aboutsummaryrefslogtreecommitdiff
path: root/sshd_config
diff options
context:
space:
mode:
authorPacien TRAN-GIRARD2016-11-08 17:03:03 +0100
committerPacien TRAN-GIRARD2016-11-08 17:03:03 +0100
commit3ff8396faddc994b180e7836764728cb03d4dc79 (patch)
treeb2aa84e7a83cbfaacfdd6111a147da04dd2ae174 /sshd_config
parent037b59eb7fe8d3f90b577f3397b6018d83e66e7b (diff)
downloadssh-hardened-3ff8396faddc994b180e7836764728cb03d4dc79.tar.gz
Enforce "Secure Secure Shell" recommendations
Diffstat (limited to 'sshd_config')
-rw-r--r--sshd_config17
1 files changed, 10 insertions, 7 deletions
diff --git a/sshd_config b/sshd_config
index a67aa8a..cb6a645 100644
--- a/sshd_config
+++ b/sshd_config
@@ -16,20 +16,21 @@
16#ListenAddress :: 16#ListenAddress ::
17 17
18# The default requires explicit activation of protocol 1 18# The default requires explicit activation of protocol 1
19#Protocol 2 19Protocol 2
20 20
21# HostKey for protocol version 1 21# HostKey for protocol version 1
22#HostKey /etc/ssh/ssh_host_key 22#HostKey /etc/ssh/ssh_host_key
23# HostKeys for protocol version 2 23# HostKeys for protocol version 2
24#HostKey /etc/ssh/ssh_host_rsa_key 24HostKey /etc/ssh/ssh_host_rsa_key
25#HostKey /etc/ssh/ssh_host_dsa_key 25#HostKey /etc/ssh/ssh_host_dsa_key
26#HostKey /etc/ssh/ssh_host_ecdsa_key 26#HostKey /etc/ssh/ssh_host_ecdsa_key
27#HostKey /etc/ssh/ssh_host_ed25519_key 27HostKey /etc/ssh/ssh_host_ed25519_key
28 28
29# Minimum accepted size of the DH parameter p. By default this is set to 1024 29# Minimum accepted size of the DH parameter p. By default this is set to 1024
30# to maintain compatibility with RFC4419, but should be set higher. 30# to maintain compatibility with RFC4419, but should be set higher.
31# Upstream default is identical to setting this to 2048. 31# Upstream default is identical to setting this to 2048.
32#KexDHMin 1024 32#KexDHMin 4096
33KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
33 34
34# Lifetime and size of ephemeral version 1 server key 35# Lifetime and size of ephemeral version 1 server key
35#KeyRegenerationInterval 1h 36#KeyRegenerationInterval 1h
@@ -46,13 +47,13 @@
46# Authentication: 47# Authentication:
47 48
48#LoginGraceTime 2m 49#LoginGraceTime 2m
49#PermitRootLogin yes 50PermitRootLogin yes
50#StrictModes yes 51#StrictModes yes
51#MaxAuthTries 6 52#MaxAuthTries 6
52#MaxSessions 10 53#MaxSessions 10
53 54
54#RSAAuthentication yes 55#RSAAuthentication yes
55#PubkeyAuthentication yes 56PubkeyAuthentication yes
56 57
57# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 58# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
58# but this is overridden so installations will only check .ssh/authorized_keys 59# but this is overridden so installations will only check .ssh/authorized_keys
@@ -78,7 +79,7 @@ PasswordAuthentication no
78#PermitEmptyPasswords no 79#PermitEmptyPasswords no
79 80
80# Change to no to disable s/key passwords 81# Change to no to disable s/key passwords
81#ChallengeResponseAuthentication yes 82ChallengeResponseAuthentication no
82 83
83# Kerberos options 84# Kerberos options
84#KerberosAuthentication no 85#KerberosAuthentication no
@@ -150,3 +151,5 @@ AcceptEnv LC_IDENTIFICATION LC_ALL
150# AllowTcpForwarding no 151# AllowTcpForwarding no
151# PermitTTY no 152# PermitTTY no
152# ForceCommand cvs server 153# ForceCommand cvs server
154
155AllowGroups ssh-user