SSH服務器端/etc/ssh/sshd_conf配置文件詳解

[root@u0704-t5-test-shaoew1 ~]$cat /etc/ssh/sshd_config

---

1. #Port 22                                          監聽端口，默認監聽22端口   【默認可修改】
2. #AddressFamily any                        IPV4和IPV6協議家族用哪個，any表示二者均有
3. #ListenAddress 0.0.0.0                   指明監控的地址，0.0.0.0表示本機的所有地址  【默認可修改】
4. #ListenAddress ::                            指明監聽的IPV6的所有地址格式
5. # The default requires explicit activation of protocol 1   
6. #Protocol 2                                      使用SSH第二版本，centos7默認第一版本已拒絕
7. # HostKey for protocol version 1      一版的SSH支持以下一種秘鑰形式
8. #HostKey /etc/ssh/ssh_host_key
9. # HostKeys for protocol version 2                  使用第二版本發送秘鑰，支持以下四種秘鑰認證的存放位置：（centos6只支持rsa和dsa兩種）
10. HostKey /etc/ssh/ssh_host_rsa_key               rsa私鑰認證 【默認】
11. #HostKey /etc/ssh/ssh_host_dsa_key            dsa私鑰認證
12. HostKey /etc/ssh/ssh_host_ecdsa_key          ecdsa私鑰認證
13. HostKey /etc/ssh/ssh_host_ed25519_key      ed25519私鑰認證
14. # Lifetime and size of ephemeral version 1 server key
15. #KeyRegenerationInterval 1h
16. #ServerKeyBits 1024        主機秘鑰長度        
17. # Ciphers and keying      
18. #RekeyLimit default none
19. # Logging
20. # obsoletes QuietMode and FascistLogging
21. #SyslogFacility AUTH
22. SyslogFacility AUTHPRIV                   當有人使用ssh登錄系統的時候，SSH會記錄信息，信息保存在/var/log/secure里面
23. #LogLevel INFO                                  日志的等級
24. # Authentication:
25. #LoginGraceTime 2m                           登錄的寬限時間，默認2分鍾沒有輸入密碼，則自動斷開連接
26. #PermitRootLogin no
27. PermitRootLogin yes                            是否允許管理員直接登錄，'yes'表示允許
28. #StrictModes yes                                 是否讓sshd去檢查用戶主目錄或相關文件的權限數據
29. #MaxAuthTries 6                                  最大認證嘗試次數，最多可以嘗試6次輸入密碼。之后需要等待某段時間后才能再次輸入密碼
30. #MaxSessions 10                                 允許的最大會話數
31. #RSAAuthentication yes
32. #PubkeyAuthentication yes
33. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
34. # but this is overridden so installations will only check .ssh/authorized_keys
35. AuthorizedKeysFile .ssh/authorized_keys                 服務器生成一對公私鑰之后，會將公鑰放到.ssh/authorizd_keys里面，將私鑰發給客戶端
    
36. #AuthorizedPrincipalsFile none 
37. #AuthorizedKeysCommand none
38. #AuthorizedKeysCommandUser nobody
39. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
40. #RhostsRSAAuthentication no
41. # similar for protocol version 2
42. #HostbasedAuthentication no
43. # Change to yes if you don't trust ~/.ssh/known_hosts for
44. # RhostsRSAAuthentication and HostbasedAuthentication
45. #IgnoreUserKnownHosts no
46. # Don't read the user's ~/.rhosts and ~/.shosts files
47. #IgnoreRhosts yes
48. # To disable tunneled clear text passwords, change to no here!
49. #PasswordAuthentication yes
50. #PermitEmptyPasswords no
51. PasswordAuthentication yes                    是否允許支持基於口令的認證
52. # Change to no to disable s/key passwords
53. #ChallengeResponseAuthentication yes
54. ChallengeResponseAuthentication no     是否允許任何的密碼認證
55. # Kerberos options                                   是否支持kerberos（基於第三方的認證，如LDAP）認證的方式，默認為no 
56. #KerberosAuthentication no
57. #KerberosOrLocalPasswd yes
58. #KerberosTicketCleanup yes
59. #KerberosGetAFSToken no
60. #KerberosUseKuserok yes
61. # GSSAPI options                                       
62. GSSAPIAuthentication yes
63. GSSAPICleanupCredentials no
64. #GSSAPIStrictAcceptorCheck yes
65. #GSSAPIKeyExchange no
66. #GSSAPIEnablek5users no
67. # Set this to 'yes' to enable PAM authentication, account processing,
68. # and session processing. If this is enabled, PAM authentication will
69. # be allowed through the ChallengeResponseAuthentication and
70. # PasswordAuthentication. Depending on your PAM configuration,
71. # PAM authentication via ChallengeResponseAuthentication may bypass
72. # the setting of "PermitRootLogin without-password".
73. # If you just want the PAM account and session checks to run without
74. # PAM authentication, then enable this but set PasswordAuthentication
75. # and ChallengeResponseAuthentication to 'no'.
76. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
77. # problems.
78. UsePAM yes
79. #AllowAgentForwarding yes
80. #AllowTcpForwarding yes
81. #GatewayPorts no
82. X11Forwarding yes                    是否允許x11轉發，可以讓窗口的數據通過SSH連接來傳遞(請查看ssh -X 參數)：#ssh -X  user@IP
83. #X11DisplayOffset 10
84. #X11UseLocalhost yes 
85. #PermitTTY yes
86. #PrintMotd yes
87. #PrintLastLog yes
88. #TCPKeepAlive yes
89. #UseLogin no
90. UsePrivilegeSeparation sandbox # Default for new installations.
91. #PermitUserEnvironment no
92. #Compression delayed
93. #ClientAliveInterval 0
94. #ClientAliveCountMax 3
95. #ShowPatchLevel no
96. #UseDNS yes              是否反解DNS，如果想讓客戶端連接服務器端快一些，這個可以改為no
97. #PidFile /var/run/sshd.pid
98. #MaxStartups 10:30:100
99. #PermitTunnel no
100. #ChrootDirectory none
101. #VersionAddendum none
102. # no default banner path
103. #Banner none
104. # Accept locale-related environment variables
105. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
106. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
107. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
108. AcceptEnv XMODIFIERS
109. # override default of no subsystems
110. Subsystem sftp /usr/libexec/openssh/sftp-server                    支持 SFTP ，如果注釋掉，則不支持sftp連接
111. # Example of overriding settings on a per-user basis
112. #Match User anoncvs
113. # X11Forwarding no
114. # AllowTcpForwarding no
115. # PermitTTY no
116. # ForceCommand cvs server
117. AllowUsers user1 user2                登錄白名單（默認沒有這個配置，需要自己手動添加），允許遠程登錄的用戶。如果名單中沒有的用戶，則提示拒絕登錄

 

---