SSH服务器端/etc/ssh/sshd_conf配置文件详解
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了SSH服务器端/etc/ssh/sshd_conf配置文件详解相关的知识,希望对你有一定的参考价值。
- #Port 22 监听端口,默认监听22端口 【默认可修改】
- #AddressFamily any IPV4和IPV6协议家族用哪个,any表示二者均有
- #ListenAddress 0.0.0.0 指明监控的地址,0.0.0.0表示本机的所有地址 【默认可修改】
- #ListenAddress :: 指明监听的IPV6的所有地址格式
-
The default requires explicit activation of protocol 1
- #Protocol 2 使用SSH第二版本,centos7默认第一版本已拒绝
-
HostKey for protocol version 1 一版的SSH支持以下一种秘钥形式
- #HostKey /etc/ssh/ssh_host_key
-
HostKeys for protocol version 2 使用第二版本发送秘钥,支持以下四种秘钥认证的存放位置:(centos6只支持rsa和dsa两种)
- HostKey /etc/ssh/ssh_host_rsa_key rsa私钥认证 【默认】
- #HostKey /etc/ssh/ssh_host_dsa_key dsa私钥认证
- HostKey /etc/ssh/ssh_host_ecdsa_key ecdsa私钥认证
- HostKey /etc/ssh/ssh_host_ed25519_key ed25519私钥认证
-
Lifetime and size of ephemeral version 1 server key
- #KeyRegenerationInterval 1h
- #ServerKeyBits 1024 主机秘钥长度
-
Ciphers and keying
- #RekeyLimit default none
-
Logging
-
obsoletes QuietMode and FascistLogging
- #SyslogFacility AUTH
- SyslogFacility AUTHPRIV 当有人使用ssh登录系统的时候,SSH会记录信息,信息保存在/var/log/secure里面
- #LogLevel INFO 日志的等级
-
Authentication:
- #LoginGraceTime 2m 登录的宽限时间,默认2分钟没有输入密码,则自动断开连接
- #PermitRootLogin no
- PermitRootLogin yes 是否允许管理员直接登录,‘yes‘表示允许
- #StrictModes yes 是否让sshd去检查用户主目录或相关文件的权限数据
- #MaxAuthTries 6 最大认证尝试次数,最多可以尝试6次输入密码。之后需要等待某段时间后才能再次输入密码
- #MaxSessions 10 允许的最大会话数
- #RSAAuthentication yes
- #PubkeyAuthentication yes
-
The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-
but this is overridden so installations will only check .ssh/authorized_keys
- AuthorizedKeysFile .ssh/authorized_keys 服务器生成一对公私钥之后,会将公钥放到.ssh/authorizd_keys里面,将私钥发给客户端
- #AuthorizedPrincipalsFile none
- #AuthorizedKeysCommand none
- #AuthorizedKeysCommandUser nobody
-
For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
- #RhostsRSAAuthentication no
-
similar for protocol version 2
- #HostbasedAuthentication no
-
Change to yes if you don‘t trust ~/.ssh/known_hosts for
-
RhostsRSAAuthentication and HostbasedAuthentication
- #IgnoreUserKnownHosts no
-
Don‘t read the user‘s ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
-
To disable tunneled clear text passwords, change to no here!
- #PasswordAuthentication yes
- #PermitEmptyPasswords no
- PasswordAuthentication yes 是否允许支持基于口令的认证
-
Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
- ChallengeResponseAuthentication no 是否允许任何的密码认证
-
Kerberos options 是否支持kerberos(基于第三方的认证,如LDAP)认证的方式,默认为no
- #KerberosAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
- #KerberosUseKuserok yes
-
GSSAPI options
- GSSAPIAuthentication yes
- GSSAPICleanupCredentials no
- #GSSAPIStrictAcceptorCheck yes
- #GSSAPIKeyExchange no
- #GSSAPIEnablek5users no
-
Set this to ‘yes‘ to enable PAM authentication, account processing,
-
and session processing. If this is enabled, PAM authentication will
-
be allowed through the ChallengeResponseAuthentication and
-
PasswordAuthentication. Depending on your PAM configuration,
-
PAM authentication via ChallengeResponseAuthentication may bypass
-
the setting of "PermitRootLogin without-password".
-
If you just want the PAM account and session checks to run without
-
PAM authentication, then enable this but set PasswordAuthentication
-
and ChallengeResponseAuthentication to ‘no‘.
-
WARNING: ‘UsePAM no‘ is not supported in Red Hat Enterprise Linux and may cause several
-
problems.
- UsePAM yes
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
- #GatewayPorts no
- X11Forwarding yes 是否允许x11转发,可以让窗口的数据通过SSH连接来传递(请查看ssh -X 参数):#ssh -X [email protected]
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PermitTTY yes
- #PrintMotd yes
- #PrintLastLog yes
- #TCPKeepAlive yes
- #UseLogin no
- UsePrivilegeSeparation sandbox # Default for new installations.
- #PermitUserEnvironment no
- #Compression delayed
- #ClientAliveInterval 0
- #ClientAliveCountMax 3
- #ShowPatchLevel no
- #UseDNS yes 是否反解DNS,如果想让客户端连接服务器端快一些,这个可以改为no
- #PidFile /var/run/sshd.pid
- #MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- #VersionAddendum none
-
no default banner path
- #Banner none
-
Accept locale-related environment variables
- AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
- AcceptEnv XMODIFIERS
-
override default of no subsystems
- Subsystem sftp /usr/libexec/openssh/sftp-server 支持 SFTP ,如果注释掉,则不支持sftp连接
-
Example of overriding settings on a per-user basis
- #Match User anoncvs
-
X11Forwarding no
-
AllowTcpForwarding no
-
PermitTTY no
-
ForceCommand cvs server
- AllowUsers user1 user2 登录白名单(默认没有这个配置,需要自己手动添加),允许远程登录的用户。如果名单中没有的用户,则提示拒绝登录
以上是关于SSH服务器端/etc/ssh/sshd_conf配置文件详解的主要内容,如果未能解决你的问题,请参考以下文章