# -*- conf -*-
# Configuration of SSH server (OpenSSH sshd_config).
# Directives are case-insensitive keywords followed by their value; lines
# starting with "#" are comments. Check the effective result with `sshd -T`.

####
#### General
####

# On which address SSHD listen?
# (both commented out => sshd listens on all addresses)
#ListenAddress ::
#ListenAddress 0.0.0.0

# Default SSHD port
Port 22

# Never use protocol version 1
# NOTE(review): OpenSSH 7.4 and later only speak protocol 2 and treat this
# keyword as deprecated; it is kept for older servers.
Protocol 2

# Host keys for protocol version 2
# Private key files: no passphrase, mode 0600
# RSA key at least 2048 bits
# ECDSA key at least 256 bits
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

####
#### Authentication
####

# Public-key user authentication
PubkeyAuthentication yes

# Kerberos/GSSAPI user authentication
GSSAPIAuthentication yes

# With GSSAPI key exchange the host is authenticated through Kerberos,
# so clients do not need the server in ~/.ssh/known_hosts
# NOTE(review): GSSAPIKeyExchange is not part of stock OpenSSH; it comes
# from the GSSAPI key-exchange patch shipped by some distributions.
# Verify the installed sshd accepts it (`sshd -T`) before relying on it.
GSSAPIKeyExchange yes

# Destroy the user's credential cache on logout
GSSAPICleanupCredentials yes

# Tunneled cleartext password
PasswordAuthentication no

# The argument must be “yes”, “without-password”,
# “forced-commands-only”, or “no”.
# The default is “yes”.
# Disable generic account for traceability
PermitRootLogin no

# sshd checks ownership and permissions of the user's files and home
# directory (keys, authorized_keys, ...) before accepting a login
StrictModes yes

# Separate privilege
# “sandbox” does not work on Linux
# NOTE(review): privilege separation is always on and this keyword was
# removed in OpenSSH 7.5; newer versions log a deprecation warning and
# ignore it.
UsePrivilegeSeparation yes

# Public keys authorized to connect (%h = the user's home directory)
AuthorizedKeysFile %h/.ssh/authorized_keys

# The server disconnects after this time (in seconds) if the user has
# not successfully logged in
LoginGraceTime 30

####
#### Crypto parameters
####

# Supported cipher algorithms (AEAD and CTR modes only, no CBC)
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Supported MAC (hash) algorithms, in order of preference
# NOTE(review): the list still offers hmac-sha1-96 and hmac-sha1, including
# the non-ETM variants, presumably for legacy clients. Drop them if no such
# client remains.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1-96,hmac-sha1

# Key exchange algorithm
# NOTE(review): curve25519-sha256@libssh.org is the pre-standard name; newer
# OpenSSH also accepts the standard name curve25519-sha256. Keep the
# libssh.org name if old clients must connect.
KexAlgorithms curve25519-sha256@libssh.org

####
#### Disable insecure options
####

# Do not read user ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Do not permit rhosts or /etc/hosts.equiv authentication together
# with successful public key client host authentication
HostbasedAuthentication no

# Do not trust ~/.ssh/known_hosts for HostbasedAuthentication
IgnoreUserKnownHosts yes

# Empty password must not happen
PermitEmptyPasswords no

# Disable s/key password (keyboard-interactive)
# NOTE(review): renamed KbdInteractiveAuthentication in newer OpenSSH;
# the old keyword is still accepted as an alias.
ChallengeResponseAuthentication no

# Do not use ~/.ssh/environment or environment= in
# ~/.ssh/authorized_keys
PermitUserEnvironment no

# Disable X11Forwarding (keyword is case-insensitive; canonical spelling
# is X11Forwarding)
X11forwarding no

# Disable TCP forward
AllowTcpForwarding no

####
#### Presentation
####

# Disable banner to avoid giving information on the machine
Banner none

# Do not print entry message
PrintMotd no

# Print information on last connection
PrintLastLog yes

# Limit acceptable client-sent environment variables to LANG and LC_*
AcceptEnv LANG LC_*

####
#### Protocol
####

# Compress only when user has successfully authenticated
# NOTE(review): since OpenSSH 7.4 compression is only ever enabled after
# authentication, and "delayed" is treated as "yes".
Compression delayed

# Prefer to use ClientAlive* instead of impacting all TCP connection
# (ClientAlive messages go through the encrypted channel and cannot be
# spoofed, unlike TCP keepalives)
TCPKeepAlive no

# Inactivity interval (seconds) after which server sends an alive message
ClientAliveInterval 30

# Number of lost alive messages before considering the connection dead
# and disconnecting (30 s x 10 => idle connection dropped after ~300 s)
ClientAliveCountMax 10

# Unauthenticated connections: start:rate:full
# Refuse new connections with probability rate% (30) once 5 are pending,
# rising linearly up to 100% at 10 pending connections
MaxStartups 5:30:10

####
#### Logging
####

# Log to the AUTH syslog facility at INFO level
SyslogFacility AUTH
LogLevel INFO

####
#### Subsystem
####

# SFTP server binary
# NOTE(review): verify this path exists on the target host; the location of
# sftp-server is distribution-specific, and OpenSSH also offers the
# built-in "internal-sftp".
Subsystem sftp /usr/lib/sftp-server