SSH服务器端/etc/ssh/sshd_conf配置文件详解
[root@u0704-t5-test-shaoew1 ~]$cat /etc/ssh/sshd_config
- #Port 22 监听端口,默认监听22端口 【默认可修改】
- #AddressFamily any IPV4和IPV6协议家族用哪个,any表示二者均有
- #ListenAddress 0.0.0.0 指明监控的地址,0.0.0.0表示本机的所有地址 【默认可修改】
- #ListenAddress :: 指明监听的IPV6的所有地址格式
- # The default requires explicit activation of protocol 1
- #Protocol 2 使用SSH第二版本,centos7默认第一版本已拒绝
- # HostKey for protocol version 1 一版的SSH支持以下一种秘钥形式
- #HostKey /etc/ssh/ssh_host_key
- # HostKeys for protocol version 2 使用第二版本发送秘钥,支持以下四种秘钥认证的存放位置:(centos6只支持rsa和dsa两种)
- HostKey /etc/ssh/ssh_host_rsa_key rsa私钥认证 【默认】
- #HostKey /etc/ssh/ssh_host_dsa_key dsa私钥认证
- HostKey /etc/ssh/ssh_host_ecdsa_key ecdsa私钥认证
- HostKey /etc/ssh/ssh_host_ed25519_key ed25519私钥认证
- # Lifetime and size of ephemeral version 1 server key
- #KeyRegenerationInterval 1h
- #ServerKeyBits 1024 主机秘钥长度
- # Ciphers and keying
- #RekeyLimit default none
- # Logging
- # obsoletes QuietMode and FascistLogging
- #SyslogFacility AUTH
- SyslogFacility AUTHPRIV 当有人使用ssh登录系统的时候,SSH会记录信息,信息保存在/var/log/secure里面
- #LogLevel INFO 日志的等级
- # Authentication:
- #LoginGraceTime 2m 登录的宽限时间,默认2分钟没有输入密码,则自动断开连接
- #PermitRootLogin no
- PermitRootLogin yes 是否允许管理员直接登录,'yes'表示允许
- #StrictModes yes 是否让sshd去检查用户主目录或相关文件的权限数据
- #MaxAuthTries 6 最大认证尝试次数,最多可以尝试6次输入密码。之后需要等待某段时间后才能再次输入密码
- #MaxSessions 10 允许的最大会话数
- #RSAAuthentication yes
- #PubkeyAuthentication yes
- # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
- # but this is overridden so installations will only check .ssh/authorized_keys
- AuthorizedKeysFile .ssh/authorized_keys 服务器生成一对公私钥之后,会将公钥放到.ssh/authorizd_keys里面,将私钥发给客户端
- #AuthorizedPrincipalsFile none
- #AuthorizedKeysCommand none
- #AuthorizedKeysCommandUser nobody
- # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
- #RhostsRSAAuthentication no
- # similar for protocol version 2
- #HostbasedAuthentication no
- # Change to yes if you don't trust ~/.ssh/known_hosts for
- # RhostsRSAAuthentication and HostbasedAuthentication
- #IgnoreUserKnownHosts no
- # Don't read the user's ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
- # To disable tunneled clear text passwords, change to no here!
- #PasswordAuthentication yes
- #PermitEmptyPasswords no
- PasswordAuthentication yes 是否允许支持基于口令的认证
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
- ChallengeResponseAuthentication no 是否允许任何的密码认证
- # Kerberos options 是否支持kerberos(基于第三方的认证,如LDAP)认证的方式,默认为no
- #KerberosAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
- #KerberosUseKuserok yes
- # GSSAPI options
- GSSAPIAuthentication yes
- GSSAPICleanupCredentials no
- #GSSAPIStrictAcceptorCheck yes
- #GSSAPIKeyExchange no
- #GSSAPIEnablek5users no
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
- # be allowed through the ChallengeResponseAuthentication and
- # PasswordAuthentication. Depending on your PAM configuration,
- # PAM authentication via ChallengeResponseAuthentication may bypass
- # the setting of "PermitRootLogin without-password".
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
- # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
- # problems.
- UsePAM yes
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
- #GatewayPorts no
- X11Forwarding yes 是否允许x11转发,可以让窗口的数据通过SSH连接来传递(请查看ssh -X 参数):#ssh -X user@IP
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PermitTTY yes
- #PrintMotd yes
- #PrintLastLog yes
- #TCPKeepAlive yes
- #UseLogin no
- UsePrivilegeSeparation sandbox # Default for new installations.
- #PermitUserEnvironment no
- #Compression delayed
- #ClientAliveInterval 0
- #ClientAliveCountMax 3
- #ShowPatchLevel no
- #UseDNS yes 是否反解DNS,如果想让客户端连接服务器端快一些,这个可以改为no
- #PidFile /var/run/sshd.pid
- #MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- #VersionAddendum none
- # no default banner path
- #Banner none
- # Accept locale-related environment variables
- AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
- AcceptEnv XMODIFIERS
- # override default of no subsystems
- Subsystem sftp /usr/libexec/openssh/sftp-server 支持 SFTP ,如果注释掉,则不支持sftp连接
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
- # AllowTcpForwarding no
- # PermitTTY no
- # ForceCommand cvs server
- AllowUsers user1 user2 登录白名单(默认没有这个配置,需要自己手动添加),允许远程登录的用户。如果名单中没有的用户,则提示拒绝登录