Linux --- SSH remote login configuration: the sshd_config file explained
阿新 • Published: 2018-12-14
SSH is the secure protocol for remote login on Linux and has a client/server (C/S) architecture. Its configuration is split into the server configuration file [/etc/ssh/sshd_config] and the client configuration files: the system-wide default [/etc/ssh/ssh_config] and the per-user file [~/.ssh/config]. sshd_config is the server's main configuration file. It must be owned by root and be writable only by root, i.e. mode 644 at most (Red Hat systems ship it as 600). Below is the stock file of an OpenSSH 7.x build on a Red Hat system, with each directive annotated after a "<==" marker.
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER <== on a system with SELinux enabled, a changed sshd port must also be added to the SELinux policy with this command, otherwise sshd is denied binding to the new port
#
#Port 22 <== default ssh port; moving it to a high port (a five-digit one, up to 65535) only cuts down noise from mass scanners, it is not an access control, so combine it with key-only authentication and firewall rules
#AddressFamily any <== address family; any means listen on both IPv4 and IPv6
#ListenAddress 0.0.0.0 <== listen on all local IPv4 addresses (restrict this to a management interface where possible)
#ListenAddress :: <== listen on all local IPv6 addresses
HostKey /etc/ssh/ssh_host_rsa_key <== path of the RSA host private key
#HostKey /etc/ssh/ssh_host_dsa_key <== DSA host key, commented out (DSA is limited to 1024-bit keys and has been disabled by default since OpenSSH 7.0)
HostKey /etc/ssh/ssh_host_ecdsa_key <== path of the ECDSA host private key
HostKey /etc/ssh/ssh_host_ed25519_key <== path of the Ed25519 host private key (host private keys should be mode 600 and owned by root)

# Ciphers and keying
#RekeyLimit default none <== how much data, or how much time, may pass before the session keys are renegotiated

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV <== the syslog facility code used for messages from sshd; AUTHPRIV keeps authentication records in the root-only log (/var/log/secure on Red Hat systems)
#LogLevel INFO <== log verbosity; default is INFO

# Authentication:

#LoginGraceTime 2m <== the server drops the connection if the client has not authenticated within this time; default 2 minutes
#PermitRootLogin yes <== whether root may log in over ssh; set it to no in production and log in as an unprivileged user (prohibit-password, the upstream default since OpenSSH 7.0, still allows key-based root login)
#StrictModes yes <== whether sshd checks the ownership and permissions of the user's home directory and ssh files (~/.ssh, authorized_keys) before accepting a login; keep it on, it refuses keys in group- or world-writable files
#MaxAuthTries 6 <== maximum authentication attempts per connection; default 6. Once failures exceed half this value, each further failure is logged
#MaxSessions 10 <== maximum number of open sessions (shell, login or subsystem, e.g. multiplexed channels) per network connection, not the number of connections; default 10

#PubkeyAuthentication yes <== whether public key authentication is enabled

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys <== path of the public key file, relative to the user's home directory

#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no <== whether rhosts-style authentication (~/.shosts, ~/.rhosts, /etc/hosts.equiv) combined with client host key authentication is allowed; default no, leave it off
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no <== whether the user's ~/.ssh/known_hosts is ignored during HostbasedAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes <== whether .rhosts and .shosts files are ignored during HostbasedAuthentication

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no <== whether accounts with empty passwords may log in
PasswordAuthentication yes <== whether password authentication is allowed; set it to no in production and use key-based login only, which stops online password guessing outright

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no <== whether challenge-response (keyboard-interactive) authentication is allowed; with UsePAM yes this path can still hand passwords to PAM if left on

# Kerberos options
#KerberosAuthentication no <== whether the password supplied for password authentication is validated through Kerberos
#KerberosOrLocalPasswd yes <== if Kerberos password authentication fails, the password is also checked through the other mechanisms (e.g. /etc/passwd)
#KerberosTicketCleanup yes <== whether the user's ticket cache is destroyed automatically at logout
#KerberosGetAFSToken no <== if AFS is in use and the user has a Kerberos 5 TGT, try to acquire an AFS token before accessing the user's home directory
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes <== whether GSSAPI-based user authentication is allowed; turn it off unless the host is joined to a Kerberos realm, to keep the authentication surface small
GSSAPICleanupCredentials no <== whether the user's credential cache is destroyed automatically at logout
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes <== whether authentication, account and session handling go through PAM

#AllowAgentForwarding yes <== whether ssh-agent forwarding is allowed; root on the server can use a forwarded agent to authenticate as the client elsewhere, so disable it on hosts you do not fully trust
#AllowTcpForwarding yes <== whether TCP port forwarding is allowed; disable it for accounts that only need a shell or sftp, otherwise the host becomes a pivot into the network
#GatewayPorts no <== whether remote hosts may connect to ports forwarded for the client (i.e. whether -R forwards bind to all interfaces instead of loopback)
X11Forwarding yes <== whether X11 forwarding is allowed; set it to no on servers, it is rarely needed and exposes the client's X display to the server
#X11DisplayOffset 10 <== the first display number available for sshd(8) X11 forwarding; default 10
#X11UseLocalhost yes <== whether the X11 forwarding server is bound to the local loopback address
#PermitTTY yes
#PrintMotd yes <== whether sshd(8) prints /etc/motd at each interactive login
#PrintLastLog yes <== whether sshd(8) prints the date and time of the user's last login at each interactive login
#TCPKeepAlive yes <== whether the system sends TCP keepalive messages to the client (these travel unencrypted and can be spoofed; ClientAlive* below is the protected alternative)
#UseLogin no <== whether login(1) is used for interactive sessions (obsolete)
#UsePrivilegeSeparation sandbox <== whether sshd(8) separates privileges by creating an unprivileged child process to handle incoming traffic; sandbox additionally restricts that child's system calls (mandatory and no longer configurable in newer releases)
#PermitUserEnvironment no <== whether sshd(8) processes ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys; keep it off, environment processing can let users bypass access restrictions through mechanisms such as LD_PRELOAD
#Compression delayed <== whether traffic is compressed; delayed starts compression only after the user has authenticated (this is compression, not encryption: the session is encrypted from the key exchange onward regardless)
#ClientAliveInterval 0 <== seconds without data from the client after which sshd(8) sends an encrypted "alive" request; 0 (default) never sends one, so dead sessions linger
#ClientAliveCountMax 3 <== how many "alive" requests may go unanswered before sshd(8) drops the connection; default 3
#ShowPatchLevel no
#UseDNS no <== whether to reverse-resolve the client address and check that the name maps back to it; this only affects logging and host patterns in authorized_keys, and no makes logins faster
#PidFile /var/run/sshd.pid <== path of the file holding the SSH daemon's process ID
#MaxStartups 10:30:100 <== limit on concurrent unauthenticated connections as start:rate:full: once 10 are pending, further attempts are refused with 30% probability, rising linearly to 100% at 100 pending connections
#PermitTunnel no <== whether tun(4) device forwarding is allowed
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none <== the contents of the named file are shown to the remote user before authentication; by default nothing is shown, and "none" disables the feature

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS <== environment variables the client is allowed to send; accept an explicit list rather than broad wildcards, since some variables can be used to escape restricted environments

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server <== configures the external sftp subsystem and its path (internal-sftp needs no binary and works inside a ChrootDirectory)

# Example of overriding settings on a per-user basis
#Match User anoncvs <== introduces a conditional block; it ends at the next Match directive or at the end of the file, and the directives inside apply only to connections that match
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
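The following is an added example, not part of the original post: a POSIX shell audit script that reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, commented lines set nothing, and anything below a Match line is conditional) and reports which of the recommendations above are not set explicitly. The two configuration files it writes are constructed for the example; the temporary paths and the list of audited keywords are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config for the
# hardening choices recommended in the listing above, reading it the way sshd
# does. File names and the audited keyword list are assumptions.
#
# sshd_config semantics relied on here:
#   - keywords are case-insensitive, values are not
#   - the FIRST uncommented occurrence of a keyword wins
#   - a commented line documents the compiled-in default but sets nothing
#   - everything after the first "Match" line is conditional, so it must not
#     be reported as the global value (a plain grep gets this wrong)

# effective_value FILE KEY: print KEY's global value, empty if not set explicitly
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/                  { next }   # comment line
        NF == 0                     { next }   # blank line
        { gsub(/=/, " ") }                     # "Key=value" is also legal
        tolower($1) == "match"      { exit }   # conditional section starts here
        tolower($1) == tolower(key) {          # first occurrence wins
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit
        }
    ' "$1"
}

# expect FILE KEY WANT: succeed silently if KEY is explicitly WANT, otherwise
# print a finding and fail. Unset counts as a finding on purpose: compiled-in
# defaults differ between versions and distributions, so a baseline should
# state every security-relevant value explicitly.
expect() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        return 0
    fi
    printf '%s: %s is %s, expected "%s"\n' "$1" "$2" "${got:-unset}" "$3"
    return 1
}

# audit_sshd FILE: one finding per line on stdout, exit status 1 if any
audit_sshd() {
    rc=0
    expect "$1" PermitRootLogin no                 || rc=1
    expect "$1" PasswordAuthentication no          || rc=1
    expect "$1" PermitEmptyPasswords no            || rc=1
    expect "$1" PubkeyAuthentication yes           || rc=1
    expect "$1" ChallengeResponseAuthentication no || rc=1
    expect "$1" X11Forwarding no                   || rc=1
    expect "$1" PermitUserEnvironment no           || rc=1
    return $rc
}

# write_weak_config FILE: constructed sample mirroring the stock file above
write_weak_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# applies to the management network only; an admin who greps for
# PermitRootLogin sees "no" here and is misled, the global value is unset
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
}

# write_hardened_config FILE: the same file with the recommended values set
# explicitly, plus a chrooted sftp-only group as an example Match block
# (sshd requires the chroot directory and all its parents to be root-owned
# and not group- or world-writable)
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PermitUserEnvironment no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}

# Demo: audit both constructed files (the temporary paths are assumptions)
tmp=$(mktemp -d)
write_weak_config "$tmp/sshd_config.weak"
write_hardened_config "$tmp/sshd_config.hardened"
for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    if audit_sshd "$f"; then
        echo "$f: OK"
    fi
done
rm -r "$tmp"
```

Run it with sh: the weak sample produces one finding per missing or wrong directive, the hardened one reports OK. This text-level check is only a first pass. Before restarting sshd, run `sshd -t -f FILE` to validate the syntax, and use `sshd -T` to print the configuration sshd actually compiled, defaults included, which is the authoritative answer for any directive left unset. Keep an existing session open while restarting sshd so a mistake in the new file cannot lock you out.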