Linux sshd_config configuration manual (translated from the Chinese version)

  • 2020-05-07 20:48:02
  • OfStack

[note] Values are case-sensitive, but directive names are case-insensitive.


# 1. General SSH server settings: the port(s) used, the listening address and so on
Port 22                 # sshd listens on port 22 by default. To listen on additional
                        # ports as well, simply repeat the Port directive once per port.
Protocol 2,1            # SSH protocol version(s) to offer: 1, 2, or both. To support
                        # both, they must be written as "2,1", separated by a comma.
#ListenAddress 0.0.0.0  # Which address to listen on. If the host has two IP addresses,
                        # say 192.168.0.100 and 192.168.2.20, and SSH should only be
                        # reachable on 192.168.0.100, write it like this:
ListenAddress 192.168.0.100   # Accept SSH connections only on the address 192.168.0.100.
                              # If this is not set, sshd accepts SSH on every interface.
PidFile /var/run/sshd.pid     # Where sshd writes its PID file; the value here is the default.
LoginGraceTime 600      # After a client connects and is shown the password prompt, it has
                        # this many seconds to finish logging in; if it has not succeeded
                        # by then, sshd drops the connection. The unit is seconds.
Compression yes         # May compression be used on the connection? Certainly.
 
# 2. The host's private key files. The default files below are fine.
HostKey /etc/ssh/ssh_host_key       # Private key used by SSH protocol version 1
HostKey /etc/ssh/ssh_host_rsa_key   # RSA private key used by SSH protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key   # DSA private key used by SSH protocol version 2
# 2.1 Settings specific to protocol version 1
KeyRegenerationInterval 3600   # As explained earlier in the description of how a connection
                               # is established, version 1 uses a server key; if that key were
                               # stolen, everything it protected would be exposed, so it must
                               # be regenerated periodically. The interval here is in seconds.
ServerKeyBits 768              # Exactly: the length of that server key, in bits.
# 3. Logging: the syslog facility (daemon name) under which log messages are recorded
SyslogFacility AUTH     # When someone logs in over SSH, sshd writes a log message. Which
                        # syslog facility (daemon name) is that message recorded under? The
                        # default is AUTH, which means it ends up in /var/log/secure.
                        # Forgotten how that works? Go back to the Linux basics and review it.
                        # Other available facility names are: DAEMON, USER, AUTH,
                        # LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5
LogLevel INFO           # Verbosity of the log. INFO (the default) records logins and
                        # other normal events.
                        # Again, if you have forgotten the levels, go back and look them up.
# 4. Security settings. Very important!
# 4.1 Login settings
PermitRootLogin no      # Allow root to log in directly? The default allows it, but no is recommended.
UseLogin no             # Never hand interactive sessions over to the login(1) program.
StrictModes yes         # Before accepting a login, check the ownership and permissions of the
                        # user's home directory and ~/.ssh files, and refuse the login if they
                        # are wrong. This can defeat some trojan programs that tamper with them.
#RSAAuthentication yes  # Allow pure RSA authentication? Only applies to protocol version 1.
PubkeyAuthentication yes    # Allow public key authentication? Of course. Version 2 only.
AuthorizedKeysFile      .ssh/authorized_keys
                        # The file (relative to each user's home directory) that stores the
                        # public keys of accounts allowed to log in without a password.
# 4.2 Authentication methods
RhostsAuthentication no     # Do not authenticate with .rhosts alone: .rhosts by itself is far
                            # too insecure, so this must be set to no.
IgnoreRhosts yes            # Ignore the user's ~/.rhosts (and ~/.shosts) for authentication?
                            # Yes, of course.
RhostsRSAAuthentication no  # Protocol version 1 only: rhosts / /etc/hosts.equiv trust
                            # combined with RSA host authentication. Do not use it.
HostbasedAuthentication no  # The same idea as the option above, but for protocol version 2.
IgnoreUserKnownHosts no     # Ignore the hosts recorded in the user's ~/.ssh/known_hosts?
                            # Of course not, so this is no.
PasswordAuthentication yes  # Password authentication is certainly needed, so yes.
PermitEmptyPasswords no     # If the option above is yes, you had better set this one to no:
                            # it decides whether accounts with an empty password may log in.
                            # Of course they may not!
ChallengeResponseAuthentication yes   # Allow challenge-response authentication, so that any
                                      # password rules defined in login.conf apply as well.
#PAMAuthenticationViaKbdInt yes       # Enable authentication through PAM modules? Enabling this
                                      # makes the PasswordAuthentication setting ineffective.
 
# 4.3 Kerberos parameters. We have no Kerberos host, so none of the following needs to be set.
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosTgtPassing no
 
# 4.4 Settings related to X-Window (X11) forwarding
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
# 4.5 After login
PrintMotd no            # Display extra information, such as the message of the day, after
                        # login? The default is yes, but for safety consider changing it to no.
PrintLastLog yes        # Display the time and place of the last login? Yes; the default is yes.
KeepAlive yes           # Send keepalive messages to the client so that both ends know the
                        # connection is still healthy. If either end dies, sshd notices at
                        # once, so no zombie processes are left behind.
                        # (Newer OpenSSH releases call this directive TCPKeepAlive.)
UsePrivilegeSeparation yes  # Run the user-facing part of sshd with reduced privileges. Set yes!
MaxStartups 10          # How many not-yet-authenticated connections are allowed at the same
                        # time? The window between connecting to SSH and entering the password
                        # is such a connection; to protect the host a maximum must be set.
                        # The default is 10, and already established sessions do not count.
# 4.6 Denying users
#DenyUsers *            # User names that are refused login. A pattern of * refuses every
                        # user (left commented out here: active, it would lock everyone out).
                        # To refuse only certain accounts, list them instead, as below.
DenyUsers test
DenyGroups test         # Same as DenyUsers, but refuses whole groups.
# 5. SFTP subsystem settings
Subsystem       sftp    /usr/lib/ssh/sftp-server

In short: do not change /etc/ssh/sshd_config on your system unless you really need to. SSH is usually among the most tightly protected services in its default configuration, so there is normally nothing to change; the notes above are only meant to explain what each item does. Note the last item: if you do not want to offer SFTP, simply comment out that last line.
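As an added example (not part of the original article), the checker below parses an sshd_config the way the note at the top describes (directive names case-insensitive, values case-sensitive, first occurrence wins for ordinary directives) and flags the risky settings discussed above: protocol 1, root login, empty passwords and a DenyUsers * that locks everyone out. The sample file is constructed here and the MULTI set of accumulating directives is the author's assumption.

```python
import re

# Constructed sample (not a real host's file), modelled on the annotated sshd_config above.
SAMPLE = """\
Port 22
# directive names are case-insensitive; values are not
protocol 2,1
PermitRootLogin no
# a repeated directive is ignored: sshd keeps the first occurrence
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
DenyUsers *
DenyUsers test
Subsystem sftp /usr/lib/ssh/sftp-server
"""

# Directives that may legitimately appear on several lines (their values accumulate).
MULTI = {"port", "listenaddress", "hostkey", "subsystem",
         "denyusers", "denygroups", "allowusers", "allowgroups"}

def parse_sshd_config(text):
    """Map lower-cased directive -> list of its values in file order.
    Trailing '#' comments are stripped so the annotated file above can be fed in."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$", line)   # "Key value" or "Key=value"
        if m:
            conf.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return conf

def effective(conf, key):
    """For ordinary directives sshd uses the FIRST occurrence; later ones are ignored."""
    vals = conf.get(key.lower())
    return vals[0] if vals else None

def audit(text):
    """Return finding strings for the risky settings discussed in the annotated file."""
    conf, findings = parse_sshd_config(text), []
    proto = effective(conf, "Protocol")
    if proto and "1" in proto.split(","):
        findings.append("Protocol 1 is enabled")
    if effective(conf, "PermitRootLogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if effective(conf, "PasswordAuthentication") != "no" \
            and effective(conf, "PermitEmptyPasswords") == "yes":
        findings.append("empty passwords are accepted")
    if "*" in " ".join(conf.get("denyusers", [])).split():   # DenyUsers lines accumulate
        findings.append("DenyUsers * locks out every user")
    for key, vals in conf.items():
        if len(vals) > 1 and key not in MULTI:
            findings.append(f"{key} set {len(vals)} times; first value '{vals[0]}' wins")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` to check a real file; it does not interpret Match blocks, so treat its output as a first pass before `sshd -t`.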

