Detailed explanation of the SSH server-side /etc/ssh/sshd_config configuration file

Preface: this article was compiled by the editors of 小常识网 (cha138.com). It walks through the SSH server-side /etc/ssh/sshd_config configuration file directive by directive; we hope it is of some reference value to you.

  #Port 22 : Listening port; 22 by default [default, can be changed]
  #AddressFamily any : Which protocol family to use, IPv4 or IPv6; any means both
  #ListenAddress 0.0.0.0 : Address to listen on; 0.0.0.0 means every address of this host [default, can be changed]
  #ListenAddress :: : Listen on all IPv6 addresses
  # The default requires explicit activation of protocol 1
  #Protocol 2 : Use SSH protocol version 2; on CentOS 7 protocol version 1 is refused by default
  # HostKey for protocol version 1 : Version 1 of SSH supports only the following key type
  #HostKey /etc/ssh/ssh_host_key
  # HostKeys for protocol version 2 : Host keys for protocol version 2; the following four key file locations are supported (CentOS 6 supports only rsa and dsa)
  HostKey /etc/ssh/ssh_host_rsa_key : RSA private key [default]
  #HostKey /etc/ssh/ssh_host_dsa_key : DSA private key
  HostKey /etc/ssh/ssh_host_ecdsa_key : ECDSA private key
  HostKey /etc/ssh/ssh_host_ed25519_key : Ed25519 private key
  # Lifetime and size of ephemeral version 1 server key
  #KeyRegenerationInterval 1h
  #ServerKeyBits 1024 : Host key length
  # Ciphers and keying
  #RekeyLimit default none
  # Logging
  # obsoletes QuietMode and FascistLogging
  #SyslogFacility AUTH
  SyslogFacility AUTHPRIV : When someone logs in over ssh, sshd records it; the messages are stored in /var/log/secure
  #LogLevel INFO : Log level
  # Authentication:
  #LoginGraceTime 2m : Login grace period; if no password is entered within 2 minutes (the default), the connection is dropped
  #PermitRootLogin no
  PermitRootLogin yes : Whether the administrator (root) may log in directly; 'yes' allows it
  #StrictModes yes : Whether sshd checks the permissions of the user's home directory and related files
  #MaxAuthTries 6 : Maximum authentication attempts; at most 6 password entries, after which you must wait a while before trying again
  #MaxSessions 10 : Maximum number of sessions allowed
  #RSAAuthentication yes
  #PubkeyAuthentication yes
  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
  # but this is overridden so installations will only check .ssh/authorized_keys
  AuthorizedKeysFile .ssh/authorized_keys : The public half of a key pair is placed in the server's .ssh/authorized_keys; the client holds the matching private key
  #AuthorizedPrincipalsFile none
  #AuthorizedKeysCommand none
  #AuthorizedKeysCommandUser nobody
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #RhostsRSAAuthentication no
  # similar for protocol version 2
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # RhostsRSAAuthentication and HostbasedAuthentication
  #IgnoreUserKnownHosts no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  # To disable tunneled clear text passwords, change to no here!
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  PasswordAuthentication yes : Whether password-based authentication is allowed
  # Change to no to disable s/key passwords
  #ChallengeResponseAuthentication yes
  ChallengeResponseAuthentication no : Whether any form of password authentication is allowed
  # Kerberos options : Whether Kerberos authentication (third-party authentication, e.g. via LDAP) is supported; default no
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no
  #KerberosUseKuserok yes
  # GSSAPI options
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials no
  #GSSAPIStrictAcceptorCheck yes
  #GSSAPIKeyExchange no
  #GSSAPIEnablek5users no
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication. Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
  # problems.
  UsePAM yes
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
  X11Forwarding yes : Whether X11 forwarding is allowed; lets X window data travel over the SSH connection (see the ssh -X option): # ssh -X [email protected]
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PermitTTY yes
  #PrintMotd yes
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
  UsePrivilegeSeparation sandbox # Default for new installations.
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #ShowPatchLevel no
  #UseDNS yes : Whether to reverse-resolve client addresses in DNS; set to no to make client connections faster
  #PidFile /var/run/sshd.pid
  #MaxStartups 10:30:100
  #PermitTunnel no
  #ChrootDirectory none
  #VersionAddendum none
  # no default banner path
  #Banner none
  # Accept locale-related environment variables
  AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  AcceptEnv XMODIFIERS
  # override default of no subsystems
  Subsystem sftp /usr/libexec/openssh/sftp-server : Enables SFTP; if this line is commented out, sftp connections are not supported
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #       X11Forwarding no
  #       AllowTcpForwarding no
  #       PermitTTY no
  #       ForceCommand cvs server
  AllowUsers user1 user2 : Login whitelist (not present by default; add it by hand): the users allowed to log in remotely. A user not on the list is refused login
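As an added example (not part of the original post), the following POSIX shell audit reads the effective value of the directives discussed above the way sshd does (the first occurrence of a keyword wins, and anything after a Match line is conditional) and flags the settings this annotated file leaves in a weak state. The sample config, the hardened target values and the helper names sshd_value, sshd_check and audit_sshd_config are constructed for the example.

```shell
# Constructed sample config: the directives the annotated sshd_config above leaves
# active, written to a temp file so the checks below run offline.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Comments and blank lines are ignored; keywords are case-insensitive.
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers user1 user2
EOF

# Effective global value of one keyword. sshd keeps the FIRST occurrence, not the
# last, and anything after the first Match line is conditional, so the scan stops
# there. Prints nothing if unset. Assumes "Keyword value" (not "Keyword=value").
sshd_value() {  # sshd_value <config-file> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comment or blank line
        tolower($1) == "match"   { exit }                      # conditional block begins
        tolower($1) == key       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report one keyword whose effective value differs from the hardened value.
# <default> is the upstream compiled-in default that applies when the keyword is
# unset (distro packages may patch it, so an unset keyword is still judged).
sshd_check() {  # sshd_check <config-file> <keyword> <default> <want> <why>
    got=$(sshd_value "$1" "$2")
    if [ -z "$got" ]; then
        [ "$3" = "$4" ] || echo "$2 unset (default $3), want $4: $5"
    elif [ "$got" != "$4" ]; then
        echo "$2 is '$got', want $4: $5"
    fi
}

# Audit the settings the annotated file above leaves in a weak state.
# One finding per line; no output means every check passed.
audit_sshd_config() {  # audit_sshd_config <config-file>
    sshd_check "$1" PermitRootLogin prohibit-password no "log in as a named user, escalate with sudo"
    sshd_check "$1" PasswordAuthentication yes no "keys only; removes online password guessing"
    sshd_check "$1" PermitEmptyPasswords no no "empty passwords must never be accepted"
    sshd_check "$1" X11Forwarding no no "disable unless X clients are really needed"
}
audit_sshd_config "$SAMPLE_CONF"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; an empty result means the four checked directives already have their hardened values.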
