Difference between revisions of "Hardening"
Jump to navigation
Jump to search
m (→/etc/ssh/sshd_config: fixed typo "replaces" ➡ "replaced") |
(publickey existiert nicht als config option) |
||
| Line 5: | Line 5: | ||
==/etc/ssh/sshd_config== | ==/etc/ssh/sshd_config== | ||
<pre> | <pre> | ||
| − | AuthenticationMethods | + | AuthenticationMethods prohibit-password |
ReKeyLimit 1G 10m | ReKeyLimit 1G 10m | ||
AllowAgentForwarding no | AllowAgentForwarding no | ||
| Line 11: | Line 11: | ||
A few remarks: | A few remarks: | ||
* Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaced with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from. | * Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaced with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from. | ||
| − | * Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods | + | * Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods prohibit-password</code> has the advantage of being more easy to check during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working. |
Revision as of 13:39, 17 November 2022
Note: This page is still work in progress, so don't use for production (yet).
SSH
/etc/ssh/sshd_config
AuthenticationMethods prohibit-password ReKeyLimit 1G 10m AllowAgentForwarding no
A few remarks:
- Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaced with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from.
- Compared to
PasswordAuthentication no,AuthenticationMethods prohibit-passwordhas the advantage of being more easy to check during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working.