Installation of an SSH server, allowing a secure connection to a
computer. The only authentication mechanism that will be authorized is
the SSH key. To secure the server a little more, protection against
brute force attacks will be set up, and SSH fingerprints will be
published using DNS.
Only version 2 of the SSH protocol is allowed to connect; version 1 is
now obsolete. Additionally, X11 forwarding is disabled, since we assume
a server on which no graphical applications are hosted.
Only logins that identify the user with an SSH key are allowed; this is
more reliable than a simple password, which can be easily guessed or
found through a brute force attack. If the root user needs to be able
to log in, the PermitRootLogin directive must be set to
prohibit-password.
To keep users informed of their previous connections (allowing them to
detect a fraudulent login) and to give information about the status of
the server, the following information is shown at each connection:
- the date and origin (IP address) of their last connection
- a status or server-specific message (entered by the administrator in
  /etc/issue.net)
sshd_config
# Information about connections
#--------------------------------------------------
PrintLastLog yes
PrintMotd yes
Banner /etc/issue.net
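As an added example, not part of the original page, the following POSIX shell audit reads an sshd_config and reports which of the directives discussed above deviate from the intended hardened values. The expected list (key-only authentication, PermitRootLogin prohibit-password, X11Forwarding no, and the three information directives) and the function names sshd_get, sshd_audit and sshd_check are assumptions for this example:

```shell
#!/bin/sh
# Added example (not from the page): audit an sshd_config against the hardening
# choices described above. Expected values and function names are assumptions.

# Expected "Keyword value" pairs, one per line. Explicit settings are required
# even where the sshd default already matches, so the intent is visible.
SSHD_EXPECTED='PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
X11Forwarding no
PrintLastLog yes
PrintMotd yes
Banner /etc/issue.net'

# Print the effective value of keyword $2 in file $1. sshd uses the first
# occurrence of a keyword, keywords are case-insensitive, and "Key value" and
# "Key=value" are both accepted; settings after a Match block are conditional.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }     # stop at the first Match block
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, parts, "[ \t=]+")
            if (tolower(parts[1]) != key) next
            val = substr(line, length(parts[1]) + 1)
            sub(/^[ \t=]+/, "", val)
            sub(/[ \t]+$/, "", val)
            print val
            exit
        }' "$1"
}

# Print one line per directive that deviates from SSHD_EXPECTED.
sshd_audit() {
    while read -r key want; do
        have=$(sshd_get "$1" "$key")
        [ -z "$have" ] && have='<unset>'
        [ "$have" = "$want" ] || printf '%s: have %s, want %s\n' "$key" "$have" "$want"
    done <<EOF
$SSHD_EXPECTED
EOF
}

# Exit status 0 when every expected directive matches, 1 otherwise.
sshd_check() {
    [ -z "$(sshd_audit "$1")" ]
}
```

On a live host, sshd -T prints the configuration actually in effect after defaults and Match processing and is the authoritative check; this script only inspects the file as written.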
Sub-system (sftp)
Allows the use of the sftp command, a file transfer client similar to
ftp but running over SSH.