linux运维配置讲解--sshd-config
Posted kingle66
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux运维配置讲解--sshd-config相关的知识,希望对你有一定的参考价值。
文件配置:
1, /etc/ssh/sshd_config
ssh配置文件
2, /etc/shadow
密码文件
3, /etc/sudoers
授权用户管理文件
4, /etc/issue
系统信息文件,可删除
5,/etc/issue.net
远程登入欢迎信息需要更改
6, /etc/redhat-release
操作系统和版本信息最好更改
7, /etc/motd
文件的系统公告,登入系统会显示在用户的终端
8, Control - Alt - Delete
组合键重启系统快捷键更改位置:
centos5.X:/etc/inittab
centos6.X:/etc/init/Control-alt-delete.con 下更改
9, 文件 /etc/ssh/sshd_config 配置详情:
Port 22 :Port用来设置sshd监听的端口
Protocol 2 :设置使用ssh协议的版本为SSH1或者SSH2 SSH1有版本漏洞所以设置2
ListenAddress 0.0.0.0 用来设置ssh服务绑定的IP地址
HostKey /etc/ssh/ssh_host_dsa_key 用来设置 服务器密钥文件的路径
KeyRegenerationInterval 1h 用来设置在多久后系统治冻生成服务器的密钥,重新生成密钥放置利用盗用密钥解密被截获的信息
ServerKeyBits 1024 密钥的长度
SyslogFacility AUTHPRIV 设定记录来自shh消息的时候是否给出facility code
LogLevel INFO 记录ssh日志消息级别
LoginGraceTime 2m 用户登入失败,切断连接等待时间
PermitRootLogin yes 设置不能root远程登入服务器
strictModes yes 接受ssh登入之前检查用户根权限
RSAAuthentication yes 是否设置RSA密钥验证
PubkeyAuthentication yes 设置是否公钥验证
AuthorizedKeysFile .ssh/authorized_keys 设置公钥验证文件路径
AuthorizedKeysCommand none
AuthorizedKeysCommandRunAs nobody
For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
similar for protocol version 2
HostbasedAuthentication no
Change to yes if you don‘t trust ~/.ssh/known_hosts for
RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no ssh进行安全验证时候是否忽略用户“$HOME/.SSH/known_hosts”
Don‘t read the user‘s ~/.rhosts and ~/.shosts files
IgnoreRhosts yes 设置验证时候是否使用“~/rhosts” "~/shorts" 文件
To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes 时候开启密码验证
PermitEmptyPasswords no 设置是否允许空口令帐号登入系统
PasswordAuthentication yes
Change to no to disable s/key passwords
ChallengeResponseAuthentication yes 禁用 s/key 密码
ChallengeResponseAuthentication no
Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no
KerberosUseKuserok yes
GSSAPI options
GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no
Set this to ‘yes‘ to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will
be allowed through the ChallengeResponseAuthentication and
PasswordAuthentication. Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to ‘no‘.
UsePAM no 不通过PAM验证
UsePAM yes
Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
X11Forwarding yes 设置是否允许X11转发
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes 设置ssd 是否在用户登入的时候显示”/etc/motd“
PrintLastLog yes 是否显示上次的登录信息
TCPKeepAlive yes防止死链接
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
ShowPatchLevel no
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10:30:100 设置允许几个尚未登入的联机
PermitTunnel no
ChrootDirectory none
no default banner path
Banner none
override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Example of overriding settings on a per-user basis
Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
ForceCommand cvs server
10, /etc/bashrc
用户环境变量
11,/etc/profile
系统变量
12, /etc/host.allow && /etc/host.deny
主要参数
service:代理服务器名
hosts 主机名或者ip地址
action 动作
ALL 所有服务器或者ip
all Except除去
以上是关于linux运维配置讲解--sshd-config的主要内容,如果未能解决你的问题,请参考以下文章
20170117老男孩linux实战运维培训-SSH KEY免密码验证分发管理备份实战讲解01