infosec:sshd_config
Created 2016/04/29 14:20 by davidgueguen; current version 2024/04/16 22:19 (external edit, 127.0.0.1).
==== SSH server configuration ====

Overview of the options in the SSH server (sshd) configuration file.

**Location of the configuration file:**
  * System-wide configuration file: ''/
this is the directory in which you will find, among other things, the **sshd_config** configuration file.


==== SSH server configuration file ====
**Example of an annotated configuration file:**
<file config sshd_config>
#
# /
#
##############################################################
#
# @man page http://
# @test https://
#
##############################################################
#
#

# Protocol 2 only. OpenSSH 7.4 removed protocol 1; newer versions ignore this keyword.
Protocol 2
# VERBOSE logs the fingerprint of the key used for each login, which is what
# you want when reading the auth log after an incident.
LogLevel VERBOSE

# Change port from the default
#
# A non-standard port cuts scanner noise in the logs; it is not an access control.
# Ports below 1024 are privileged. A high port can be bound by any local user
# while sshd is down, so pair it with firewall rules.
Port 63728

# IP address to accept connections on
#
# Use these options to restrict which interfaces/
#
#

#
#
##############################################################
#
#

# Host-based authentication (protocol version 2 only).
HostbasedAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Password authentication
#
# Set to no. With 'AuthenticationMethods publickey' below a password is never
# accepted anyway; saying so explicitly stops a later Match block or a
# distribution default from re-enabling it by surprise.
PasswordAuthentication no
# Maximum time allowed to complete authentication, in seconds
LoginGraceTime 30
# Small warning:
# if PasswordAuthentication is enabled, keep MaxAuthTries low;
# if PasswordAuthentication is disabled, MaxAuthTries 2 is enough.
# Every key the client offers counts as one try, and failures past half
# this value are logged.
MaxAuthTries 3
PermitEmptyPasswords no

# Public key authentication
#
# protocol version 2 only.
PubkeyAuthentication yes
# Every login must complete a public-key authentication.
AuthenticationMethods publickey
# file that contains the public keys that can be used for user authentication
AuthorizedKeysFile

# private host key
#
# HostKey /
# HostKey /
HostKey /


# Two-factor auth via duo.com -- see https://
#
# ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in
# OpenSSH 8.7; the old name is still accepted as an alias.
ChallengeResponseAuthentication
# ForceCommand runs the Duo check before the user's command. It also overrides
# any command= set in authorized_keys; the client's command stays available
# in SSH_ORIGINAL_COMMAND.
ForceCommand /
PermitTunnel no
AllowTcpForwarding no


#
#
#


#
#
##############################################################
#
#

# Allow direct root login
#
PermitRootLogin no

# Key exchange algorithms, '
#
KexAlgorithms

# Symmetric cipher; '
#
# The chosen algorithm will be the client'
# the order in /
Ciphers aes256-gcm@openssh.com

# Message authentication code, '
#
# An AEAD cipher such as aes256-gcm@openssh.com carries its own integrity
# check and does not use the MACs list; the list still matters if a non-AEAD
# cipher is ever added to Ciphers.
MACs hmac-sha2-512-etm@openssh.com,

# Enable compression
#
# Read the spec. 'delayed' (compress only after authentication) was the
# default; since OpenSSH 7.4 pre-authentication compression is gone and
# 'delayed' is simply a synonym for yes.
Compression delayed

#
#
##############################################################
#
#

# Maximum number of concurrent unauthenticated connections to the SSH daemon.
# start:rate:full - once 10 are pending, refuse 30% of new connections,
# rising linearly to 100% at 100 pending. The default is 10:30:100.
MaxStartups 10:30:100

# Respect ownership
#
# Check file modes and ownership of the user's files and home directory
# before trusting authorized_keys (see the note on ~/.ssh modes at the end).
StrictModes yes

#
# Privilege separation is always on since OpenSSH 7.5; the keyword is ignored there.
UsePrivilegeSeparation yes

# Max time alive I
#
# Ask for a response after this many seconds of inactivity.
# protocol version 2 only. Default is 0 (never ask).
ClientAliveInterval 120

# Max time alive II
#
# Disconnect after this many unanswered client-alive probes
# (120 s x 2 = an idle session is dropped after four minutes).
# protocol version 2 only.
ClientAliveCountMax 2

# Rekeying
#
# protocol version 2 only. Default is 'default none': rekey after the
# cipher's own data limit, never on a timer.
RekeyLimit 3G 1h

# sftp specific
# protocol version 2 only.
Subsystem sftp /

# Specifies whether the system should send TCP keepalive messages to the other side.
#
# Default is yes. TCP keepalives are unauthenticated and spoofable; the
# ClientAlive* settings above are the check that runs inside the encrypted channel.
TCPKeepAlive yes

# Logging: facility code used when logging messages from sshd
SyslogFacility AUTH

# Language
#
# AcceptEnv takes variable-name patterns, not assignments: a value such as
# 'LC_ALL=en_US.UTF-8' makes sshd -t reject the file as an invalid
# environment name. Accept the locale variables by name instead.
AcceptEnv LANG LC_*
#
#
##############################################################
#
#


# Pluggable Authentication Modules
#
# The upstream default is no (most distributions ship yes). PAM account and
# session modules still run for key-based logins when this is on.
UsePAM yes


# Kerberos
#
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no

# GSSAPI
#
GSSAPIAuthentication no

# X11
#
# Access to X11 through ssh - requires xauth on the server
X11Forwarding no
X11DisplayOffset 10

# If UsePrivilegeSeparation is specified, it will be disabled after authentication.
# UseLogin was removed in OpenSSH 7.4; newer versions ignore the keyword.
UseLogin no

#
#
##############################################################
#
#

# Print message of the day
PrintMotd no
PrintLastLog yes
#Banner /

#
#
##############################################################
#
# Retro compatibility config, i.e. not your 'main target'
#
# The protocol 1 directives below stopped existing with OpenSSH 7.4, which
# dropped protocol 1; sshd there logs a 'deprecated option' message and ignores them.

# Number of bits in the ephemeral server key.
#
# protocol version 1 only. default is 1024.
ServerKeyBits 4096

#
#
# protocol version 1 only. default is no.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/
# (only consulted during HostbasedAuthentication, which is off above)
IgnoreUserKnownHosts yes

#
#
# protocol version 1 only. default is yes.
RSAAuthentication yes

# Lifetime and size of ephemeral version 1 server key
#
# protocol version 1 only.
KeyRegenerationInterval 3600


#
#
# End file
#
##############################################################
# OpenSSH test mode: sshd -t (or sshd -t -f <file>) checks the syntax before
# a restart; sshd -T prints the effective configuration.
##############################################################
# $HOME/.ssh must be 700 and
# authorized_keys readable by the owner only, i.e. mode 600.
# (StrictModes itself only refuses paths that are group- or world-writable,
#  or not owned by the user or root; 700/600 is the safe habit.)
</file>
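The StrictModes check that the closing comment refers to, as an added example that is not code from the page or from OpenSSH: a Python emulation of the ownership-and-mode walk sshd makes over authorized_keys and each directory above it up to $HOME, run twice against a throwaway home directory built in a temp dir. The user name ''alice'', the layout and the modes are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def strict_modes_problems(home: Path, uid: int,
                          keyfile: Optional[Path] = None) -> List[str]:
    """Emulate the walk sshd makes under StrictModes before it trusts
    authorized_keys: the file, and every directory from it up to $HOME,
    must be owned by the user (or root) and must not be group- or
    world-writable (mode & 022 == 0). Returns one message per offending path.
    """
    keyfile = keyfile or home / ".ssh" / "authorized_keys"
    problems: List[str] = []
    st = keyfile.stat()
    if st.st_uid not in (0, uid) or st.st_mode & 0o022:
        problems.append(f"bad ownership or modes for file {keyfile}")
    directory = keyfile.parent
    while True:
        st = directory.stat()
        if st.st_uid not in (0, uid) or st.st_mode & 0o022:
            problems.append(f"bad ownership or modes for directory {directory}")
        if directory == home or directory == directory.parent:  # stop at $HOME (or /)
            break
        directory = directory.parent
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Build a throwaway home (assumption: a POSIX filesystem) and check it
    twice: with the modes this page recommends, then after the classic
    mistake of a group-writable ~/.ssh and authorized_keys."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "alice"            # constructed demo user
        ssh_dir = home / ".ssh"
        ssh_dir.mkdir(parents=True)
        keys = ssh_dir / "authorized_keys"
        keys.write_text("# constructed placeholder, not a real key\n")
        home.chmod(0o755)      # 755 passes: not group- or world-writable
        ssh_dir.chmod(0o700)
        keys.chmod(0o600)
        ok = strict_modes_problems(home, uid)
        ssh_dir.chmod(0o770)   # group-writable: sshd refuses the key file
        keys.chmod(0o664)
        broken = strict_modes_problems(home, uid)
    return ok, broken


if __name__ == "__main__":
    ok, broken = demo()
    print("hardened home:", ok or "accepted")
    for line in broken:
        print("sloppy home:", line)
```

When a key is refused for this reason, sshd logs the same "bad ownership or modes" wording at the server side while the client only sees "Permission denied (publickey)"; checking the path with this walk (or with ''sshd -ddd'') is faster than guessing.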

**Directive details:**

^ Directive
| ''
| ''
| ''

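An offline audit of a file like the one above, as an added example that is not part of the original page or of OpenSSH: it parses sshd_config the way sshd does (case-insensitive keywords, ''Key=value'' accepted, the first occurrence of a keyword wins, Match blocks scoped separately) and checks the result against the hardening points discussed on this page. The ''POLICY'' table, the ''REMOVED'' set and ''SAMPLE_CONFIG'' are assumptions constructed for the demo; pass the contents of a real file to ''parse_sshd_config'' to audit it.

```python
import re
from typing import Dict, List, Tuple

# Directives that belonged to protocol 1 or were removed from sshd;
# OpenSSH 7.4 and later ignore them (assumption: the file being audited
# targets a current OpenSSH).
REMOVED = {
    "protocol", "serverkeybits", "rhostsrsaauthentication",
    "rsaauthentication", "keyregenerationinterval", "uselogin",
    "useprivilegeseparation",
}

# Values this page recommends, keyed by lowercase keyword.
POLICY = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "hostbasedauthentication": {"no"},
    "ignorerhosts": {"yes"},
    "x11forwarding": {"no"},
    "loglevel": {"verbose"},
}

Block = Tuple[str, Dict[str, str]]          # (Match criteria, directives)
LINE = re.compile(r"^([A-Za-z]\w*)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Block]]:
    """Return (global directives, Match blocks), following sshd's own rules:
    keywords are case-insensitive, 'Key value' and 'Key=value' both work,
    lines starting with '#' are comments, the FIRST occurrence of a keyword
    wins, and everything after a 'Match' line belongs to that block."""
    global_scope: Dict[str, str] = {}
    blocks: List[Block] = []
    current = global_scope
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, value)        # first occurrence wins
    return global_scope, blocks


def audit(global_scope: Dict[str, str], blocks: List[Block]) -> List[str]:
    """Compare the parsed file with POLICY and return one finding per problem."""
    findings: List[str] = []
    for key, accepted in POLICY.items():
        value = global_scope.get(key)
        if value is None:
            findings.append(f"{key}: not set, the sshd default applies")
        elif value.lower() not in accepted:
            findings.append(f"{key}: is '{value}', expected {sorted(accepted)}")
    tries = global_scope.get("maxauthtries", "6")          # sshd default is 6
    if not tries.isdigit() or int(tries) > 3:
        findings.append(f"maxauthtries: is {tries}, expected 3 or less")
    # AcceptEnv takes variable-name patterns; an '=' means someone tried to
    # assign a value, and sshd -t rejects that as an invalid environment name.
    if "=" in global_scope.get("acceptenv", ""):
        findings.append("acceptenv: contains '=', it takes name patterns only")
    for key, value in global_scope.items():
        if key in REMOVED:
            findings.append(f"{key}: protocol-1/removed directive, ignored by OpenSSH 7.4+")
        elif value == "":
            findings.append(f"{key}: missing argument, sshd -t rejects the file")
    # A Match block can quietly relax the global policy; flag the ones that do.
    for criteria, directives in blocks:
        for key in ("permitrootlogin", "passwordauthentication"):
            if directives.get(key, "no").lower() != "no":
                findings.append(f"Match {criteria}: sets {key} {directives[key]}")
    return findings


# Constructed sample: mostly hardened, with mistakes discussed on this page
# left in on purpose. Not a real server's configuration.
SAMPLE_CONFIG = """\
Protocol 2
Port 63728
LogLevel VERBOSE
PermitRootLogin no
# duplicate keyword: sshd keeps the first value, the one above
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication=yes
AuthenticationMethods publickey
MaxAuthTries 6
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
AcceptEnv LANG LC_ALL=en_US.UTF-8
ServerKeyBits 4096
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    scope, match_blocks = parse_sshd_config(SAMPLE_CONFIG)
    for finding in audit(scope, match_blocks):
        print(finding)
```

On the host itself ''sshd -T'' (after ''sshd -t'') is the authoritative check, since it prints the effective configuration with defaults filled in and, with ''-C'', Match blocks evaluated; this script is for reviewing a file you cannot run sshd against, such as a config kept in a repository or baked into an image.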