serveur:ssh

Configuration de SSH

Avant de générer des clefs, il est nécessaire de créer de l'entropie sur le système. La solution est d'installer le paquet rng-tools (sous Debian).

sudo apt update && sudo apt install rng-tools

Pour configuer rng-tools il faut éditer le fichier /etc/default/rng-tools, mais c'est normalement inutile celui-ci pouvant reconnaître seul les sources d'entropie. Il faudra surtout éviter de le configurer avec /dev/urandom comme source (voir cet article).

Si vous avez un module TPM vous pouvez aussi ajouter tpm-rng dans le fichier de configuration /etc/initramfs-tools/modules :

sudo vi /etc/initramfs-tools/modules
sudo update-initramfs -u
sudo systemctl reboot
apt install openssh-server
cd /etc/ssh/
rm ssh_host_*key*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null
ssh-keygen -M generate -O bits=4096 moduli-4096.candidates
ssh-keygen -M screen -f moduli-4096.candidates moduli-4096
mv moduli moduli-`date +"%Y%m%d"`.bak
mv moduli-4096 moduli
# copier les configurations personnalisées comme ci-dessous dans /etc/ssh/sshd_config.d/ et /etc/ssh/ssh_config.d/
systemctl restart ssh.service

Cette configuration désactive la connexion par l'utilisateur root, elle interdit l'authentification par un mot de passe et la remplace par une clef. Copiez la configuration suivante dans un fichier se terminant par .conf dans le répertoire : /etc/ssh/sshd_config.d/

sshd_config_local.conf
Port 1234
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
 
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
 
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
 
 
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
 
# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
AllowUsers user1 user2
#MaxAuthTries 6
#MaxSessions 10
 
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
PubkeyAuthentication yes
 
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
 
#AuthorizedPrincipalsFile none
 
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
 
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
 
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
 
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
 
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
 
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
 
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
 
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# Activer X11 suivant l'usage de la machine
# https://www.skyminds.net/serveur-dedie-activer-x11-forwarding-pour-ssh/
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
 
# no default banner path
#Banner none
 
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
 
# override default of no subsystems
#Subsystem	sftp	/usr/lib/openssh/sftp-server
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
#Subsystem	sftp	/usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
 
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Copiez la configuration suivante dans un fichier se terminant par .conf dans le répertoire : /etc/ssh/ssh_config.d/

ssh_config_local.conf
Host *
    PasswordAuthentication yes
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
    SendEnv LANG LC_*
    HashKnownHosts yes
##  faster connexion
    GSSAPIAuthentication no
    GSSAPIKeyExchange no
    GSSAPIRenewalForcesRekey no
    GSSAPIDelegateCredentials no
##    
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
    KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    RequiredRSASize 4096
    HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
    CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
    GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
    HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
    PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

Les sites SSH Audit et Sécurité Info proposent des exemples de configurations adaptées.

systemctl restart ssh.service
  • serveur/ssh.txt
  • Dernière modification : 2024/11/01 20:06
  • de d2air