sshd_config文件
作者:互联网
1 # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ 2 3 # This is the sshd server system-wide configuration file. See 4 # sshd_config(5) for more information. 5 6 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin 7 8 # The strategy used for options in the default sshd_config shipped with 9 # OpenSSH is to specify options with their default value where 10 # possible, but leave them commented. Uncommented options override the 11 # default value. 12 13 # If you want to change the port on a SELinux system, you have to tell 14 # SELinux about this change. 15 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER <==在开启selinux的系统上,修改ssh端口的要修改selinux规则,用此命令修改 16 # 17 #Port 22 <==默认ssh端口,生产环境中建议改成五位数的端口 18 #AddressFamily any <==地址家族,any表示同时监听ipv4和ipv6地址 19 #ListenAddress 0.0.0.0 <==监听本机所有ipv4地址 20 #ListenAddress :: <==监听本机所有ipv6地址 21 HostKey /etc/ssh/ssh_host_rsa_key <==ssh所使用的RSA私钥路径 22 #HostKey /etc/ssh/ssh_host_dsa_key 23 HostKey /etc/ssh/ssh_host_ecdsa_key <==ssh所使用的ECDSA私钥路径 24 HostKey /etc/ssh/ssh_host_ed25519_key <==ssh所使用的ED25519私钥路径 25 26 # Ciphers and keying 27 #RekeyLimit default none 28 29 # Logging 30 #SyslogFacility AUTH 31 SyslogFacility AUTHPRIV <==设定在记录来自sshd的消息的时候,是否给出“facility code” 32 #LogLevel INFO <==日志记录级别,默认为info 33 34 # Authentication: 35 36 #LoginGraceTime 2m <==限定用户认证时间为2min 37 #PermitRootLogin yes <==是否允许root账户ssh登录,生产环境中建议改成no,使用普通账户ssh登录 38 #StrictModes yes <==设置ssh在接收登录请求之前是否检查用户根目录和rhosts文件的权限和所有权,建议开启 39 #MaxAuthTries 6 <==指定每个连接最大允许的认证次数。默认值是 6 40 #MaxSessions 10 <==最大允许保持多少个连接。默认值是 10 41 42 #PubkeyAuthentication yes <==是否开启公钥验证 43 44 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 45 # but this is overridden so installations will only check .ssh/authorized_keys 46 AuthorizedKeysFile .ssh/authorized_keys <==公钥验证文件路径 47 48 #AuthorizedPrincipalsFile none 49 50 #AuthorizedKeysCommand none 51 #AuthorizedKeysCommandUser nobody 52 53 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 54 #HostbasedAuthentication no 55 # Change to yes if you don't trust ~/.ssh/known_hosts for 56 # HostbasedAuthentication <==指定服务器在使用 ~/.shosts ~/.rhosts /etc/hosts.equiv 进行远程主机名匹配时,是否进行反向域名查询 57 #IgnoreUserKnownHosts no <==是否在 RhostsRSAAuthentication 或 HostbasedAuthentication 过程中忽略用户的 ~/.ssh/known_hosts 文件 58 # Don't read the user's ~/.rhosts and ~/.shosts files 59 #IgnoreRhosts yes <==是否在 RhostsRSAAuthentication 或 HostbasedAuthentication 过程中忽略 .rhosts 和 .shosts 文件 60 61 # To disable tunneled clear text passwords, change to no here! 62 #PasswordAuthentication yes 63 #PermitEmptyPasswords no <==是否允许空密码 64 PasswordAuthentication yes <==是否允许密码验证,生产环境中建议改成no,只用密钥登录 65 66 # Change to no to disable s/key passwords 67 #ChallengeResponseAuthentication yes 68 ChallengeResponseAuthentication no <==是否允许质疑-应答(challenge-response)认证 69 70 # Kerberos options 71 #KerberosAuthentication no <==是否使用Kerberos认证 72 #KerberosOrLocalPasswd yes <==如果 Kerberos 密码认证失败,那么该密码还将要通过其它的认证机制(比如 /etc/passwd) 73 #KerberosTicketCleanup yes <==是否在用户退出登录后自动销毁用户的 ticket 74 #KerberosGetAFSToken no <==如果使用了AFS并且该用户有一个 Kerberos 5 TGT,那么开启该指令后,将会在访问用户的家目录前尝试获取一个AFS token 75 #KerberosUseKuserok yes 76 77 # GSSAPI options 78 GSSAPIAuthentication yes <==是否允许基于GSSAPI的用户认证 79 GSSAPICleanupCredentials no <==是否在用户退出登录后自动销毁用户凭证缓存 80 #GSSAPIStrictAcceptorCheck yes 81 #GSSAPIKeyExchange no 82 #GSSAPIEnablek5users no 83 84 # Set this to 'yes' to enable PAM authentication, account processing, 85 # and session processing. If this is enabled, PAM authentication will 86 # be allowed through the ChallengeResponseAuthentication and 87 # PasswordAuthentication. Depending on your PAM configuration, 88 # PAM authentication via ChallengeResponseAuthentication may bypass 89 # the setting of "PermitRootLogin without-password". 90 # If you just want the PAM account and session checks to run without 91 # PAM authentication, then enable this but set PasswordAuthentication 92 # and ChallengeResponseAuthentication to 'no'. 93 # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several 94 # problems. 95 UsePAM yes <==是否通过PAM验证 96 97 #AllowAgentForwarding yes 98 #AllowTcpForwarding yes 99 #GatewayPorts no <==是否允许远程主机连接本地的转发端口 100 X11Forwarding yes <==是否允许X11转发 101 #X11DisplayOffset 10 <==指定sshd(8)X11转发的第一个可用的显示区(display)数字。默认值是10 102 #X11UseLocalhost yes <==是否应当将X11转发服务器绑定到本地loopback地址 103 #PermitTTY yes 104 #PrintMotd yes <==指定sshd(8)是否在每一次交互式登录时打印 /etc/motd 文件的内容 105 #PrintLastLog yes <==指定sshd(8)是否在每一次交互式登录时打印最后一位用户的登录时间 106 #TCPKeepAlive yes <==指定系统是否向客户端发送 TCP keepalive 消息 107 #UseLogin no <==是否在交互式会话的登录过程中使用 login(1) 108 #UsePrivilegeSeparation sandbox <==是否让 sshd(8) 通过创建非特权子进程处理接入请求的方法来进行权限分离 109 #PermitUserEnvironment no <==指定是否允许sshd(8)处理~/.ssh/environment以及 ~/.ssh/authorized_keys中的 environment= 选项 110 #Compression delayed <==是否对通信数据进行加密,还是延迟到认证成功之后再对通信数据加密 111 #ClientAliveInterval 0 <==sshd(8)长时间没有收到客户端的任何数据,不发送"alive"消息 112 #ClientAliveCountMax 3 <==sshd(8)在未收到任何客户端回应前最多允许发送多个"alive"消息,默认值是 3 113 #ShowPatchLevel no 114 #UseDNS no <==是否使用dns反向解析 115 #PidFile /var/run/sshd.pid <==指定存放SSH守护进程的进程号的路径 116 #MaxStartups 10:30:100 <==最大允许保持多少个未认证的连接 117 #PermitTunnel no <==是否允许tun(4)设备转发 118 #ChrootDirectory none 119 #VersionAddendum none 120 121 # no default banner path 122 #Banner none <==将这个指令指定的文件中的内容在用户进行认证前显示给远程用户,默认什么内容也不显示,"none"表示禁用这个特性 123 124 # Accept locale-related environment variables 125 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 126 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 127 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 128 AcceptEnv XMODIFIERS 129 130 # override default of no subsystems 131 Subsystem sftp /usr/libexec/openssh/sftp-server <==配置一个外部子系统sftp及其路径 132 133 # Example of overriding settings on a per-user basis 134 #Match User anoncvs <==引入一个条件块。块的结尾标志是另一个 Match 指令或者文件结尾 135 # X11Forwarding no 136 # AllowTcpForwarding no 137 # PermitTTY no 138 # ForceCommand cvs server
标签:文件,sshd,default,system,options,config,port 来源: https://www.cnblogs.com/shenzhiyuan/p/16551509.html