sshd_config configuration file explained
Compiled by Chenxin
Sample sshd and ssh configuration files
20181107
[root@ip-10-0-0-200 ~]# cat /etc/ssh/sshd_config
Port 4399
SyslogFacility AUTHPRIV
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
UsePrivilegeSeparation sandbox
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers admin ec2-user
AllowUsers web manager backup rsyncfiles
AllowUsers xbzj chenxin
[root@ip-10-0-0-200 ~]# cat /etc/ssh/ssh_config
Host *
GSSAPIAuthentication yes
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
HashKnownHosts yes
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
LogLevel ERROR
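An added example (not part of the original write-up) that parses an sshd_config the way sshd reads it and flags the settings this page warns about; the embedded file is a constructed copy of the server config shown above, and the keyword rules (case-insensitive, whitespace or one "=" separator, first occurrence wins, list keywords accumulate, parsing stops at the first Match block) follow sshd_config(5).

```python
import re

# Constructed copy of the server file shown above (trimmed to the
# directives the checks below look at).
SAMPLE_SSHD_CONFIG = """\
Port 4399
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
AllowUsers admin ec2-user
AllowUsers web manager backup rsyncfiles
"""

# Keywords are case-insensitive and the first occurrence wins, except for
# list keywords, which accumulate across lines.
ACCUMULATING = {"allowusers", "allowgroups", "denyusers", "denygroups", "acceptenv"}
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*[=\s]\s*(.+)$")

def parse_sshd_config(text):
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":          # Match blocks are conditional; stop here
            break
        if key in ACCUMULATING:
            cfg.setdefault(key, []).extend(value.split())
        elif key not in cfg:
            cfg[key] = [value]
    return cfg

def audit(cfg):
    # Findings for the weak settings this page warns about.
    def val(key, default):
        return cfg.get(key, [default])[0].lower()
    findings = []
    if val("permitrootlogin", "yes") == "yes":
        findings.append("PermitRootLogin yes: set it to no")
    if val("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: rely on public keys instead")
    if val("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes: must be no")
    if "1" in val("protocol", "2").split(","):
        findings.append("Protocol allows version 1: use Protocol 2 only")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: any account may try to log in")
    return findings
```

Run `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a real file; `sshd -T` prints the effective values if you want to compare against defaults.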
ssh / sshd / sshd_config: OpenSSH configuration explained
20140530 Compiled by Chenxin
Port 4399 ----- the sshd service listens on port 22 by default; for security it is advisable to change it to another port
AddressFamily any
ListenAddress 192.168.1.1 ------------- the listening address; only ssh connections on 192.168.1.1 are accepted
Protocol 2 ---------------- the ssh protocol version, here 2
HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h ----------- rebuilt once every hour; not enabled here
ServerKeyBits 1024 ----------- length of the server key
Logging
obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
SyslogFacility AUTHPRIV ------------ when someone logs in to the system via ssh, ssh records it (/var/log/secure)
LogLevel INFO
Authentication:
LoginGraceTime 2m
PermitRootLogin yes ----------- whether root may log in; allowed by default, setting it to no is recommended
StrictModes yes ------------- once a user's host key has changed, the server no longer accepts that connection
MaxAuthTries 6 -------------- at most 6 connection attempts for root
MaxSessions 10 -------------- Specifies the maximum number of open sessions permitted per network connection. The default is 10.
RSAAuthentication yes ------------- whether to use RSA authentication; protocol version 1 only
PubkeyAuthentication yes ------------ whether to allow public keys; protocol version 2 only
AuthorizedKeysFile .ssh/authorized_keys ------- the authorized keys file
AuthorizedKeysCommand none
AuthorizedKeysCommandRunAs nobody
For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no --------- whether to use rhosts-based authentication; for security this must be set to no
similar for protocol version 2
HostbasedAuthentication no
Change to yes if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no -------------- whether to ignore the users listed in ~/.shosts files
Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes -------------- whether password authentication is required
PermitEmptyPasswords no -------------- empty passwords are not allowed
PasswordAuthentication yes ------------- enable password authentication
Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no ----------- do not challenge for any password authentication; every authentication method specified in login.conf is disabled
Set this to 'yes' to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will be allowed through the ChallengeResponseAuthentication and PasswordAuthentication. Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin without-password". If you just want the PAM account and session checks to run without PAM authentication, then enable this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'.
UsePAM yes ----------- enable the PAM module
Accept locale-related environment variables ------------ environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
PrintMotd yes --------- whether to show some default information after login
PrintLastLog yes --------- show information about the last login
TCPKeepAlive yes ------- the ssh server sends keepalive messages to the client to make sure the connection between them is healthy; if either end dies, the connection is dropped immediately
UseLogin no
UsePrivilegeSeparation yes ------------- user privilege setting
PermitUserEnvironment no
PidFile /var/run/sshd.pid
MaxStartups 10 ---------- maximum number of concurrent connections
PermitTunnel no
ChrootDirectory none
override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server ---------- settings for the sftp service
++++++++++++ The above is the sshd server side +++++++ below is the client ++++++++
2. /etc/ssh/ssh_config ------- ssh client configuration file
This is the ssh client system-wide configuration file. See
ssh_config(5) for more information. This file provides defaults for
users, and the values can be changed in per-user configuration files or on the command line.
Host * ----------- match only the hosts specified; the default here matches all hosts
ForwardAgent no ------------ whether the connection goes through the authentication agent
ForwardX11 no ------------ whether X11 connections are automatically redirected to the secure channel and display set
RhostsRSAAuthentication no ----- whether to use rhosts-based authentication with the RSA algorithm
RSAAuthentication yes ---------- whether to use RSA authentication
PasswordAuthentication yes ---------- whether to use password authentication
CheckHostIP yes ------------- whether to verify the IP
AddressFamily any
ConnectTimeout 0 ---------- connection timeout
StrictHostKeyChecking ask
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 22 ------------ port used to connect to the remote host
Protocol 2,1 ----------- protocol versions used
Cipher 3des
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
EscapeChar ~ -------------- set the escape character
Tunnel no
TunnelDevice any:any
PermitLocalCommand no
VisualHostKey no
Host *
GSSAPIAuthentication yes
If this option is set to yes then remote X11 clients will have full access
to the original X11 display. As virtually no X11 client supports the untrusted
mode correctly we set this to yes.
ForwardX11Trusted yes
Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
+++++++++++++++++++++++++++++++++++++++++++++++++
3. What ~/.ssh/known_hosts does
ssh records the public key of every computer you have accessed in ~/.ssh/known_hosts. The next time you access that computer, OpenSSH compares the public key; if it differs, OpenSSH issues a warning, which protects you from attacks such as DNS hijacking.
III. ssh service control commands
Start the ssh service: service sshd start
Stop the ssh service: service sshd stop
Restart the ssh service: service sshd restart
++++++++++++++++++++++++++++++++++++++++++++++
IV. ssh public key authentication
1. Generate the key files
[root@localhost ~]# lsb_release -a ------- first check my Linux version
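The known_hosts check described above, as an added example that is not part of the original page: it builds and matches the hashed host field OpenSSH writes when HashKnownHosts is yes (as in the client config above, |1|base64(salt)|base64(HMAC-SHA1(salt, host)), with non-default ports written as [host]:port) and reports whether a presented key is recorded, differs from the recorded one, or is unknown. The salt and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

def hash_hostname(host, salt):
    """Hashed host field as written with HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_field_matches(field, host):
    """Match a known_hosts host field, hashed or plain comma-separated list."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt, want = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, got)
    return host in field.split(",")

def check_host_key(known_hosts, host, keytype, key):
    """'ok' if this key is recorded for host, 'mismatch' if a different key
    is recorded (the warning case in the text), otherwise 'unknown'."""
    recorded = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # skip comments and @cert-authority/@revoked markers
        if host_field_matches(parts[0], host) and parts[1] == keytype:
            recorded = True
            if parts[2] == key:
                return "ok"
    return "mismatch" if recorded else "unknown"

# Constructed sample: fixed salt and placeholder key blobs, not real keys.
SALT = bytes(range(20))
KEY_A = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-placeholder-A"
KEY_B = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-placeholder-B"
KNOWN_HOSTS = "\n".join([
    hash_hostname("192.168.254.153", SALT) + " ssh-rsa " + KEY_A,
    "[10.0.0.200]:4399,ip-10-0-0-200 ssh-rsa " + KEY_B,  # non-default port form
])
```

Note that the client config above sets StrictHostKeyChecking no and UserKnownHostsFile /dev/null, which means nothing is ever recorded and the "mismatch" warning can never fire.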
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Release: 5.5
Codename: Tikanga
[root@localhost ~]# ssh-keygen -t rsa # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # enter the private key file name; press Enter to use the default
Enter passphrase (empty for no passphrase): # enter a passphrase for the key file; press Enter to set none
Enter same passphrase again: # enter the passphrase again to confirm
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d3:41:dd:41:56:a2:ca:7a:81:9a:64:74:d7:df:32:9e root@localhost.localdomain
[root@localhost ~]# ll /root/.ssh/
總計 12
-rw------- 1 root root 1675 10-23 10:28 id_rsa ------- the generated private key
-rw-r--r-- 1 root root 408 10-23 10:28 id_rsa.pub ------ the generated public key
-rw-r--r-- 1 root root 396 10-23 10:20 known_hosts ------ records of the hosts logged into
2. Copy the public key to the remote host
[root@localhost ~]# scp ~/.ssh/id_rsa.pub root@192.168.254.46:~/.ssh/authorized_keys
------ copy the public key into the specified directory on the remote server and rename it to authorized_keys. scp is a tool shipped with OpenSSH.
root@192.168.254.46's password: -------- enter the remote host's password
id_rsa.pub 100% 408 0.4KB/s 00:00
3. Log in to the remote host
[root@localhost ~]# ssh 192.168.254.46
root@192.168.254.46's password:
Check that host's system version
[root@localhost ~]# cat /proc/version
Linux version 2.6.32-71.el6.x86_64 (mockbuild@c6b6.centos.org) (gcc version 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) ) #1 SMP Fri May 20 03:51:51 BST 2011
[root@localhost ~]#
Then generate a public key on that host in the same way
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6b:35:ba:70:2d:06:ee:3e:80:37:7b:ee:9c:1f:c1:2e root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
+-----------------+
Send the public key to 192.168.254.153
[root@localhost ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.254.153 ====== another way to send the public key to a remote host
The authenticity of host '192.168.254.153 (192.168.254.153)' can't be established.
RSA key fingerprint is 4d:24:b3:e8:82:11:bf:e1:a0:0c:45:27:57:8e:a1:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.153' (RSA) to the list of known hosts.
root@192.168.254.153's password: ---------------- enter the password for 192.168.254.153
Now try logging into the machine, with "ssh 'root@192.168.254.153'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@localhost ~]# ssh root@192.168.254.153
Last login: Wed Oct 23 09:55:54 2013 from 192.168.254.152 ---------- login now works without entering a password
VI. Access control
/etc/hosts.allow and /etc/hosts.deny
These two files control remote access; with them you can allow or deny a given IP or IP range access to a particular Linux service.
[root@localhost .ssh]# vi /etc/hosts.allow
sshd:192.168.0.*:allow allow this network segment
sshd:192.168.1.15:allow allow this IP address
[root@localhost .ssh]# vi /etc/hosts.deny
sshd:all:deny ------- deny all remote sshd connections
When /etc/hosts.deny and /etc/hosts.allow conflict, which one wins? The rule is as follows:
hosts.allow is checked first; if a matching policy is found, access is allowed, otherwise hosts.deny is checked, and if a matching policy is found there, access is denied. If neither file contains a matching policy, access is allowed; when the two conflict, hosts.allow wins.
Note: after these two files are modified, the xinetd service must be restarted for the change to take effect.
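The evaluation order just described, as an added example that is not from the original page: a small Python model of hosts.allow / hosts.deny matching run over the two files above as constructed input. The daemon:client[:option] line form, the ALL keyword, the trailing-dot prefix, CIDR and * wildcard client forms, and the :allow/:deny option follow hosts_access(5) and hosts_options(5); it is a model for reasoning about a policy, not libwrap itself.

```python
import fnmatch
import ipaddress

# Constructed copies of the two files shown above.
HOSTS_ALLOW = "sshd:192.168.0.*:allow\nsshd:192.168.1.15:allow\n"
HOSTS_DENY = "sshd:all:deny\n"

def client_matches(pattern, client_ip):
    p = pattern.strip().lower()
    if p == "all":
        return True
    if p.endswith("."):                       # 192.168.0.   (network prefix)
        return client_ip.startswith(p)
    if "/" in p:                              # 192.168.0.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(p, strict=False)
    return fnmatch.fnmatchcase(client_ip, p)  # exact IP or * / ? wildcards

def first_verdict(text, daemon, client_ip, file_default):
    """Verdict of the first matching line in one file, or None if none match.
    A trailing :allow/:deny option overrides the file's default verdict."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip().lower() for f in line.split(":")] if line else []
        if len(fields) < 2:
            continue
        daemons, clients = fields[0].split(","), fields[1].split(",")
        if not any(d == "all" or d == daemon for d in daemons):
            continue
        if not any(client_matches(c, client_ip) for c in clients):
            continue
        if len(fields) > 2 and fields[2] in ("allow", "deny"):
            return fields[2]
        return file_default
    return None

def access_allowed(daemon, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """hosts.allow first, then hosts.deny, then allow by default (the rule above)."""
    verdict = first_verdict(hosts_allow, daemon, client_ip, "allow")
    if verdict is None:
        verdict = first_verdict(hosts_deny, daemon, client_ip, "deny")
    return (verdict or "allow") == "allow"
```

The last default matters: with hosts.deny listing only sshd, every other wrapped service stays open to everyone, which is why a closing `ALL:ALL` line in hosts.deny is the usual default-deny pattern.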