Below, the differences between two revisions of the page.
utilisateurs:celp:config:sshd [18/09/2018 13:14] celp deleted
— (Current version)
Ligne 1: | Ligne 1: | ||
- | ====== Un ssh bien protégé ====== | ||
- | * Objet : Fichier sshd qui protege bien le ssh. | ||
- | * Niveau requis : expert | ||
- | |||
- | ===== Fichier ===== | ||
- | |||
- | <code> | ||
- | # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ | ||
- | |||
- | # This is the sshd server system-wide configuration file. See | ||
- | # sshd_config(5) for more information. | ||
- | |||
- | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
- | |||
- | # The strategy used for options in the default sshd_config shipped with | ||
- | # OpenSSH is to specify options with their default value where | ||
- | # possible, but leave them commented. Uncommented options override the | ||
- | # default value. | ||
- | |||
- | # Port par defaut 22 | ||
- | #Port 22 | ||
- | #AddressFamily any | ||
- | # On ecoute partout ( 0.0.0.0) | ||
- | #ListenAddress 0.0.0.0 | ||
- | # On ecoute partout sur l'ipv6 | ||
- | #ListenAddress :: | ||
- | |||
- | #HostKey /etc/ssh/ssh_host_rsa_key | ||
- | #HostKey /etc/ssh/ssh_host_ecdsa_key | ||
- | #HostKey /etc/ssh/ssh_host_ed25519_key | ||
- | |||
- | # Ciphers and keying | ||
- | #RekeyLimit default none | ||
- | |||
- | # Logging | ||
- | #SyslogFacility AUTH | ||
- | #LogLevel INFO | ||
- | |||
- | # Authentication: | ||
- | |||
- | # Ne pas oublier de créer le groupe et d'y ajouter l'user. | ||
- | AllowGroups sshusers | ||
- | # 5sec pour s'identifier | ||
- | LoginGraceTime 5s | ||
- | # Pas de root login | ||
- | PermitRootLogin no | ||
- | #StrictModes yes | ||
- | # en cas d'erreur une seule fois pour le ressaie | ||
- | MaxAuthTries 1 | ||
- | #MaxSessions Specifies the maximum number of open sessions permitted per network connection | ||
- | MaxSessions 2 | ||
- | |||
- | #PubkeyAuthentication yes | ||
- | |||
- | # Expect .ssh/authorized_keys2 to be disregarded by default in future. | ||
- | #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 | ||
- | |||
- | #AuthorizedPrincipalsFile none | ||
- | |||
- | #AuthorizedKeysCommand none | ||
- | #AuthorizedKeysCommandUser nobody | ||
- | |||
- | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
- | #HostbasedAuthentication no | ||
- | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
- | # HostbasedAuthentication | ||
- | #IgnoreUserKnownHosts no | ||
- | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
- | #IgnoreRhosts yes | ||
- | |||
- | # To disable tunneled clear text passwords, change to no here! | ||
- | PasswordAuthentication no | ||
- | #PermitEmptyPasswords no | ||
- | |||
- | # Change to yes to enable challenge-response passwords (beware issues with | ||
- | # some PAM modules and threads) | ||
- | ChallengeResponseAuthentication no | ||
- | |||
- | # Kerberos options | ||
- | KerberosAuthentication no | ||
- | #KerberosOrLocalPasswd yes | ||
- | #KerberosTicketCleanup yes | ||
- | #KerberosGetAFSToken no | ||
- | |||
- | # GSSAPI options | ||
- | GSSAPIAuthentication no | ||
- | #GSSAPICleanupCredentials yes | ||
- | #GSSAPIStrictAcceptorCheck yes | ||
- | #GSSAPIKeyExchange no | ||
- | |||
- | # Set this to 'yes' to enable PAM authentication, account processing, | ||
- | # and session processing. If this is enabled, PAM authentication will | ||
- | # be allowed through the ChallengeResponseAuthentication and | ||
- | # PasswordAuthentication. Depending on your PAM configuration, | ||
- | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
- | # the setting of "PermitRootLogin yes | ||
- | # If you just want the PAM account and session checks to run without | ||
- | # PAM authentication, then enable this but set PasswordAuthentication | ||
- | # and ChallengeResponseAuthentication to 'no'. | ||
- | UsePAM no | ||
- | |||
- | RSAAuthentication no | ||
- | |||
- | #AllowAgentForwarding yes | ||
- | #AllowTcpForwarding yes | ||
- | #GatewayPorts no | ||
- | X11Forwarding yes | ||
- | #X11DisplayOffset 10 | ||
- | #X11UseLocalhost yes | ||
- | #PermitTTY yes | ||
- | PrintMotd yes | ||
- | #PrintLastLog yes | ||
- | #TCPKeepAlive yes | ||
- | #UseLogin no | ||
- | #UsePrivilegeSeparation sandbox | ||
- | #PermitUserEnvironment no | ||
- | #Compression delayed | ||
- | #ClientAliveInterval 0 | ||
- | #ClientAliveCountMax 3 | ||
- | #UseDNS no | ||
- | #PidFile /var/run/sshd.pid | ||
- | #MaxStartups 10:30:100 | ||
- | #PermitTunnel no | ||
- | #ChrootDirectory none | ||
- | #VersionAddendum none | ||
- | |||
- | # no default banner path | ||
- | #Banner none | ||
- | Banner /etc/issue.net | ||
- | |||
- | # Allow client to pass locale environment variables | ||
- | AcceptEnv LANG LC_* | ||
- | |||
- | # override default of no subsystems | ||
- | Subsystem sftp /usr/lib/openssh/sftp-server | ||
- | |||
- | # Example of overriding settings on a per-user basis | ||
- | #Match User anoncvs | ||
- | # X11Forwarding no | ||
- | # AllowTcpForwarding no | ||
- | # PermitTTY no | ||
- | # ForceCommand cvs server | ||
- | </code> |
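Review bot: `MaxAuthTries 1` (the line under "en cas d'erreur une seule fois pour le ressaie") will lock out most public-key users instead of giving them one retry: sshd counts every public key a client offers that is not in `authorized_keys` as a failed attempt, so any client whose first offered key is not the right one is disconnected with "Too many authentication failures" before it reaches the correct key, and the comment misstates the semantics (1 means a single attempt per connection, not one retry after an error). Suggest a small but workable value such as `MaxAuthTries 3`, with clients pinning their key via `IdentitiesOnly yes`. In the same hunk, `UsePAM no` also switches off the PAM account and session checks; the file's own comment block directly above it describes the intended combination for a key-only server (keep PAM enabled, set `PasswordAuthentication no` and `ChallengeResponseAuthentication no`), which is what this config already does for the other two options. `LoginGraceTime 5s` leaves little headroom for key exchange plus an agent or hardware-token prompt on a slow link, and `X11Forwarding yes` is an odd global default for a hardened server when the commented `Match` example at the end shows how to scope it per user. Finally, `RSAAuthentication` is a protocol-1-only option that OpenSSH 7.4 and later report as deprecated, so that line can be dropped.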