

Contents

Relationship of configuration files
Common configuration options for individual use
Common configuration changes for the enterprise
Cryptographic policy
Verbose logging
AuthorizedKeysFile location
Root login
Login banner
Port forwarding
Certificate-based authentication
Detailed sshd_config file format

Relationship of configuration files

The SSH server actually reads several configuration files. The sshd_config file specifies the locations of one or more host key files (mandatory) and the location of authorized_keys files for users. It may also refer to a number of other files.

Common configuration options for individual use

Many individual developers and power users wish to maximize their convenience rather than go for maximum security. For such use, we recommend the following settings for homes, development servers, and universities. For important systems even such organizations should follow the guidelines for configuring enterprise servers.

    PermitRootLogin yes
    AllowAgentForwarding yes
    X11Forwarding yes

Common configuration changes for the enterprise

Larger enterprises, or others wanting to run a tight security policy for certain servers, may want to configure the following configuration options.

Cryptographic policy

Symmetric algorithms for encrypting the bulk of transferred data are configured using the Ciphers option. A good value is aes128-ctr,aes192-ctr,aes256-ctr. This should also provide good interoperability.

Host key algorithms are selected by the HostKeyAlgorithms option. A good value is ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss.

Key exchange algorithms are selected by the KexAlgorithms option. We recommend ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256. In particular, we do not recommend allowing diffie-hellman-group1-sha1, unless needed for compatibility. It uses a 768-bit prime number, which is too small by today's standards and may be breakable by intelligence agencies in real time. Using it could expose connections to man-in-the-middle attacks when faced with such adversaries.

Message authentication code algorithms are configured using the MACs option. A good value is hmac-sha2-256,hmac-sha2-512,hmac-sha1.

We have included the sha-1 algorithm in the above sets only for compatibility. Its use is questionable from a security perspective. If it is not needed for compatibility, we recommend disabling it.

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1

Some organizations may also want to set policy for PubkeyAcceptedKeyTypes. The same value as for HostKeyAlgorithms would make sense. However, restricting this value could abruptly break business-critical connections, and we recommend only setting it after analyzing all existing authorized keys for the algorithms they use.

Verbose logging

It is strongly recommended that LogLevel be set to VERBOSE. This way, the key fingerprint for any SSH key used for login is logged.
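The following is an added example, not code from the original page: it checks a sshd_config against the cryptographic policy and the LogLevel VERBOSE recommendation above, and tallies the key types in an authorized_keys file, which is the analysis the text asks for before restricting PubkeyAcceptedKeyTypes. The function names, policy table layout and both sample inputs are the example's own assumptions.

```python
import re
from collections import Counter

# Recommended values from the text; group1 (768-bit prime) is the one to refuse.
POLICY = {
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr",
    "hostkeyalgorithms": "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss",
    "kexalgorithms": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256",
    "macs": "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
}
DISALLOWED = {"diffie-hellman-group1-sha1"}

def parse_sshd_config(text):
    """Lowercased keyword -> value; '=' or whitespace separator, first occurrence wins."""
    conf = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#"):
            m = re.match(r"([^\s=]*)\s*=?\s*(.*)", line)
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf

def audit(conf):
    """Findings against POLICY plus the LogLevel VERBOSE recommendation."""
    findings = []
    for key, recommended in POLICY.items():
        if key not in conf:
            findings.append(f"{key}: not set, server default applies")
            continue
        for alg in conf[key].split(","):
            if alg not in recommended.split(","):
                why = "disallowed 768-bit group" if alg in DISALLOWED else "outside recommended set"
                findings.append(f"{key}: {alg} ({why})")
    if conf.get("loglevel", "").upper() != "VERBOSE":
        findings.append("loglevel: set VERBOSE so login key fingerprints are logged")
    return findings

def authorized_key_types(text):
    """Count key types; a leading options field (from=..., no-pty) is skipped."""
    counts = Counter()
    for tokens in (ln.split() for ln in text.splitlines()):
        key_type = next((t for t in tokens if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if tokens and not tokens[0].startswith("#") and key_type:
            counts[key_type] += 1
    return counts

# Constructed samples, not taken from a real host.
SAMPLE_CONFIG = ("LogLevel INFO\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n"
                 "KexAlgorithms=ecdh-sha2-nistp256,diffie-hellman-group1-sha1\nMACs hmac-sha2-256\n")
SAMPLE_KEYS = ("ssh-rsa AAAA_constructed alice@example\n"
               'from="192.0.2.10",no-pty ssh-dss AAAA_constructed bob@example\n'
               "ecdsa-sha2-nistp256 AAAA_constructed carol@example\n")
```

Run `audit(parse_sshd_config(SAMPLE_CONFIG))` to list the deviations and `authorized_key_types(SAMPLE_KEYS)` to see which key types existing users rely on before tightening PubkeyAcceptedKeyTypes.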
