34 lines
1.0 KiB
Markdown
34 lines
1.0 KiB
Markdown
|
### SFTP setup
|
||
|
|
|
||
|
|
```
|
||
|
|
# groupadd ht
|
||
|
|
# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
|
||
|
|
This account is only available over SFTP, not over SSH." > /etc/nologin.txt
|
||
|
|
# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
|
||
|
|
# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
|
||
|
|
# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
|
||
|
|
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
|
||
|
|
```
|
||
|
|
|
||
|
|
To get the ASCII art and SHA-256 fingerprints:
|
||
|
|
```
|
||
|
|
# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
|
||
|
|
# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
|
||
|
|
```
|
||
|
|
|
||
|
|
To generate SSHFP records:
|
||
|
|
```
|
||
|
|
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/ed25519.pub
|
||
|
|
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/rsa-3072.pub
|
||
|
|
```
|
||
|
|
Don't use the first record, which is SHA-1, use the second, which is SHA-256.
|
||
|
|
`SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>`
|
||
|
|
For `pkey-algorithm`:
|
||
|
|
* `1` means RSA
|
||
|
|
* `2` means DSA (must not be used)
|
||
|
|
* `3` means ECDSA (should not be used)
|
||
|
|
* `4` means Ed25519
|
||
|
|
For `hash-algorithm`:
|
||
|
|
* `1` means SHA-1 (must not be used)
|
||
|
|
* `2` means SHA-256
|