Detailed explanation of the parameters in the SSH configuration file /etc/ssh/sshd_config
1: Detailed explanation of the configuration file parameters
1) SSH server configuration file (/etc/ssh/sshd_config)
[root@controller ~]# vi /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
2) Annotated configuration files (ssh_config and sshd_config)
/etc/ssh/ssh_config  # configuration file overview
Host *                          # The "Host" option applies only to hosts that match the string following it; "*" means all hosts.
ForwardAgent no                 # Whether the connection's authentication agent (if one exists) is forwarded to the remote host.
ForwardX11 no                   # Whether X11 connections are automatically redirected over the secure channel and DISPLAY set.
RhostsAuthentication no         # Whether rhosts-based authentication is used.
RhostsRSAAuthentication no      # Whether rhosts-based authentication combined with the RSA algorithm is used.
RSAAuthentication yes           # Whether RSA authentication is used.
PasswordAuthentication yes      # Whether password authentication is used.
FallBackToRsh no                # Whether to fall back to rsh automatically when the ssh connection fails.
UseRsh no                       # Whether "rlogin/rsh" is used on this host.
BatchMode no                    # If set to "yes", passphrase/password prompts (interactive password entry) are disabled. When a password cannot be entered interactively, this option is useful for script files...
CheckHostIP yes                 # Whether ssh checks the IP address of the host it connects to, to guard against DNS spoofing. Setting it to "yes" is recommended.
StrictHostKeyChecking no        # If set to "yes", ssh will not automatically add host keys to "$HOME/.ssh/known_hosts", and once a host's key has changed, it...
IdentityFile ~/.ssh/identity    # Which file the user's RSA authentication identity is read from.
Port 22                         # The port to connect to on the remote host.
Cipher blowfish                 # The cipher used for encryption.
EscapeChar ~                    # The escape character.
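The `Host *` block above sets every option globally and sits at the top of the file. Because ssh uses the first value it obtains for each option, a host-specific block placed after it cannot tighten any of those settings (a later block can only add options the catch-all block left unset). The Python script below is an added example, not code from the original article or from OpenSSH: it parses a file in ssh_config syntax, resolves the options that apply to a given host name using the `Host` pattern rules (`*` and `?` wildcards, `!` negation, first value wins), and reports options that a later block can never apply. The sample configuration, host names and key path are constructed for the example.

```python
"""Resolve which ssh_config options apply to a host name (added example)."""
import fnmatch
import re

# Constructed sample config, not taken from any real system: the catch-all
# 'Host *' block comes first, so its values shadow the bastion block.
SAMPLE_CONFIG = """
Host *
    StrictHostKeyChecking no
    ForwardAgent no

Host bastion.example.com
    StrictHostKeyChecking yes
    ForwardAgent yes
    IdentityFile ~/.ssh/bastion_key

Host *.example.com !bastion.example.com
    User deploy
"""


def parse_ssh_config(text):
    """Return [(patterns, {option: value}), ...] in file order.

    Options before the first 'Host' line belong to an implicit 'Host *'
    block. Option names are case-insensitive, so they are lower-cased;
    both 'Key value' and 'Key=value' spellings are accepted.
    """
    blocks = []
    current = (["*"], {})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append(current)
            current = (value.split(), {})
        else:
            current[1].setdefault(key, value)  # first occurrence wins here too
    blocks.append(current)
    return [block for block in blocks if block[1]]


def host_matches(hostname, patterns):
    """ssh_config pattern-list semantics: a matching negated pattern excludes
    the host outright; otherwise any matching positive pattern is enough."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched


def effective_options(hostname, text):
    """Options ssh would use for 'hostname': the first obtained value wins."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(hostname, patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def shadowed_options(text):
    """Options a block can never apply because an earlier 'Host *' block
    already set them. Returns (patterns, option, wanted, actual) tuples."""
    findings = []
    set_globally = {}
    for patterns, options in parse_ssh_config(text):
        for key, value in options.items():
            if key in set_globally:
                findings.append((" ".join(patterns), key, value, set_globally[key]))
            elif patterns == ["*"]:
                set_globally[key] = value
    return findings


if __name__ == "__main__":
    print(effective_options("bastion.example.com", SAMPLE_CONFIG))
    for patterns, key, wanted, actual in shadowed_options(SAMPLE_CONFIG):
        print("Host %s: %s %s is shadowed by earlier Host * value %s" % (patterns, key, wanted, actual))
```

Run against the sample, the bastion host still gets `StrictHostKeyChecking no` and `ForwardAgent no`; moving the `Host *` block to the end of the file is the usual fix. The script models a single file; real ssh applies command-line options first, then `~/.ssh/config`, then `/etc/ssh/ssh_config`, and `ssh -G hostname` prints the configuration ssh would actually use for a host.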
/etc/ssh/sshd_config  # configuration file overview
Port 22                      # SSH uses port 22 by default; it is better to use a different port!
Protocol 2,1                 # The SSH protocol version to use, either 1 or 2; to support both at once you must write them as 2,1, separated by a comma!
ListenAddress 0.0.0.0        # The network interface to listen on! For example, if you have two IPs, 192.168.0.100 and 192.168.2.20, and only want to expose 192.168.0.100,
                             # you can write it as follows:
ListenAddress 192.168.0.100  # Only listens for SSH connections on the IP 192.168.0.100. If this setting is not used, all interfaces accept SSH by default.
PidFile /var/run/sshd.pid    # The file that holds the PID of sshd! The values in the left column are the defaults.
LoginGraceTime 600           # After a user connects to the SSH server the password prompt appears; if login to the SSH server has not succeeded within this time, the connection is dropped! In seconds!
Compression yes              # Whether compression may be used?
HostKey /etc/ssh/ssh_host_key        # Private key used by SSH version 1
HostKey /etc/ssh/ssh_host_rsa_key    # RSA private key used by SSH version 2
HostKey /etc/ssh/ssh_host_dsa_key    # DSA private key used by SSH version 2
KeyRegenerationInterval 3600         # As the earlier description of the connection shows, version 1 uses the server's public key and regenerates it after a period of time! In seconds!
ServerKeyBits 768                    # Length of the server key!
SyslogFacility AUTH                  # When someone logs in through SSH, SSH records the information
LogLevel INFO                        # Level of the login log --> everything
PermitRootLogin no                   # Whether root may log in! Allowed by default, but setting it to no is recommended!
UseLogin no                          # SSH does not accept logins through the login program anyway!
StrictModes yes                      # When the user's host key has changed, the server no longer accepts the connection
RSAAuthentication yes                # Whether pure RSA authentication is used!? Version 1 only!
PubkeyAuthentication yes             # Whether public keys are allowed? Version 2 only
AuthorizedKeysFile .ssh/authorized_keys   # For accounts that may log in without a password, the name of the file in which that account's keys are stored!
RhostsAuthentication no              # This system does not use .rhosts; .rhosts is insecure!
IgnoreRhosts yes                     # Whether to stop using ~/.ssh/.rhosts for authentication!
RhostsRSAAuthentication no           # For version 1: authenticate with the rhosts file in /etc/hosts.equiv combined with the RSA algorithm!
HostbasedAuthentication no           # Similar to the item above, but for version 2!
IgnoreUserKnownHosts no              # Whether to ignore the hosts recorded in ~/.ssh/known_hosts in the home directory
PasswordAuthentication yes           # Password authentication is of course needed!
PermitEmptyPasswords no              # If the item above is set to yes, this one is best set to no; it controls whether login with an empty password is allowed!
ChallengeResponseAuthentication yes  # Challenge any password authentication! So any authentication method permitted by the login configuration applies!
PAMAuthenticationViaKbdInt yes       # Whether to enable other PAM modules! Enabling this causes the PasswordAuthentication setting to become ineffective!
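Both listings of /etc/ssh/sshd_config in this article (the CentOS default in section 1 and the annotated version above) leave on settings the comments themselves advise against: direct root login, password authentication, protocol 1 and a long LoginGraceTime. The Python script below is an added example, not code from the original article or from OpenSSH. It audits a file written in sshd_config syntax the way sshd reads it: `#` comments are stripped, keywords are case-insensitive, the first occurrence of a keyword wins, and keywords after a `Match` line count only for the matched connections, so a restriction placed there must not be mistaken for the global value. The sample file, the table of defaults and the list of checks are the example's own assumptions (the defaults are those of the OpenSSH 6.x file shown in section 1; later releases changed the PermitRootLogin default to prohibit-password).

```python
"""Audit an sshd_config for weak settings, honouring sshd's parsing rules."""
import re

# Constructed sample (not any real host's file): a trimmed version of the kind
# of file shown in the article, with several weak settings left in on purpose.
SAMPLE_SSHD_CONFIG = """
#Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
PermitRootLogin no            # ignored: sshd keeps the first value it saw
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
LoginGraceTime 600
Match User anoncvs
    X11Forwarding no          # applies to anoncvs only, not to everyone
    PasswordAuthentication no
"""

# Defaults used when a keyword is commented out, as in the OpenSSH 6.x file
# shown in section 1 (assumed for this example).
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "logingracetime": "2m",
}


def to_seconds(value):
    """sshd time format: an integer with an optional s/m/h/d/w suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * units.get(m.group(2), 1)


# (keyword, predicate on the lower-cased effective value, finding text)
CHECKS = [
    ("protocol", lambda v: "1" in v.split(","),
     "SSH protocol 1 is enabled; use 'Protocol 2'"),
    ("permitrootlogin", lambda v: v == "yes",
     "root can log in directly with a password; set 'PermitRootLogin no'"),
    ("passwordauthentication", lambda v: v == "yes",
     "password logins accepted; prefer keys and set 'PasswordAuthentication no'"),
    ("permitemptypasswords", lambda v: v == "yes",
     "accounts with empty passwords can log in"),
    ("x11forwarding", lambda v: v == "yes",
     "X11 forwarding is enabled for every user"),
    ("maxauthtries", lambda v: int(v) > 6,
     "MaxAuthTries above the default 6 gives password guessing more room"),
    ("logingracetime", lambda v: to_seconds(v) > 120,
     "LoginGraceTime above 2 minutes keeps unauthenticated sessions open longer"),
]


def parse_sshd_config(text):
    """Return (global_options, match_blocks). Keywords are lower-cased; in the
    global section the FIRST occurrence wins; everything after a 'Match' line
    belongs to that block. Quoted arguments and Include are not handled."""
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "options": {}}
            match_blocks.append(current)
        elif current is not None:
            current["options"].setdefault(key, value)
        else:
            global_opts.setdefault(key, value)
    return global_opts, match_blocks


def audit(text):
    """Return [(keyword, effective global value, finding), ...]."""
    global_opts, _ = parse_sshd_config(text)
    findings = []
    for key, is_weak, message in CHECKS:
        value = global_opts.get(key, DEFAULTS[key]).lower()
        if is_weak(value):
            findings.append((key, value, message))
    return findings


def match_only_hardening(text):
    """Keywords tightened inside a Match block while the global value is still
    weak: the restriction covers only the matched users or hosts."""
    _, match_blocks = parse_sshd_config(text)
    weak = {key for key, _, _ in audit(text)}
    return [(block["criteria"], key, value) for block in match_blocks
            for key, value in block["options"].items() if key in weak]


if __name__ == "__main__":
    for key, value, message in audit(SAMPLE_SSHD_CONFIG):
        print("%-24s %-6s %s" % (key, value, message))
    print("Match-only hardening:", match_only_hardening(SAMPLE_SSHD_CONFIG))
```

On a live host, `sshd -T` prints the configuration sshd actually uses after defaults and Match evaluation, and `sshd -t` checks the file for syntax errors before a restart; the script above is useful for reviewing files offline or in a repository, where neither command can run.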