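#
# /etc/ssh/sshd_config
#
##############################################################
#
# @category   ssh config file ubuntu server 14.04 LTS
# @package    openssh
# @author     infosec @ mdl29.net
# @copyright  2016 - choucroutage.com
# @license    Attribution 4.0 International
# @version    1.1
# @since      1.0
# @deprecated not yet
# @link       not link yet
# @man page   http://manpages.ubuntu.com/manpages/hardy/man5/sshd_config.5.html
# @test       https://tls.imirhil.fr/ssh
#
##############################################################
#
# Read by sshd(8). One directive per line, '#' full-line comments only:
# sshd has no inline comments, so trailing text becomes part of the value.
# Validate every edit before reloading with: sshd -t
#

Protocol 2
LogLevel VERBOSE

# Listening port, moved off the default. Ports below 1024 are root-only.
Port 63728

# Interfaces/protocols sshd binds to (default: all).
#ListenAddress ::        ipv6
#ListenAddress 0.0.0.0   ipv4

#
##############################################################
#
# Identification of the client
#

# Host-based authentication (protocol version 2 only).
HostbasedAuthentication no

# Don't read the user's ~/.rhosts and ~/.shosts files.
IgnoreRhosts yes

# Password authentication. AuthenticationMethods below permits publickey only,
# so a password could never be accepted anyway; disabled explicitly so the two
# directives agree and a later relaxed AuthenticationMethods does not silently
# re-enable passwords.
PasswordAuthentication no

# Maximum time (seconds) allowed to complete authentication. Default is 120.
LoginGraceTime 30

# Every public key the client offers counts as one attempt, so keep a small
# margin above 1 for agents holding several keys.
MaxAuthTries 3
PermitEmptyPasswords no

# Asymmetric (public key) authentication (protocol version 2 only).
PubkeyAuthentication yes
# Only public key authentication is acceptable.
AuthenticationMethods publickey

# File that contains the public keys that can be used for user authentication.
AuthorizedKeysFile %h/.ssh/authorized_keys

# Private host key: ed25519 only, RSA and ECDSA host keys are not offered.
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Two-factor auth via duo.com -- see https://duo.com/docs/loginduo
# ChallengeResponseAuthentication yes
ForceCommand /usr/sbin/login_duo

PermitTunnel no
AllowTcpForwarding no

# Whitelisting. AllowUsers is space-separated: a comma would become part of
# the user name and lock everyone out.
# AllowUsers bourinus david renard

#
##############################################################
#
# Tunnel negotiation
#

# Direct root login.
PermitRootLogin no

# Key exchange algorithms, 'kex'.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

# Symmetric cipher, 'cipher'. Among the algorithms both sides support, the
# client's preference order decides; the order in this file is not important.
Ciphers aes256-gcm@openssh.com

# Message authentication code, 'MAC'.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Compression. Default is delayed (only after authentication).
Compression delayed

#
##############################################################
#
# Tunnel parameters
#

# Maximum number of concurrent unauthenticated connections (start:rate:full).
# Default is 10:30:100.
MaxStartups 10:30:100

# Check file modes and ownership of the user's files and home directory.
StrictModes yes

# Privilege separation is turned on for security.
UsePrivilegeSeparation yes

# Max time alive I: seconds of inactivity before asking the client for a
# response (protocol version 2 only). Default is 0 (never ask).
ClientAliveInterval 120

# Max time alive II: number of unanswered client-alive requests before
# disconnecting (protocol version 2 only).
ClientAliveCountMax 2

# Rekeying after 3G of data or 1 hour, whichever comes first
# (protocol version 2 only). Default is none.
RekeyLimit 3G 1h

# sftp subsystem (protocol version 2 only). ForceCommand above applies to
# subsystem requests as well.
Subsystem sftp /usr/lib/openssh/sftp-server

# Send TCP keepalive messages to the other side. Default is yes.
TCPKeepAlive yes

# Logging: facility code used when logging messages from sshd.
SyslogFacility AUTH

# Language. AcceptEnv lists variable *names* the client may send; the value
# is chosen by the client. "LC_ALL=en_US.UTF-8" was a name pattern that could
# never match, so LC_ALL was silently rejected.
AcceptEnv LANG LC_ALL

#
##############################################################
#
# Disabling
#

# Pluggable Authentication Modules. Upstream default is no; the Ubuntu package
# ships yes. With AuthenticationMethods publickey, PAM is used for the account
# and session stages only, not for passwords.
UsePAM yes

# Kerberos
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no

# GSSAPI
GSSAPIAuthentication no

# X11: access through ssh to X11 - requires xauth on the server.
X11Forwarding no
X11DisplayOffset 10

# If UseLogin were enabled, UsePrivilegeSeparation would be disabled after
# authentication. Keep it off.
UseLogin no

#
##############################################################
#
# Visual
#

# Print message of the day.
PrintMotd no
PrintLastLog yes
#Banner /etc/issue.net

#
##############################################################
#
# Retro compatibility config, i.e. not your 'main target'
#
# Protocol 1 is disabled above (Protocol 2), so these options are inert here.
# Later OpenSSH releases deprecate or reject them; re-run sshd -t after any
# upgrade and drop the ones it complains about.
#

# Number of bits in the ephemeral server key (protocol version 1 only).
# Default is 1024.
ServerKeyBits 4096

# Disable remote host based auth (protocol version 1 only). Default is no.
RhostsRSAAuthentication no

# Don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
IgnoreUserKnownHosts yes

# Public key auth (protocol version 1 only). Default is yes.
RSAAuthentication yes

# Lifetime (seconds) of the ephemeral protocol version 1 server key.
KeyRegenerationInterval 3600

#
#
# End file
##############################################################
# OpenSSH test mode: sshd -t
##############################################################
# $HOME/.ssh must be 700 and
# authorized_keys readable by the owner only, i.e. mode 600: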