Debian
Debian-France
Debian-Facile
Debian-fr.org
Forum-Debian.fr
Debian ?
Communautés
Vous n'êtes pas identifié(e).
L'icône rouge permet de télécharger chaque page du wiki visitée au format
PDF et la grise au format ODT →
Ci-dessous, les différences entre deux révisions de la page.
| Les deux révisions précédentes Révision précédente | |||
|
utilisateurs:celp:config:sshd [18/09/2018 13:14] celp supprimée |
— (Version actuelle) | ||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| - | ====== Un ssh bien protégé ====== | ||
| - | * Objet : Fichier sshd qui protege bien le ssh. | ||
| - | * Niveau requis : expert | ||
| - | |||
| - | ===== Fichier ===== | ||
| - | |||
| - | <code> | ||
| - | # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ | ||
| - | |||
| - | # This is the sshd server system-wide configuration file. See | ||
| - | # sshd_config(5) for more information. | ||
| - | |||
| - | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
| - | |||
| - | # The strategy used for options in the default sshd_config shipped with | ||
| - | # OpenSSH is to specify options with their default value where | ||
| - | # possible, but leave them commented. Uncommented options override the | ||
| - | # default value. | ||
| - | |||
| - | # Port par defaut 22 | ||
| - | #Port 22 | ||
| - | #AddressFamily any | ||
| - | # On ecoute partout ( 0.0.0.0) | ||
| - | #ListenAddress 0.0.0.0 | ||
| - | # On ecoute partout sur l'ipv6 | ||
| - | #ListenAddress :: | ||
| - | |||
| - | #HostKey /etc/ssh/ssh_host_rsa_key | ||
| - | #HostKey /etc/ssh/ssh_host_ecdsa_key | ||
| - | #HostKey /etc/ssh/ssh_host_ed25519_key | ||
| - | |||
| - | # Ciphers and keying | ||
| - | #RekeyLimit default none | ||
| - | |||
| - | # Logging | ||
| - | #SyslogFacility AUTH | ||
| - | #LogLevel INFO | ||
| - | |||
| - | # Authentication: | ||
| - | |||
| - | # Ne pas oublier de créer le groupe et d'y ajouter l'user. | ||
| - | AllowGroups sshusers | ||
| - | # 5sec pour s'identifier | ||
| - | LoginGraceTime 5s | ||
| - | # Pas de root login | ||
| - | PermitRootLogin no | ||
| - | #StrictModes yes | ||
| - | # en cas d'erreur une seule fois pour le ressaie | ||
| - | MaxAuthTries 1 | ||
| - | #MaxSessions Specifies the maximum number of open sessions permitted per network connection | ||
| - | MaxSessions 2 | ||
| - | |||
| - | #PubkeyAuthentication yes | ||
| - | |||
| - | # Expect .ssh/authorized_keys2 to be disregarded by default in future. | ||
| - | #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 | ||
| - | |||
| - | #AuthorizedPrincipalsFile none | ||
| - | |||
| - | #AuthorizedKeysCommand none | ||
| - | #AuthorizedKeysCommandUser nobody | ||
| - | |||
| - | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
| - | #HostbasedAuthentication no | ||
| - | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
| - | # HostbasedAuthentication | ||
| - | #IgnoreUserKnownHosts no | ||
| - | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
| - | #IgnoreRhosts yes | ||
| - | |||
| - | # To disable tunneled clear text passwords, change to no here! | ||
| - | PasswordAuthentication no | ||
| - | #PermitEmptyPasswords no | ||
| - | |||
| - | # Change to yes to enable challenge-response passwords (beware issues with | ||
| - | # some PAM modules and threads) | ||
| - | ChallengeResponseAuthentication no | ||
| - | |||
| - | # Kerberos options | ||
| - | KerberosAuthentication no | ||
| - | #KerberosOrLocalPasswd yes | ||
| - | #KerberosTicketCleanup yes | ||
| - | #KerberosGetAFSToken no | ||
| - | |||
| - | # GSSAPI options | ||
| - | GSSAPIAuthentication no | ||
| - | #GSSAPICleanupCredentials yes | ||
| - | #GSSAPIStrictAcceptorCheck yes | ||
| - | #GSSAPIKeyExchange no | ||
| - | |||
| - | # Set this to 'yes' to enable PAM authentication, account processing, | ||
| - | # and session processing. If this is enabled, PAM authentication will | ||
| - | # be allowed through the ChallengeResponseAuthentication and | ||
| - | # PasswordAuthentication. Depending on your PAM configuration, | ||
| - | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
| - | # the setting of "PermitRootLogin yes | ||
| - | # If you just want the PAM account and session checks to run without | ||
| - | # PAM authentication, then enable this but set PasswordAuthentication | ||
| - | # and ChallengeResponseAuthentication to 'no'. | ||
| - | UsePAM no | ||
| - | |||
| - | RSAAuthentication no | ||
| - | |||
| - | #AllowAgentForwarding yes | ||
| - | #AllowTcpForwarding yes | ||
| - | #GatewayPorts no | ||
| - | X11Forwarding yes | ||
| - | #X11DisplayOffset 10 | ||
| - | #X11UseLocalhost yes | ||
| - | #PermitTTY yes | ||
| - | PrintMotd yes | ||
| - | #PrintLastLog yes | ||
| - | #TCPKeepAlive yes | ||
| - | #UseLogin no | ||
| - | #UsePrivilegeSeparation sandbox | ||
| - | #PermitUserEnvironment no | ||
| - | #Compression delayed | ||
| - | #ClientAliveInterval 0 | ||
| - | #ClientAliveCountMax 3 | ||
| - | #UseDNS no | ||
| - | #PidFile /var/run/sshd.pid | ||
| - | #MaxStartups 10:30:100 | ||
| - | #PermitTunnel no | ||
| - | #ChrootDirectory none | ||
| - | #VersionAddendum none | ||
| - | |||
| - | # no default banner path | ||
| - | #Banner none | ||
| - | Banner /etc/issue.net | ||
| - | |||
| - | # Allow client to pass locale environment variables | ||
| - | AcceptEnv LANG LC_* | ||
| - | |||
| - | # override default of no subsystems | ||
| - | Subsystem sftp /usr/lib/openssh/sftp-server | ||
| - | |||
| - | # Example of overriding settings on a per-user basis | ||
| - | #Match User anoncvs | ||
| - | # X11Forwarding no | ||
| - | # AllowTcpForwarding no | ||
| - | # PermitTTY no | ||
| - | # ForceCommand cvs server | ||
| - | </code> | ||
