servnest/system

This repository has been archived on 2022-10-07. You can view files and clone it, but cannot push or open issues or pull requests.

system/arch/openssh.md

SFTP setup

```sh
# groupadd ht
# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
This account is only available over SFTP, not over SSH." > /etc/nologin.txt
# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
```

To get the ASCII art and SHA-256 fingerprints:

```sh
# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
```

To generate SSHFP records:

```sh
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/keys/ed25519.pub
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/keys/rsa-3072.pub
```

(The public keys live under /etc/ssh/keys/, where the ssh-keygen calls above created them.)

Don't use the first record, which is SHA-1; use the second, which is SHA-256. The record format is:

SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>

For pkey-algorithm:

  • 1 means RSA
  • 2 means DSA (must not be used)
  • 3 means ECDSA (should not be used)
  • 4 means Ed25519

For hash-algorithm:

  • 1 means SHA-1 (must not be used)
  • 2 means SHA-256
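Added example, not part of this repository: a Python script that derives the SHA-256 SSHFP record from an OpenSSH public-key line the same way the ssh-keygen -r output above is laid out (host IN SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>, where the fingerprint is the SHA-256 of the base64-decoded key blob), refuses DSA and ECDSA keys per the list, and checks a record fetched from DNS against the host key while never trusting a SHA-1 record. The function names and the sample key bytes are assumptions made for the example.

```python
import base64
import hashlib

# SSHFP public-key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
PKEY_ALGOS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SHA256 = 2  # SSHFP hash-algorithm number; 1 (SHA-1) is never emitted or trusted


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return len(b).to_bytes(4, "big") + b


def constructed_pubkey_line(keytype: str, raw: bytes) -> str:
    """Build a CONSTRUCTED public-key line in OpenSSH format (not a real host key)."""
    blob = _ssh_string(keytype.encode()) + _ssh_string(raw)
    return f"{keytype} {base64.b64encode(blob).decode()} constructed@example"


def sshfp_record(host: str, pubkey_line: str, allow_ecdsa: bool = False) -> str:
    """Produce the SHA-256 SSHFP record for a public-key line, like ssh-keygen -r."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob embeds its own key type; it must agree with the textual prefix.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match key blob")
    if keytype == "ssh-dss":
        raise ValueError("DSA must not be used (SSHFP algorithm 2)")
    if keytype.startswith("ecdsa-sha2-") and not allow_ecdsa:
        raise ValueError("ECDSA should not be used (SSHFP algorithm 3)")
    fingerprint = hashlib.sha256(blob).hexdigest()  # SHA-256 of the raw key blob
    return f"{host} IN SSHFP {PKEY_ALGOS[keytype]} {SHA256} {fingerprint}"


def sshfp_matches(record: str, pubkey_line: str) -> bool:
    """True if a published record matches the key; SHA-1 or DSA records never match."""
    algo, hashalg, fp = record.split()[-3:]
    if int(hashalg) != SHA256:
        return False
    try:
        expected = sshfp_record("h", pubkey_line, allow_ecdsa=True).split()
    except ValueError:
        return False
    return (expected[3], expected[5]) == (algo, fp.lower())
```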