From 7125d80aecd79950f97532b9345b7dc2e8f2f165 Mon Sep 17 00:00:00 2001 From: bserie Date: Thu, 26 Oct 2017 18:05:10 +0200 Subject: [PATCH] Strecth config --- HowtoOpenSSH.md | 154 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 110 insertions(+), 44 deletions(-) diff --git a/HowtoOpenSSH.md b/HowtoOpenSSH.md index 5f45d366..585897dc 100644 --- a/HowtoOpenSSH.md +++ b/HowtoOpenSSH.md @@ -45,8 +45,6 @@ serveur dépend du choix qui a été fait lors de l'installation. ├── moduli ├── ssh_config ├── sshd_config -├── ssh_host_dsa_key -├── ssh_host_dsa_key.pub ├── ssh_host_ecdsa_key ├── ssh_host_ecdsa_key.pub ├── ssh_host_ed25519_key @@ -59,74 +57,142 @@ La configuration de base qu'on utilise (les options commentées sont les valeurs par défaut). ~~~ -# Package generated configuration file -# See the sshd_config(5) manpage for details +# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ -# What ports, IPs and protocols we listen for -Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any #ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none # Logging -SyslogFacility AUTH -LogLevel INFO +#SyslogFacility AUTH +LogLevel VERBOSE # Authentication: -LoginGraceTime 120 -PermitRootLogin no -StrictModes yes -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys +#LoginGraceTime 2m +#PermitRootLogin without-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes +#IgnoreRhosts yes -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no -# Change to no to disable tunnelled clear text passwords -#PasswordAuthentication yes +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no -X11Forwarding yes -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -Subsystem sftp /usr/lib/openssh/sftp-server +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. UsePAM yes +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +#AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + AllowUsers johndoe janedoe alice bob + Match Address 192.0.2.42 PasswordAuthentication yes Match User alice bob PasswordAuthentication no - +Match Group adm + PasswordAuthentication no ~~~ +> **Note** : Les clés DSA sont dépréciés depuis Stretch. + ### Log verbeux pour SFTP Pour augmenter la verbosité du sous-système sftp-server, notamment loguer les commandes SFTP, il suffit de passer l'option -l à l'appel de sftp-server dans `sshd_config` :