Distribution EOLE » Commun » eole-common

# -*- conf -*-

# Configuration of SSH server

####

#### General

####

# On which address SSHD listen?

#ListenAddress ::

#ListenAddress 0.0.0.0

# Default SSHD port

Port 22

# Never use protocol version 1

Protocol 2

# Host keys for protocol version 2

# No password with 600 permission

# RSA key at least 2048 bits

# ECDSA key at least 256 bits

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

HostKey /etc/ssh/ssh_host_rsa_key

####

#### Authentication

####

PubkeyAuthentication yes

GSSAPIAuthentication yes

# No SSH keys => no need of ~/.ssh/know_hosts

GSSAPIKeyExchange yes

# Clean user cache

GSSAPICleanupCredentials yes

# Tunneled cleartext password

PasswordAuthentication no

# The argument must be “yes”, “without-password”,

# “forced-commands-only”, or “no”.

# The default is “yes”.

# Disable generic account for tracability

PermitRootLogin no

# sshd vérifie les permissions sur les fichiers de clefs et autres...

StrictModes yes

# Separate privilege

# “sandbox” does not work on Linux

UsePrivilegeSeparation yes

# Public keys authorized to connect

AuthorizedKeysFile %h/.ssh/authorized_keys

# The server disconnects after this time (in seconds) if the user has

# not successfully logged in

LoginGraceTime 30

####

#### Crypto parameters

####

# Types d'algorithmes de chiffrement supportés

Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Types de hashage

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1-96,hmac-sha1

# Algorithme d’échange de clef

KexAlgorithms curve25519-sha256@libssh.org

####

#### Disable unsecure options

####

# Do not read user ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# Do not permit rhosts or /etc/hosts.equiv authentication together

# with successful public key client host authentication

HostbasedAuthentication no

# Do not trust ~/.ssh/known_hosts for HostbasedAuthentication

IgnoreUserKnownHosts yes

# Empty password must not happen

PermitEmptyPasswords no

# Disable s/key password

ChallengeResponseAuthentication no

# Do not use ~/.ssh/environment or environment= in

# ~/.ssh/authorized_keys

PermitUserEnvironment no

# Disable X11Forwarding

X11forwarding no

# Disable TCP forward

AllowTcpForwarding no

####

#### Presentation

####

# Disable banner to avoid giving information on the machine

Banner none

# Do not print entry message

PrintMotd no

# Print information on last connection

PrintLastLog yes

# Limit acceptable variables LANG et LC_*

AcceptEnv LANG LC_*

####

#### Protocol

####

# Compress only when user has successfully authenticated

Compression delayed

# Prefer to use ClientAlive* instead of impacting all TCP connection

TCPKeepAlive no

# Inactivity intervale after which server send alive message

ClientAliveInterval 30

# Number of lost alive message before considering the connection dead

# and disconnect

ClientAliveCountMax 10

MaxStartups 5:30:10

####

#### Logging

####

SyslogFacility AUTH

LogLevel INFO

####

#### Sous système

####

Subsystem	sftp	/usr/lib/sftp-server