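# -*- conf -*-
# Configuration of SSH server (OpenSSH sshd_config)
#
# Review notes:
#  - Keywords are case-insensitive and the FIRST value obtained for a
#    keyword wins, so any Match block (none here) must be appended last.
#  - Several keywords below are deprecated or distribution-specific;
#    each one is flagged where it appears.  Validate with `sshd -t`
#    and keep an existing session open while reloading.

####
#### General
####

# Addresses sshd listens on (default: every address, both families)
#ListenAddress ::
#ListenAddress 0.0.0.0

# Default SSHD port
Port 22

# Never use protocol version 1.
# NOTE: deprecated since OpenSSH 7.4 (protocol 1 support was removed);
# current releases accept and ignore this keyword.
Protocol 2

# Host keys for protocol version 2.
# Key files must be unencrypted, mode 0600 and owned by root.
# RSA key at least 2048 bits (3072 or more for newly generated keys),
# ECDSA key at least 256 bits; ed25519 is preferred by modern clients.
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key


####
#### Authentication
####

PubkeyAuthentication yes

# Kerberos (GSSAPI) user authentication.  Only meaningful when hosts
# and users belong to a Kerberos realm; disable it otherwise to reduce
# the pre-authentication attack surface.
GSSAPIAuthentication yes

# GSSAPI key exchange authenticates the server through Kerberos, so
# clients do not need this host's key in ~/.ssh/known_hosts.
# NOTE: this keyword exists only in distribution builds that carry the
# GSSAPI key-exchange patch (Debian/Ubuntu, RHEL/Fedora); vanilla
# OpenSSH rejects it and sshd then refuses to start.
GSSAPIKeyExchange yes

# Destroy the user's Kerberos credential cache on logout
GSSAPICleanupCredentials yes

# Tunneled cleartext password authentication (off: keys or Kerberos only)
PasswordAuthentication no

# Allowed values: "yes", "prohibit-password" (formerly
# "without-password"), "forced-commands-only" or "no".  The default has
# been "prohibit-password" since OpenSSH 7.0.
# Disable the shared root account for traceability: administrators log
# in under their own account and escalate from there.
PermitRootLogin no

# Check ownership and permissions of the user's home directory, ~/.ssh
# and key files before trusting them
StrictModes yes

# Privilege separation.
# NOTE: the keyword was removed in OpenSSH 7.5 (privsep with sandboxing
# is now mandatory) and is ignored; older releases also accept
# "sandbox", which does work on Linux via seccomp-bpf.
UsePrivilegeSeparation yes

# Public keys authorized to connect (%h = the user's home directory)
AuthorizedKeysFile %h/.ssh/authorized_keys

# The server disconnects after this time (in seconds) if the user has
# not successfully logged in
LoginGraceTime 30

# Authentication attempts allowed per connection before sshd drops it
# (default 6)
MaxAuthTries 3


####
#### Crypto parameters
####

# Symmetric ciphers, in order of preference.
# NOTE: chacha20-poly1305@openssh.com is affected by the Terrapin
# prefix-truncation attack (CVE-2023-48795) unless BOTH peers support
# strict key exchange (OpenSSH >= 9.6); if older clients must connect,
# move it after the AES-CTR entries or drop it.
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Message authentication codes: SHA-2, encrypt-then-MAC only.
# The previous list also offered hmac-sha1, the 96-bit truncated
# hmac-sha1-96 and the MAC-then-encrypt variants; a client could
# negotiate down to any of them, so they are removed.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Key exchange.  curve25519-sha256 is the standardised name of the
# same method (OpenSSH >= 7.4); the @libssh.org alias keeps older
# clients working.  On builds with GSSAPIKeyExchange the gss-* methods
# are negotiated separately and are not restricted by this list.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org


####
#### Disable insecure options
####

# Do not read user ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Do not permit rhosts or /etc/hosts.equiv authentication together
# with successful public key client host authentication
HostbasedAuthentication no

# Do not trust ~/.ssh/known_hosts for HostbasedAuthentication
IgnoreUserKnownHosts yes

# Empty passwords must never be accepted
PermitEmptyPasswords no

# Disable keyboard-interactive (S/Key, PAM challenge) authentication.
# Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is
# still accepted as an alias.
ChallengeResponseAuthentication no

# Do not use ~/.ssh/environment or environment= in
# ~/.ssh/authorized_keys
PermitUserEnvironment no

# Disable X11 forwarding
X11Forwarding no

# Disable TCP port forwarding (default yes)
AllowTcpForwarding no

# Do not relay ssh-agent sockets through this host (default yes):
# root on this host could otherwise sign with every connected user's
# keys.
AllowAgentForwarding no

# No tun(4) layer-2/3 tunnels (default no, made explicit)
PermitTunnel no


####
#### Presentation
####

# No pre-authentication banner, to avoid disclosing information about
# the machine.  If policy requires a legal notice, point this at a file
# that contains only the notice (no hostname, version or OS details).
Banner none

# Do not print /etc/motd at login
PrintMotd no

# Print information on the last connection so users can notice misuse
PrintLastLog yes

# Only the locale variables LANG and LC_* are accepted from the client
AcceptEnv LANG LC_*

####
#### Protocol
####

# Compress only once the user has successfully authenticated.
# NOTE: since OpenSSH 7.4 "delayed" is an alias for "yes", which now
# always means post-authentication compression only.
Compression delayed

# Prefer ClientAlive* (sent inside the encrypted channel, cannot be
# spoofed) over TCP keepalives, which are plaintext and forgeable
TCPKeepAlive no

# Inactivity interval (seconds) after which the server sends an alive
# message
ClientAliveInterval 30

# Number of unanswered alive messages before the connection is
# considered dead and closed (30 s x 10 = 5 minutes idle)
ClientAliveCountMax 10

# start:rate:full -- once 5 unauthenticated connections are pending,
# refuse new ones with 30% probability, rising linearly to 100% at 10
MaxStartups 5:30:10

####
#### Logging
####
SyslogFacility AUTH
# VERBOSE additionally records the fingerprint of the key that
# authenticated and the authorized_keys file and line it matched,
# which is what incident response needs to attribute a login to a key.
LogLevel VERBOSE

####
#### Subsystems
####

# SFTP server binary; the path is distribution-specific (Debian and
# Ubuntu ship /usr/lib/openssh/sftp-server).  "internal-sftp" needs no
# external binary and is required for ChrootDirectory setups.
Subsystem sftp /usr/lib/sftp-server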