====== Configuration de SSH ======
===== Générer de l'entropie =====
==== RNG-Tools ====
Avant de générer des clefs, il est nécessaire de créer de l'entropie sur le système. La solution est d'installer le paquet ''rng-tools'' (sous Debian).
sudo apt update && sudo apt install rng-tools
Pour configuer ''rng-tools'' il faut éditer le fichier ''/etc/default/rng-tools'', mais c'est normalement inutile celui-ci pouvant reconnaître seul les sources d'entropie. Il faudra surtout éviter de le configurer avec ''/dev/urandom'' comme source (voir [[https://lwn.net/Articles/525459/|cet article]]).
===== Installer Open-SSH Server =====
apt install openssh-server
===== Après l'installation de SSH =====
cd /etc/ssh/
rm ssh_host_*key*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null
ssh-keygen -G moduli-4096.candidates -b 4096
ssh-keygen -T moduli-4096 -f moduli-4096.candidates
mv moduli moduli-`date +"%Y%m%d"`.bak
mv moduli-4096 moduli
mv sshd_config sshd_config-original-`date +"%Y%m%d"`.bak
vi sshd_config
# modifier la config du serveur comme ci-dessous
vi ssh_config
# modifier la config du client comme ci-dessous
systemctl restart ssh.service
==== Fichier de configuration du serveur ====
Cette configuration désactive la connexion par l'utilisateur root, elle interdit l'authentification par un mot de passe et la remplace par une clef.
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 1234
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Ciphers and keying
#RekeyLimit default none
#https://www.securiteinfo.com/cryptographie/renforcer-cryptage-ssh.shtml
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,curve25519-sha256@libssh.org
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
AllowUsers user1 user2
#MaxAuthTries 6
#MaxSessions 10
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# Activer X11 suivant l'usage de la machine
# https://www.skyminds.net/serveur-dedie-activer-x11-forwarding-pour-ssh/
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
#Subsystem sftp /usr/lib/openssh/sftp-server
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
#Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
==== Fichier de configuration du client ====
mv ssh_config ssh_config-original-`date +"%Y%m%d"`.bak
vi ssh_config
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
SendEnv LANG LC_*
HashKnownHosts yes
# faster connexion
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIRenewalForcesRekey no
GSSAPIDelegateCredentials no
#
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,curve25519-sha256@libssh.org
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512
==== Redémarrer SSH ====
systemctl restart ssh.service