Différences

Ci-dessous, les différences entre deux révisions de la page.

--- serveur:ssh [2024/10/29 15:42] – [Après l'installation de SSH] d2air
+++ serveur:ssh [2024/11/01 20:06] (Version actuelle) – [Fichier de configuration du client] d2air
@@ Ligne 28: / Ligne 28: @@
 mv moduli moduli-`date +"%Y%m%d"`.bak
 mv moduli-4096 moduli
+# copier les configurations personnalisées comme ci-dessous dans /etc/ssh/sshd_config.d/ et /etc/ssh/ssh_config.d/
 systemctl restart ssh.service
 </code>
 ==== Fichier de configuration du serveur ====
 Cette configuration désactive la connexion par l'utilisateur root, elle interdit l'authentification par un mot de passe et la remplace par une clef.
-<file sh sshd_config>
+Copiez la configuration suivante dans un fichier se terminant par .conf dans le répertoire : /etc/ssh/sshd_config.d/
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+<file sh sshd_config_local.conf>
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
 Port 1234
 #AddressFamily any
@@ Ligne 56: / Ligne 46: @@
 # Ciphers and keying
 #RekeyLimit default none
-#https://www.securiteinfo.com/cryptographie/renforcer-cryptage-ssh.shtml
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
-Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
-HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
 # Logging
@@ Ligne 167: / Ligne 161: @@
 </file>
 ==== Fichier de configuration du client ====
-<code>
+Copiez la configuration suivante dans un fichier se terminant par .conf dans le répertoire : /etc/ssh/ssh_config.d/
-mv ssh_config ssh_config-original-`date +"%Y%m%d"`.bak
+<file sh ssh_config_local.conf>
-vi ssh_config
-</code>
-<file sh ssh_config>
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-# Site-wide defaults for some commonly used options.  For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
 Host *
-#   ForwardAgent no
+    PasswordAuthentication yes
-#   ForwardX11 no
+    PubkeyAuthentication yes
-#   ForwardX11Trusted yes
+    ChallengeResponseAuthentication no
-#   PasswordAuthentication yes
+    SendEnv LANG LC_*
-#   HostbasedAuthentication no
+    HashKnownHosts yes
-#   GSSAPIAuthentication no
+##  faster connexion
-#   GSSAPIDelegateCredentials no
+    GSSAPIAuthentication no
-#   GSSAPIKeyExchange no
+    GSSAPIKeyExchange no
-#   GSSAPITrustDNS no
+    GSSAPIRenewalForcesRekey no
-#   BatchMode no
+    GSSAPIDelegateCredentials no
-#   CheckHostIP yes
+##
-#   AddressFamily any
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
-#   ConnectTimeout 0
+    KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512
-#   StrictHostKeyChecking ask
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
-#   IdentityFile ~/.ssh/id_rsa
+    RequiredRSASize 4096
-#   IdentityFile ~/.ssh/id_dsa
+    HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
-#   IdentityFile ~/.ssh/id_ecdsa
+    CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
-#   IdentityFile ~/.ssh/id_ed25519
+    GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
-#   Port 22
+    HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
-#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+    PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
-#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
-#   EscapeChar ~
-#   Tunnel no
-#   TunnelDevice any:any
-#   PermitLocalCommand no
-#   VisualHostKey no
-#   ProxyCommand ssh -q -W %h:%p gateway.example.com
-#   RekeyLimit 1G 1h
-PasswordAuthentication yes
-PubkeyAuthentication yes
-ChallengeResponseAuthentication no
-SendEnv LANG LC_*
-HashKnownHosts yes
-# faster connexion
-GSSAPIAuthentication no
-GSSAPIKeyExchange no
-GSSAPIRenewalForcesRekey no
-GSSAPIDelegateCredentials no
-#
-Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
-KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,curve25519-sha256@libssh.org
-MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512
 </file>
+Les sites [[https://www.ssh-audit.com/hardening_guides.html|SSH Audit]] et [[https://www.securiteinfo.com/cryptographie/renforcer-cryptage-ssh.shtml|Sécurité Info]] proposent des exemples de configurations adaptées.
 ==== Redémarrer SSH ====
 <code>
 systemctl restart ssh.service
 </code>