Reinstalling SSH on CentOS 6: sshd_config settings explained
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Protocol 2
/* Port: the port the sshd service listens on; see man sshd_config for details
   AddressFamily: any (default), inet (IPv4 only) or inet6 (IPv6 only)
   ListenAddress: the address(es) to listen on
   Protocol: the SSH protocol version(s) served */

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

KeyRegenerationInterval 1h
ServerKeyBits 1024
/* Lifetime and size of the ephemeral server key used by the SSH-1 protocol */

# Logging
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
/* SyslogFacility: which syslog facility sshd logs to
   LogLevel: how verbose the logging is */

# Authentication:
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
MaxSessions 10
/* LoginGraceTime: time the client is given to complete authentication
   PermitRootLogin: whether the root account may log in
   StrictModes: check the user's home directory and associated configuration files (their ownership and permissions) before accepting the login
   MaxAuthTries: maximum number of authentication attempts per connection
   MaxSessions: maximum number of open sessions per network connection */

RSAAuthentication yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
/* RSAAuthentication: SSH-1 public key authentication
   PubkeyAuthentication: SSH-2 public key authentication
   AuthorizedKeysFile: the file holding the public keys that are allowed to log in */

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
/* RhostsRSAAuthentication: SSH-1 trusted-host authentication (rhosts plus RSA host key)
   HostbasedAuthentication: SSH-2 trusted-host authentication
   IgnoreUserKnownHosts: whether the user's ~/.ssh/known_hosts is ignored for the two trusted-host methods above
   IgnoreRhosts: whether the user's ~/.rhosts and ~/.shosts files are ignored */

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
/* PasswordAuthentication: allow password authentication
   PermitEmptyPasswords: allow login to accounts whose password is empty */

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
/* ChallengeResponseAuthentication: allow challenge-response (keyboard-interactive) authentication */

# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no
/* KerberosAuthentication: whether Kerberos authentication is allowed
   KerberosOrLocalPasswd: if Kerberos password authentication fails, the password is also passed to the other authentication mechanisms
   KerberosTicketCleanup: whether the user's ticket is destroyed automatically on logout
   KerberosGetAFSToken: whether sshd tries to obtain an AFS token */

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck yes
/* GSSAPIAuthentication: whether GSSAPI-based user authentication is allowed
   GSSAPICleanupCredentials: whether the user's credential cache is destroyed automatically on logout
   GSSAPIStrictAcceptorCheck: whether the GSSAPI acceptor identity is checked strictly */

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
/* UsePAM: whether PAM is used for login authentication */

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PermitTTY yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
ShowPatchLevel no
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10:30:100
PermitTunnel no
ChrootDirectory none
VersionAddendum none
/* AllowAgentForwarding: whether ssh-agent forwarding is allowed
   AllowTcpForwarding: whether TCP forwarding is allowed
   GatewayPorts: whether remote hosts may connect to ports forwarded on the local side
   X11Forwarding: whether X11 forwarding is allowed
   X11DisplayOffset: the first display number available for X11 forwarding
   X11UseLocalhost: whether the X11 forwarding server is bound to the local loopback address
   PermitTTY: whether pty allocation is allowed
   PrintMotd: whether /etc/motd is printed on every interactive login
   PrintLastLog: whether the user's last login time is printed on every interactive login
   TCPKeepAlive: whether TCP keepalive messages are sent to the client
   UseLogin: whether login(1) is used for the login step of interactive sessions
   UsePrivilegeSeparation: whether sshd separates privileges by handling incoming requests in an unprivileged child process
   PermitUserEnvironment: whether sshd processes the user's environment file
   Compression: whether communication data is compressed
   ClientAliveInterval: interval in seconds after which sshd sends an "alive" message to the client and waits for a reply
   ClientAliveCountMax: maximum number of "alive" messages sshd sends without receiving any reply from the client
   ShowPatchLevel: whether the ssh patch level is shown
   UseDNS: whether the remote host name is resolved by reverse lookup
   PidFile: location of the pid file
   MaxStartups: maximum number of concurrent unauthenticated connections to the SSH daemon
   PermitTunnel: whether tun device forwarding is allowed
   ChrootDirectory: the pathname to chroot to after authentication
   VersionAddendum: additional text sent along with the version string at connection time */

# no default banner path
Banner none
/* Banner: the contents of the named file are shown to the remote user before authentication */

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
/* AcceptEnv: which environment variables sent by the client are copied into the session environment */

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
/* Subsystem: configures an external subsystem */
NOTE:
1. The '#' (comment marker) has been stripped from every configuration directive shown in the explanations above; do not copy them verbatim.
2. When modifying sshd_config, the correct approach is to find the relevant directive in the original file and comment it out with '#', then append the directive with its new option at the end of the file.
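The two notes above matter because sshd keeps the first value it reads for a keyword, not the last, so appending a new line without commenting out the old one does nothing. The following POSIX shell helpers are an added example (not code from the original page) that read a config file the way sshd does, apply the edit procedure from note 2, and audit the four directives the page's own comments single out (Protocol, PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords). The function names, the hardened target values and the sample config are all my own assumptions, constructed for the demonstration.

```shell
#!/bin/sh
# Added example: helpers for reading and editing an sshd_config the way sshd
# itself reads it. Not part of the original page; the function names and the
# sample config below are constructed for the demonstration.

# Print the value sshd would use for KEYWORD in FILE; exit 1 if it is not set.
# sshd keeps the FIRST value it reads for a keyword (later ones are ignored),
# matches keywords case-insensitively, skips blank and '#' lines, and treats
# everything after the first "Match" line as conditional, so we stop there.
sshd_effective() {
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        {
            line = $0; sub(/^[[:space:]]+/, "", line); key = ""
            if (match(line, /^[A-Za-z0-9]+/)) {
                key = tolower(substr(line, 1, RLENGTH))
                val = substr(line, RLENGTH + 1)
                sub(/^[[:space:]]*=?[[:space:]]*/, "", val)   # "Key value" or "Key=value"
                sub(/[[:space:]]+$/, "", val)
            }
            if (key == "match") exit
            if (key == kw) { print val; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# The edit procedure from the notes: comment out every active occurrence of
# KEYWORD that sshd would honour (those before any Match block), then add
# "KEYWORD VALUE" once. It goes before the first Match line when one exists
# (appending blindly would land it inside that Match block, where it would
# apply only to the matched users) and at the end of the file otherwise.
sshd_set() {
    file=$1; tmp="$1.tmp.$$"
    awk -v kw="$2" -v newline="$2 $3" '
        BEGIN { kw = tolower(kw) }
        {
            line = $0; sub(/^[[:space:]]+/, "", line); key = ""
            if (match(line, /^[A-Za-z0-9]+/)) key = tolower(substr(line, 1, RLENGTH))
            if (!inmatch && key == "match") { inmatch = 1; print newline; done = 1 }
            if (!inmatch && key == kw) { print "#" $0; next }
            print
        }
        END { if (!done) print newline }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Compare the directives the page's comments single out against hardened
# values; print one line per deviation and return their count (0 = clean).
sshd_audit() {
    n=0
    for pair in Protocol:2 PermitRootLogin:no PasswordAuthentication:no PermitEmptyPasswords:no; do
        kw=${pair%%:*}; want=${pair#*:}
        have=$(sshd_effective "$1" "$kw") || have="(unset, compiled-in default applies)"
        if [ "$have" != "$want" ]; then
            printf '%s: is %s, expected %s\n' "$kw" "$have" "$want"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Demonstration on a constructed sample laid out like the CentOS default file.
demo() {
    d=$(mktemp -d); f="$d/sshd_config"
    cat > "$f" <<'EOF'
#Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no
EOF
    echo "before:"; sshd_audit "$f" || true
    sshd_set "$f" PermitRootLogin no
    sshd_set "$f" PasswordAuthentication no
    echo "after:"; sshd_audit "$f" && echo "no deviations"
    echo "resulting file:"; cat "$f"
    rm -rf "$d"
}
demo
```

After editing the real file, run `sshd -t -f /etc/ssh/sshd_config` to syntax-check it before restarting the service, and `sshd -T` to print the values sshd actually resolved, which is the authoritative check that the old line was really commented out and the new one is being honoured.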