Configuration de SSH

Avant de générer des clefs, il est nécessaire de créer de l'entropie sur le système. La solution est d'installer le paquet rng-tools (sous Debian).

sudo apt update && sudo apt install rng-tools

Pour configuer rng-tools il faut éditer le fichier /etc/default/rng-tools, mais c'est normalement inutile celui-ci pouvant reconnaître seul les sources d'entropie. Il faudra surtout éviter de le configurer avec /dev/urandom comme source (voir cet article).

Si vous avez un module TPM vous pouvez aussi ajouter tpm-rng dans le fichier de configuration /etc/initramfs-tools/modules :

sudo vi /etc/initramfs-tools/modules
sudo update-initramfs -u
sudo systemctl reboot

apt install openssh-server

cd /etc/ssh/
rm ssh_host_*key*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null
ssh-keygen -M generate -O bits=4096 moduli-4096.candidates
ssh-keygen -M screen -f moduli-4096.candidates moduli-4096
mv moduli moduli-`date +"%Y%m%d"`.bak
mv moduli-4096 moduli
# copier les configurations personnalisées comme ci-dessous dans /etc/ssh/sshd_config.d/ et /etc/ssh/ssh_config.d/
systemctl restart ssh.service

Cette configuration désactive la connexion par l'utilisateur root, elle interdit l'authentification par un mot de passe et la remplace par une clef. Copiez ce fichier dans /etc/ssh/sshd_config.d/

sshd_config

#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
 
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
 
Port 1234
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
 
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
 
# Ciphers and keying
#RekeyLimit default none
#https://www.securiteinfo.com/cryptographie/renforcer-cryptage-ssh.shtml
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
 
# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
AllowUsers user1 user2
#MaxAuthTries 6
#MaxSessions 10
 
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
PubkeyAuthentication yes
 
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
 
#AuthorizedPrincipalsFile none
 
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
 
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
 
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
 
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
 
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
 
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
 
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
 
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# Activer X11 suivant l'usage de la machine
# https://www.skyminds.net/serveur-dedie-activer-x11-forwarding-pour-ssh/
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
 
# no default banner path
#Banner none
 
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
 
# override default of no subsystems
#Subsystem	sftp	/usr/lib/openssh/sftp-server
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
#Subsystem	sftp	/usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
 
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

mv ssh_config ssh_config-original-`date +"%Y%m%d"`.bak
vi ssh_config

ssh_config

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
 
# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
 
# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
 
Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
SendEnv LANG LC_*
HashKnownHosts yes
# faster connexion
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIRenewalForcesRekey no
GSSAPIDelegateCredentials no
#
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,curve25519-sha256@libssh.org
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512

systemctl restart ssh.service