Project

General

Profile

sshd_config.txt

Daniel Dehennin, 06/15/2015 03:34 PM

Download (3.08 KB)

 
1
# -*- conf -*-
2
# Configuration of SSH server
3

    
4
####
5
#### General
6
####
7

    
8
# On which address SSHD listen?
9
#ListenAddress ::
10
#ListenAddress 0.0.0.0
11

    
12
# Default SSHD port
13
Port 22
14

    
15
# Never use protocol version 1
16
Protocol 2
17

    
18
# Host keys for protocol version 2
19
# No password with 600 permission
20
# RSA key at least 2048 bits
21
# ECDSA key at least 256 bits
22
HostKey /etc/ssh/ssh_host_ecdsa_key
23
HostKey /etc/ssh/ssh_host_ed25519_key
24
HostKey /etc/ssh/ssh_host_rsa_key
25

    
26

    
27
####
28
#### Authentication
29
####
30

    
31
PubkeyAuthentication yes
32

    
33
GSSAPIAuthentication yes
34

    
35
# No SSH keys => no need of ~/.ssh/know_hosts
36
GSSAPIKeyExchange yes
37

    
38
# Clean user cache
39
GSSAPICleanupCredentials yes
40

    
41
# Tunneled cleartext password
42
PasswordAuthentication no
43

    
44
# The argument must be “yes”, “without-password”,
45
# “forced-commands-only”, or “no”.
46
# The default is “yes”.
47
# Disable generic account for tracability
48
PermitRootLogin no
49

    
50
# sshd vérifie les permissions sur les fichiers de clefs et autres...
51
StrictModes yes
52

    
53
# Separate privilege
54
# “sandbox” does not work on Linux
55
UsePrivilegeSeparation yes
56

    
57
# Public keys authorized to connect
58
AuthorizedKeysFile %h/.ssh/authorized_keys
59

    
60
# The server disconnects after this time (in seconds) if the user has
61
# not successfully logged in
62
LoginGraceTime 30
63

    
64

    
65
####
66
#### Crypto parameters
67
####
68

    
69
# Types d'algorithmes de chiffrement supportés
70
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
71

    
72
# Types de hashage
73
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1-96,hmac-sha1
74

    
75
# Algorithme d’échange de clef
76
KexAlgorithms curve25519-sha256@libssh.org
77

    
78

    
79
####
80
#### Disable unsecure options
81
####
82

    
83
# Do not read user ~/.rhosts and ~/.shosts files
84
IgnoreRhosts yes
85

    
86
# Do not permit rhosts or /etc/hosts.equiv authentication together
87
# with successful public key client host authentication
88
HostbasedAuthentication no
89

    
90
# Do not trust ~/.ssh/known_hosts for HostbasedAuthentication
91
IgnoreUserKnownHosts yes
92

    
93
# Empty password must not happen
94
PermitEmptyPasswords no
95

    
96
# Disable s/key password
97
ChallengeResponseAuthentication no
98

    
99
# Do not use ~/.ssh/environment or environment= in
100
# ~/.ssh/authorized_keys
101
PermitUserEnvironment no
102

    
103
# Disable X11Forwarding
104
X11forwarding no
105

    
106
# Disable TCP forward
107
AllowTcpForwarding no
108

    
109

    
110
####
111
#### Presentation
112
####
113

    
114
# Disable banner to avoid giving information on the machine
115
Banner none
116

    
117
# Do not print entry message
118
PrintMotd no
119

    
120
# Print information on last connection
121
PrintLastLog yes
122

    
123
# Limit acceptable variables LANG et LC_*
124
AcceptEnv LANG LC_*
125

    
126
####
127
#### Protocol
128
####
129

    
130
# Compress only when user has successfully authenticated
131
Compression delayed
132

    
133
# Prefer to use ClientAlive* instead of impacting all TCP connection
134
TCPKeepAlive no
135

    
136
# Inactivity intervale after which server send alive message
137
ClientAliveInterval 30
138

    
139
# Number of lost alive message before considering the connection dead
140
# and disconnect
141
ClientAliveCountMax 10
142

    
143
MaxStartups 5:30:10
144

    
145
####
146
#### Logging
147
####
148
SyslogFacility AUTH
149
LogLevel INFO
150

    
151
####
152
#### Sous système
153
####
154

    
155
Subsystem	sftp	/usr/lib/sftp-server