ssh:configure_sshd_with_multiple_authentication_factors
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| ssh:configure_sshd_with_multiple_authentication_factors [2017/03/16 23:25] – created peter | ssh:configure_sshd_with_multiple_authentication_factors [2019/12/04 21:22] (current) – removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== SSH - Configure sshd with multiple authentication factors ====== | ||
| - | |||
| - | With this setup, a user attempting to log into this OpenSSH server will need to provide a valid username, a valid PKI private key that matches the user’s authorized public key, and finally, the user’s password. | ||
| - | |||
| - | <file bash / | ||
| - | # TCP port to bind to. | ||
| - | # Change to a high/odd port if this server is exposed to the internet directly. | ||
| - | Port 22 | ||
| - | |||
| - | # Bind to all interfaces (change to specific interface if needed). | ||
| - | ListenAddress 0.0.0.0 | ||
| - | |||
| - | # Force SSHv2 Protocol. | ||
| - | Protocol 2 | ||
| - | |||
| - | # HostKeys for protocol version 2. | ||
| - | HostKey / | ||
| - | HostKey / | ||
| - | HostKey / | ||
| - | |||
| - | # Privilege Separation is turned on for security. | ||
| - | UsePrivilegeSeparation yes | ||
| - | |||
| - | # Deny all other users besides the following. | ||
| - | AllowUsers jcornutt | ||
| - | |||
| - | # Client timeout (5 minutes). | ||
| - | ClientAliveInterval 300 | ||
| - | ClientAliveCountMax 0 | ||
| - | |||
| - | # Compression (only after authentication). | ||
| - | Compression delayed | ||
| - | |||
| - | # Logging. | ||
| - | SyslogFacility AUTH | ||
| - | LogLevel VERBOSE | ||
| - | |||
| - | # Authentication must happen within 30 seconds. | ||
| - | LoginGraceTime 30 | ||
| - | |||
| - | # Disable root SSH access. | ||
| - | PermitRootLogin no | ||
| - | PermitEmptyPasswords no | ||
| - | |||
| - | # Check user folder permissions before allowing access. | ||
| - | StrictModes yes | ||
| - | |||
| - | # Public key authentication + Password authentication. | ||
| - | # Two-Factor Authentication in OpenSSH v6.2+. | ||
| - | RSAAuthentication yes | ||
| - | PubkeyAuthentication yes | ||
| - | PasswordAuthentication yes | ||
| - | AuthenticationMethods publickey, | ||
| - | |||
| - | # Change this depending on where your authorized_keys file is. | ||
| - | # This is set as a workaround when using encrypted home directories. | ||
| - | # Link: https:// | ||
| - | AuthorizedKeysFile / | ||
| - | |||
| - | # Message Authentication Code (Hash, only SHA2-512) | ||
| - | # SHA-256 included for compat with PuTTY-WinCrypt clients. | ||
| - | MACs hmac-sha2-512, | ||
| - | |||
| - | # Ciphers (only secure AES-256). | ||
| - | Ciphers aes256-cbc, | ||
| - | |||
| - | # Key Exchange algorithms (Elliptic Curve Diffie-Hellman). | ||
| - | # DH-SHA-256 included for compat with PuTTY-WinCrypt clients. | ||
| - | KexAlgorithms ecdh-sha2-nistp521, | ||
| - | |||
| - | # Don’t read the user’s ~/.rhosts and ~/.shosts files. | ||
| - | IgnoreRhosts yes | ||
| - | |||
| - | # Disable unused authentication schemes. | ||
| - | RhostsRSAAuthentication no | ||
| - | HostbasedAuthentication no | ||
| - | ChallengeResponseAuthentication no | ||
| - | KerberosAuthentication no | ||
| - | GSSAPIAuthentication no | ||
| - | UsePAM no | ||
| - | |||
| - | # X11 support. | ||
| - | X11Forwarding no | ||
| - | |||
| - | # Don’t show Message of the Day. | ||
| - | PrintMotd no | ||
| - | |||
| - | # TCPKeepAlive (non-tunneled, | ||
| - | TCPKeepAlive no | ||
| - | |||
| - | # Allow client to pass locale environment variables. | ||
| - | AcceptEnv LANG LC_* | ||
| - | </ | ||
ssh/configure_sshd_with_multiple_authentication_factors.1489706703.txt.gz · Last modified: 2020/07/15 09:30 (external edit)