SFTP setup
# groupadd ht
# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
This account is only available over SFTP, not over SSH." > /etc/nologin.txt
# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
To get the ASCII art and SHA-256 fingerprints:
# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
To generate SSHFP records:
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/keys/ed25519.pub
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/keys/rsa-3072.pub
Each command prints two records per key. Don't use the first record, which is SHA-1; use the second, which is SHA-256.
SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>
For pkey-algorithm:
  1 means RSA
  2 means DSA (must not be used)
  3 means ECDSA (should not be used)
  4 means Ed25519
For hash-algorithm:
  1 means SHA-1 (must not be used)
  2 means SHA-256
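An added example (not part of these notes) that builds the SHA-256 SSHFP record for an OpenSSH public key line the way `ssh-keygen -r` does, checks a published record against the algorithm policy above, and verifies that a key file actually matches a record. The key material is a constructed, non-real ed25519 blob; the hostname is the one from the notes.

```python
import base64
import hashlib
import struct

# Key-type names from OpenSSH public key lines -> SSHFP algorithm numbers.
PKEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# Policy from the notes: DSA and SHA-1 must not be used, ECDSA should not be.
REJECTED_PKEY = {2}
DISCOURAGED_PKEY = {3}
REJECTED_HASH = {1}
SHA256_HASH_ALG = 2


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (big-endian uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key: 32 deterministic bytes wrapped in the ed25519 wire
# format ("ssh-ed25519" string followed by the key string). Not a real host key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sample@host"


def sshfp_record(hostname: str, pubkey_line: str) -> str:
    """Return the SHA-256 SSHFP record for one OpenSSH public key line.

    The fingerprint is the hex SHA-256 of the base64-decoded key blob, which is
    what the second line of `ssh-keygen -r` output contains.
    """
    keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest()
    return f"{hostname} IN SSHFP {PKEY_ALGORITHMS[keytype]} {SHA256_HASH_ALG} {digest}"


def parse_sshfp(record: str) -> tuple[int, int, str]:
    """Split '<host> IN SSHFP <pkey> <hash> <fp>' into (pkey, hash, fingerprint)."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def check_sshfp(record: str) -> str:
    """Return 'ok', 'warn' or 'reject' for one SSHFP record under the policy above."""
    pkey, hsh, _ = parse_sshfp(record)
    if pkey in REJECTED_PKEY or hsh in REJECTED_HASH:
        return "reject"
    return "warn" if pkey in DISCOURAGED_PKEY else "ok"


def fingerprint_matches(pubkey_line: str, record: str) -> bool:
    """True if the key line's SHA-256 fingerprint and algorithm equal the record's."""
    expected = parse_sshfp(sshfp_record("x", pubkey_line))
    return expected == parse_sshfp(record)
```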