
@0xmachos
Last active December 21, 2021 16:28
SSH Cheatsheet
sudo sshd -t
# Check the config for syntax errors before restarting; a bad file would
# otherwise leave sshd down (sshd -T prints the effective config instead)
sudo systemctl restart sshd
# The unit is ssh.service on Debian/Ubuntu, where sshd is normally an alias
# Keep your current session open and log in from a second one before closing it
sudo systemctl status sshd
# /etc/ssh/sshd_config
# sshd_config(5)
# https://man.openbsd.org/sshd_config
# https://www.openssh.com/legacy.html
AddressFamily inet
# Only use IPv4
ListenAddress x.x.x.x
# Default is to listen on all local addresses
# Better to specify an actual IP address to listen on
Protocol 2
# Only use protocol version 2
# OpenSSH 7.4 removed SSHv1 from sshd; from then on the keyword is deprecated and ignored
LogLevel VERBOSE
# Logs user's key fingerprint on login
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Key files cannot be group/world-accessible
PermitRootLogin no
# root user cannot login via SSH
AuthenticationMethods publickey
# Only allow public key authentication for login
# Belt and braces: also set PasswordAuthentication no and
# KbdInteractiveAuthentication no (ChallengeResponseAuthentication before OpenSSH 8.7)
Subsystem sftp internal-sftp
# Use sshd internal SFTP server code (plays nicer with Chroot)
# See https://serverfault.com/a/660325 for differences with
# Subsystem sftp /usr/libexec/openssh/sftp-server
# If you never transfer files you can remove the subsystem to reduce attack surface
# Since OpenSSH 9.0 scp uses the SFTP protocol by default, so removing it also
# breaks scp unless the client passes -O to use the legacy scp protocol
# Cryptography
KexAlgorithms curve25519-sha256
# Allow only curve25519
# curve25519-sha256@libssh.org is the same algorithm under its pre-RFC 8731 name;
# add it only if older clients must still connect
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
# Restricts the host key algorithms the server offers; keep it in line with the
# HostKey lines above (ed25519 and ECDSA P-256). It does not restrict user keys.
# Which client key types are accepted is set by PubkeyAcceptedAlgorithms
# (PubkeyAcceptedKeyTypes before OpenSSH 8.5); give it the same two values to
# allow only ed25519 or ECDSA keys for client authentication
# ECDSA for Secretive/ Secure Enclave keys
# ed25519 for everything else
Ciphers chacha20-poly1305@openssh.com
# Only use chacha20-poly1305
# Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does
# not encrypt message sizes when GCM (or EtM) is in use.
# This allows some traffic analysis even without decrypting the data.
# See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html
# Caveat: this cipher was the main target of the Terrapin prefix-truncation
# attack (CVE-2023-48795); run OpenSSH 9.6 or later on both ends so that
# strict key exchange is negotiated
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Only use encrypt then mac (etm) MACs
# Allow only HMAC-SHA2-512/256 or UMAC-128
# https://crypto.stackexchange.com/a/56432
# With chacha20-poly1305 as the only cipher this list is never used (the cipher
# is AEAD and authenticates its own packets); it only matters if a non-AEAD
# cipher such as aes256-ctr is later added to Ciphers
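Whether the settings above take effect depends on how sshd reads the file: keywords are case-insensitive, the first value seen for a keyword wins, an Include is expanded where it appears (recent Ubuntu and Debian ship one near the top of sshd_config), and anything after a Match line applies only to matching connections. The script below is an added example, not code from the gist; it applies those rules to a config text and reports where it has drifted from the directives above. Its two config strings are constructed samples, the allowed algorithm sets are copied from the directives above, and the Directive, parse_sshd_config, effective_globals and audit names are my own.

```python
"""Audit an sshd_config the way sshd reads it (added example, not from the gist):
keywords are case-insensitive, the FIRST value seen wins, Include is expanded in
place and everything after a Match line is scoped to matching connections."""
from __future__ import annotations
import re
from dataclasses import dataclass

DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*?)\s*$")  # "Key value" or "Key=value"

# Algorithm lists allowed by the config above; the @libssh.org name is the
# pre-standard alias of the same KEX that older clients require.
ALLOWED = {
    "ciphers": {"chacha20-poly1305@openssh.com"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org"},
    "hostkeyalgorithms": {"ssh-ed25519", "ecdsa-sha2-nistp256"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
EXPECTED = {"permitrootlogin": "no", "authenticationmethods": "publickey",
            "passwordauthentication": "no"}  # single-valued directives

@dataclass
class Directive:
    line: int
    key: str        # lower-cased, as sshd compares keywords
    value: str
    in_match: bool  # True once a Match line has been seen

def parse_sshd_config(text: str) -> list[Directive]:
    out, in_match = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = DIRECTIVE_RE.match(line) if line and not line.startswith("#") else None
        if m is None:  # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2)
        in_match = in_match or key == "match"
        out.append(Directive(n, key, value, in_match))
    return out

def effective_globals(directives: list[Directive]) -> dict[str, Directive]:
    # sshd_config(5): the first obtained value is used; Match-scoped lines are not global.
    eff: dict[str, Directive] = {}
    for d in directives:
        if not d.in_match:
            eff.setdefault(d.key, d)
    return eff

def audit(text: str) -> list[str]:
    """Return findings; an empty list means the file matches the settings above."""
    directives = parse_sshd_config(text)
    eff = effective_globals(directives)
    findings = []
    for d in (x for x in directives if not x.in_match):
        if d.key == "include":  # read in place: a drop-in near the top wins
            findings.append(f"line {d.line}: Include {d.value} is read in place; "
                            "directives in those files override every later line")
        first = eff[d.key]
        if first is not d:      # later duplicates are silently ignored by sshd
            findings.append(f"line {d.line}: {d.key} {d.value!r} ignored; "
                            f"line {first.line} already set {first.value!r}")
    for key, want in EXPECTED.items():
        d = eff.get(key)
        if d is None:
            findings.append(f"{key} not set (OpenSSH default applies)")
        elif d.value.lower() != want:
            findings.append(f"line {d.line}: {key} is {d.value!r}, expected {want!r}")
    for key, allowed in ALLOWED.items():
        d = eff.get(key)
        if d is None:
            findings.append(f"{key} not set (OpenSSH default list applies)")
        elif d.value.startswith(("+", "-", "^")):  # these edit the default list
            findings.append(f"line {d.line}: {key} {d.value!r} edits the default "
                            "list instead of replacing it")
        elif (bad := [a for a in d.value.split(",") if a not in allowed]):
            findings.append(f"line {d.line}: {key} also allows {bad}")
    return findings

# Constructed inputs (not real hosts): the hardened settings after drift from a
# distro drop-in, a stale duplicate, a CBC cipher and a "+" that keeps the defaults.
DRIFTED_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PermitRootLogin no
AuthenticationMethods publickey
Ciphers chacha20-poly1305@openssh.com,aes128-cbc
KexAlgorithms +curve25519-sha256
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
Match User backup
    PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin no
AuthenticationMethods publickey
PasswordAuthentication no
KexAlgorithms curve25519-sha256
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
"""
```

On a host, call `audit(open("/etc/ssh/sshd_config").read())` and review the list; `sudo sshd -T` prints the effective configuration after all Includes and defaults are resolved and is the authoritative cross-check for anything this script reports.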