Linux sshd_config configuration manual Chinese version
- 2020-05-07 20:48:02
- OfStack
[Note] Values are case-sensitive, but keywords (directive names) are case-insensitive.
# 1. Overall settings for the SSH server, including the port used and the cryptographic algorithms used
Port 22                      # SSH uses port 22 by default. You can also use more than one port,
                             # simply by repeating the Port setting.
Protocol 2,1                 # Selects the SSH protocol version, which can be 1 or 2.
                             # To support both, you must use the comma-separated form 2,1.
#ListenAddress 0.0.0.0       # The host network interface to listen on. For example, if you have two IPs,
                             # 192.168.0.100 and 192.168.2.20, and only want to
                             # open 192.168.0.100, you can write it as follows:
ListenAddress 192.168.0.100  # Only accept SSH connections on the IP 192.168.0.100.
                             # If this setting is not used, SSH is accepted on all interfaces by default.
PidFile /var/run/sshd.pid    # The file that holds sshd's PID. The value at left is the default.
LoginGraceTime 600           # After a user connects to the SSH server, a password prompt appears.
                             # If the login has not succeeded within this time at that prompt,
                             # the connection is dropped. The time is in seconds.
Compression yes              # Whether compression may be used. Of course it may!
# 2. Files that hold the host's private keys. Using the default files below is fine.
HostKey /etc/ssh/ssh_host_key      # Private key used by SSH version 1
HostKey /etc/ssh/ssh_host_rsa_key  # RSA private key used by SSH version 2
HostKey /etc/ssh/ssh_host_dsa_key  # DSA private key used by SSH version 2
# 2.1 Some settings for version 1
KeyRegenerationInterval 3600       # As the earlier description of the connection shows, version 1 uses
                                   # the server's public key. If that public key
                                   # were stolen, wouldn't that be the end? So it has to be
                                   # regenerated at intervals. The time here is in seconds.
ServerKeyBits 768                  # That's right, this is the length of the server key.
# 3. Where log messages are stored, and the daemon name they are logged under
SyslogFacility AUTH  # When someone logs in over SSH, SSH records the event.
                     # Under which daemon name should this information be recorded?
                     # The default is AUTH, which means it ends up in /var/log/secure.
                     # Forgotten what that is? Go back and look it up in the Linux basics.
                     # Other available daemon names are: DAEMON,USER,AUTH,
                     # LOCAL0,LOCAL1,LOCAL2,LOCAL3,LOCAL4,LOCAL5,
LogLevel INFO        # The level of the log records. Any message!
                     # Again, if you have forgotten, go back to the reference.
# 4. Security settings! Very important!
# 4.1 Login settings
PermitRootLogin no        # Whether root is allowed to log in. The default is to allow it, but no is recommended!
UseLogin no               # Under SSH, logging in through the login program is not accepted anyway.
StrictModes yes           # If the user's host key has changed, the server refuses the connection.
                          # This can stop some trojan programs.
#RSAAuthentication yes    # Whether to use pure RSA authentication. For version 1 only!
PubkeyAuthentication yes  # Whether to allow public keys. Of course! Version 2 only.
AuthorizedKeysFile .ssh/authorized_keys
                          # The setting above names the file in which the data is stored
                          # for an account that is to log in without a password.
# 4.2 Authentication settings
RhostsAuthentication no              # The local system does not rely on .rhosts alone, because using only .rhosts
                                     # is too insecure, so this must be set to no!
IgnoreRhosts yes                     # Whether to stop using ~/.ssh/.rhosts for authentication. Of course, yes!
RhostsRSAAuthentication no           # This option is specifically for version 1. It uses the rhosts file and
                                     # /etc/hosts.equiv together with RSA to authenticate. Do not use it.
HostbasedAuthentication no           # This item is similar to the one above, but is for version 2.
IgnoreUserKnownHosts no              # Whether to ignore the hosts recorded in the ~/.ssh/known_hosts file
                                     # in the home directory. Of course they should not be ignored, so this is no!
PasswordAuthentication yes           # Password authentication is certainly needed, so this is yes!
PermitEmptyPasswords no              # If the item above is set to yes, this one had better be set
                                     # to no. It controls whether login with an empty password is allowed. Of course not!
ChallengeResponseAuthentication yes  # Challenge-response password authentication. Any authentication
                                     # method defined in login.conf can be used.
#PAMAuthenticationViaKbdInt yes      # Whether to enable other PAM modules. Enabling this will
                                     # make the PasswordAuthentication setting ineffective!
# 4.3 Kerberos-related parameters. Because we do not have a Kerberos host, nothing below needs to be set.
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosTgtPassing no
# 4.4 The settings below relate to use under X-Window.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
# 4.5 Items that apply after login:
PrintMotd no                # Whether to display some information after login, such as the time and place of the
                            # last login. The default is yes, but for security you can consider changing it to no!
PrintLastLog yes            # Display the last login information. Yes, that is fine. The default is also yes!
KeepAlive yes               # Generally, if this item is set, the SSH server sends
                            # KeepAlive messages to the client to make sure the connection between the two is working.
                            # In that case, when either end dies, SSH knows immediately, and
                            # no zombie processes are left behind.
UsePrivilegeSeparation yes  # The user privilege setting. Just set it to yes!
MaxStartups 10              # How many not-yet-logged-in connection screens are allowed at the same time? When we have
                            # connected to SSH but have not yet entered the password, that is what we call a connection screen.
                            # To protect the host, a maximum has to be set for these connection screens.
                            # The default is at most ten, and connections that are already established are not counted among these 10.
# 4.6 Settings for blocking users:
DenyUsers *      # Sets the user names to be blocked. If it is all users, then everyone
                 # is blocked! To block only some users, fill in those accounts, as in the following example.
DenyUsers test
DenyGroups test  # The same as DenyUsers, except that it blocks groups.
# 5. Settings for the SFTP service
Subsystem sftp /usr/lib/ssh/sftp-server
Basically, on your system, "please do not change the settings in the /etc/ssh/sshd_config file unless necessary!" The defaults usually already give the tightest SSH protection, so there is no need to change them. The description above is only meant to explain the basics of each item. Note the last item: if you do not want to offer SFTP, just comment out the last line.
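
Added example, not part of the original manual: a small Python audit that reads an sshd_config the way the listing above describes it (case-insensitive keywords, repeatable Port, ListenAddress, HostKey, DenyUsers and DenyGroups lines) and reports deviations from the four values the comments recommend outright, plus a DenyUsers * entry that blocks everyone. It assumes OpenSSH's documented rule that the first value obtained for a keyword wins, treats everything after # as a comment as the listing does, and does not handle Match blocks; the function names and the sample input are constructed for illustration.

```python
MULTI = {"port", "listenaddress", "hostkey", "denyusers", "denygroups"}  # accumulate
RECOMMENDED = {                      # values the page's comments recommend
    "permitrootlogin": "no",
    "ignorerhosts": "yes",
    "ignoreuserknownhosts": "no",
    "permitemptypasswords": "no",
}

def parse(text):
    """Map lower-cased keyword -> list of values, as sshd would obtain them."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()                  # keywords are case-insensitive
        val = fields[1] if len(fields) > 1 else ""
        if key in MULTI:
            conf.setdefault(key, []).extend(val.split())
        elif key not in conf:                    # first obtained value wins
            conf[key] = [val]
    return conf

def audit(text):
    """Return a list of findings; an empty list means no deviation."""
    conf = parse(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = conf.get(key, [None])[0]
        if got is None:
            findings.append(f"{key}: not set, built-in default applies")
        elif got != want:                        # values are case-sensitive
            findings.append(f"{key}: effective value {got!r}, page recommends {want!r}")
    if "*" in conf.get("denyusers", []):
        findings.append("denyusers: pattern '*' denies every account")
    return findings

SAMPLE = """\
# constructed sample, not taken from a real host
permitrootlogin yes      # lower-case keyword is still recognised
PermitRootLogin no       # ignored: a value was already obtained above
IgnoreRhosts yes
IgnoreUserKnownHosts no
PermitEmptyPasswords no
DenyUsers test
DenyUsers *
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live host, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration, which is the authoritative answer when this simplified parser and the daemon disagree.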