
Openssh windows 64 bit
The Security Assurance and Security Operations teams maintain this document as a reference guide. The goal of this document is to help operational teams with the configuration of OpenSSH server and client. All Mozilla sites and deployments should follow the recommendations below.

Only non-default settings are listed in this document

Most default OpenSSH settings that are security-related already provide good security, thus changing them is at your own risk and is not documented here. For example, these guidelines assume only SSH protocol 2 is configured in the server, and SSH protocol 1 is disabled. This also assumes that you are keeping OpenSSH up-to-date with security patches. See man sshd_config and man ssh_config for more information on specific settings if you nevertheless need to change them.

OpenSSH server

Configuration

Different versions of OpenSSH support different options which are not always compatible. This guide shows settings for the most commonly deployed OpenSSH versions at Mozilla; however, using the latest version of OpenSSH is recommended.

Modern (OpenSSH 6.7+)

Settings for /etc/ssh/sshd_config:

Supported HostKey algorithms are listed by order of preference.

Password based logins are disabled; only public key based logins are allowed.

LogLevel VERBOSE logs the user's key fingerprint on login. This is needed to have a clear audit track of which key was used to log in.

Log sftp level file access (read/write/etc.) that would not be easily logged otherwise:
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

Root login is not allowed for auditing reasons. This is because it is difficult to track which process belongs to which root user: on Linux, user sessions are tracked using a kernel-side session id, however this session id is not recorded by OpenSSH, and only tools such as systemd and auditd record the process session id; on other OSes, the user session id is not necessarily recorded at all kernel-side. Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit track.

All Diffie-Hellman moduli in use should be at least 3072-bit-long (they are used for diffie-hellman-group-exchange-sha256) as per our Key management Guidelines recommendations. The size field of a moduli line is one less than the nominal bit length, so a 3072-bit group is recorded as 3071. To deactivate short moduli in two commands:

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli

Intermediate (OpenSSH 5.3)

This is mainly for use by RHEL6, CentOS6, etc.

Settings for /etc/ssh/sshd_config:

KexAlgorithms diffie-hellman-group-exchange-sha256

Password based logins are disabled; only public key based logins are allowed. RequiredAuthentications2 does not work on official OpenSSH 5.3 portable, so on that build use the equivalent per-method directives instead.

All Diffie-Hellman moduli in use should be at least 2048-bit-long. From the structure of moduli files, this means the fifth field of all lines in this file should be greater than or equal to 2047. To deactivate weak moduli in two commands:

awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli

Multi-Factor Authentication (OpenSSH 6.3+)

Recent versions of OpenSSH support MFA (Multi-Factor Authentication). It requires additional setup, such as using the OATH Toolkit or DuoSecurity.

ATTENTION: In order to allow using one time passwords (OTPs) and any other text input, keyboard-interactive authentication is enabled in OpenSSH. This MAY allow password authentication to work. It is therefore very important to check your PAM configuration so that PAM disallows password authentication for OpenSSH. WARNING: make sure any password authentication module is disabled.
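The moduli filtering described in this guide (the awk-then-mv pair used for both the 3072-bit and 2048-bit thresholds), as an added example that is not part of the Mozilla guide: a small POSIX shell script that does the same filtering over a constructed sample moduli file, takes the nominal bit length as a parameter and derives the size-minus-one threshold itself, keeps comment lines, and replaces the file atomically. The moduli line layout (seven fields, size in the fifth) is OpenSSH's; the sample values and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the Mozilla guide's own code): filter an OpenSSH moduli
# file so that only groups of at least MIN_BITS bits remain.  The size field
# (5th column) in moduli files is one less than the nominal group size, so a
# 2048-bit group is recorded as 2047 and a 3072-bit group as 3071.

# filter_moduli MIN_BITS SRC DST
#   Writes to DST every line of SRC that is a comment or whose 5th field is
#   >= MIN_BITS - 1.  DST is built in a temp file and renamed into place so an
#   interrupted run cannot leave sshd with a truncated moduli file.
filter_moduli() {
    min_bits=$1; src=$2; dst=$3
    threshold=$((min_bits - 1))
    tmp="$dst.tmp.$$"
    awk -v t="$threshold" '/^#/ || $5 >= t' "$src" > "$tmp" && mv "$tmp" "$dst"
}

# count_groups FILE: number of usable (non-comment) moduli lines in FILE.
count_groups() {
    grep -vc '^#' "$1"
}

# Constructed sample in the real moduli layout:
#   time type tests trials size generator modulus   (moduli shortened, not real)
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Constructed sample moduli file (values are NOT real safe primes)
20230101000000 2 6 100 1023 2 E3D7FFFFFFFFFFFFFFFFFFFFFFFFFFFF
20230101000000 2 6 100 2047 2 F1C2FFFFFFFFFFFFFFFFFFFFFFFFFFFF
20230101000000 2 6 100 3071 5 A9B8FFFFFFFFFFFFFFFFFFFFFFFFFFFF
20230101000000 2 6 100 4095 2 C4D5FFFFFFFFFFFFFFFFFFFFFFFFFFFF
20230101000000 2 6 100 8191 2 D6E7FFFFFFFFFFFFFFFFFFFFFFFFFFFF
EOF
}

# Demo against a scratch copy rather than /etc/ssh/moduli.
demo() {
    d=$(mktemp -d)
    write_sample_moduli "$d/moduli"
    filter_moduli 3072 "$d/moduli" "$d/moduli.modern"
    filter_moduli 2048 "$d/moduli" "$d/moduli.intermediate"
    echo "original:     $(count_groups "$d/moduli") groups"
    echo "modern:       $(count_groups "$d/moduli.modern") groups (>= 3072 bits)"
    echo "intermediate: $(count_groups "$d/moduli.intermediate") groups (>= 2048 bits)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh filter_moduli.sh demo` to see the counts on the sample; on a real host call `filter_moduli 3072 /etc/ssh/moduli /etc/ssh/moduli` as root after backing the file up, and restart sshd so the new file is read.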
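As an added example (the editor's, not the guide's), a shell audit that checks an sshd_config against the server settings this guide describes: public key only logins, LogLevel VERBOSE, sftp logging to AUTHPRIV at INFO, no root login, and the MFA caveat that keyboard-interactive must be backed by a PAM stack with password modules disabled. The directives it checks (AuthenticationMethods, PasswordAuthentication, PermitRootLogin, LogLevel, Subsystem) are real OpenSSH directives, but treating them as the way the guide's comments are implemented is this example's assumption; the three sample configurations are constructed.

```shell
#!/bin/sh
# Added example (editor's own, not the Mozilla guide's code): audit an
# sshd_config for the non-default settings the guide describes.  Directive
# names are assumed to be how the guide's comments are implemented.

# sshd_value FILE DIRECTIVE
#   Prints the effective value of DIRECTIVE: sshd takes the first occurrence,
#   names are case-insensitive, and lines starting with '#' are comments.
sshd_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_sshd_config FILE
#   Prints one line per finding and returns the number of findings (0 = clean).
audit_sshd_config() {
    f=$1; n=0

    root=$(sshd_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$root" = "no" ] || { echo "PermitRootLogin must be 'no' (found '${root:-unset}')"; n=$((n + 1)); }

    lvl=$(sshd_value "$f" LogLevel | tr 'a-z' 'A-Z')
    [ "$lvl" = "VERBOSE" ] || { echo "LogLevel must be VERBOSE to log key fingerprints (found '${lvl:-unset}')"; n=$((n + 1)); }

    pw=$(sshd_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$pw" = "no" ] || { echo "PasswordAuthentication must be 'no' (found '${pw:-unset}')"; n=$((n + 1)); }

    am=$(sshd_value "$f" AuthenticationMethods)
    case "$am" in
        "")          echo "AuthenticationMethods unset: a public key is not required"; n=$((n + 1)) ;;
        *publickey*) ;;
        *)           echo "AuthenticationMethods does not require publickey (found '$am')"; n=$((n + 1)) ;;
    esac
    # The guide's MFA caveat: keyboard-interactive goes through PAM, which will
    # accept a plain password unless its password modules are disabled for sshd.
    case "$am" in
        *keyboard-interactive*) echo "NOTE: keyboard-interactive is enabled; verify the sshd PAM stack disallows password authentication" ;;
    esac

    sftp=$(sshd_value "$f" Subsystem)
    case "$sftp" in
        "sftp "*"-f AUTHPRIV"*"-l INFO"*) ;;
        *) echo "sftp subsystem must log with '-f AUTHPRIV -l INFO' (found '${sftp:-unset}')"; n=$((n + 1)) ;;
    esac
    return $n
}

# Constructed sample configurations (not taken from any real host).
write_hardened_config() {
    cat > "$1" <<'EOF'
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
PasswordAuthentication no
# LogLevel VERBOSE logs user's key fingerprint on login.
LogLevel VERBOSE
# Log sftp level file access that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
# Root login is not allowed for auditing reasons.
PermitRootLogin no
EOF
}
write_mfa_config() {
    cat > "$1" <<'EOF'
AuthenticationMethods publickey,keyboard-interactive:pam
PasswordAuthentication no
ChallengeResponseAuthentication yes
LogLevel VERBOSE
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
PermitRootLogin no
EOF
}
write_weak_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Demo: audit all three samples from a scratch directory.
demo() {
    d=$(mktemp -d)
    for name in hardened mfa weak; do
        "write_${name}_config" "$d/$name"
        echo "== $name =="
        audit_sshd_config "$d/$name" && echo "clean"
    done
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host, `audit_sshd_config /etc/ssh/sshd_config` gives a quick pass/fail for the guide's settings; the MFA note is deliberately not counted as a finding, because whether keyboard-interactive is safe depends on the PAM stack, which this script does not read.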






