ssh configuration: ssh_config and sshd_config

Posted by 老沙
October 26, 2009

ssh_config

# Host *  (Applies only to hosts that match the pattern that follows; "*" means every host)
# ForwardAgent no  (Sets whether the authentication agent, if one exists, is forwarded to the remote machine)
# ForwardX11 no  (Sets whether X11 connections are automatically redirected over the secure channel and DISPLAY set)
# RhostsRSAAuthentication no  (Sets whether to use rhosts-based authentication combined with the RSA algorithm)
# RSAAuthentication yes  (Sets whether to use RSA authentication)
# PasswordAuthentication yes  (Sets whether to use password authentication)
# HostbasedAuthentication no  (If set to yes, rhosts authentication is attempted. On systems with higher security requirements, set this to no (the default))
# GSSAPIAuthentication no  (The ssh session will not continue until the DNS request times out; no is recommended)
# GSSAPIDelegateCredentials no  (The ssh session will not continue until the DNS request times out; no is recommended)
# BatchMode no  (If set to "yes", the passphrase/password prompt (interactive password entry) is disabled. This option is useful for scripts and batch jobs, where a password cannot be entered interactively)
# CheckHostIP yes  (Sets whether ssh checks the IP address of the host it connects to, to guard against DNS spoofing. "yes" is recommended)
# AddressFamily any  (Sets the permitted address family)
# ConnectTimeout 0  (Connection timeout)
# StrictHostKeyChecking ask  (If set to "yes", ssh will not automatically add the host's key to "$HOME/.ssh")
# IdentityFile ~/.ssh/identity  (Sets the file from which the user's RSA authentication identity is read)
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22  (Sets the port used to connect to the remote host)
# Protocol 2,1  (Sets the protocol version; 2 is recommended)
# Cipher 3des  (Sets the cipher used for encryption)
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~  (Sets the escape character)
# Tunnel no  (Tunnel mode)
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no

=======================================================

sshd_config

#Port 22  (Sets the port sshd listens on)
#AddressFamily any
#ListenAddress 0.0.0.0  (Sets the IP address the sshd server binds to)
#ListenAddress ::

Protocol 2  (Sets the protocol version)

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key  (Sets the file containing the host's private key)
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h  (KeyRegenerationInterval 3600)
#ServerKeyBits 1024  (Defines the number of bits in the server key)

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH  (Sets whether a "facility code" is given when messages from sshd are logged)
SyslogFacility AUTHPRIV
#LogLevel INFO  (Sets the level at which sshd log messages are recorded. INFO is a good choice. See the sshd man page for more information)

# Authentication:

#LoginGraceTime 2m  (Sets how long the server waits before cutting the connection if the user has not logged in successfully)
#PermitRootLogin yes  (Sets whether root can log in via ssh. This option must never be set to "yes")
#StrictModes yes (Sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because novices often make their own directories and files writable by everyone)
#MaxAuthTries 6 (Limits the number of wrong login password entries)
#MaxSessions 10

#RSAAuthentication yes  (Sets whether rhosts or "/etc/hosts.equiv" combined with RSA may be used for authentication)
#PubkeyAuthentication yes
#AuthorizedKeysFile  .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no  (Sets whether rhosts or "/etc/hosts.equiv" combined with RSA may be used for authentication)
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no (Sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" when performing RhostsRSAAuthentication)
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes (Sets whether the "rhosts" and "shosts" files are used during authentication)

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes  (Sets whether password authentication is allowed)
#PermitEmptyPasswords no  (Sets whether accounts with an empty password may log in)
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no  (Sets whether X11 forwarding is allowed)
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes  (Sets whether sshd displays the contents of "/etc/motd" when a user logs in)
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10 (Number of users logged in at the same time)
#PermitTunnel no
#ChrootDirectory none (ChrootDirectory /home/%u changes the directory of the user who logs in)

# no default banner path
#Banner none

# override default of no subsystems
Subsystem  sftp  /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#  X11Forwarding no
#  AllowTcpForwarding no
#  ForceCommand cvs server
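Both files above share one rule that the annotations do not spell out: for each keyword, sshd and ssh keep the first value they read, so a duplicated directive lower in the file does not override an earlier one (this is also why a catch-all "Host *" block belongs at the end of ssh_config, after the host-specific blocks). The script below is an added example, not code from the original post: it resolves the effective global value of an sshd_config keyword with that first-value-wins rule and flags the settings the annotations call out (PermitRootLogin yes, protocol 1, clear-text password logins, empty passwords, X11Forwarding). The sample configuration is constructed for the demo; the function names sshd_effective and sshd_audit are the example's own. It assumes a POSIX sh with awk.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh + awk.
# Relies on sshd's rule that the FIRST value read for a keyword is the one used.

# Constructed sample sshd_config (not a real host's file). The second
# PermitRootLogin line is deliberately contradictory: sshd keeps the first one.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
#Port 22
Protocol 2
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords yes
X11Forwarding yes
Match User anoncvs
  X11Forwarding no
EOF

# sshd_effective CONF KEYWORD
# Prints the first uncommented value of KEYWORD that appears before any Match
# block (keyword comparison is case-insensitive, as in sshd). Prints nothing and
# returns 1 when the keyword is not set, i.e. the compiled-in default applies.
sshd_effective() {
    conf=$1
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }   # skip blank lines and comments
        tolower($1) == "match"      { exit }   # only global settings are reported
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$conf"
}

# sshd_audit CONF
# Prints one line per risky global setting and returns the number of findings.
sshd_audit() {
    conf=$1
    n=0
    v=$(sshd_effective "$conf" PermitRootLogin) || v=""
    [ "$v" = yes ] && { echo "PermitRootLogin yes: root may log in directly over ssh"; n=$((n + 1)); }
    v=$(sshd_effective "$conf" Protocol) || v=""
    case ",$v," in *,1,*) echo "Protocol $v: protocol version 1 enabled, use 2 only"; n=$((n + 1)) ;; esac
    v=$(sshd_effective "$conf" PasswordAuthentication) || v=""
    [ "$v" = yes ] && { echo "PasswordAuthentication yes: tunneled clear-text passwords accepted"; n=$((n + 1)); }
    v=$(sshd_effective "$conf" PermitEmptyPasswords) || v=""
    [ "$v" = yes ] && { echo "PermitEmptyPasswords yes: accounts with empty passwords may log in"; n=$((n + 1)); }
    v=$(sshd_effective "$conf" X11Forwarding) || v=""
    [ "$v" = yes ] && { echo "X11Forwarding yes: X11 forwarding enabled globally"; n=$((n + 1)); }
    return "$n"
}

# Usage on the constructed sample:
echo "effective PermitRootLogin: $(sshd_effective "$SAMPLE_CONF" PermitRootLogin)"   # no (first value wins)
sshd_audit "$SAMPLE_CONF" || echo "$? risky setting(s) found"                          # 2 findings
```

The script reads only the global section, so a Match block like the anoncvs example above can still tighten or loosen a value for particular users; on a live host, `sshd -T` prints the fully resolved configuration, including the compiled-in defaults that this script reports as "not set".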
