Detailed explanation of the SSH server-side /etc/ssh/sshd_config configuration file
阿新 • Published: 2018-05-22
#Port 22    Listening port; sshd listens on port 22 by default [default, can be changed]
#AddressFamily any    Which address family to use, IPv4 or IPv6; any means both
#ListenAddress 0.0.0.0    Address to listen on; 0.0.0.0 means every address of this host [default, can be changed]
#ListenAddress ::    The IPv6 form of the same: listen on all IPv6 addresses
#Protocol 2    Use SSH protocol version 2; on CentOS 7 protocol version 1 is refused by default
#HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key    RSA host private key [default]
#HostKey /etc/ssh/ssh_host_dsa_key    DSA host private key
HostKey /etc/ssh/ssh_host_ecdsa_key    ECDSA host private key
HostKey /etc/ssh/ssh_host_ed25519_key    Ed25519 host private key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024    Host key length in bits
#RekeyLimit default none
#SyslogFacility AUTH
SyslogFacility AUTHPRIV    When someone logs in to the system over SSH, sshd records it; the records are kept in /var/log/secure
#LogLevel INFO    Log level
#LoginGraceTime 2m    Login grace time; by default, if no password is entered within 2 minutes the connection is dropped automatically
#PermitRootLogin no
PermitRootLogin yes    Whether the administrator (root) may log in directly; 'yes' allows it
#StrictModes yes    Whether sshd checks the permissions of the user's home directory and related files
#MaxAuthTries 6    Maximum authentication attempts: at most 6 password entries, after which you must wait a while before the password can be entered again
#MaxSessions 10    Maximum number of sessions allowed
#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys    After the server generates a public/private key pair, the public key is placed in .ssh/authorized_keys and the private key is handed to the client
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
#RhostsRSAAuthentication no
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
#IgnoreRhosts yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes    Whether password-based authentication is allowed
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no    Whether any form of password authentication is allowed
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes    Whether X11 forwarding is allowed; it lets window data travel over the SSH connection (see the ssh -X option): # ssh -X user@IP
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes    Whether to do reverse DNS lookups; to make client connections to the server a bit faster, change this to no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
#Banner none
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server    Enables SFTP; if this line is commented out, sftp connections are not supported
#Match User anoncvs
AllowUsers user1 user2    Login whitelist (not present by default; it must be added by hand): the users allowed to log in remotely. A user not on the list is refused at login
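The settings the annotations above single out as worth changing (PermitRootLogin, PasswordAuthentication, X11Forwarding, and a missing AllowUsers) can be checked mechanically rather than by eye. The POSIX shell audit below is an added example, not code from the original post: the two config texts are constructed samples, and effective_value, audit_sshd_config and finding_count are names chosen here.

```shell
#!/bin/sh
# Constructed sample mirroring the effective (uncommented) lines above:
# PermitRootLogin yes, PasswordAuthentication yes, X11Forwarding yes, no AllowUsers.
WEAK_CONFIG='Port 22
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
#AllowUsers user1 user2'

# The same file with the changes the annotations point to (constructed sample).
HARDENED_CONFIG='Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
AllowUsers user1 user2'

# Print the effective value of directive $2 in config text $1.
# Comments and blank lines are skipped and the first match wins, as in sshd;
# Match blocks are not modelled. Prints nothing if the directive is absent.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Print one finding per risky setting; these four are the settings the
# annotations above mark as changeable. Always returns 0.
audit_sshd_config() {
    cfg="$1"
    [ "$(effective_value "$cfg" PermitRootLogin)" = yes ] &&
        echo "PermitRootLogin yes: root logs in directly; use no (or prohibit-password)"
    [ "$(effective_value "$cfg" PasswordAuthentication)" = yes ] &&
        echo "PasswordAuthentication yes: passwords accepted; prefer key-only login"
    [ "$(effective_value "$cfg" X11Forwarding)" = yes ] &&
        echo "X11Forwarding yes: turn off unless X11 over SSH is really needed"
    [ -z "$(effective_value "$cfg" AllowUsers)" ] &&
        echo "AllowUsers missing: every local account may attempt an SSH login"
    return 0
}

# Number of findings, so a deployment script can fail on a non-zero count.
finding_count() { audit_sshd_config "$1" | awk 'END { print NR }'; }

audit_sshd_config "$WEAK_CONFIG"
```

To audit a live server, pass the file contents instead: finding_count "$(cat /etc/ssh/sshd_config)".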
The default requires explicit activation of protocol 1
HostKey for protocol version 1    SSH version 1 supports only the one key type listed below
HostKeys for protocol version 2    Version 2 supports the four host key locations listed below (CentOS 6 supports only rsa and dsa)
Lifetime and size of ephemeral version 1 server key
Ciphers and keying
Logging
obsoletes QuietMode and FascistLogging
Authentication:
The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
but this is overridden so installations will only check .ssh/authorized_keys
For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
similar for protocol version 2
Change to yes if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication and HostbasedAuthentication
Don't read the user's ~/.rhosts and ~/.shosts files
To disable tunneled clear text passwords, change to no here!
Change to no to disable s/key passwords
Kerberos options    Whether Kerberos authentication (third-party authentication, such as LDAP) is supported; the default is no
GSSAPI options
Set this to 'yes' to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will
be allowed through the ChallengeResponseAuthentication and
PasswordAuthentication. Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to 'no'.
WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems.
no default banner path
Accept locale-related environment variables
override default of no subsystems
Example of overriding settings on a per-user basis
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
ForceCommand cvs server