From 3ff8396faddc994b180e7836764728cb03d4dc79 Mon Sep 17 00:00:00 2001
From: Pacien TRAN-GIRARD
Date: Tue, 8 Nov 2016 17:03:03 +0100
Subject: Enforce "Secure Secure Shell" recommendations

---
 sshd_config | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

(limited to 'sshd_config')

diff --git a/sshd_config b/sshd_config
index a67aa8a..cb6a645 100644
--- a/sshd_config
+++ b/sshd_config
@@ -16,20 +16,21 @@
 #ListenAddress ::
 # The default requires explicit activation of protocol 1
-#Protocol 2
+Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 # Minimum accepted size of the DH parameter p. By default this is set to 1024
 # to maintain compatibility with RFC4419, but should be set higher.
 # Upstream default is identical to setting this to 2048.
-#KexDHMin 1024
+#KexDHMin 4096
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
@@ -46,13 +47,13 @@
 # Authentication:
 #LoginGraceTime 2m
-#PermitRootLogin yes
+PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 #RSAAuthentication yes
-#PubkeyAuthentication yes
+PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
@@ -78,7 +79,7 @@ PasswordAuthentication no
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
 # Kerberos options
 #KerberosAuthentication no
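Review bot: The `#KexDHMin 4096` line is still commented out, so only the number in the comment changed and the raised minimum DH size is never applied; it needs to be `KexDHMin 4096` to take effect (assuming this sshd build understands the option the surrounding comment documents, which upstream OpenSSH does not). That matters because `diffie-hellman-group-exchange-sha256` in the new `KexAlgorithms` line picks its group from `/etc/ssh/moduli`, and a stock moduli file still contains 1024-bit groups that a client can steer the exchange toward; pruning the moduli file to groups of at least 2048 or 3072 bits is part of the same recommendations and should accompany this change or be noted in a comment. A `Ciphers` and `MACs` line is also part of that guidance; whether they are set elsewhere in the file is not visible in this hunk.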
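Review bot: `PermitRootLogin yes` explicitly enables direct root login, which the hardening guide this commit cites does not recommend and which is at odds with the rest of the patch. It merely restates the previous commented default, so there is no behavioural regression, but since the file already disables password and challenge-response authentication, `PermitRootLogin prohibit-password` (or `without-password` on OpenSSH before 7.0) keeps the key-based root access that is presumably wanted while guaranteeing no password path to root if `PasswordAuthentication` is ever turned back on; `PermitRootLogin no` is preferable where sudo is available. Uncommenting `PubkeyAuthentication yes` likewise only restates the default and is harmless.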
@@ -150,3 +151,5 @@ AcceptEnv LC_IDENTIFICATION LC_ALL
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
+
+AllowGroups ssh-user
-- cgit v1.2.3
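Review bot: `AllowGroups ssh-user` denies login to every account that is not in that group, including root (relevant given `PermitRootLogin yes` elsewhere in this patch) and any automation or backup accounts, so the commit carries a real lockout risk if the group does not yet exist or the administrator's account is not in it when sshd is restarted. The directive is added without any explanation; a comment such as `# Only members of ssh-user may log in over SSH (this applies to root too); create the group and add the admin account before reloading sshd` would make the precondition visible to the next maintainer. It is also worth validating with `sshd -t` and keeping an existing session open while reloading, as is usual for access-restricting changes.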