infosec:sshd_config

Revisions compared: infosec:sshd_config [2016/04/29 12:20] davidgueguen, against infosec:sshd_config [2022/09/04 21:02] (current version, external edit from 127.0.0.1)
==== SSH server configuration ====

Overview of the options in the SSH server configuration file.

**Location of the configuration file:**
  * System-wide configuration file: ''/etc/ssh/sshd_config''
The ''/etc/ssh'' directory is where, among other files, the **sshd_config** configuration file lives.


==== SSH server configuration file ====
**Commented example configuration file:**
<file config sshd_config>
#
#        /etc/ssh/sshd_config
#
##############################################################
#
#         @category    ssh config file ubuntu server 14.04 LTS
#         @package     openssh
#         @author      infosec @ mdl29.net
#         @copyright   2016 - choucroutage.com
#         @license     Attribution 4.0 International
#         @version     1.1
#         @since       1.0
#         @deprecated  not yet
#         @link        no link yet
#         @man page    http://manpages.ubuntu.com/manpages/hardy/man5/sshd_config.5.html
#         @test        https://tls.imirhil.fr/ssh
#
##############################################################

# Only protocol version 2 is accepted (version 1 is obsolete).
Protocol 2
# VERBOSE also logs the fingerprint of the key used at login, useful for audits.
LogLevel VERBOSE

# Change the port from the default (22).
#
# Ports below 1024 are privileged ports. sshd runs as root so any port works;
# a high port only cuts down on automated scanning noise.
Port 63728

# IP addresses to accept connections on.
#
# Use these options to restrict which interfaces/protocols sshd will bind to.
# Uncomment and adjust; the default is to listen on all local addresses.
# IPv6:
#ListenAddress ::
# IPv4:
#ListenAddress 0.0.0.0

##############################################################
#
#      Identification of the client

# Protocol version 2 only.
HostbasedAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files.
IgnoreRhosts yes

# Password authentication
#
# Note: with "AuthenticationMethods publickey" below, a password alone never
# grants access; this setting only matters if that line is removed.
PasswordAuthentication yes
# Maximum time allowed to complete authentication; the default is 120 seconds.
LoginGraceTime 30
# Little warning:
# if PasswordAuthentication is enabled,  set MaxAuthTries to 3
# if PasswordAuthentication is disabled, set MaxAuthTries to 2
MaxAuthTries 3
PermitEmptyPasswords no

# Asymmetric (public key) authentication
#
# Protocol version 2 only.
PubkeyAuthentication yes
AuthenticationMethods publickey
# File that contains the public keys that can be used for user authentication.
AuthorizedKeysFile %h/.ssh/authorized_keys

# Private host key
#
# Only the Ed25519 host key is offered; the RSA and ECDSA keys stay commented out.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Two-factor authentication via duo.com -- see https://duo.com/docs/loginduo
#
# login_duo runs as a forced command once the key has been accepted. Duo's
# guide pairs it with disabling tunnels and port forwarding, which a client
# can request without the forced command ever running.
ChallengeResponseAuthentication yes
ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no

# Whitelisting
#
# AllowUsers takes a space-separated list of user patterns (no commas).
#AllowUsers bourinus david renard

##############################################################
#
#       Tunnel negotiation

# Direct root login
#
PermitRootLogin no

# Key exchange algorithms, 'kex'
#
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

# Symmetric cipher, 'cipher'
#
# The chosen algorithm is the first of the client's preferred list that the
# server also allows, so the order in /etc/ssh/sshd_config is not important;
# the list only defines what is acceptable.
Ciphers aes256-gcm@openssh.com

# Message authentication code, 'MAC'
#
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Compression
#
# Read the man page. The default is delayed (compression only after
# authentication).
Compression delayed

##############################################################
#
#       Tunnel parameters

# Maximum number of concurrent unauthenticated connections to the SSH daemon
# (start:rate:full). The default is 10:30:100.
MaxStartups 10:30:100

# Respect ownership
#
# Check file modes and ownership of the user's files and home directory.
StrictModes yes

# Privilege separation is turned on for security.
#
UsePrivilegeSeparation yes

# Max time alive I
#
# Ask the client for a response after this many seconds of inactivity.
# Protocol version 2 only. Default is 0 (never ask).
ClientAliveInterval 120

# Max time alive II
#
# Disconnect after this many unanswered client-alive requests.
# Protocol version 2 only.
ClientAliveCountMax 2

# Rekeying
#
# Renegotiate session keys after 3 GB of traffic or 1 hour, whichever comes
# first. Protocol version 2 only. Default is "default none".
RekeyLimit 3G 1h

# SFTP subsystem
# Protocol version 2 only.
Subsystem sftp /usr/lib/openssh/sftp-server

# Specifies whether the system should send TCP keepalive messages to the other side.
#
# Default is yes.
TCPKeepAlive yes

# Logging: facility code used when logging messages from sshd.
SyslogFacility AUTH

# Language
#
# AcceptEnv takes variable names or patterns, not assignments.
AcceptEnv LANG LC_*

##############################################################
#
#       Disabling

# Pluggable Authentication Modules
#
# The upstream default is no (Debian/Ubuntu packages ship it as yes).
UsePAM yes

# Kerberos
#
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no

# GSSAPI
#
GSSAPIAuthentication no

# X11
#
# Access to X11 through ssh; requires xauth on the server.
X11Forwarding no
X11DisplayOffset 10

# If UsePrivilegeSeparation is specified, it will be disabled after authentication.
UseLogin no

##############################################################
#
#       Visual

# Print message of the day
PrintMotd no
PrintLastLog yes
#Banner /etc/issue.net

##############################################################
#
# Retro compatibility config, i.e. not your 'main target'
#

# Number of bits in the ephemeral server key.
#
# Protocol version 1 only. Default is 1024.
ServerKeyBits 4096

# Disable remote host based auth
#
# Protocol version 1 only. Default is no.
RhostsRSAAuthentication no

# Set to yes if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
IgnoreUserKnownHosts yes

# Enable public key auth
#
# Protocol version 1 only. Default is yes.
RSAAuthentication yes

# Lifetime of the ephemeral protocol version 1 server key (its size is
# ServerKeyBits above).
#
# Protocol version 1 only.
KeyRegenerationInterval 3600

#
# End of file
#
##############################################################
# OpenSSH test mode: sshd -t
##############################################################
# $HOME/.ssh must be 700 and
# authorized_keys readable by the owner only, i.e. mode 600:
</file>

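Beyond running ''sshd -t'', it helps to check an existing ''sshd_config'' against the choices made in the file above (root login, MaxAuthTries, grace time, forwarding, cipher/MAC/KEX lists). The script below is an added example written for this page, not a tool of the wiki or of OpenSSH. The function names (''parse_sshd_config'', ''audit''), the lists of weak-algorithm markers and the sample configuration are all constructed for the example; the parsing rules it mirrors are OpenSSH's own: keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a ''Match'' line is conditional.

```python
"""Audit an sshd_config against the hardening choices of this page's file.

Added example (not the page's own tooling). Assumes OpenSSH's parsing rules:
keywords are case-insensitive, the first occurrence of a keyword wins, and
everything after a 'Match' line is conditional, so it is not global.
"""
import re
import sys
from typing import Dict, List

# Constructed sample in the style of the page's file; it deliberately departs
# from the page's recommendations in several places so the audit has findings.
SAMPLE_CONFIG = """\
# constructed sample, not a real host's configuration
Protocol 2
Port 63728
LogLevel VERBOSE
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
LoginGraceTime 2m
PubkeyAuthentication yes
AuthenticationMethods publickey
Ciphers aes256-gcm@openssh.com,aes128-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha1
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
X11Forwarding no
PermitRootLogin no
Match User backup
    AllowTcpForwarding no
"""

# Upstream OpenSSH defaults for the audited keywords. PermitRootLogin defaults
# to "yes" on the OpenSSH 6.x shipped with Ubuntu 14.04 (newer releases default
# to prohibit-password). An empty algorithm list means "sshd's built-in list",
# which this example does not inspect.
DEFAULTS = {
    "protocol": "2", "permitrootlogin": "yes", "permitemptypasswords": "no",
    "passwordauthentication": "yes", "maxauthtries": "6", "logingracetime": "120",
    "x11forwarding": "no", "allowtcpforwarding": "yes", "permittunnel": "no",
    "hostbasedauthentication": "no", "ignorerhosts": "yes",
    "ciphers": "", "macs": "", "kexalgorithms": "",
}

# Substrings that identify algorithms the page's lists avoid (constructed here).
WEAK_CIPHERS = ("cbc", "arcfour", "3des", "blowfish", "cast128")
WEAK_MACS = ("md5", "sha1", "ripemd")
WEAK_KEX = ("group1", "sha1")

# "Keyword value" and "Keyword = value" are both accepted by sshd.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global directives as {lowercase keyword: value}."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if match is None:
            continue  # keyword without a value; sshd -t reports these
        keyword, value = match.group(1).lower(), match.group(2)
        if keyword == "match":
            break  # what follows is conditional, not part of the global section
        directives.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return directives


def _seconds(value: str) -> int:
    """Parse an sshd time value such as '30', '2m' or '1h30m' into seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def _weak(listing: str, markers) -> List[str]:
    """Return the entries of a comma-separated algorithm list matching a marker."""
    return [a for a in listing.split(",") if a and any(m in a.lower() for m in markers)]


def audit(directives: Dict[str, str]) -> List[str]:
    """Compare the effective directives (defaults + file) with the page's choices."""
    eff = {**DEFAULTS, **directives}
    val = lambda k: eff.get(k, "").lower()
    findings: List[str] = []
    expected = {"protocol": "2", "permitrootlogin": "no", "permitemptypasswords": "no",
                "x11forwarding": "no", "allowtcpforwarding": "no", "permittunnel": "no",
                "hostbasedauthentication": "no", "ignorerhosts": "yes"}
    for key, want in expected.items():
        if val(key) != want:
            findings.append(f"{key}: is '{eff[key]}', the page sets {want}")
    limit = 3 if val("passwordauthentication") == "yes" else 2  # the page's rule
    if int(val("maxauthtries")) > limit:
        findings.append(f"maxauthtries: {eff['maxauthtries']} exceeds {limit}")
    if _seconds(val("logingracetime")) > 30:
        findings.append(f"logingracetime: {eff['logingracetime']} is longer than the page's 30s")
    methods = val("authenticationmethods")
    if val("passwordauthentication") == "yes" and methods and "password" not in methods:
        findings.append("passwordauthentication: yes, but AuthenticationMethods never offers password")
    for key, markers in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS), ("kexalgorithms", WEAK_KEX)):
        for algo in _weak(eff[key], markers):
            findings.append(f"{key}: {algo} is weaker than the page's choices")
    return findings


def main(argv: List[str]) -> int:
    """Audit the file given on the command line, or the built-in sample."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_CONFIG
    findings = audit(parse_sshd_config(text))
    for finding in findings:
        print("WARN", finding)
    print("no findings" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as ''python3 audit_sshd.py /etc/ssh/sshd_config'' (any filename you like; the script name is not prescribed) and it exits non-zero when something deviates. Two details of the sample are worth noticing: the second ''PermitRootLogin no'' does not rescue the first ''PermitRootLogin yes'', because sshd keeps the first value, and the ''AllowTcpForwarding no'' inside the ''Match'' block does not count as a global setting, so the upstream default of ''yes'' is what gets reported.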
**Directive details:**

^ Directive      ^ Description   ^
| ''host''       | ... |
| ''Protocol''   | ... |
| ''LogLevel''   | ... |

