Avant de générer des clefs, il est nécessaire de créer de l'entropie sur le système. La solution est d'installer le paquet rng-tools (sous Debian).
sudo apt update && sudo apt install rng-tools
Pour configuer rng-tools il faut éditer le fichier /etc/default/rng-tools, mais c'est normalement inutile celui-ci pouvant reconnaître seul les sources d'entropie. Il faudra surtout éviter de le configurer avec /dev/urandom comme source (voir cet article).
apt install openssh-server
cd /etc/ssh/ rm ssh_host_*key* ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null ssh-keygen -G moduli-4096.candidates -b 4096 ssh-keygen -T moduli-4096 -f moduli-4096.candidates mv moduli moduli-`date +"%Y%m%d"`.bak mv moduli-4096 moduli mv sshd_config sshd_config-original-`date +"%Y%m%d"`.bak vi sshd_config # modifier la config du serveur comme ci-dessous vi ssh_config # modifier la config du client comme ci-dessous systemctl restart ssh.service
Cette configuration désactive la connexion par l'utilisateur root, elle interdit l'authentification par un mot de passe et la remplace par une clef.
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. Port 1234 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key # Ciphers and keying #RekeyLimit default none #https://www.securiteinfo.com/cryptographie/renforcer-cryptage-ssh.shtml Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,curve25519-sha256@libssh.org MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512 # Logging SyslogFacility AUTH LogLevel VERBOSE # Authentication: LoginGraceTime 30 PermitRootLogin no StrictModes yes AllowUsers user1 user2 #MaxAuthTries 6 #MaxSessions 10 # Password based logins are disabled - only public key based logins are allowed. AuthenticationMethods publickey PubkeyAuthentication yes # Expect .ssh/authorized_keys2 to be disregarded by default in future. AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no # Activer X11 suivant l'usage de la machine # https://www.skyminds.net/serveur-dedie-activer-x11-forwarding-pour-ssh/ X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no PrintLastLog yes TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Allow client to pass locale environment variables AcceptEnv LANG LC_* # override default of no subsystems #Subsystem sftp /usr/lib/openssh/sftp-server # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. #Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server
mv ssh_config ssh_config-original-`date +"%Y%m%d"`.bak vi ssh_config
# This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. Host * # ForwardAgent no # ForwardX11 no # ForwardX11Trusted yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # GSSAPIKeyExchange no # GSSAPITrustDNS no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # IdentityFile ~/.ssh/id_ecdsa # IdentityFile ~/.ssh/id_ed25519 # Port 22 # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h PasswordAuthentication yes PubkeyAuthentication yes ChallengeResponseAuthentication no SendEnv LANG LC_* HashKnownHosts yes # faster connexion GSSAPIAuthentication no GSSAPIKeyExchange no GSSAPIRenewalForcesRekey no GSSAPIDelegateCredentials no # Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,curve25519-sha256@libssh.org MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512
systemctl restart ssh.service