infosec:ssh_config

Revisions compared: infosec:ssh_config [2016/04/29 14:17] – davidgueguen and infosec:ssh_config [2024/04/16 22:19] (current version) – external edit 127.0.0.1
==== SSH client configuration ====

Overview of the options in the ssh client configuration file.

**Location of the configuration file:**
  * System-wide configuration file: ''/
this is the directory where, among others, the **ssh_config** configuration file is found.

  * Per-user configuration file: ''
this is the directory where you will find the sets of public/

==== SSH client configuration file ====

[[http://

**Example of a commented configuration file:**
<file config ssh_config>
#
# /
#
##############################################################
#
# @man page
#
##############################################################
#
Host *

Protocol 2
LogLevel VERBOSE

# Change the port from the default.
# Ports below 1024 are reserved for root.
Port 63728

#
##############################################################
#

# Verify that the IP address of the host is in the known_hosts file.
# Protocol version 2 only. Default is no.
CheckHostIP yes

# Disable remote host-based authentication.
# Protocol version 2 only. Default is no.
# Allows hosts to authenticate on behalf of all or some of the system'
HostbasedAuthentication no

StrictHostKeyChecking ask
HashKnownHosts yes

#
##############################################################
#

# Auth
PasswordAuthentication yes
PubkeyAuthentication yes
PreferredAuthentications keyboard-interactive,

# Public key, '
IdentityFile ~/

# Key exchange algorithms, '
KexAlgorithms ecdh-sha2-nistp521,

# Symmetric cipher; '
# The chosen algorithm will be the client'
# the order in /
Ciphers aes256-gcm@openssh.com

# Message authentication code, '
MACs hmac-sha2-512-etm@openssh.com,

# Enable compression.
# In ssh_config this directive only accepts yes or no (default is no);
# "delayed" is an sshd_config value and ssh rejects it here.
Compression yes

#
##############################################################
#

# Rekeying
RekeyLimit 3G 1h

# Timeout
ConnectTimeout 30

# Timer
ServerAliveInterval 60

# Max
ServerAliveCountMax 30

SendEnv LANG LC_*

#
##############################################################
#

# Disable GSSAPI / Kerberos.
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
GSSAPIKeyExchange no
GSSAPITrustDNS no

# Disable any forwarding.
ForwardAgent no
ForwardX11 no

BatchMode no

# Disable local command execution (LocalCommand / the !command escape).
PermitLocalCommand no

# AddressFamily any
# Tunnel no
# TunnelDevice any:any

# VisualHostKey no
# Automatic proxy
# ProxyCommand ssh -q -W %h:%p gateway.example.com

#
##############################################################
#
# Backward-compatibility config, i.e. not your 'main target'
#

# Disable remote host-based authentication.
# Protocol version 1 only. Default is no.
RhostsRSAAuthentication no

# Enable public key authentication.
# Protocol version 1 only. Default is yes.
RSAAuthentication yes

# Enable compression.
# Protocol version 1 only. Default is 6.
CompressionLevel 6

#
# End of file
#
##############################################################
# $HOME/.ssh must be 700 and
# authorized_keys readable by the owner only, i.e. mode 600:
</file>
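Added example, not part of the original wiki page: a small Python resolver that applies the two ssh_config(5) rules the file above relies on, Host pattern matching and "the first obtained value wins", to a constructed config laid out like the one above (''Host *'' first), then checks the effective options for a host against the hardening directives that config sets. The host names, the policy table and the sample config are all constructed for this example.

```python
import fnmatch

# Directives the page's sample config pins down, with the value it sets.
HARDENING_POLICY = {"hostbasedauthentication": "no", "stricthostkeychecking": "ask",
                    "forwardagent": "no", "gssapiauthentication": "no"}

def host_matches(patterns, host):
    """Host keyword semantics: a positive pattern matches, a '!' pattern vetoes."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def resolve(config_text, host):
    """Effective options for host, as ssh(1) computes them: the first obtained
    value for a keyword wins, so a leading 'Host *' stanza cannot be overridden
    later. Only 'Keyword value' lines are parsed ('Match' is not handled)."""
    options, active = {}, True  # lines before any Host stanza apply everywhere
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            active = host_matches(value.split(), host)
        elif active:
            options.setdefault(keyword, value)
    return options

def check_policy(options, policy=HARDENING_POLICY):
    """Return (keyword, effective, expected) for each directive off policy."""
    return [(k, options.get(k, "<unset>"), want) for k, want in policy.items()
            if options.get(k, "<unset>").lower() != want]

# Constructed sample: 'Host *' first (as above), then a per-host stanza that tries
# to re-enable agent forwarding for a bastion; ssh silently ignores that override.
SAMPLE_CONFIG = """\
Host *
    HostbasedAuthentication no
    StrictHostKeyChecking ask
    ForwardAgent no
    GSSAPIAuthentication no
Host bastion.example.test
    ForwardAgent yes  # ignored: 'Host *' above already set ForwardAgent
"""
```

To allow a per-host exception under this rule, the specific ''Host'' stanza has to come before ''Host *''; reordering the sample makes ''check_policy'' report the deviation for the bastion only.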

**Directive details:**

^ Directive
| ''
| ''
| ''
