Configuration SSH

Via : SSH. On crée en local et on upload : 

ssh-keygen -t ed25519 -C "Commentaire sur ma clé" # "-f ~/my-key" pour spécificer le nom et chemin
ssh-copy-id -i /home/liandri/.ssh/id_ed25519.pub liandri@server.ip

Si on se trouve dans un container style LXC cloné, supprimer et régénérer les clés SSH locales : 

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

On edit la configuration SSH : 

nano /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 27022
ListenAddress 0.0.0.0
# Écoute sur ports multiples, via https://blog.zwindler.fr/2018/06/19/openssh-ecouter-sur-des-ports-differents-en-fonction-de-linterface/
# avec écoute du port 27022 sur toutes les connexions, et sure le port 22 sur la connexion locale
# Port 27022
# ListenAddress 0.0.0.0
# ListenAddress 10.1.1.101:22

Protocol 2
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation sandbox

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

#New version from Mozilla https://infosec.mozilla.org/guidelines/openssh
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
AllowUsers liandri
#Temps avant déconnexion auto
ClientAliveInterval 1800
#Methode d'auth
AuthenticationMethods publickey
#algo
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs umac-128-etm@openssh.com,umac-128@openssh.com

On redémarre SSH : 

service ssh restart

ou 

systemctl restart ssh

On pourrait aller plus loin avec RSSH (https://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html), pour restreindre certains utilisateurs à des dossiers spécifiques avec ssh/sftp.

Gadget : installer un MotD

On se basera sur la source : https://github.com/ldidry/dynamic-motd
On peut aussi regarder du côté de https://github.com/rda0/motd
On commence par installer les dépendances et cloner la source : 

apt-get install figlet lsb-release python-utmp bc git
# Si l'on souhaite une alerte  savoir si le serveur nécessite un redémarrage de certains services (détection plus rapide)
apt-get install debian-goodies
# Si l'on souhaite une alerte savoir si le serveur nécessite un redémarrage machine (détection assez lente)
apt-get install needrestart
git clone https://github.com/ldidry/dynamic-motd

On déploie les fichiers nécessaires : 

cd dynamic-motd
cp -r update-motd.d/ /etc
rm /etc/motd
ln -s /var/run/motd /etc/motd

Ce qui au final, donne un rendu : 

\ \ /\ / /\ \ /\ / /\ \ /\ / /
   \ V  V /  \ V  V /  \ V  V /
    \_/\_/    \_/\_/    \_/\_/


  Debian GNU/Linux 9.4 (stretch) (kernel 4.9.0-6-amd64)


  System information as of Sun May 20 17:17:06 2018

  System load:  0.05                 Processes:           189
  Memory usage: 36%                  Users logged in:     1
  Swap usage:   0%
  Disk Usage:
    Usage of /                       : 71.3% of 46.53GB
  Inode Usage:
    Usage of /                       : 33.0% of 3115056

  Logged in users:
  root       from :0                        at Sun May 20 16:35:56 2018

  2 services need to be restarted.
  Use checkrestart to list and restart them.

Last login: Sun May 20 17:12:04 2018 from 192.168.7.10
  • system/linux/debian/1-ssh.txt
  • Dernière modification: 2023/08/05 16:22
  • (modification externe)