sshd_config configuration file explained
Compiled by Chenxin
sshd and ssh configuration file examples
20181107
[root@ip-10-0-0-200 ~]# cat /etc/ssh/sshd_config
Port 4399
SyslogFacility AUTHPRIV
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
UsePrivilegeSeparation sandbox
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers admin ec2-user
AllowUsers web manager backup rsyncfiles
AllowUsers xbzj chenxin
[root@ip-10-0-0-200 ~]# cat /etc/ssh/ssh_config
Host *
GSSAPIAuthentication yes
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
HashKnownHosts yes
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
LogLevel ERROR
ssh sshd sshd_config OpenSSH configuration explained
20140530 compiled by Chenxin
Port 4399 -----the sshd service's default port is 22; for security it is recommended to change it to another port
AddressFamily any
ListenAddress 192.168.1.1 -------------host to listen on; only listens for ssh connections from 192.168.1.1
Protocol 2 ----------------ssh protocol version, here 2
HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h -----------re-establish the key every hour; not enabled here
ServerKeyBits 1024 -----------length of the server key
Logging
obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
SyslogFacility AUTHPRIV ------------when someone logs into the system via ssh, ssh records it (/var/log/secure)
LogLevel INFO
Authentication:
LoginGraceTime 2m
PermitRootLogin yes -----------whether root may log in; allowed by default, recommended to set to no
StrictModes yes -------------once the user's host key changes, the server no longer accepts the connection
MaxAuthTries 6 --------------root may try to connect at most 6 times
MaxSessions 10 --------------Specifies the maximum number of open sessions permitted per network connection. The default is 10.
RSAAuthentication yes -------------whether to use RSA authentication; protocol version 1 only
PubkeyAuthentication yes ------------whether to allow public keys; protocol version 2 only
AuthorizedKeysFile .ssh/authorized_keys -------authorized keys file
AuthorizedKeysCommand none
AuthorizedKeysCommandRunAs nobody
For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no ---------whether to use rhosts-only authentication; for security this must be set to no
similar for protocol version 2
HostbasedAuthentication no
Change to yes if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no --------------whether to ignore the users in ~/.shosts files
Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes --------------whether password authentication is required
PermitEmptyPasswords no --------------empty passwords are not allowed
PasswordAuthentication yes -------------enable password authentication
Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no -----------do not challenge for any password authentication; every authentication method defined in login.conf is disabled
Set this to 'yes' to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will be allowed through the ChallengeResponseAuthentication and PasswordAuthentication. Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin without-password". If you just want the PAM account and session checks to run without PAM authentication, then enable this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'.
UsePAM yes -----------enable the PAM module
Accept locale-related environment variables ------------environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
PrintMotd yes ---------whether to show some default information after login
PrintLastLog yes ---------show information about the last login
TCPKeepAlive yes -------the ssh server sends keepalive messages to the client to make sure the connection is alive; if either end dies, the connection is dropped immediately
UseLogin no
UsePrivilegeSeparation yes -------------user privilege setting
PermitUserEnvironment no
PidFile /var/run/sshd.pid
MaxStartups 10 ----------maximum number of concurrent connections
PermitTunnel no
ChrootDirectory none
override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server ---------- sftp service setting
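As an added example (not part of the original notes), a small Python audit that parses an sshd_config and reports the weak settings discussed above. The sample file, and the defaults assumed for absent directives, are assumptions marked in the code.

```python
import re

# Constructed sample, not a real host's file: the weak settings the notes warn about.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
IgnoreRhosts yes
"""

def parse_sshd_config(text):
    """Return {directive (lowercased): value}. sshd keeps the first value it sees
    for a directive (list directives such as AllowUsers accumulate; not audited here)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Port 22" or "Port=22"
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip().lower())
    return conf

# (directive, assumed default when absent, acceptable-value test, finding text).
# Defaults assumed are those of the OpenSSH generation these notes describe
# (PermitRootLogin defaulted to yes); newer releases changed that default.
CHECKS = [
    ("port", "22", lambda v: v != "22",
     "sshd listens on the default port 22"),
    ("protocol", "2", lambda v: v == "2",
     "SSH protocol 1 is enabled"),
    ("permitrootlogin", "yes", lambda v: v == "no",
     "root may log in directly over ssh"),
    ("permitemptypasswords", "no", lambda v: v == "no",
     "accounts with empty passwords may log in"),
    ("rhostsrsaauthentication", "no", lambda v: v == "no",
     "rhosts-based RSA authentication is enabled"),
    ("passwordauthentication", "yes", lambda v: v == "no",
     "password logins are allowed; key-only access is the safer choice"),
]

def audit_sshd_config(text):
    """Return the list of findings; an empty list means every check passed."""
    conf = parse_sshd_config(text)
    return [f"{d}={conf.get(d, default)}: {msg}"
            for d, default, acceptable, msg in CHECKS
            if not acceptable(conf.get(d, default))]
```

Run audit_sshd_config on the text of /etc/ssh/sshd_config; the first example file at the top of these notes passes every check except the password-login one.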
++++++++++++ Above: the sshd server side +++++++ Below: the client side ++++++++
2. /etc/ssh/ssh_config -------ssh client configuration file
This is the ssh client system-wide configuration file. See
ssh_config(5) for more information. This file provides defaults for
users, and the values can be changed in per-user configuration files or on the command line.
Host * -----------only matches the hosts specified; the default here matches all hosts
ForwardAgent no ------------whether the connection goes through the authentication agent
ForwardX11 no ------------whether X11 connections are automatically redirected to a secure channel and display set
RhostsRSAAuthentication no -----whether to use rhosts-based authentication with the RSA algorithm
RSAAuthentication yes ----------whether to use RSA algorithm authentication
PasswordAuthentication yes ----------whether to use password authentication
CheckHostIP yes -------------whether to verify the IP
AddressFamily any
ConnectTimeout 0 ----------connection timeout
StrictHostKeyChecking ask
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 22 ------------port to connect to on the remote host
Protocol 2,1 -----------protocol versions used
Cipher 3des
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
EscapeChar ~ --------------set the escape character
Tunnel no
TunnelDevice any:any
PermitLocalCommand no
VisualHostKey no
Host *
GSSAPIAuthentication yes
If this option is set to yes then remote X11 clients will have full access
to the original X11 display. As virtually no X11 client supports the untrusted
mode correctly we set this to yes.
ForwardX11Trusted yes
Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
+++++++++++++++++++++++++++++++++++++++++++++++++
3. The role of the ~/.ssh/known_hosts file
ssh records the public key of every computer you have connected to in ~/.ssh/known_hosts; the next time you connect to that computer, OpenSSH compares the public key. If the public key differs, OpenSSH issues a warning, which protects you from DNS hijacking and similar attacks.
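Added example, not from the original notes: how OpenSSH forms the hashed known_hosts entries produced by HashKnownHosts yes (as in the ssh_config shown above), and how a host key lookup ends in a match, a changed-key warning, or a first-contact prompt. The keys, salt and known_hosts contents are constructed for the example.

```python
import base64
import hashlib
import hmac

def hash_hostname(hostname, salt):
    """HashKnownHosts form of a host field:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def host_matches(field, hostname):
    """field is the first column of a known_hosts line: comma-separated
    plain names/addresses, or one hashed entry as written above."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hash_hostname(hostname, base64.b64decode(salt_b64)) == field
    return hostname in field.split(",")

def check_host_key(known_hosts, hostname, keytype, key):
    """Return 'match' (host known, key agrees), 'mismatch' (host known but the
    key changed: the case ssh warns about) or 'unknown' (first contact, which
    ssh answers with the fingerprint prompt shown in section IV)."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        # skip blanks, comments and @cert-authority/@revoked marker lines
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if not host_matches(parts[0], hostname):
            continue
        seen = True
        if parts[1] == keytype and parts[2] == key:
            return "match"
    return "mismatch" if seen else "unknown"

# Constructed sample keys (not real keys) and a constructed known_hosts file
# with one hashed entry and one plain entry listing two names for a host.
KEY_A = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...constructedA"
KEY_B = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...constructedB"
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    hash_hostname("192.168.254.46", SAMPLE_SALT) + " ssh-rsa " + KEY_A,
    "192.168.254.153,host153 ssh-rsa " + KEY_B,
])
```

The same lookup explains why the ssh_config above, with StrictHostKeyChecking no and UserKnownHostsFile /dev/null, never reaches the 'mismatch' case: nothing is ever recorded to compare against.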
III. ssh service control commands
Start the ssh service: service sshd start
Stop the ssh service: service sshd stop
Restart the ssh service: service sshd restart
++++++++++++++++++++++++++++++++++++++++++++++
IV. ssh public key authentication
1. Generate the key files
[root@localhost ~]# lsb_release -a -------first check my Linux version
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Release: 5.5
Codename: Tikanga
[root@localhost ~]# ssh-keygen -t rsa #generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): #enter the private key file name; press Enter to use the default
Enter passphrase (empty for no passphrase): #enter a passphrase for the key file; press Enter to set none
Enter same passphrase again: #enter the passphrase again to confirm
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d3:41:dd:41:56:a2:ca:7a:81:9a:64:74:d7:df:32:9e root@localhost.localdomain
[root@localhost ~]# ll /root/.ssh/
总计 12
-rw------- 1 root root 1675 10-23 10:28 id_rsa -------the generated private key
-rw-r--r-- 1 root root 408 10-23 10:28 id_rsa.pub ------the generated public key
-rw-r--r-- 1 root root 396 10-23 10:20 known_hosts ------login information
2. Copy the public key to the remote host
[root@localhost ~]# scp ~/.ssh/id_rsa.pub root@192.168.254.46:~/.ssh/authorized_keys
------copy the public key to the specified directory on the remote server and rename it to authorized_keys. scp is a tool that ships with OpenSSH.
root@192.168.254.46's password: --------enter the remote host's password
id_rsa.pub 100% 408 0.4KB/s 00:00
3. Log in to the remote host
[root@localhost ~]# ssh 192.168.254.46
root@192.168.254.46's password:
Check that host's system version
[root@localhost ~]# cat /proc/version
Linux version 2.6.32-71.el6.x86_64 (mockbuild@c6b6.centos.org) (gcc version 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) ) #1 SMP Fri May 20 03:51:51 BST 2011
[root@localhost ~]#
Then generate a public key on that host in the same way
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6b:35:ba:70:2d:06:ee:3e:80:37:7b:ee:9c:1f:c1:2e root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
+-----------------+
Upload the public key to 192.168.254.153
[root@localhost ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.254.153 ======another way to send the public key to a remote host
The authenticity of host '192.168.254.153 (192.168.254.153)' can't be established.
RSA key fingerprint is 4d:24:b3:e8:82:11:bf:e1:a0:0c:45:27:57:8e:a1:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.153' (RSA) to the list of known hosts.
root@192.168.254.153's password: ----------------enter the password for 192.168.254.153
Now try logging into the machine, with "ssh 'root@192.168.254.153'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@localhost ~]# ssh root@192.168.254.153
Last login: Wed Oct 23 09:55:54 2013 from 192.168.254.152 ----------you can now log in directly without entering a password
VI. Access control
/etc/hosts.allow and /etc/hosts.deny
These two files control remote access; through them you can allow or deny a given IP or IP range access to a given Linux service.
[root@localhost .ssh]# vi /etc/hosts.allow
sshd:192.168.0.*:allow    allow this network segment
sshd:192.168.1.15:allow    allow this IP address
[root@localhost .ssh]# vi /etc/hosts.deny
sshd:all:deny -------deny all remote sshd connections
When /etc/hosts.deny and /etc/hosts.allow conflict, which one wins? The rule is as follows:
hosts.allow is checked first; if a matching rule is found, access is allowed, otherwise hosts.deny is checked, and if a matching rule is found there, access is denied. If neither file contains a matching rule, access is allowed; when the two conflict, hosts.allow wins.
Note: after these two files are modified, the xinetd service must be restarted for the changes to take effect.
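Added example (not the notes' own code): the hosts.allow/hosts.deny precedence described above, implemented over constructed rule files that mirror the two examples. The client patterns it accepts (ALL, a dotted prefix, an exact address, * and ? wildcards) are an assumption matching the syntax used in these notes.

```python
import fnmatch

# Constructed rule files mirroring the two examples above.
HOSTS_ALLOW = """\
sshd:192.168.0.*:allow
sshd:192.168.1.15:allow
"""
HOSTS_DENY = "sshd:all:deny\n"

def client_matches(pattern, client_ip):
    """ALL, a dotted prefix such as 192.168.0., an exact address, or the
    * / ? wildcards used in the example above (assumed pattern set)."""
    p = pattern.strip().lower()
    if p == "all":
        return True
    if p.endswith("."):
        return client_ip.startswith(p)
    return fnmatch.fnmatchcase(client_ip, p)

def file_verdict(rules, daemon, client_ip, file_default):
    """First matching line wins. An explicit third field (allow/deny)
    overrides the action implied by which file the line sits in."""
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue                                  # blank or comment line
        daemons = [d.strip().lower() for d in fields[0].split(",")]
        if "all" not in daemons and daemon not in daemons:
            continue
        if any(client_matches(c, client_ip) for c in fields[1].split(",")):
            option = fields[2].lower() if len(fields) > 2 else ""
            return option if option in ("allow", "deny") else file_default
    return None

def tcp_wrappers_decision(hosts_allow, hosts_deny, daemon, client_ip):
    """The precedence described above: hosts.allow first, then hosts.deny;
    no match in either file means the connection is allowed."""
    verdict = file_verdict(hosts_allow, daemon, client_ip, "allow")
    if verdict is None:
        verdict = file_verdict(hosts_deny, daemon, client_ip, "deny")
    return verdict if verdict is not None else "allow"
```

Because the deny file's sshd:all:deny line is only consulted when hosts.allow has no match, a typo in the allow file silently widens or narrows access; running the decision function over the addresses you expect to admit is a quick way to catch that before restarting the service.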