author | Pacien TRAN-GIRARD | 2016-11-08 17:03:03 +0100 |
---|---|---|
committer | Pacien TRAN-GIRARD | 2016-11-08 17:03:03 +0100 |
commit | 3ff8396faddc994b180e7836764728cb03d4dc79 (patch) | |
tree | b2aa84e7a83cbfaacfdd6111a147da04dd2ae174 /sshd_config | |
parent | 037b59eb7fe8d3f90b577f3397b6018d83e66e7b (diff) | |
download | ssh-hardened-3ff8396faddc994b180e7836764728cb03d4dc79.tar.gz |
Enforce "Secure Secure Shell" recommendations
Diffstat (limited to 'sshd_config')
-rw-r--r-- | sshd_config | 17 |
1 files changed, 10 insertions, 7 deletions
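--- a/sshd_config
+++ b/sshd_config
@@ -16,20 +16,21 @@
 #ListenAddress ::
 
 # The default requires explicit activation of protocol 1
-#Protocol 2
+Protocol 2
 
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Minimum accepted size of the DH parameter p. By default this is set to 1024
 # to maintain compatibility with RFC4419, but should be set higher.
 # Upstream default is identical to setting this to 2048.
-#KexDHMin 1024
+#KexDHMin 4096
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
@@ -46,13 +47,13 @@
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin yes
+PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+PubkeyAuthentication yes
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
@@ -78,7 +79,7 @@ PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -150,3 +151,5 @@ AcceptEnv LC_IDENTIFICATION LC_ALL
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
+
+AllowGroups ssh-user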
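Review bot: `PermitRootLogin yes` in the second hunk is now uncommented and explicitly enabled, which widens access for the root account rather than restricting it as a hardening commit would be expected to; with `PubkeyAuthentication yes` in the same hunk and `PasswordAuthentication no` in the third hunk's context, root remains reachable with any key placed in its authorized_keys. The usual recommendation is `PermitRootLogin no`, or `PermitRootLogin prohibit-password` on OpenSSH 7.0 and later if a key-only root login is genuinely required. Separately, `#KexDHMin 4096` in the first hunk is still commented out, so the value change has no effect on the running daemon; the comment above it implies this is not an upstream OpenSSH option, so confirm the local sshd accepts it before uncommenting it. The `AllowGroups ssh-user` line at the end only takes effect if that group exists and contains every intended user, which the commit does not document; a comment such as `# Only members of ssh-user may log in; create the group before restarting sshd` would help the next maintainer.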