SSH client configuration

Overview of the options in the ssh client configuration file.

Location of the configuration file:

  • System-wide configuration file: /etc/ssh/ssh_config

This is the directory that holds, among other things, the ssh_config configuration file.

  • Per-user configuration file: $HOME/.ssh/ssh_config

This is the directory that holds the user's public/private key pairs.

SSH client configuration file

http://manpages.ubuntu.com/manpages/precise/man5/ssh_config.5.html

Example of a commented configuration file:

ssh_config
#
# /etc/ssh/ssh_config
#
##############################################################
#
#
#   @category   ssh config file ubuntu desktop 14.04 LTS
#   @package    openssh
#   @author     infosec @ mdl29.net
#   @copyright  2016 - choucroutage.com
#   @license    Attribution 4.0 International
#   @version    1.1
#   @since      1.0
#   @deprecated not yet
#   @link       not link yet
#   @man page   http://manpages.ubuntu.com/manpages/precise/man5/ssh_config.5.html
#
#
##############################################################
#
#
Host *
 
Protocol 2
LogLevel VERBOSE
 
# Change port from default
#
# port change. ports below 1024 are reserved for root
Port 63728
 
#
#
##############################################################
#
#       identification of host
 
  # Verify that the IP of the host is in the known_hosts file
  #
  # default is yes in the OpenSSH release shipped with Ubuntu 14.04.
  CheckHostIP yes
 
  # Disable remote host based auth
  #
  # protocol version 2 only. default is no.
  # allows hosts to authenticate on behalf of all or some of the system's users
  HostbasedAuthentication no
 
  StrictHostKeyChecking ask
  HashKnownHosts yes
 
#
#
##############################################################
#
#       tunnel negotiation
 
  # Auth
  #
  PasswordAuthentication yes
  PubkeyAuthentication yes
  PreferredAuthentications keyboard-interactive,publickey,password
 
  # Public key, 'key'
  #
  IdentityFile ~/.ssh/this_is_my_key
 
  # key exchange algorithms, 'kex'
  #
  KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 
  # Symmetric cipher, 'cipher'
  #
  # The chosen algorithm will be the client's preferred algorithm,
  # the order in /etc/ssh/sshd_config is not important.
  Ciphers aes256-gcm@openssh.com
 
  # Message authentication code, 'MAC'
  #
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 
  # enable compression
  #
  # read the spec. default is no.
  # the client accepts only yes or no; 'delayed' is an sshd_config (server) value.
  Compression yes
 
#
#
##############################################################
#
#       tunnel parameters
 
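  # Rekeying: renegotiate the session keys after 3G of data or 1h
  #
  RekeyLimit 3G 1h
 
  # timeout, in seconds, when connecting to the server
  #
  ConnectTimeout 30
 
  # timer: seconds of silence before a keepalive message is sent to the server
  #
  ServerAliveInterval 60
 
  # Max number of unanswered keepalive messages before disconnecting
  #
  ServerAliveCountMax 30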
 
  SendEnv LANG LC_*
 
#
#
##############################################################
#
#       disabling
 
  # disable gssapi kerberos
  #
  GSSAPIAuthentication no
  GSSAPIDelegateCredentials no
  GSSAPIKeyExchange no
  GSSAPITrustDNS no
 
  # Disable any forwarding
  #
  ForwardAgent no
  ForwardX11 no
 
  BatchMode no
 
  # Disable command through tunnel
  #
  PermitLocalCommand no
 
  # AddressFamily any
  # Tunnel no
  # TunnelDevice any:any
 
  # VisualHostKey no
  # auto proxy
  # ProxyCommand ssh -q -W %h:%p gateway.example.com
 
#
#
##############################################################
#
#       Backward compatibility config, i.e. not your 'main target'
#
 
  # Disable remote host based auth
  #
  # protocol version 1 only. default is no.
  RhostsRSAAuthentication no
 
  # Enable public key auth
  #
  # protocol version 1 only. default is yes.
  RSAAuthentication yes
 
  # enable compression
  #
  # protocol version 1 only. default is 6.
  CompressionLevel 6
 
#
#       End file
#
##############################################################
# $HOME/.ssh must be 700 and
# authorized_keys readable by the owner only, i.e. mode 600:

Directive details:

Directive Description
host
Protocol
LogLevel
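
Added example, not part of the original page or of OpenSSH: ssh keeps the first value it obtains for each option, so a per-host block placed above the `Host *` section of the file above overrides its baseline, while the same block placed below it has no effect. The Python code resolves the effective options for one host and checks them against that baseline; the function names and bastion.example.com are assumptions, and `Match` and `Include` are not handled.

```python
import fnmatch
import re

# Baseline taken from the example file on this page: option -> accepted values.
BASELINE = {
    "forwardagent": {"no"}, "forwardx11": {"no"},
    "permitlocalcommand": {"no"}, "hostbasedauthentication": {"no"},
    "hashknownhosts": {"yes"}, "checkhostip": {"yes"},
    "stricthostkeychecking": {"ask", "yes"},
}
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"

def host_matches(patterns, host):
    """A Host line matches if a positive pattern matches and no negated (!) one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_options(config_text, host):
    """Resolve options for host the way ssh does: the first obtained value wins."""
    active, result = True, {}  # lines before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank line, comment, or keyword without a value
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif active:
            result.setdefault(key, value)
    return result

def audit(config_text, host):
    """Return baseline options that are unset or outside the accepted values."""
    opts = effective_options(config_text, host)
    return sorted(k for k, ok in BASELINE.items() if opts.get(k, "").lower() not in ok)

# Constructed sample: excerpt of the page's "Host *" block plus a hypothetical per-host block.
BASE = ("Host *\n ForwardAgent no\n ForwardX11 no\n PermitLocalCommand no\n"
        " HostbasedAuthentication no\n HashKnownHosts yes\n CheckHostIP yes\n"
        " StrictHostKeyChecking ask\n")
OVERRIDE = "Host bastion.example.com\n ForwardAgent yes\n"
if __name__ == "__main__":
    for text in (BASE + OVERRIDE, OVERRIDE + BASE):
        print(audit(text, "bastion.example.com"))
```

An empty list means every baseline option resolves to an accepted value for that host; an option that is simply absent is reported too, since the file above sets each one explicitly.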
infosec/ssh_config.txt · Last modified: 2016/07/19 15:36 (external edit)