The goal of this document is to help operational teams with the configuration of OpenSSH server and client. All Mozilla sites and deployments should follow the recommendations below. The Security Assurance and Security Operations teams maintain this document as a reference guide.

Only non-default settings are listed in this document. Most default OpenSSH settings that are security-related already provide good security, thus changing them is at your own risk and is not documented here. For example, these guidelines assume only SSH protocol 2 is configured in the server, and SSH protocol 1 is disabled. This also assumes that you are keeping OpenSSH up-to-date with security patches. See man sshd_config and man ssh_config for more information on specific settings if you nevertheless need to change them.

OpenSSH server Configuration

Different versions of OpenSSH support different options which are not always compatible. This guide shows settings for the most commonly deployed OpenSSH versions at Mozilla; however, using the latest version of OpenSSH is recommended.

```
# Supported HostKey algorithms by order of preference.

KexAlgorithms

# Password based logins are disabled - only public key based logins are allowed.

# LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a clear audit track of which key was used to log in.

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id; however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit track.
```

All Diffie-Hellman moduli in use should be at least 3072-bit-long (they are used for diffie-hellman-group-exchange-sha256) as per our Key management Guidelines recommendations. To deactivate short moduli in two commands:

```
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
```

Intermediate (OpenSSH 5.3)

This is mainly for use by RHEL6, CentOS6, etc.

```
KexAlgorithms diffie-hellman-group-exchange-sha256

# Password based logins are disabled - only public key based logins are allowed.
# RequiredAuthentications2 does not work on official OpenSSH 5.3 portable.
# If this is your case, use this instead:
```

All Diffie-Hellman moduli in use should be at least 2048-bit-long. From the structure of moduli files, this means the fifth field of all lines in this file should be greater than or equal to 2047. To deactivate weak moduli in two commands:

```
awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
```

Multi-Factor Authentication (OpenSSH 6.3+)

Recent versions of OpenSSH support MFA (Multi-Factor Authentication).
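The moduli filter described above, written out as a shell function with the checks an operator would want before replacing /etc/ssh/moduli in place. This is an added example, not the guide's own command: it keeps the guide's rule (compare the fifth field of each data line against the minimum size) but refuses to install a result that contains no usable groups, since sshd would then silently fall back to a fixed built-in group for diffie-hellman-group-exchange-*. The function names, the constructed sample file and its placeholder hex moduli (not real safe primes) are all assumptions of this example.

```shell
#!/bin/sh
# Added example: filter an OpenSSH moduli file by its size column (field 5),
# as the guide's awk one-liner does, but without the failure modes of
# "awk ... > tmp; mv tmp moduli": the temp file is created next to the target
# so the final rename is atomic, and an empty result is never installed.
#
# Usage: filter_moduli <moduli-file> <min-size-field> [output-file]
#   e.g. filter_moduli /etc/ssh/moduli 3071

filter_moduli() {
    src="$1"; min="$2"; out="${3:-$1}"
    tmp="$(mktemp "${out}.XXXXXX")" || return 1
    # Keep comment lines; keep data lines (7 fields: time type tests tries size
    # generator modulus) only when the size field meets the minimum.
    awk -v min="$min" '/^#/ { print; next } NF >= 7 && $5 >= min { print }' \
        "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install a file with no groups left: sshd would otherwise fall
    # back to a built-in group for diffie-hellman-group-exchange-* exchanges.
    if [ "$(count_moduli "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        echo "no moduli with size >= $min in $src; leaving it unchanged" >&2
        return 2
    fi
    mv "$tmp" "$out"
}

# Number of data (non-comment) lines that have the full 7-field layout.
count_moduli() {
    awk '!/^#/ && NF >= 7 { n++ } END { print n + 0 }' "$1"
}

# Constructed sample in the moduli file layout; the modulus column holds
# placeholder hex, not real primes, so this file is only for testing the filter.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/ssh/moduli
20230101000000 2 6 100 1023 2 DEADBEEF
20230101000000 2 6 100 2047 2 DEADBEEF
20230101000000 2 6 100 3071 5 DEADBEEF
20230101000000 2 6 100 4095 2 DEADBEEF
EOF
}
```

Creating the temporary file beside the target (rather than in /tmp) matters because `mv` is only an atomic rename within one filesystem; across filesystems it becomes a copy, during which sshd could read a half-written moduli file. The empty-result check is the caveat the one-liner lacks: a typo in the threshold would otherwise leave the host with a moduli file that disables group exchange entirely.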