Restrictions
For security reasons, you are advised to perform the following hardening operations on the server that MindStudio connects to over SSH:
- The SHA-256 or SHA-512 algorithm is recommended for hashing the passwords of Linux system users.
- In the configuration file of the SSH server, harden the following configuration options:
  - MACs: selects the message authentication algorithm (or algorithms, separated by commas) used for data integrity verification in SSH-2. Currently, the algorithms hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, and hmac-sha2-512-etm@openssh.com are supported.
  - Ciphers: selects the encryption algorithm (or algorithms, separated by commas) of SSH-2. Do not use CBC encryption algorithms (such as AES128-CBC and AES256-CBC) in SSH-2. Currently, the algorithms aes128-gcm@openssh.com and aes256-gcm@openssh.com are supported.
  - HostKeyAlgorithms: selects the host key (public key authentication) algorithm (or algorithms, separated by commas) of SSH-2. Currently, the algorithms ssh-ed25519 (for OpenSSH 6.5 or later), rsa-sha2-512, and rsa-sha2-256 are supported. RSA keys must be at least 3,072 bits long.
  - KexAlgorithms: selects the key exchange algorithm (or algorithms, separated by commas) of SSH-2. Currently, the algorithms curve25519-sha256, curve25519-sha256@libssh.org, and diffie-hellman-group-exchange-sha256 are supported. OpenSSH 6.7 and later versions support the Curve25519 key exchange algorithm.
  - PermitRootLogin: controls whether root may log in directly. You are advised not to allow root login.
- MindStudio does not verify the types of files in a project. Ensure that any file you upload is of the expected type.
- To ensure that the MindStudio client can connect, configure the following algorithms on the server:
  ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com
  macs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
  hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
  kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  The modification procedure on the server is as follows:
  - Run the following command to edit the configuration file:
    vi /etc/ssh/sshd_config
    Modify the corresponding lines in the file. If an option is not present, add its line.
  - Restart the SSH service.
    - For Red Hat and openEuler OSs:
      service sshd restart
    - For Ubuntu OSs:
      service ssh restart
- Keep the SSH username and password secure. Do not share them with untrusted users, to avoid damage to the environment.
- To prevent brute-force cracking of SSH logins, you are advised to set a login control policy on the SSH client.
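The following script is an added example and is not part of the MindStudio documentation or product. It audits an sshd_config file against the algorithm set listed above (plus PermitRootLogin no), rewrites the file so each option holds the required value, checks that local password hashes are SHA-256 or SHA-512, and picks the service name to restart for the OS. The sshd_config, shadow and os-release contents are constructed for the demo; on a real host you would point the functions at /etc/ssh/sshd_config, /etc/shadow and /etc/os-release, and run `sshd -t` before restarting the service.

```shell
#!/bin/sh
# Added example (not from the MindStudio documentation): audit and harden an
# sshd_config file, check password hash algorithms, and pick the SSH service name.
# All file contents below are constructed for the demo, not real host data.

# Keyword and the exact value to enforce (PermitRootLogin added per the advice above).
REQUIRED_OPTIONS='Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
PermitRootLogin no'

# Print the effective value of a keyword. sshd keywords are case-insensitive and
# the first uncommented occurrence wins, so match case-insensitively and stop at
# the first hit; prints an empty line when the keyword is absent.
get_option() {  # $1=config file, $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key && !found { val = $2; found = 1 }
        END { print val }' "$1"
}

# Return 0 when every required option has exactly the required value, 1 otherwise,
# printing each deviation so the operator can see what to fix.
check_sshd_config() {  # $1=config file
    printf '%s\n' "$REQUIRED_OPTIONS" | while read -r key want; do
        have=$(get_option "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $key is '${have:-<unset>}', required '$want'"
            exit 1   # exits the pipeline subshell, so the function returns 1
        fi
    done
}

# Rewrite the file in place (keeping a .bak copy) so each required keyword appears
# exactly once with the required value: active lines for the keyword are dropped,
# comment lines are kept, and the required line is appended.
apply_sshd_hardening() {  # $1=config file
    cp "$1" "$1.bak"
    printf '%s\n' "$REQUIRED_OPTIONS" | while read -r key want; do
        awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
            /^[[:space:]]*#/ { print; next }
            tolower($1) == key { next }
            { print }' "$1" > "$1.tmp"
        printf '%s %s\n' "$key" "$want" >> "$1.tmp"
        mv "$1.tmp" "$1"
    done
}

# Return 0 when every password hash in a shadow-format file uses SHA-256 ($5$) or
# SHA-512 ($6$); locked or passwordless entries (!, *, empty field) are skipped.
check_shadow_hashes() {  # $1=shadow-format file
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $2 !~ /^\$[56]\$/ { print "WEAK HASH: " $1; bad = 1 }
        END { exit bad + 0 }' "$1"
}

# Service name to restart, following the page: "ssh" on Ubuntu, "sshd" on
# Red Hat and openEuler (and, as an assumption here, on any other OS).
ssh_service_name() {  # $1=os-release file
    case "$(sed -n 's/^ID=//p' "$1" | tr -d '"')" in
        ubuntu) echo ssh ;;
        *)      echo sshd ;;
    esac
}

# --- Constructed demo input (not real host data) ---
DEMO_DIR=$(mktemp -d)
DEMO_CONF="$DEMO_DIR/sshd_config"
cat > "$DEMO_CONF" <<'EOF'
# Constructed sshd_config with weak settings
Port 22
ciphers aes128-cbc,aes256-cbc
MACs hmac-sha1
PermitRootLogin yes
EOF
DEMO_SHADOW="$DEMO_DIR/shadow"
cat > "$DEMO_SHADOW" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$1$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF

check_sshd_config "$DEMO_CONF" || echo "weak settings found, rewriting $DEMO_CONF"
apply_sshd_hardening "$DEMO_CONF"
check_sshd_config "$DEMO_CONF" && echo "config now matches the required algorithm set"
check_shadow_hashes "$DEMO_SHADOW" || echo "one or more accounts use a weak password hash"
if [ -r /etc/os-release ]; then
    echo "on this host, after 'sshd -t' passes: service $(ssh_service_name /etc/os-release) restart"
fi
```

The check reads only the first active occurrence of each keyword because that is the one sshd honours, so a hardened line appended below an existing weak one would otherwise go unnoticed; the rewrite therefore removes every active line for the keyword before appending the required value, leaving comments untouched and a .bak copy for rollback.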