sshd_config配置文件
[root@u0704-t5-test-shaoew1 ~]$cat /etc/ssh/sshd_config #Port 22 监听端口,默认监听22端口 【默认可修改】 #AddressFamily any IPV4和IPV6协议家族用哪个,any表示二者均有 #ListenAddress 0.0.0.0 指明监控的地址,0.0.0.0表示本机的所有地址 【默认可修改】 #ListenAddress :: 指明监听的IPV6的所有地址格式 # The default requires explicit activation of protocol 1 #Protocol 2 使用SSH第二版本,centos7默认第一版本已拒绝 # HostKey for protocol version 1 一版的SSH支持以下一种秘钥形式 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 使用第二版本发送秘钥,支持以下四种秘钥认证的存放位置:(centos6只支持rsa和dsa两种) HostKey /etc/ssh/ssh_host_rsa_key rsa私钥认证 【默认】 #HostKey /etc/ssh/ssh_host_dsa_key dsa私钥认证 HostKey /etc/ssh/ssh_host_ecdsa_key ecdsa私钥认证 HostKey /etc/ssh/ssh_host_ed25519_key ed25519私钥认证 # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 主机秘钥长度 # Ciphers and keying #RekeyLimit default none # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV 当有人使用ssh登录系统的时候,SSH会记录信息,信息保存在/var/log/secure里面 #LogLevel INFO 日志的等级 # Authentication: #LoginGraceTime 2m 登录的宽限时间,默认2分钟没有输入密码,则自动断开连接 #PermitRootLogin no PermitRootLogin yes 是否允许管理员直接登录,'yes'表示允许 #StrictModes yes 是否让sshd去检查用户主目录或相关文件的权限数据 #MaxAuthTries 6 最大认证尝试次数,最多可以尝试6次输入密码。之后需要等待某段时间后才能再次输入密码 #MaxSessions 10 允许的最大会话数 #RSAAuthentication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys 服务器生成一对公私钥之后,会将公钥放到.ssh/authorizd_keys里面,将私钥发给客户端 #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes 是否允许支持基于口令的认证 # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no 是否允许任何的密码认证 # Kerberos options 是否支持kerberos(基于第三方的认证,如LDAP)认证的方式,默认为no #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # problems. UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes 是否允许x11转发,可以让窗口的数据通过SSH连接来传递(请查看ssh -X 参数):#ssh -X user@IP #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes 是否反解DNS,如果想让客户端连接服务器端快一些,这个可以改为no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server 支持 SFTP ,如果注释掉,则不支持sftp连接 # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server AllowUsers user1 user2 登录白名单(默认没有这个配置,需要自己手动添加),允许远程登录的用户。如果名单中没有的用户,则提示拒绝登录