How do I enforce a maximum authentication time in the OpenSSH configuration?

I am trying to harden my OpenSSH server configuration by enforcing a maximum authentication time limit. However, when I try to achieve this by adding a MaxAuthAge option to the sshd_config file, I get an error saying the option is not recognized. Despite searching the OpenSSH documentation, I could not find a direct way to set a maximum authentication time.

What is the recommended way to enforce a maximum authentication time limit in OpenSSH? Is there an alternative option or configuration that achieves this effectively? Any insights or suggestions would be greatly appreciated.

Here is the error message I get when validating the configuration:

    $ /usr/sbin/sshd -tT
    /etc/ssh/sshd_config: line 100: Bad configuration option: MaxAuthAge
    /etc/ssh/sshd_config: terminating, 1 bad configuration options

sshd_config:
    # NAME: LALATENDU HARDENED OPENSSH CONFIGURATION
    # AUTHOR: LALATENDU
    # DATE CREATED: MARCH 02, 2024
    # LAST UPDATED: MARCH 02, 2024
    
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    
    Protocol 2
    
    PermitRootLogin no
    
    PermitTunnel no
    
    Subsystem sftp internal-sftp
    
    PasswordAuthentication no
    
    ClientAliveInterval 180
    ClientAliveCountMax 2
    
    GatewayPorts no
    
    DisableForwarding yes
    
    AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
    AllowUsers lalatendu
    
    AllowStreamLocalForwarding no
    
    Ciphers [email protected],aes256-ctr,aes192-ctr,aes128-ctr,[email protected]
    MACs [email protected],[email protected]
    KexAlgorithms [email protected]
    HostKeyAlgorithms [email protected],[email protected]
    PubkeyAcceptedKeyTypes ssh-ed25519
    
    MaxSessionsPerUser 2
    MaxAuthTries 3
    MaxSessions 2
    MaxAuthAge 600
    LoginGraceTime 30
    MaxStartups 3:50:10
    
    PermitEmptyPasswords no
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
    HostbasedAuthentication no
    UsePrivilegeSeparation sandbox
    
    StrictModes yes
    
    X11Forwarding no
    
    AllowTcpForwarding no
    
    StrictModes yes
    
    IgnoreRhosts yes
    
    PrintMotd yes
    PrintLastLog yes
    Banner /etc/issue.net
    
    Compression no
    
    LogLevel VERBOSE
    
    AllowAgentForwarding no
    
    TCPKeepAlive no
    
    UseDNS no
    
    Match Address 192.168.1.100
        AllowUsers lalatendu
        PermitOpen any
        PermitRootLogin no
        X11Forwarding yes
        PasswordAuthentication no
    
    DenyUsers ubuntu centos admin
    DenyGroups docker
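
The error above is sshd rejecting a keyword it does not know. The config in the question already contains LoginGraceTime, which is the sshd_config(5) directive that bounds how long an unauthenticated connection may stay open before sshd disconnects it (default 120 seconds, 0 means unlimited). As an added example that is not part of the original post and not OpenSSH code, the Python below reads a file in sshd_config format, applies sshd's first-occurrence-wins rule for single-valued keywords and the Match Address override, and reports the effective pre-auth window together with any global keywords silently shadowed by an earlier copy (the question's config sets StrictModes twice). The embedded config is a constructed, abridged copy of the one above. The parser does not know OpenSSH's keyword vocabulary, so `sshd -t` remains the authoritative check for unknown options such as MaxAuthAge; only `Match Address` with one exact address is modelled.

```python
"""Minimal sshd_config reader for answering "what setting is in effect?" offline.

Constructed for this example; it is not OpenSSH code. It models only what it
needs from sshd_config(5):
  * keyword and value are separated by whitespace or '='; keywords are
    case-insensitive; '#' starts a comment;
  * directives before the first 'Match' line are global, later ones belong
    to the preceding Match block;
  * for single-valued keywords sshd keeps the FIRST occurrence, and a
    satisfied Match block overrides the global value (first satisfied
    block wins). List keywords such as AllowUsers or AcceptEnv accumulate,
    so every value is kept and effective() returns the first.
"""
import re
from dataclasses import dataclass, field


@dataclass
class MatchBlock:
    criteria: str                                  # e.g. "Address 192.168.1.100"
    directives: dict = field(default_factory=dict)  # keyword -> [values...]


@dataclass
class SshdConfig:
    globals: dict = field(default_factory=dict)    # keyword -> [values...]
    matches: list = field(default_factory=list)    # MatchBlock in file order


# keyword, then '=' or whitespace, then the rest of the line as the value
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    cfg = SshdConfig()
    target = cfg.globals
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":                     # start of a new Match block
            block = MatchBlock(criteria=value)
            cfg.matches.append(block)
            target = block.directives
            continue
        target.setdefault(key, []).append(value)
    return cfg


def effective(cfg, keyword, address=None):
    """Value sshd would apply for a single-valued keyword, for a client
    connecting from `address` (None = no Match block applies)."""
    key = keyword.lower()
    if address is not None:
        for block in cfg.matches:
            if (block.criteria.lower() == f"address {address.lower()}"
                    and key in block.directives):
                return block.directives[key][0]
    values = cfg.globals.get(key)
    return values[0] if values else None


def shadowed(cfg):
    """Global keywords given more than once; for single-valued keywords
    sshd keeps the first copy and silently ignores the rest."""
    return sorted(k for k, v in cfg.globals.items() if len(v) > 1)


TIME_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value):
    """sshd_config(5) TIME FORMATS: '30', '2m', '1h30m', ..."""
    value = value.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * TIME_UNIT[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))


def login_grace_seconds(cfg):
    """Seconds an unauthenticated connection may stay open (0 = unlimited)."""
    value = effective(cfg, "LoginGraceTime")
    return to_seconds(value) if value is not None else 120  # sshd default


# Constructed sample, abridged from the config in the question above.
SAMPLE_CONFIG = """\
# constructed sample
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
AllowUsers lalatendu
MaxAuthTries 3
MaxAuthAge 600
LoginGraceTime 30
MaxStartups 3:50:10
StrictModes yes
X11Forwarding no
StrictModes yes

Match Address 192.168.1.100
    AllowUsers lalatendu
    X11Forwarding yes
    PasswordAuthentication no
"""

if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    print("pre-auth window:", login_grace_seconds(cfg), "seconds")
    print("X11Forwarding (default / from 192.168.1.100):",
          effective(cfg, "X11Forwarding"), effective(cfg, "X11Forwarding", "192.168.1.100"))
    print("shadowed global keywords:", shadowed(cfg))
```

Running it on the sample reports a 30 second pre-auth window, X11Forwarding off except for the Match address, and `strictmodes` as a shadowed keyword. Pointing `parse_sshd_config` at the real `/etc/ssh/sshd_config` is fine, but compare its answers with `sshd -T` (and, for a given client, `sshd -T -C addr=...`) before relying on them.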
    