diff options
| author | Pacien TRAN-GIRARD | 2016-11-08 17:03:03 +0100 |
|---|---|---|
| committer | Pacien TRAN-GIRARD | 2016-11-08 17:03:03 +0100 |
| commit | 3ff8396faddc994b180e7836764728cb03d4dc79 (patch) | |
| tree | b2aa84e7a83cbfaacfdd6111a147da04dd2ae174 | |
| parent | 037b59eb7fe8d3f90b577f3397b6018d83e66e7b (diff) | |
| download | ssh-hardened-3ff8396faddc994b180e7836764728cb03d4dc79.tar.gz | |
Enforce "Secure Secure Shell" recommendations
| -rw-r--r-- | ssh_config | 14 | ||||
| -rw-r--r-- | sshd_config | 17 |
2 files changed, 23 insertions, 8 deletions
| @@ -20,7 +20,19 @@ | |||
| 20 | # Minimum accepted size of the DH parameter p. By default this is set to 1024 | 20 | # Minimum accepted size of the DH parameter p. By default this is set to 1024 |
| 21 | # to maintain compatibility with RFC4419, but should be set higher. | 21 | # to maintain compatibility with RFC4419, but should be set higher. |
| 22 | # Upstream default is identical to setting this to 2048. | 22 | # Upstream default is identical to setting this to 2048. |
| 23 | #KexDHMin 1024 | 23 | #KexDHMin 4096 |
| 24 | |||
| 25 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | ||
| 26 | HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa | ||
| 27 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | ||
| 28 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com | ||
| 29 | |||
| 30 | ChallengeResponseAuthentication no | ||
| 31 | PasswordAuthentication no | ||
| 32 | PubkeyAuthentication yes | ||
| 33 | |||
| 34 | UseRoaming no | ||
| 35 | ForwardX11Trusted no | ||
| 24 | 36 | ||
| 25 | Host * | 37 | Host * |
| 26 | # ForwardAgent no | 38 | # ForwardAgent no |
diff --git a/sshd_config b/sshd_config index a67aa8a..cb6a645 100644 --- a/sshd_config +++ b/sshd_config | |||
| @@ -16,20 +16,21 @@ | |||
| 16 | #ListenAddress :: | 16 | #ListenAddress :: |
| 17 | 17 | ||
| 18 | # The default requires explicit activation of protocol 1 | 18 | # The default requires explicit activation of protocol 1 |
| 19 | #Protocol 2 | 19 | Protocol 2 |
| 20 | 20 | ||
| 21 | # HostKey for protocol version 1 | 21 | # HostKey for protocol version 1 |
| 22 | #HostKey /etc/ssh/ssh_host_key | 22 | #HostKey /etc/ssh/ssh_host_key |
| 23 | # HostKeys for protocol version 2 | 23 | # HostKeys for protocol version 2 |
| 24 | #HostKey /etc/ssh/ssh_host_rsa_key | 24 | HostKey /etc/ssh/ssh_host_rsa_key |
| 25 | #HostKey /etc/ssh/ssh_host_dsa_key | 25 | #HostKey /etc/ssh/ssh_host_dsa_key |
| 26 | #HostKey /etc/ssh/ssh_host_ecdsa_key | 26 | #HostKey /etc/ssh/ssh_host_ecdsa_key |
| 27 | #HostKey /etc/ssh/ssh_host_ed25519_key | 27 | HostKey /etc/ssh/ssh_host_ed25519_key |
| 28 | 28 | ||
| 29 | # Minimum accepted size of the DH parameter p. By default this is set to 1024 | 29 | # Minimum accepted size of the DH parameter p. By default this is set to 1024 |
| 30 | # to maintain compatibility with RFC4419, but should be set higher. | 30 | # to maintain compatibility with RFC4419, but should be set higher. |
| 31 | # Upstream default is identical to setting this to 2048. | 31 | # Upstream default is identical to setting this to 2048. |
| 32 | #KexDHMin 1024 | 32 | #KexDHMin 4096 |
| 33 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | ||
| 33 | 34 | ||
| 34 | # Lifetime and size of ephemeral version 1 server key | 35 | # Lifetime and size of ephemeral version 1 server key |
| 35 | #KeyRegenerationInterval 1h | 36 | #KeyRegenerationInterval 1h |
| @@ -46,13 +47,13 @@ | |||
| 46 | # Authentication: | 47 | # Authentication: |
| 47 | 48 | ||
| 48 | #LoginGraceTime 2m | 49 | #LoginGraceTime 2m |
| 49 | #PermitRootLogin yes | 50 | PermitRootLogin yes |
| 50 | #StrictModes yes | 51 | #StrictModes yes |
| 51 | #MaxAuthTries 6 | 52 | #MaxAuthTries 6 |
| 52 | #MaxSessions 10 | 53 | #MaxSessions 10 |
| 53 | 54 | ||
| 54 | #RSAAuthentication yes | 55 | #RSAAuthentication yes |
| 55 | #PubkeyAuthentication yes | 56 | PubkeyAuthentication yes |
| 56 | 57 | ||
| 57 | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | 58 | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
| 58 | # but this is overridden so installations will only check .ssh/authorized_keys | 59 | # but this is overridden so installations will only check .ssh/authorized_keys |
| @@ -78,7 +79,7 @@ PasswordAuthentication no | |||
| 78 | #PermitEmptyPasswords no | 79 | #PermitEmptyPasswords no |
| 79 | 80 | ||
| 80 | # Change to no to disable s/key passwords | 81 | # Change to no to disable s/key passwords |
| 81 | #ChallengeResponseAuthentication yes | 82 | ChallengeResponseAuthentication no |
| 82 | 83 | ||
| 83 | # Kerberos options | 84 | # Kerberos options |
| 84 | #KerberosAuthentication no | 85 | #KerberosAuthentication no |
| @@ -150,3 +151,5 @@ AcceptEnv LC_IDENTIFICATION LC_ALL | |||
| 150 | # AllowTcpForwarding no | 151 | # AllowTcpForwarding no |
| 151 | # PermitTTY no | 152 | # PermitTTY no |
| 152 | # ForceCommand cvs server | 153 | # ForceCommand cvs server |
| 154 | |||
| 155 | AllowGroups ssh-user | ||