SSH configuration
SSH hardening
I based this on StéphaneHUC's article to harden the service's configuration.
cd /etc/ssh
ls
# keep a read-only backup of the DH moduli, then drop every group smaller than 3072 bits
sudo cp /etc/ssh/moduli /etc/ssh/moduli.bckp
sudo chmod 0400 /etc/ssh/moduli.bckp
# the redirection has to run as root as well, otherwise the shell cannot write into /etc/ssh
awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.safe > /dev/null
sudo mv /etc/ssh/moduli.safe /etc/ssh/moduli
# regenerate the host keys as root: only ed25519 and a 4096-bit RSA key are kept
sudo rm ssh_host_*
sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" -o -a 64
sudo ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" -o -a 64
sshd service configuration
Server side
# vi /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2022
AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 3
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
# Allow password authentication so that ssh-copy-id can be used, then switch back to no
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
Client side
Generating a key pair
ssh-keygen -o -a 100 -t ed25519 -f ./ssh/id_ed25519_ordinatous -C "ordinatous@computerclub.local"
A private key and a public key are created; it is the public key (the one ending in .pub) that has to be copied to the server.
Along the way we can see that zsh corrects typos... Let me redo a key creation with the full output.
ssh-keygen -o -a 100 -t ed25519 -f ./ssh/id_ed25519_test -C "test@computerclub.local"
zsh: correct './ssh/id_ed25519_test' to './.ssh/id_ed25519_test' [nyae]? y
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./.ssh/id_ed25519_test.
Your public key has been saved in ./.ssh/id_ed25519_test.pub.
The key fingerprint is:
SHA256:HcNANpJZW8a7K9mcFaU/LiAdrHS/fLDot9UHlfZwu/E test@computerclub.local
The key's randomart image is:
+--[ED25519 256]--+
| .=*.o |
| oo B. . .|
| ..+. o.oo|
| ..=oo .+o|
| .S+.+ o.o.|
| o + + oo+|
| = B =.oE|
| o * *.o .|
| o...+ |
+----[SHA256]-----+
Copying the public key
To allow the copy with ssh-copy-id, password login has to be permitted the first time.
ssh-copy-id -i ~/.ssh/id_ed25519_ordinatous.pub -p 2022 192.168.200.76
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ordinatous/.ssh/id_ed25519_ordinatous.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '2022' '192.168.200.76'"
and check to make sure that only the key(s) you wanted were added.
Creating the user's config file
For a more convenient connection, you might as well create a configuration file where all the connection details are stored.
vi ~/.ssh/config
Host debian10-tuto.computerclub.local
    # alias used on the command line; the real target is the IP address below
    Compression yes
    HostName 192.168.200.76
    Port 2022
    User ordinatous
    # offer only this key, not every identity loaded in the agent
    IdentityFile ~/.ssh/id_ed25519_ordinatous
    IdentitiesOnly yes
Connecting
ssh debian10-tuto.computerclub.local
Linux debian10-tuto 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 26 12:12:34 2020 from 192.168.200.1
I am now connected to debian10-tuto; all that remains is to edit /etc/ssh/sshd_config and switch PasswordAuthentication yes to PasswordAuthentication no.
ordinatous@debian10-tuto:~$ sudo service ssh status
[sudo] Mot de passe de ordinatous :
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-09-26 12:14:26 CEST; 45min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 4674 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 4675 (sshd)
    Tasks: 1 (limit: 1138)
   Memory: 5.1M
   CGroup: /system.slice/ssh.service
           └─4675 /usr/sbin/sshd -D

sept. 26 12:14:26 debian10-tuto systemd[1]: Starting OpenBSD Secure Shell server...
sept. 26 12:14:26 debian10-tuto sshd[4675]: Server listening on 0.0.0.0 port 2022.
sept. 26 12:14:26 debian10-tuto systemd[1]: Started OpenBSD Secure Shell server.
sept. 26 12:59:32 debian10-tuto sshd[4743]: Accepted publickey for ordinatous from 192.168.200.1 port 50934 ssh2: ED25519 SH
sept. 26 12:59:32 debian10-tuto sshd[4743]: pam_unix(sshd:session): session opened for user ordinatous by (uid=0)
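As an added example (not from the original post nor from StéphaneHUC's article), a small POSIX shell audit that reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins) and flags any directive set in the server configuration above that deviates, in particular a PasswordAuthentication yes still in place after ssh-copy-id; the sample config it writes is constructed, and Match blocks are assumed absent, as on this page.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# hardening choices above. sshd takes the FIRST uncommented occurrence of a
# keyword (case-insensitive); Match blocks are skipped (none on this page).

# Print the effective value of a directive, lowercased, or nothing if it is
# left at its default (commented out or absent).
sshd_effective() {            # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank
        tolower($1) == "match" { exit }                 # stop at Match blocks
        tolower($1) == key { print tolower($2); exit }  # first match wins
    ' "$1"
}

# Check the directives this page sets explicitly; print one line per finding
# and return 1 if anything deviates, 0 when the file is hardened.
sshd_audit() {                # $1 = config file
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no ChallengeResponseAuthentication=no \
                PubkeyAuthentication=yes StrictModes=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key = '${got:-<default>}' (want $want)"; rc=1
        fi
    done
    # Key exchange must be restricted to curve25519, as in the config above.
    case $(sshd_effective "$1" KexAlgorithms) in
        *curve25519*) ;;
        *) echo "FAIL KexAlgorithms not restricted to curve25519"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the server right after ssh-copy-id, with the temporary
# "PasswordAuthentication yes" still first, so the "no" below it is ignored.
write_sample_config() {       # $1 = output file
    cat > "$1" <<'EOF'
Port 2022
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
StrictModes yes
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
EOF
}
```

Run it on the real file with `sshd_audit /etc/ssh/sshd_config` after sourcing the script; once the temporary yes line is removed the audit passes, and `sshd -t` remains the final syntax check before reloading the service.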
This work is licensed under Attribution-NonCommercial 4.0 International.