Présentation des options du fichier de configuration du serveur SSH (sshd_config).
Localisation du fichier de configuration :
/etc/ssh/sshd_config — c'est dans le répertoire /etc/ssh/ que l'on trouvera, entre autres, le fichier de configuration du démon, sshd_config (à ne pas confondre avec ssh_config, la configuration du client).
Exemple de fichier de configuration commenté :
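#
# /etc/ssh/sshd_config
#
##############################################################
#
#
# @category ssh config file ubuntu server 14.04 LTS
# @package openssh
# @author infosec @ mdl29.net
# @copyright 2016 - choucroutage.com
# @license Attribution 4.0 International
# @version 1.1
# @since 1.0
# @deprecated not yet
# @link not link yet
# @man page http://manpages.ubuntu.com/manpages/trusty/man5/sshd_config.5.html
# @test https://tls.imirhil.fr/ssh
#
# Target: OpenSSH 6.6 as shipped with Ubuntu 14.04 LTS (trusty). Every
# directive below exists in that release. Validate with `sshd -t` before
# restarting, and keep an existing session open while you do so, so that a
# typo cannot lock you out of the host.
#
##############################################################
#
#
# SSH protocol 2 only. (Protocol 1 support was removed in OpenSSH 7.4; the
# directive is still accepted there but has no effect.)
Protocol 2
# VERBOSE additionally logs the fingerprint of the key that authenticated,
# which is what lets you tell which of a user's keys opened a session.
LogLevel VERBOSE
# Non-default port.
#
# This only reduces log noise from mass scanners; it is not a security
# control. A port above 1024 can also be bound by any unprivileged local
# user while sshd is not listening (e.g. during a restart).
Port 63728
# Addresses to accept connections on.
#
# Restrict the interfaces/protocols sshd binds to (default: all addresses).
#ListenAddress ::
#ListenAddress 0.0.0.0
#
#
##############################################################
#
# Client authentication
# protocol version 2 only.
HostbasedAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Password authentication is off: the server is key-only.
#
# AuthenticationMethods below already limits the accepted methods to
# "publickey" (available since OpenSSH 6.2); this switch is belt-and-braces
# so the server stays key-only even if AuthenticationMethods is later edited
# or removed.
PasswordAuthentication no
# Seconds the client has to complete authentication before sshd drops the
# connection. Default is 120.
LoginGraceTime 30
# Maximum authentication attempts per connection.
#
# Every public key the client offers counts as one attempt, so an agent
# holding several keys can exhaust this before the right key is tried; such
# clients should pin the key with IdentitiesOnly/IdentityFile.
MaxAuthTries 3
PermitEmptyPasswords no
# Public-key authentication
#
# protocol version 2 only.
PubkeyAuthentication yes
AuthenticationMethods publickey
# File holding the public keys accepted for user authentication
# (%h expands to the user's home directory).
AuthorizedKeysFile %h/.ssh/authorized_keys
# Private host key
#
# ed25519 only (OpenSSH >= 6.5). Clients older than that cannot connect at
# all; uncomment the RSA key if such clients must be supported.
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Second factor via Duo login_duo -- see https://duo.com/docs/loginduo
#
# login_duo runs as the forced command *after* key authentication succeeds;
# it does not use keyboard-interactive, so challenge-response stays off.
# (If you switch to pam_duo instead, that needs ChallengeResponseAuthentication
# yes and AuthenticationMethods publickey,keyboard-interactive.)
ChallengeResponseAuthentication no
# ForceCommand replaces whatever command the client asked for; the original
# request is handed to login_duo in SSH_ORIGINAL_COMMAND. Check that sftp
# (Subsystem below) still works after enabling this.
ForceCommand /usr/sbin/login_duo
# No tunnels or port forwarding: a stolen key must not turn this host into a
# pivot towards the rest of the network.
PermitTunnel no
AllowTcpForwarding no
# Whitelisting
#
# AllowUsers takes a space-separated list of patterns; commas are not
# accepted and would be taken as part of the user name.
# AllowUsers bourinus david renard
#
#
##############################################################
#
# Transport negotiation
# Root must log in as a regular user and escalate; no direct root login.
#
PermitRootLogin no
# Key exchange algorithms, 'kex'
#
# diffie-hellman-group-exchange-sha256 picks its group from /etc/ssh/moduli;
# remove the small groups from that file (keep only lines whose size field,
# column 5, is >= 3071) or the server may agree to a weak group.
# ecdh-sha2-nistp521 is kept only for clients that lack curve25519; drop it
# once none remain.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
# Symmetric ciphers, AEAD only.
#
# The server uses the first algorithm in the client's preference list that
# also appears here, so the order in /etc/ssh/sshd_config is not a
# server-side preference. chacha20-poly1305 (OpenSSH >= 6.5) is offered as
# well so clients without AES-GCM support can still connect.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Message authentication codes, 'MAC'
#
# With only AEAD ciphers above this list is never used on the wire; it is
# kept so the configuration stays safe if a non-AEAD cipher is added later.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Compression
#
# "delayed" enables compression only after authentication (the default).
Compression delayed
#
#
##############################################################
#
# Connection parameters
# Maximum number of concurrent unauthenticated connections to the daemon,
# as start:rate:full. The default is 10:30:100.
MaxStartups 10:30:100
# Respect ownership
#
# Check file modes and ownership of the user's files and home directory
# before accepting a login; keys in group- or world-writable paths are
# rejected.
StrictModes yes
# Privilege separation is turned on for security
#
UsePrivilegeSeparation yes
# Keep-alive I
#
# Seconds of inactivity after which sshd sends an encrypted, in-protocol
# request for a response. Default is 0 (disabled).
ClientAliveInterval 120
# Keep-alive II
#
# Number of unanswered client-alive requests before the session is dropped:
# here an unresponsive client is disconnected after 2 x 120 s = 240 s.
ClientAliveCountMax 2
# Rekeying
#
# Renegotiate session keys after 3 GB of traffic or 1 hour, whichever comes
# first. The default is "default none" (cipher-dependent data limit, no
# time limit).
RekeyLimit 3G 1h
# sftp subsystem
# protocol version 2 only.
Subsystem sftp /usr/lib/openssh/sftp-server
# Whether the system sends TCP keepalive messages to the other side.
#
# Default is yes. TCP keepalives are not encrypted or authenticated and can
# be spoofed; the ClientAlive* directives above are the in-protocol
# equivalent, which is why both are configured.
TCPKeepAlive yes
# Logging facility code used for messages from sshd
SyslogFacility AUTH
# Environment variables the client may send (locale only).
#
# AcceptEnv takes variable-name patterns, it cannot assign values: the
# previous "LC_ALL=en_US.UTF-8" matched nothing. LANG and LC_* is the stock
# Ubuntu setting. Keep this list short: accepted variables can be used to
# escape restricted user environments.
AcceptEnv LANG LC_*
#
#
##############################################################
#
# Disabled / unused mechanisms
# Pluggable Authentication Modules
#
# Upstream default is no; Ubuntu ships yes. PAM is used here for account
# and session management (limits, motd, ...). With AuthenticationMethods
# restricted to publickey above, PAM cannot be used to authenticate by
# password or keyboard-interactive.
UsePAM yes
# Kerberos
#
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no
# GSSAPI
#
GSSAPIAuthentication no
# X11
#
# Access to X11 through ssh - requires xauth on the server.
X11Forwarding no
# Only relevant when X11Forwarding is enabled.
X11DisplayOffset 10
# Do not hand interactive sessions to login(1): doing so disables privilege
# separation after authentication and X11 forwarding.
UseLogin no
#
#
##############################################################
#
# Visual
# Message of the day is printed by PAM (pam_motd) on Ubuntu, not by sshd.
PrintMotd no
PrintLastLog yes
# Pre-authentication banner shown to every connecting client.
#Banner /etc/issue.net
#
#
##############################################################
#
# Backward compatibility -- protocol 1 options, not your 'main target'.
#
# Protocol 2 is enforced above, so everything in this section is inert on
# OpenSSH 6.6; OpenSSH 7.4 and later log these options as deprecated. They
# are kept only for completeness and can be removed.
#
# Number of bits in the ephemeral server key.
#
# protocol version 1 only. default is 1024.
ServerKeyBits 4096
# Disable remote rhosts + RSA host authentication
#
# protocol version 1 only. default is no.
RhostsRSAAuthentication no
# Ignore ~/.ssh/known_hosts for host-based authentication. Also applies to
# protocol 2 HostbasedAuthentication, which is disabled above.
IgnoreUserKnownHosts yes
# Protocol 1 RSA authentication
#
# protocol version 1 only. default is yes.
RSAAuthentication yes
# Lifetime of the ephemeral version 1 server key, in seconds
#
# protocol version 1 only.
KeyRegenerationInterval 3600
#
#
# End file
#
##############################################################
# OpenSSH test mode: sshd -t   (checks syntax and key files, does not start)
##############################################################
# $HOME/.ssh must be 700 and
# authorized_keys readable by the owner only, i.e. mode 600;
# StrictModes above rejects keys in group- or world-writable paths.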
Détail des directives :
| Directive | Description |
|---|---|
| host | … |
| Protocol | … |
| LogLevel | … |