specifies whether the system should send TCP keepalive messages to the other side.
+	#
+	# default is yes
+	TCPKeepAlive yes
+	# Logging Gives the facility code that is used when logging messages from sshd
+        SyslogFacility AUTH
+	# 	Language
+	#
+	AcceptEnv LANG LC_ALL=en_US.UTF-8
+#
+#
+##############################################################
+#
+#       disabling
+	# 	Pluggable Authentication Modules
+	#
+	# the default is no
+	UsePAM yes
+	# 	Kerberos
+	#
+	KerberosAuthentication no
+	KerberosOrLocalPasswd no
+	KerberosTicketCleanup no
+	# 	GSSAPI
+	#
+	GSSAPIAuthentication no
+	# 	X11
+	#
+	# acces throught ssh to X11 - recquires xauth on server
+	X11Forwarding no
+	X11DisplayOffset 10
+	# If UsePrivilegeSeparation is specified, it will be disabled after authentication.
+	UseLogin no
+#
+#
+##############################################################
+#
+#       visual
+	# Print message of the day
+	PrintMotd no
+	PrintLastLog yes
+	#Banner /etc/issue.net
+#
+#
+##############################################################
+#
+# 	Retro compatibility config ie not your 'main target'
+#
+        # number of bits in the ephemeral server key size.
+	#
+        # protocol version 1 only. default is 1024.
+	ServerKeyBits 4096
+        #       Disable remote host based auth
+        #
+        # protocol version 1 only. default is no.
+        RhostsRSAAuthentication no
+	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+	IgnoreUserKnownHosts yes
+        #       Enable public key auth
+        #
+	# protocol version 1 only. default is yes.
+	RSAAuthentication yes
+	# Lifetime and size of ephemeral version 1 server key
+	#
+        # protocol version 1 only.
+	KeyRegenerationInterval 3600
+#
+#
+# 			End file
+#
+##############################################################
+# OpenSSH Test Mode sshd -t
+##############################################################
+# $HOME/.ssh must be 700 and
+# authorized_keys readable by the owner only, i.e. mode 600:
+</file>
+**Détail des directives :**
+^ Directive      ^ Description   ^
+| ''host''       | ... |
+| ''Protocol''   | ... |
+| ''LogLevel''   | ... |