


Configuration du serveur SSH

Présentation des options du fichier de configuration du serveur ssh.

Localisation du fichier de configuration :

  • Fichier de configuration global du système : /etc/ssh/sshd_config

C'est dans ce répertoire que l'on trouvera, entre autres, le fichier de configuration sshd_config.

Fichier de configuration du client SSH

Exemple de fichier de configuration commenté :

ssh_config
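#
#        /etc/ssh/sshd_config
#
##############################################################
#
#         
#         @category   	ssh config file ubuntu server 14.04 LTS
#         @package    	openssh
#         @author     	infosec @ mdl29.net
#         @copyright  	2016 - choucroutage.com
#         @license    	Attribution 4.0 International
#         @version    	1.1
#         @since      	1.0
#         @deprecated 	not yet
#         @link       	not link yet
#         @man page    	http://manpages.ubuntu.com/manpages/hardy/man5/sshd_config.5.html
#         @test 	https://tls.imirhil.fr/ssh
#
#
##############################################################
#
# sshd_config has no inline comments: everything after a directive name
# up to the end of the line is its argument. Keep notes on their own
# '#' lines. Leading whitespace is ignored by sshd; directives are kept
# in column 0 here for readability.
#

# protocol 1 is disabled; the "Retro compatibility" block at the end
# has no effect while this is set to 2
Protocol 2
# VERBOSE also logs which key was used for each login, which is what
# you want when auditing a key-only server
LogLevel VERBOSE

# Change port from default
#
# Ports below 1024 can only be bound by root. A port above 1024 can be
# bound by any local user whenever sshd is not listening, so moving the
# port is obscurity only and does not replace host key checking on the
# client side.
Port 63728

# IP address to accept connection
#
# Use these options to restrict which interfaces/protocols sshd will bind to.
# The ipv4/ipv6 labels must stay on their own comment lines: sshd would
# treat a trailing word as an extra argument and reject the line.
# ipv6
#ListenAddress ::
# ipv4
#ListenAddress 0.0.0.0

#
#
##############################################################
#
#     	identification of client

# protocol version 2 only.
HostbasedAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# password auth
#
# Note: AuthenticationMethods (below) lists publickey only, so a
# password is never accepted by this server even though the method is
# enabled here. Set this to "no" if AuthenticationMethods is ever removed.
PasswordAuthentication yes
# max time allowed for authentication, in seconds. default is 120.
LoginGraceTime 30
# little warning
# every key the client offers counts as one attempt, so keep this low:
# if PasswordAuthentication enabled  put MaxAuthTries to 3
# if PasswordAuthentication disabled put MaxAuthTries to 2
MaxAuthTries 3
PermitEmptyPasswords no

# asymmetrical auth
#
# protocol version 2 only.
PubkeyAuthentication yes
# only public key authentication is accepted; password and
# keyboard-interactive are not offered as login methods
AuthenticationMethods publickey
# file that contains the public keys that can be used for user authentication
# %h expands to the home directory of the user being authenticated
AuthorizedKeysFile %h/.ssh/authorized_keys

# private host key
#
# only the ed25519 key is offered; clients too old to support
# ssh-ed25519 cannot connect. Uncomment rsa/ecdsa to widen compatibility.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key


# two factor auth via duo.com -- see https://duo.com/docs/loginduo
#
# the second factor comes from login_duo run through ForceCommand, not
# from ChallengeResponse: with AuthenticationMethods publickey the
# keyboard-interactive method is never used for login
ChallengeResponseAuthentication yes
# ForceCommand applies to every session, including the sftp subsystem
# declared below; login_duo is expected to run the original command
# (SSH_ORIGINAL_COMMAND) after the second factor.
# TODO confirm sftp works end to end with this setting.
ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no


# Whitelisting
#
# user name patterns separated by spaces, not commas: with commas the
# pattern "bourinus," would match nobody
#AllowUsers bourinus david renard


#
#
##############################################################
#
#       tunnel negotiation

# Allow direct root login
#
PermitRootLogin no

# key exchange algorithms, 'kex'
#
# diffie-hellman-group-exchange-sha256 takes its group from /etc/ssh/moduli
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

# Symmetric cipher; 'cipher'
#
# The chosen algorithm will be the client's preferred algorithm among
# those listed here; the order in this file is not important.
Ciphers aes256-gcm@openssh.com

# Message authentication code, 'MAC'
#
# encrypt-then-MAC variants only
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# enable compression
#
# read the spec. default is delayed (compression only after authentication).
Compression delayed

#
#
##############################################################
#
#       tunnel parameters

# Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
# start:rate:full - from 10 pending connections 30% of new attempts are
# refused, rising linearly until all are refused at 100.
# The default is 10:30:100.
MaxStartups 10:30:100

# Respect ownership
#
# check file modes and ownership of the user's files and home directory
# before accepting them (see the note at the end of the file)
StrictModes yes

# Privilege Separation is turned on for security
#
UsePrivilegeSeparation yes

# Max time alive I
#
# seconds of inactivity after which sshd sends a client-alive request
# through the encrypted channel
# protocol version 2 only. Default is 0 (never).
ClientAliveInterval 120

# Max time alive II
#
# number of unanswered client-alive requests before disconnection,
# i.e. an idle client is dropped after about 240 seconds here
# protocol version 2 only.
ClientAliveCountMax 2

# Rekeying
#
# renegotiate session keys after 3G of data or 1 hour, whichever comes first
# protocol version 2 only. Default is none.
RekeyLimit 3G 1h

# sftp specific
# protocol version 2 only.
Subsystem sftp /usr/lib/openssh/sftp-server

# Specifies whether the system should send TCP keepalive messages to the other side.
#
# default is yes. Unlike ClientAlive these are plain TCP packets, not
# sent inside the encrypted channel; they only detect a dead link.
TCPKeepAlive yes

# Logging Gives the facility code that is used when logging messages from sshd
SyslogFacility AUTH

# Language
#
# AcceptEnv takes variable names (wildcards allowed), not assignments:
# "LC_ALL=en_US.UTF-8" matched nothing, so LC_ALL was never imported
AcceptEnv LANG LC_ALL
#
#
##############################################################
#
#       disabling


# Pluggable Authentication Modules
#
# the upstream default is no; kept on for account and session handling
UsePAM yes


# Kerberos
#
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no

# GSSAPI
#
GSSAPIAuthentication no

# X11
#
# access through ssh to X11 - requires xauth on server
X11Forwarding no
X11DisplayOffset 10

# do not use login(1) for interactive sessions (the default). If it were
# enabled, privilege separation would be dropped after authentication.
UseLogin no

#
#
##############################################################
#
#       visual

# Print message of the day
PrintMotd no
PrintLastLog yes
#Banner /etc/issue.net

#
#
##############################################################
#
# Retro compatibility config ie not your 'main target'
#
# with "Protocol 2" above these directives have no effect; OpenSSH
# releases that dropped protocol 1 log them as deprecated options

# number of bits in the ephemeral server key size.
#
# protocol version 1 only. default is 1024.
ServerKeyBits 4096

# Disable remote host based auth
#
# protocol version 1 only. default is no.
RhostsRSAAuthentication no

# ignore the user's ~/.ssh/known_hosts for RhostsRSAAuthentication
# (also applies to HostbasedAuthentication)
IgnoreUserKnownHosts yes

# Enable public key auth
#
# protocol version 1 only. default is yes.
RSAAuthentication yes

# Lifetime and size of ephemeral version 1 server key
#
# protocol version 1 only.
KeyRegenerationInterval 3600


#
#
# 			End file
#
##############################################################
# OpenSSH Test Mode: sshd -t checks this file, sshd -T prints the
# effective configuration
##############################################################
# $HOME/.ssh must be 700 and
# authorized_keys readable by the owner only, i.e. mode 600: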

Détail des directives :

Directive Description
host
Protocol
LogLevel