
infosec:sshd_config

Differences

Below are the differences between two revisions of the page.

infosec:sshd_config [2016/04/29 12:22]
davidgueguen [SSH client configuration file]
infosec:sshd_config [2016/07/19 15:36] (current version)
Line 1: Line 1:
 +==== Configuration du server SSH ====
 +
 +Présentation des options du fichier de configuration du server ssh.
 +
 +**Localisation du fichier de configuration :**
 +  * Fichier de configuration global du système : ''/​etc/​ssh/​sshd_config''​
 +c'est dans ce répertoire que l'on trouvera entre autre le fichier de configuration **sshd_config**.
 +
 +
 +==== Fichier de configuration du client SSH ====
 +**Exemple de fichier de configuration commenté :**
 +<file config ssh_config>​
 +#
 +#        /​etc/​ssh/​sshd_config
 +#
 +##############################################################​
 +#
 +#         
 +#         ​@category ​   ssh config file ubuntu server 14.04 LTS
 +#         ​@package ​   openssh
 +#         ​@author ​    ​ infosec @ mdl29.net
 +#         ​@copyright ​ 2016 - choucroutage.com
 +#         ​@license ​   Attribution 4.0 International
 +#         ​@version ​   1.1
 +#         ​@since ​     1.0
 +#         ​@deprecated not yet
 +#         ​@link ​       not link yet
 +#         @man page    http://​manpages.ubuntu.com/​manpages/​hardy/​man5/​sshd_config.5.html
 +#         @test https://​tls.imirhil.fr/​ssh
 +#
 +#
 +##############################################################​
 +#
 +#
 +
 +Protocol 2
 +LogLevel VERBOSE
 +
 +# Change port from defaut
 +#
 +# port change. root port are below 1024
 +Port 63728
 +
 +#  IP address to accept connection
 +#
 +# Use these options to restrict which interfaces/​protocols sshd will bind to
 +#​ListenAddress :: ipv6
 +#​ListenAddress 0.0.0.0 ipv4
 +
 +#
 +#
 +##############################################################​
 +#
 +#     ​ identification of client
 +
 + # protocol version 2 only.
 + HostbasedAuthentication no
 + # Don't read the user's ~/.rhosts and ~/.shosts files
 + IgnoreRhosts yes
 +
 + #  pasword auth
 +
 + PasswordAuthentication yes
 + # duration max time allowed for Authentication,​ defautl is 120.
 + LoginGraceTime 30
 + # little warning
 + # if PasswordAuthentication enabled ​ put MaxAuthTries to 3
 + # if PasswordAuthentication disabled put MaxAuthTries to 2
 + MaxAuthTries 3
 + PermitEmptyPasswords no
 +
 + #​ asymetrical auth     
 + #
 + # protocol version 2 only.
 + PubkeyAuthentication yes
 + AuthenticationMethods publickey
 + # file that contains the public keys that can be used for user authentication
 + AuthorizedKeysFile ​       %h/​.ssh/​authorized_keys
 +
 + # private host key 
 +
 +# HostKey /​etc/​ssh/​ssh_host_rsa_key
 +# HostKey /​etc/​ssh/​ssh_host_ecdsa_key
 + HostKey /​etc/​ssh/​ssh_host_ed25519_key
 +
 +
 + #       two factor auth via duo.com -- see https://​duo.com/​docs/​loginduo
 + #
 + ChallengeResponseAuthentication ​ yes
 + ForceCommand /​usr/​sbin/​login_duo
 + PermitTunnel no
 + AllowTcpForwarding no
 +
 +
 + #       ​Whitelisting
 + #
 + #​ AllowUsers bourinus, david, renard
 +
 +
 +#
 +#
 +##############################################################​
 +#
 +#       ​tunnel negotiation
 +
 + # Allow direct root login 
 + #
 + PermitRootLogin no
 +
 + # key exchange algorithms, '​kex'​
 +
 +    KexAlgorithms ​ curve25519-sha256@libssh.org,​ecdh-sha2-nistp521,​diffie-hellman-group-exchange-sha256
 +    ​
 + # Symmetric cipher; '​cipher'​
 + #
 + # The chosen algorithm will be the client'​s preferred algorithm, ​
 + # the order in /​etc/​sshd_config is not important.
 + Ciphers aes256-gcm@openssh.com
 +
 + # Message authentication code, '​MAC' ​
 + #
 +  MACs hmac-sha2-512-etm@openssh.com,​hmac-sha2-256-etm@openssh.com
 +
 + # enable compression
 + #
 + # read the spec. defautl is delayed.
 + Compression delayed
 +
 +#
 +#
 +##############################################################​
 +#
 +#       ​tunnel parameters
 +
 +        # Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.  ​
 + # The default is 10:30:100.
 + MaxStartups 10:30:100
 +
 + # Respect ownership
 + #
 + # check file modes and ownership of the user's files and home directory
 + StrictModes yes
 +
 + #​ Privilege Separation is turned on for security
 + #
 + UsePrivilegeSeparation yes
 +
 + # Max time alive I
 + #
 + # ask for response after a time of inactivity
 +        # protocol version 2 only. Default is 0.
 + ClientAliveInterval 120
 +
 + # Max time alive II
 + #
 + # disconnection after a number of inactive client non response
 +        # protocol version 2 only.
 + ClientAliveCountMax 2
 +
 +    # Rekeying
 + #
 + # protocol version 2 only. Defautl is none.
 + RekeyLimit 3G 1h
 +
 + # sftp specific
 + # protocol version 2 only.
 + Subsystem sftp /​usr/​lib/​openssh/​sftp-server
 +
 + # Specifies whether the system should send TCP keepalive messages to the other side.
 + #
 + # default is yes
 + TCPKeepAlive yes
 +
 + # Logging Gives the facility code that is used when logging messages from sshd
 +        SyslogFacility AUTH
 +
 + # Language
 + #
 + AcceptEnv LANG LC_ALL=en_US.UTF-8
 +#
 +#
 +##############################################################​
 +#
 +#       ​disabling
 +
 + 
 + # Pluggable Authentication Modules
 + #
 + # the default is no
 + UsePAM yes
 +
 +
 + # Kerberos
 + #  ​
 + KerberosAuthentication no
 + KerberosOrLocalPasswd no
 + KerberosTicketCleanup no
 +
 + # GSSAPI
 + #  ​
 + GSSAPIAuthentication no
 +
 + # X11
 + #
 + # acces throught ssh to X11 - recquires xauth on server
 + X11Forwarding no
 + X11DisplayOffset 10
 +
 + # If UsePrivilegeSeparation is specified, it will be disabled after authentication.
 + UseLogin no
 +
 +#
 +#
 +##############################################################​
 +#
 +#       ​visual
 +
 + # Print message of the day
 + PrintMotd no
 + PrintLastLog yes
 + #Banner /​etc/​issue.net
 +
 +#
 +#
 +##############################################################​
 +#
 +# Retro compatibility config ie not your 'main target'​
 +#
 +
 +        # number of bits in the ephemeral server key size.
 + #
 +        # protocol version 1 only. default is 1024.
 + ServerKeyBits 4096
 +
 +        #       ​Disable remote host based auth
 +        #
 +        # protocol version 1 only. default is no.
 +        RhostsRSAAuthentication no
 +
 + # Uncomment if you don't trust ~/​.ssh/​known_hosts for RhostsRSAAuthentication
 + IgnoreUserKnownHosts yes
 +
 +        #       ​Enable public key auth
 +        #
 + # protocol version 1 only. default is yes.
 + RSAAuthentication yes  ​
 +
 + # Lifetime and size of ephemeral version 1 server key
 + #
 +        # protocol version 1 only. 
 + KeyRegenerationInterval 3600
 +
 +
 +#
 +#
 +# End file
 +#
 +##############################################################​
 +# OpenSSH Test Mode sshd -t
 +##############################################################​
 +# $HOME/.ssh must be 700 and
 +# authorized_keys readable by the owner only, i.e. mode 600:
 +</​file>​
 +
 +**Détail des directives :**
 +
 +^ Directive ​     ^ Description ​  ^
 +| ''​host'' ​      | ... |
 +| ''​Protocol'' ​  | ... |
 +| ''​LogLevel'' ​  | ... |
 +
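Review bot: `PasswordAuthentication yes` in the "identification of client" block is contradicted a few lines later by `AuthenticationMethods publickey`, which makes a public key the only method sshd will accept, so the password path and its `MaxAuthTries 3` comment never apply; either drop `AuthenticationMethods` or set `PasswordAuthentication no` so the file states what it actually enforces. Two directives will not do what their comments intend: `AcceptEnv LANG LC_ALL=en_US.UTF-8` takes environment-variable name patterns, not assignments, so the `LC_ALL=en_US.UTF-8` token matches no variable (something like `AcceptEnv LANG LC_*` is the usual form), and the commented `AllowUsers bourinus, david, renard` is space-separated, so the commas become part of the user patterns if that line is ever uncommented. With `Protocol 2` set, the whole "Retro compatibility" block (`ServerKeyBits`, `RhostsRSAAuthentication`, `RSAAuthentication`, `KeyRegenerationInterval`) is protocol-1-only, as its own comments say, and has no effect on this server. Documentation: the heading "Fichier de configuration du client SSH" and the `<file config ssh_config>` label sit over a server-side sshd_config, "server" should read "serveur" in the French headings, `PermitRootLogin` is filed under "tunnel negotiation", and the closing "Détail des directives" table lists a `host` directive that does not exist in sshd_config and leaves every description as "...".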
  
infosec/sshd_config.txt · Last modified: 2016/07/19 15:36 (external edit)