ssh_config is the configuration file of the OpenSSH client; sshd_config is the configuration file of the OpenSSH server (sshd).
[root@centos78 ~]# cd /etc/ssh/
[root@centos78 ssh]# ll
total 604
-rw-r--r--. 1 root root     581843 Aug  9  2019 moduli
-rw-r--r--. 1 root root       2276 Aug  9  2019 ssh_config
-rw-------. 1 root root       3907 Aug  9  2019 sshd_config
-rw-r-----. 1 root ssh_keys    227 Feb 19 17:19 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Feb 19 17:19 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Feb 19 17:19 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Feb 19 17:19 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   1679 Feb 19 17:19 ssh_host_rsa_key        # RSA host private key used by SSH2
-rw-r--r--. 1 root root        382 Feb 19 17:19 ssh_host_rsa_key.pub    # RSA host public key used by SSH2

Note the modes in the listing: the private host keys are 0640 root:ssh_keys, their .pub halves are world-readable, and sshd_config itself is 0600 while ssh_config is world-readable.
[root@centos78 ~]# ssh
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
1. The sshd_config configuration file
[root@centos78 ssh]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22                            // port sshd listens on; default 22
#AddressFamily any
#ListenAddress 0.0.0.0              // IP address sshd binds to; 0.0.0.0 means listen on all addresses
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key   // location of the SSH2 RSA host key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH                // whether a facility code is attached when logging messages from sshd
SyslogFacility AUTHPRIV             // syslog facility that sshd logs to
#LogLevel INFO                      // syslog log level

# Authentication:

#LoginGraceTime 2m                  // if the user has not logged in successfully within this time, sshd drops the connection
#PermitRootLogin yes                // yes allows root to log in over ssh; no forbids root logins over ssh
#StrictModes yes                    // whether sshd checks the ownership and permissions of the user's home directory and rhosts files before accepting a login; prevents them from being world-writable
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes           // whether public-key authentication is allowed

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys   // where the public-key file is stored

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no            // whether sshd trusts the user's ~/.ssh/known_hosts file during RhostsRSAAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes                   // whether ~/.rhosts and ~/.shosts are consulted during authentication

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no            // whether logging in with an empty password is allowed
PasswordAuthentication yes          // whether password authentication is used; default yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no  // whether challenge/response authentication is allowed; sshd supports every authentication type defined in login.conf

# Kerberos options                  // Kerberos authentication
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options                    // GSSAPI authentication
GSSAPIAuthentication yes
GSSAPICleanupCredentials no         // clear the authentication credentials
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes                          // whether the PAM pluggable authentication modules are used; default yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes                   // whether sshd allows X11 forwarding; the default is to allow it
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes                      // whether sshd prints /etc/motd when a user logs in
#PrintLastLog yes                   // whether the date and time of the user's previous login are printed on interactive login
#TCPKeepAlive yes                   // TCP keep-alive
#UseLogin no                        // whether the login command is used for interactive login sessions
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none                        // file holding the banner text; it is shown to the user at login

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS                // which environment variables sent by the client are copied into the session environment (the client must list them with the SendEnv option in its ssh_config)

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
                                    // configures an external service program, such as the sftp-server file transfer server.
                                    // the value is a subsystem name followed by a command that is started on request from the client.
                                    // sftp-server implements the sftp file transfer subsystem. This option applies only to SSH2.

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
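The file header above states the two rules that decide which sshd_config line is actually in force: commented lines only document defaults, and an uncommented line overrides them. A third rule, the `Match` block at the end, makes everything below it conditional. The following audit script is an added example, not part of the original post or of OpenSSH: it resolves the first active value of a keyword with exactly those rules and compares a few security-relevant settings of the shipped CentOS 7 file against a hardened baseline (key-only authentication, no root login, no X11 forwarding, PAM on). The baseline keywords and the hardened values are assumptions chosen for the example; the "default" column repeats what the commented lines above document.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the effective value of a
# few security-relevant sshd_config keywords against a hardened baseline.
# sshd honours the FIRST active occurrence of a keyword, commented lines only
# document defaults, and everything below a "Match" line is conditional, so
# the resolver stops there.

# effective_value FILE KEYWORD DEFAULT
# Prints the first active value of KEYWORD (keywords are case-insensitive),
# or DEFAULT when the keyword is absent or only present as a comment.
effective_value() {
    _file=$1 _key=$2 _default=$3
    _val=$(awk -v k="$_key" '
        /^[[:space:]]*(#|$)/ { next }          # comment or blank line
        tolower($1) == "match" { exit }        # conditional block: stop here
        tolower($1) == tolower(k) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # strip keyword
            print; exit
        }' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# audit_sshd_config FILE
# Prints one WEAK line per deviation from the baseline and returns the number
# of deviations (0 = clean). Columns: keyword|default documented by the
# commented lines of the CentOS 7 file|hardened value assumed for this example.
audit_sshd_config() {
    _f=$1 _n=0
    while IFS='|' read -r key def want; do
        have=$(effective_value "$_f" "$key" "$def")
        if [ "$have" != "$want" ]; then
            printf 'WEAK: %s is "%s", expected "%s"\n' "$key" "$have" "$want"
            _n=$((_n + 1))
        fi
    done <<'EOF'
PermitRootLogin|yes|no
PasswordAuthentication|yes|no
PermitEmptyPasswords|no|no
PubkeyAuthentication|yes|yes
X11Forwarding|no|no
UsePAM|no|yes
EOF
    return $_n
}

# Constructed sample: the active lines of the shipped config shown above, plus
# a Match block to show that conditional settings are not counted.
write_shipped_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Match User anoncvs
    X11Forwarding no
EOF
}

# Hardened counterpart of the same file (constructed).
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
UsePAM yes
EOF
}

# Stand-alone run: sh audit_sshd.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_shipped_sshd_config "$tmp/shipped"
    write_hardened_sshd_config "$tmp/hardened"
    for f in shipped hardened; do
        printf '== %s ==\n' "$f"
        audit_sshd_config "$tmp/$f" || printf '%s finding(s)\n' "$?"
    done
    rm -rf "$tmp"
fi
```

Run it as `sh audit_sshd.sh --demo`: the shipped sample is flagged on PermitRootLogin (commented, so the documented default `yes` applies), PasswordAuthentication and X11Forwarding, while the hardened file passes clean and the `X11Forwarding no` inside the Match block is correctly ignored. On a real host, point `audit_sshd_config` at /etc/ssh/sshd_config; after editing that file, validate it with `sshd -t` before restarting the service, and if the port is changed on a SELinux system, run the `semanage port` command quoted in the file's own header as well.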
2. The ssh_config configuration file
[root@centos78 ssh]# cat /etc/ssh/ssh_config
#	$OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:   // order of precedence of configuration options
#  1. command line options                    // command-line options
#  2. user-specific file                      // the user's own file
#  3. system-wide file                        // the system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *                            // range of hosts the block applies to; '*' means all of them
#   ForwardAgent no                 // whether the connection to the authentication agent (if any) is forwarded to the remote host
#   ForwardX11 no                   // whether X11 connections are automatically redirected over the secure channel and display set
#   RhostsRSAAuthentication no      // whether RSA-based rhosts authentication is used
#   RSAAuthentication yes           // whether RSA authentication is used
#   PasswordAuthentication yes      // whether password authentication is used
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no                    // if yes, the prompts for interactive input (passphrase/password prompts) are suppressed
#   CheckHostIP yes                 // whether ssh checks the IP address of the host it connects to, to guard against DNS spoofing; yes is recommended
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask       // if set to yes, ssh will not add host keys automatically
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa      // location of the RSA identity file
#   IdentityFile ~/.ssh/id_dsa      // location of the DSA identity file
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22                         // server port
#   Protocol 2                      // SSH protocol version used
#   Cipher 3des                     // encryption cipher
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~                    // escape character
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#
# Uncomment this if you want to use .local domain
# Host *.local
#   CheckHostIP no

Host *
    GSSAPIAuthentication yes

# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
    ForwardX11Trusted yes

# Send locale-related environment variables   // locale environment variables
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS
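The header of ssh_config states the rule that decides every client setting: a value is only changed the first time it is set, so host-specific `Host` blocks must come before the `Host *` defaults. The script below is an added example, not part of the original post or of OpenSSH: it emulates that first-value-wins resolution over `Host` blocks (shell-glob patterns, including `!` negation) and shows, on two constructed configs with hypothetical host names, how moving `Host *` to the top silently disables the specific block. `Match` lines are treated as never matching because their criteria are not evaluated here; that simplification is an assumption of the example.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve the value the ssh
# client would use for a keyword on a given host, emulating the rule that the
# FIRST value set wins. Host patterns are matched as shell globs (with "!"
# negation); "Match" lines are treated as never matching (assumption).

# resolve_option FILE HOST KEYWORD [DEFAULT]
resolve_option() {
    _file=$1 _host=$2 _default=${4:-}
    _key=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    _active=1 _found=
    set -f                       # "Host *" must not undergo pathname expansion
    while read -r kw rest; do
        case $kw in ''|'#'*) continue ;; esac      # blank line or comment
        lkw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        if [ "$lkw" = match ]; then
            _active=0; continue
        fi
        if [ "$lkw" = host ]; then
            _active=0 _neg=0
            for pat in $rest; do
                case $pat in
                    '!'*) case $_host in ${pat#?}) _neg=1 ;; esac ;;
                    *)    case $_host in $pat)     _active=1 ;; esac ;;
                esac
            done
            if [ "$_neg" -eq 1 ]; then _active=0; fi   # negation vetoes the block
            continue
        fi
        if [ "$_active" -eq 1 ] && [ "$lkw" = "$_key" ]; then
            _found=$rest                       # first value set wins
            break
        fi
    done < "$_file"
    set +f
    printf '%s\n' "${_found:-$_default}"
}

# Constructed sample in the recommended order: host-specific blocks first,
# site-wide defaults last. Host names are hypothetical.
write_ordered_config() {
    cat > "$1" <<'EOF'
# constructed example hosts, not from the original post
Host bastion.example.com
    Port 2222
    IdentityFile ~/.ssh/id_ed25519
    StrictHostKeyChecking yes

Host *.lab.example.com !untrusted.lab.example.com
    ForwardAgent yes

Host *
    Port 22
    ForwardAgent no
    StrictHostKeyChecking ask
    GSSAPIAuthentication yes
EOF
}

# Same settings with "Host *" moved to the top: because the first value set
# wins, bastion.example.com now gets Port 22 and the specific block is dead.
write_shadowed_config() {
    cat > "$1" <<'EOF'
Host *
    Port 22
    StrictHostKeyChecking ask

Host bastion.example.com
    Port 2222
    StrictHostKeyChecking yes
EOF
}

# Stand-alone run: sh resolve_ssh_config.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_ordered_config "$tmp/ordered"
    write_shadowed_config "$tmp/shadowed"
    for f in ordered shadowed; do
        printf '%s: bastion.example.com -> Port %s, StrictHostKeyChecking %s\n' "$f" \
            "$(resolve_option "$tmp/$f" bastion.example.com Port 22)" \
            "$(resolve_option "$tmp/$f" bastion.example.com StrictHostKeyChecking ask)"
    done
    rm -rf "$tmp"
fi
```

The demo prints Port 2222 / StrictHostKeyChecking yes for the ordered file and Port 22 / ask for the shadowed one, which is the misconfiguration the header warns about. With a real client, `ssh -G -F <file> <host>` prints the complete effective configuration ssh computed for that host (both flags appear in the usage line at the top of the page) and is the authoritative way to confirm what this resolver approximates.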