rtfd/docs/public/sshd/index.rst

sshd
====

====== ==============
debian openssh-server
====== ==============

.. todo:: refresh sshd_config configuration

Check options
-------------

::

 sshd -t
 sshd -T

List algorithms
---------------

::

 ssh -Q cipher
 ssh -Q cipher-auth
 ssh -Q mac
 ssh -Q kex
 ssh -Q key

Configure
---------

* /etc/ssh/moduli

Generate usable prime numbers pool.

.. warning::

  These are **VERY** long operations!

.. code:: shell

  ssh-keygen -b 4096 -G 4096.G
  ssh-keygen -f 4096.G -T moduli

* /etc/ssh/ssh_host_*_key

types: rsa/ed25519/…?

.. code:: shell

  ssh-keygen -b 4096 -f /etc/ssh/ssh_host_rsa_key

* /etc/ssh/sshd_config

::

  # daemon
  AllowTcpForwarding yes
  ClientAliveInterval 30
  Compression no
  HostKey /etc/ssh/ssh_host_rsa_key
  IgnoreRhosts yes
  LogLevel INFO
  MaxStartups 16:32:64
  PermitTunnel no
  Port 22
  Protocol 2
  Subsystem sftp internal-sftp
  TCPKeepAlive yes
  UseDNS no
  UseLogin no
  UsePAM no
  X11Forwarding no

  # authentication
  AuthorizedKeysFile .ssh/authorized_keys
  ChallengeResponseAuthentication no
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
  HostbasedAuthentication no
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  LoginGraceTime 60
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
  PasswordAuthentication no
  PermitEmptyPasswords no
  PermitRootLogin prohibit-password
  PubkeyAuthentication yes
  StrictModes yes
  UsePrivilegeSeparation sandbox

  # prompt
  Banner none
  DebianBanner no
  PrintLastLog yes
  PrintMotd no
  VersionAddendum none

* authorized_keys

.. todo:: about
ssh/sshd 2020-03-07 19:19:22 +00:00			`sshd`
			`====`

			`====== ==============`
			`debian openssh-server`
			`====== ==============`
ssh/algo/list 2019-08-05 14:32:00 +00:00
openssh-server 2019-08-25 09:07:35 +00:00			`.. todo:: refresh sshd_config configuration`

sshd/config/test 2019-08-05 14:37:40 +00:00			`Check options`
			`-------------`

			`::`

			`sshd -t`
			`sshd -T`

ssh/algo/list 2019-08-05 14:32:00 +00:00			`List algorithms`
			`---------------`

			`::`

			`ssh -Q cipher`
			`ssh -Q cipher-auth`
			`ssh -Q mac`
			`ssh -Q kex`
			`ssh -Q key`
ssh server 2017-12-05 19:18:59 +00:00
			`Configure`
ssh/algo/list 2019-08-05 14:32:00 +00:00			`---------`
ssh server 2017-12-05 19:18:59 +00:00
			`* /etc/ssh/moduli`

			`Generate usable prime numbers pool.`

			`.. warning::`

			`These are VERY long operations!`

			`.. code:: shell`

			`ssh-keygen -b 4096 -G 4096.G`
			`ssh-keygen -f 4096.G -T moduli`

			`* /etc/ssh/ssh_host_*_key`

			`types: rsa/ed25519/…?`

			`.. code:: shell`

			`ssh-keygen -b 4096 -f /etc/ssh/ssh_host_rsa_key`

			`* /etc/ssh/sshd_config`

			`::`

			`# daemon`
			`AllowTcpForwarding yes`
			`ClientAliveInterval 30`
			`Compression no`
			`HostKey /etc/ssh/ssh_host_rsa_key`
			`IgnoreRhosts yes`
			`LogLevel INFO`
			`MaxStartups 16:32:64`
			`PermitTunnel no`
			`Port 22`
			`Protocol 2`
			`Subsystem sftp internal-sftp`
			`TCPKeepAlive yes`
			`UseDNS no`
			`UseLogin no`
sshd use pam no 2020-04-18 23:04:40 +00:00			`UsePAM no`
ssh server 2017-12-05 19:18:59 +00:00			`X11Forwarding no`

			`# authentication`
			`AuthorizedKeysFile .ssh/authorized_keys`
			`ChallengeResponseAuthentication no`
			`Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr`
			`HostbasedAuthentication no`
			`KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`
			`LoginGraceTime 60`
			`MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256`
			`PasswordAuthentication no`
			`PermitEmptyPasswords no`
sshd use pam no 2020-04-18 23:04:40 +00:00			`PermitRootLogin prohibit-password`
ssh server 2017-12-05 19:18:59 +00:00			`PubkeyAuthentication yes`
			`StrictModes yes`
			`UsePrivilegeSeparation sandbox`

			`# prompt`
			`Banner none`
			`DebianBanner no`
			`PrintLastLog yes`
			`PrintMotd no`
			`VersionAddendum none`

			`* authorized_keys`

_toctree 2018-05-11 19:34:48 +00:00			`.. todo:: about`