From 8360d96d62a8d6253a98911052109ba1191cd4dc Mon Sep 17 00:00:00 2001 From: Marc Beninca Date: Tue, 5 Dec 2017 20:18:59 +0100 Subject: [PATCH] ssh server --- source/openssh-server/index.rst | 78 +++++++++++++++++++++++++++++++++ source/security.rst | 1 + 2 files changed, 79 insertions(+) create mode 100644 source/openssh-server/index.rst diff --git a/source/openssh-server/index.rst b/source/openssh-server/index.rst new file mode 100644 index 0000000..af4c650 --- /dev/null +++ b/source/openssh-server/index.rst @@ -0,0 +1,78 @@ +############## +OpenSSH server +############## + +********* +Configure +********* + +* /etc/ssh/moduli + +Generate usable prime numbers pool. + +.. warning:: + + These are **VERY** long operations! + +.. code:: shell + + ssh-keygen -b 4096 -G 4096.G + ssh-keygen -f 4096.G -T moduli + +* /etc/ssh/ssh_host_*_key + +types: rsa/ed25519/…? + +.. code:: shell + + ssh-keygen -b 4096 -f /etc/ssh/ssh_host_rsa_key + +* /etc/ssh/sshd_config + +:: + + # daemon + AllowTcpForwarding yes + ClientAliveInterval 30 + Compression no + HostKey /etc/ssh/ssh_host_rsa_key + IgnoreRhosts yes + LogLevel INFO + MaxStartups 16:32:64 + PermitTunnel no + Port 22 + Protocol 2 + Subsystem sftp internal-sftp + TCPKeepAlive yes + UseDNS no + UseLogin no + UsePAM yes + X11Forwarding no + + # authentication + AuthorizedKeysFile .ssh/authorized_keys + ChallengeResponseAuthentication no + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr + HostbasedAuthentication no + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + LoginGraceTime 60 + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256 + PasswordAuthentication no + PermitEmptyPasswords no + PermitRootLogin without-password + PubkeyAuthentication yes + StrictModes yes + UsePrivilegeSeparation sandbox + + # prompt + Banner none + DebianBanner no + PrintLastLog yes + PrintMotd no + VersionAddendum none + +* authorized_keys + +:: + + TODO diff --git a/source/security.rst b/source/security.rst index c4ae72d..b53d51c 100644 --- a/source/security.rst +++ b/source/security.rst @@ -6,4 +6,5 @@ Security :maxdepth: 2 openssh-client/index + openssh-server/index openssl/index