Sofern möglich, weisen alle VMware-Appliances eine standardmäßige gehärtete Konfiguration auf. Benutzer können die ausreichende Härtung ihrer Konfiguration überprüfen, indem Sie die Server- und Clienteinstellungen im Abschnitt mit globalen Optionen der Konfigurationsdatei untersuchen.
Prozedur
- ♦ Öffnen Sie die Konfigurationsdatei /etc/ssh/sshd_config auf der VMware-Appliance und stellen Sie sicher, dass die Einstellungen korrekt sind.
Einstellung Einstellungswert in sshd_config Client-Gateway-Ports GatewayPorts no GSSAPI-Authentifizierung GSSAPIAuthentication no CBC-Verschlüsselungen Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr Meldungsauthentifizierungscodes MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1
Beispiel: ssh_config-Beispieldatei
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. # Host * # ForwardAgent no # ForwardX11 no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # IdentityFile ~/.ssh/id_ecdsa # IdentityFile ~/.ssh/id_ed25519 # Port 22 # FipsMode no # Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1 GatewayPorts no GSSAPIAuthentication no