[[email protected] ~]$cat /etc/ssh/sshd_config

1. #Port 22                                          監聽埠，預設監聽22埠   【預設可修改】
2. #AddressFamily any                        IPV4和IPV6協議家族用哪個，any表示二者均有
3. #ListenAddress 0.0.0.0                   指明監控的地址，0.0.0.0表示本機的所有地址  【預設可修改】
4. #ListenAddress ::                            指明監聽的IPV6的所有地址格式
5. # The default requires explicit activation of protocol 1   
6. #Protocol 2                                      使用SSH第二版本，centos7預設第一版本已拒絕
7. # HostKey for protocol version 1      一版的SSH支援以下一種祕鑰形式
8. #HostKey /etc/ssh/ssh_host_key
9. # HostKeys for protocol version 2                  使用第二版本傳送祕鑰，支援以下四種祕鑰認證的存放位置：（centos6只支援rsa和dsa兩種）
10. HostKey /etc/ssh/ssh_host_rsa_key               rsa私鑰認證 【預設】
11. #HostKey /etc/ssh/ssh_host_dsa_key            dsa私鑰認證
12. HostKey /etc/ssh/ssh_host_ecdsa_key          ecdsa私鑰認證
13. HostKey /etc/ssh/ssh_host_ed25519_key      ed25519私鑰認證
14. # Lifetime and size of ephemeral version 1 server key
15. #KeyRegenerationInterval 1h
16. #ServerKeyBits 1024        主機祕鑰長度        
17. # Ciphers and keying      
18. #RekeyLimit default none
19. # Logging
20. # obsoletes QuietMode and FascistLogging
21. #SyslogFacility AUTH
22. SyslogFacility AUTHPRIV                   當有人使用ssh登入系統的時候，SSH會記錄資訊，資訊儲存在/var/log/secure裡面
23. #LogLevel INFO                                  日誌的等級
24. # Authentication:
25. #LoginGraceTime 2m                           登入的寬限時間，預設2分鐘沒有輸入密碼，則自動斷開連線
26. #PermitRootLogin no
27. PermitRootLogin yes                            是否允許管理員直接登入，'yes'表示允許
28. #StrictModes yes                                 是否讓sshd去檢查使用者主目錄或相關檔案的許可權資料
29. #MaxAuthTries 6                                  最大認證嘗試次數，最多可以嘗試6次輸入密碼。之後需要等待某段時間後才能再次輸入密碼
30. #MaxSessions 10                                 允許的最大會話數
31. #RSAAuthentication yes
32. #PubkeyAuthentication yes
33. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
34. # but this is overridden so installations will only check .ssh/authorized_keys
35. AuthorizedKeysFile .ssh/authorized_keys                 伺服器生成一對公私鑰之後，會將公鑰放到.ssh/authorizd_keys裡面，將私鑰發給客戶端
36. #AuthorizedPrincipalsFile none 
37. #AuthorizedKeysCommand none
38. #AuthorizedKeysCommandUser nobody
39. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
40. #RhostsRSAAuthentication no
41. # similar for protocol version 2
42. #HostbasedAuthentication no
43. # Change to yes if you don't trust ~/.ssh/known_hosts for
44. # RhostsRSAAuthentication and HostbasedAuthentication
45. #IgnoreUserKnownHosts no
46. # Don't read the user's ~/.rhosts and ~/.shosts files
47. #IgnoreRhosts yes
48. # To disable tunneled clear text passwords, change to no here!
49. #PasswordAuthentication yes
50. #PermitEmptyPasswords no
51. PasswordAuthentication yes                    是否允許支援基於口令的認證
52. # Change to no to disable s/key passwords
53. #ChallengeResponseAuthentication yes
54. ChallengeResponseAuthentication no     是否允許任何的密碼認證
55. # Kerberos options                                   是否支援kerberos（基於第三方的認證，如LDAP）認證的方式，預設為no 
56. #KerberosAuthentication no
57. #KerberosOrLocalPasswd yes
58. #KerberosTicketCleanup yes
59. #KerberosGetAFSToken no
60. #KerberosUseKuserok yes
61. # GSSAPI options                                       
62. GSSAPIAuthentication yes
63. GSSAPICleanupCredentials no
64. #GSSAPIStrictAcceptorCheck yes
65. #GSSAPIKeyExchange no
66. #GSSAPIEnablek5users no
67. # Set this to 'yes' to enable PAM authentication, account processing,
68. # and session processing. If this is enabled, PAM authentication will
69. # be allowed through the ChallengeResponseAuthentication and
70. # PasswordAuthentication. Depending on your PAM configuration,
71. # PAM authentication via ChallengeResponseAuthentication may bypass
72. # the setting of "PermitRootLogin without-password".
73. # If you just want the PAM account and session checks to run without
74. # PAM authentication, then enable this but set PasswordAuthentication
75. # and ChallengeResponseAuthentication to 'no'.
76. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
77. # problems.
78. UsePAM yes
79. #AllowAgentForwarding yes
80. #AllowTcpForwarding yes
81. #GatewayPorts no
82. X11Forwarding yes                    是否允許x11轉發，可以讓視窗的資料通過SSH連線來傳遞(請檢視ssh -X 引數)：#ssh -X  [email protected]
83. #X11DisplayOffset 10
84. #X11UseLocalhost yes 
85. #PermitTTY yes
86. #PrintMotd yes
87. #PrintLastLog yes
88. #TCPKeepAlive yes
89. #UseLogin no
90. UsePrivilegeSeparation sandbox # Default for new installations.
91. #PermitUserEnvironment no
92. #Compression delayed
93. #ClientAliveInterval 0
94. #ClientAliveCountMax 3
95. #ShowPatchLevel no
96. #UseDNS yes              是否反解DNS，如果想讓客戶端連線伺服器端快一些，這個可以改為no
97. #PidFile /var/run/sshd.pid
98. #MaxStartups 10:30:100
99. #PermitTunnel no
100. #ChrootDirectory none
101. #VersionAddendum none
102. # no default banner path
103. #Banner none
104. # Accept locale-related environment variables
105. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
106. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
107. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
108. AcceptEnv XMODIFIERS
109. # override default of no subsystems
110. Subsystem sftp /usr/libexec/openssh/sftp-server                    支援 SFTP ，如果註釋掉，則不支援sftp連線
111. # Example of overriding settings on a per-user basis
112. #Match User anoncvs
113. # X11Forwarding no
114. # AllowTcpForwarding no
115. # PermitTTY no
116. # ForceCommand cvs server
117. AllowUsers user1 user2                登入白名單（預設沒有這個配置，需要自己手動新增），允許遠端登入的使用者。如果名單中沒有的使用者，則提示拒絕登入

--------------

作者：丟丟vv

原文連結：https://www.cnblogs.com/shaoerwei/articles/7594879.html