Configuration de ssh

 

Durcissement de SSH

Je me suis basé sur l’article de Stéphane HUC , pour durcire la configuration du service.

cd /etc/ssh
ls
sudo cp /etc/ssh/moduli /etc/ssh/moduli.bckp
sudo chmod 0400 /etc/ssh/moduli.bckp
sudo awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe

rm ssh_host_*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" -o -a 64
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" -o -a 64

Configuration du service sshd

Partie serveur

# vi /etc/ssh/sshd_config

#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 2022
AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 3

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# Autoriser l'authentification par mot de passe pour permettre le ssh-copy-id , puis basculer à no
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

Partie client

  • Génération d’une paire de clé
    • ssh-keygen -o -a 100 -t ed25519 -f ./ssh/id_ed25519_ordinatous -C "ordinatous@computerclub.local"

    • Une clé privé et une clé public sont crées, c’est la clé public publickey se terminant par .pub qu’il faut copier vers le serveur.
    • Au passage on voit que zsh permet de corriger les fautes de frappes… Je vous refait une création de clé avec l’ensemble du message.
    ssh-keygen -o -a 100 -t ed25519 -f ./ssh/id_ed25519_test -C "test@computerclub.local"
    zsh: correct './ssh/id_ed25519_test' to './.ssh/id_ed25519_test' [nyae]? y
    Generating public/private ed25519 key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in ./.ssh/id_ed25519_test.
    Your public key has been saved in ./.ssh/id_ed25519_test.pub.
    The key fingerprint is:
    SHA256:HcNANpJZW8a7K9mcFaU/LiAdrHS/fLDot9UHlfZwu/E test@computerclub.local
    The key's randomart image is:
    +--[ED25519 256]--+
    |      .=*.o      |
    |      oo B.   . .|
    |        ..+. o.oo|
    |        ..=oo .+o|
    |       .S+.+ o.o.|
    |        o + + oo+|
    |         = B =.oE|
    |        o * *.o .|
    |         o...+   |
    +----[SHA256]-----+
    
    
  • Copie de la clé publique
  • Pour permettre la copie avec ssh-copy-id , il faut autoriser la connexion par mot de passe la première fois.
    ssh-copy-id -i ~/.ssh/id_ed25519_ordinatous.pub -p 2022 192.168.200.76
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ordinatous/.ssh/id_ed25519_ordinatous.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    Number of key(s) added: 1
    Now try logging into the machine, with:   "ssh -p '2022' '192.168.200.76'"
    and check to make sure that only the key(s) you wanted were added.
    
  • Creation du fichier config de l’utilisateur
    • Pour plus de confort à la connexion autant se créer un fichier de configuration , ou toutes les informations de connexions sont renseignés .

    vi ~/.ssh/config

Host debian10-tuto.computerclub.local
    Compression yes
    Hostname 192.168.200.76
    port 2022
    user ordinatous
    IdentityFile ~/.ssh/id_ed25519_ordinatous
    IdentitiesOnly yes
  • Connexion
ssh debian10-tuto.computerclub.local
Linux debian10-tuto 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 26 12:12:34 2020 from 192.168.200.1
  • Je suis maintenant connecté à debian10-tuto, il ne reste plus qu’à modifier le fichier /etc/ssh/sshd_config et basculer PasswordAuthentication yes à PasswordAuthentication no
    ordinatous@debian10-tuto:~$ sudo service ssh status
    [sudo] Mot de passe de ordinatous : 
    ● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2020-09-26 12:14:26 CEST; 45min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 4674 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
     Main PID: 4675 (sshd)
      Tasks: 1 (limit: 1138)
     Memory: 5.1M
     CGroup: /system.slice/ssh.service
             └─4675 /usr/sbin/sshd -D
    sept. 26 12:14:26 debian10-tuto systemd[1]: Starting OpenBSD Secure Shell server...
    sept. 26 12:14:26 debian10-tuto sshd[4675]: Server listening on 0.0.0.0 port 2022.
    sept. 26 12:14:26 debian10-tuto systemd[1]: Started OpenBSD Secure Shell server.
    sept. 26 12:59:32 debian10-tuto sshd[4743]: Accepted publickey for ordinatous from 192.168.200.1 port 50934 ssh2: ED25519 SH
    sept. 26 12:59:32 debian10-tuto sshd[4743]: pam_unix(sshd:session): session opened for user ordinatous by (uid=0)
    lines 1-17/17 (END)