ssh_config sshd_config区别和一些设置

ssh_config、sshd_config区别和一些设置

ssh_config和sshd_config都是ssh服务器的配置文件，二者区别在于，ssh_config是针对客户端的配置文件，sshd_config是针对服务端的配置文件。两个配置文件都允许你通过设置不同的选项来改变客户端程序的运行方式。
ssh_config的文件开头
写着：#This is the ssh client system-wide configuration file.
sshd_config的文件开头
写着：# This is the sshd server system-wide configuration file. See sshd_config(5) for more information.

配置sshd_config

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
**#ListenAddress ::**

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
**#PermitRootLogin prohibit-password
PermitRootLogin yes**
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
**#PasswordAuthentication yes**
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

其中一些粗体表示认证方式，
其中#PasswordAuthentication yes就是让不让用密码登录。
如果要取消ssh密码登录需要两项都改成no：
PasswordAuthentication
ChallengeResponseAuthentication

#PermitRootLogin prohibit-password 表示root禁止使用密码登录，只要把注释去掉，重启就能执行
PermitRootLogin yes 表示root能不能登录。
千万不要看网上一些文章，把PermitRootLogin改成without-password，这是无密码登录的意思。

关于UseDNS选项，这里默认是no的，也不需要注释去掉。
如果打开的话，服务器会先根据客户端的 IP地址进行 DNS PTR反向查询出客户端的主机名，然后根据查询出的客户端主机名进行DNS正向A记录查询，并验证是否与原始 IP地址一致，通过此种措施来防止客户端欺骗。平时我们都是动态 IP不会有PTR记录，所以打开此选项也没有太多作用。

#ListenAddress 0.0.0.0 设置sshd服务器绑定的IP地址。
这个应该是可以改成自己的ip地址，当然是外网的固定ip。本机如果是局域网内192.168开头的地址只能在局域网内使用，绝不要填到服务器上。除了局域网内服务器，局域网内有必要那么严格的安全控制吗。

#PubkeyAuthentication yes默认是yes
不需要去掉注释。我试了一下，去掉注释重启sshd和不去掉都能秘钥登录。

重启ssh：
systemctl restart sshd.service
或
service sshd restart