Secure SSH Config

From Bluelupo's Wiki

Creating a secure SSH config

Only the file /etc/ssh/sshd_config needs to be changed for this. The following config bases logins on SSH public keys, i.e. if no key is present the login attempt is rejected. To set this up, create the SSH keys and copy them to the respective host with the tool ssh-copy-id.


# Port number
Port 22

# The default requires explicit activation of protocol 1
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 5
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no

# similar for protocol version 2
HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server
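As an added example (not part of the wiki page and not the author's code), the following POSIX shell script checks a copy of sshd_config for the four settings the config above relies on to make logins key-only (PubkeyAuthentication yes, PasswordAuthentication no, PermitEmptyPasswords no, ChallengeResponseAuthentication no) and reports the PermitRootLogin value, which the config above leaves at yes. The function names sshd_opt and check_keyonly are chosen here, and the two config files the script writes are constructed samples, not the page's /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original wiki page: audit an sshd_config for the
# settings that make logins key-only, as the config above intends.
# Assumptions: POSIX sh plus awk, mktemp and tr; the two config files written
# below are constructed samples, not the page's /etc/ssh/sshd_config.

# Effective value of a keyword in an sshd_config file: sshd takes the first
# occurrence of a keyword, keywords are case-insensitive, and comment and blank
# lines are skipped. Match blocks are not handled; use `sshd -T` on a real
# host to see the fully resolved configuration.
sshd_opt() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/   { next }
        NF < 2             { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Returns 0 when every setting required for key-only login holds; otherwise
# prints each violated setting and returns 1.
check_keyonly() {
    f=$1
    rc=0
    for pair in \
        PubkeyAuthentication=yes \
        PasswordAuthentication=no \
        PermitEmptyPasswords=no \
        ChallengeResponseAuthentication=no
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_opt "$f" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
SAMPLE_OK=$tmpdir/sshd_config.keyonly
SAMPLE_BAD=$tmpdir/sshd_config.password

# Constructed sample mirroring the page's settings (including PermitRootLogin yes).
cat > "$SAMPLE_OK" <<'EOF'
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
# PasswordAuthentication yes   <- commented out, must be ignored by the audit
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
EOF

# Constructed sample of a stock config that still accepts passwords and
# never sets ChallengeResponseAuthentication at all.
cat > "$SAMPLE_BAD" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

for cfg in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    echo "== $cfg"
    if check_keyonly "$cfg"; then
        echo "key-only login: OK"
    else
        echo "key-only login: NOT enforced"
    fi
    # Informational only: the page's config keeps root logins enabled.
    echo "PermitRootLogin: $(sshd_opt "$cfg" PermitRootLogin)"
done
```

On a real host, point check_keyonly at /etc/ssh/sshd_config after editing it, and run `sshd -t` to catch syntax errors before restarting the daemon so that the running session is not the last one able to log in.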