17. #Port 22 <==默认ssh端口,生产环境中建议改成五位数的端口
18. #AddressFamily any <==地址家族,any表示同时监听ipv4和ipv6地址
19. #ListenAddress 0.0.0.0 <==监听本机所有ipv4地址
20. #ListenAddress :: <==监听本机所有ipv6地址
21.
22. HostKey /etc/ssh/ssh_host_rsa_key <==ssh所使用的RSA私钥路径
23. #HostKey /etc/ssh/ssh_host_dsa_key
24. HostKey /etc/ssh/ssh_host_ecdsa_key <==ssh所使用的ECDSA私钥路径
25. HostKey /etc/ssh/ssh_host_ed25519_key <==ssh所使用的ED25519私钥路径
26.
27. # Ciphers and keying
28. #RekeyLimit default none
29.
30. # Logging
31. #SyslogFacility AUTH
32. SyslogFacility AUTHPRIV <==设定在记录来自sshd的消息的时候,是否给出“facility code”
33. #LogLevel INFO <==日志记录级别,默认为info
34.
35. # Authentication:
36.
37. #LoginGraceTime 2m <==限定用户认证时间为2min
38. #PermitRootLogin yes <==是否允许root账户ssh登录,生产环境中建议改成no,使用普通账户ssh登录
39. #StrictModes yes <==设置ssh在接收登录请求之前是否检查用户根目录和rhosts文件的权限和所有权,建议开启
40. #MaxAuthTries 6 <==指定每个连接最大允许的认证次数。默认值是 6
41. #MaxSessions 10 <==最大允许保持多少个连接。默认值是 10
42.
43. #PubkeyAuthentication yes <==是否开启公钥验证
44.
45. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
46. # but this is overridden so installations will only check .ssh/authorized_keys
47. AuthorizedKeysFile .ssh/authorized_keys <==公钥验证文件路径
48.
49. #AuthorizedPrincipalsFile none
50.
51. #AuthorizedKeysCommand none
52. #AuthorizedKeysCommandUser nobody
53.
54. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
55. #HostbasedAuthentication no
56. # Change to yes if you don’t trust ~/.ssh/known_hosts for
57. # HostbasedAuthentication <==指定服务器在使用 ~/.shosts ~/.rhosts /etc/hosts.equiv 进行远程主机名匹配时,是否进行反向域名查询
58. #IgnoreUserKnownHosts no <==是否在 RhostsRSAAuthentication 或 HostbasedAuthentication 过程中忽略用户的 ~/.ssh/known_hosts 文件
59. # Don’t read the user’s ~/.rhosts and ~/.shosts files
60. #IgnoreRhosts yes <==是否在 RhostsRSAAuthentication 或 HostbasedAuthentication 过程中忽略 .rhosts 和 .shosts 文件
61.
62. # To disable tunneled clear text passwords, change to no here!
63. #PasswordAuthentication yes
64. #PermitEmptyPasswords no <==是否允许空密码
65. PasswordAuthentication yes <==是否允许密码验证,生产环境中建议改成no,只用密钥登录
66.
67. # Change to no to disable s/key passwords
68. #ChallengeResponseAuthentication yes
69. ChallengeResponseAuthentication no <==是否允许质疑-应答(challenge-response)认证
70.
71. # Kerberos options
72. #KerberosAuthentication no <==是否使用Kerberos认证
73. #KerberosOrLocalPasswd yes <==如果 Kerberos 密码认证失败,那么该密码还将要通过其它的认证机制(比如 /etc/passwd)
74. #KerberosTicketCleanup yes <==是否在用户退出登录后自动销毁用户的 ticket
75. #KerberosGetAFSToken no <==如果使用了AFS并且该用户有一个 Kerberos 5 TGT,那么开启该指令后,将会在访问用户的家目录前尝试获取一个AFS token
76. #KerberosUseKuserok yes
77.
78. # GSSAPI options
79. GSSAPIAuthentication yes <==是否允许基于GSSAPI的用户认证
80. GSSAPICleanupCredentials no <==是否在用户退出登录后自动销毁用户凭证缓存
81. #GSSAPIStrictAcceptorCheck yes
82. #GSSAPIKeyExchange no
83. #GSSAPIEnablek5users no
84.
85. # Set this to ‘yes’ to enable PAM authentication, account processing,
86. # and session processing. If this is enabled, PAM authentication will
87. # be allowed through the ChallengeResponseAuthentication and
88. # PasswordAuthentication. Depending on your PAM configuration,
89. # PAM authentication via ChallengeResponseAuthentication may bypass
90. # the setting of “PermitRootLogin without-password”.
91. # If you just want the PAM account and session checks to run without
92. # PAM authentication, then enable this but set PasswordAuthentication
93. # and ChallengeResponseAuthentication to ‘no’.
94. # WARNING: ‘UsePAM no’ is not supported in Red Hat Enterprise Linux and may cause several
95. # problems.
96. UsePAM yes <==是否通过PAM验证
97.
98. #AllowAgentForwarding yes
99. #AllowTcpForwarding yes
100. #GatewayPorts no <==是否允许远程主机连接本地的转发端口
101. X11Forwarding yes <==是否允许X11转发
102. #X11DisplayOffset 10 <==指定sshd(8)X11转发的第一个可用的显示区(display)数字。默认值是10
103. #X11UseLocalhost yes <==是否应当将X11转发服务器绑定到本地loopback地址
104. #PermitTTY yes
105. #PrintMotd yes <==指定sshd(8)是否在每一次交互式登录时打印 /etc/motd 文件的内容
106. #PrintLastLog yes <==指定sshd(8)是否在每一次交互式登录时打印最后一位用户的登录时间
107. #TCPKeepAlive yes <==指定系统是否向客户端发送 TCP keepalive 消息
108. #UseLogin no <==是否在交互式会话的登录过程中使用 login(1)
109. #UsePrivilegeSeparation sandbox <==是否让 sshd(8) 通过创建非特权子进程处理接入请求的方法来进行权限分离
110. #PermitUserEnvironment no <==指定是否允许sshd(8)处理~/.ssh/environment以及 ~/.ssh/authorized_keys中的 environment= 选项
111. #Compression delayed <==是否对通信数据进行加密,还是延迟到认证成功之后再对通信数据加密
112. #ClientAliveInterval 0 <==sshd(8)长时间没有收到客户端的任何数据,不发送”alive”消息
113. #ClientAliveCountMax 3 <==sshd(8)在未收到任何客户端回应前最多允许发送多个”alive”消息,默认值是 3
114. #ShowPatchLevel no
115. #UseDNS no <==是否使用dns反向解析
116. #PidFile /var/run/sshd.pid <==指定存放SSH守护进程的进程号的路径
117. #MaxStartups 10:30:100 <==最大允许保持多少个未认证的连接
118. #PermitTunnel no <==是否允许tun(4)设备转发
119. #ChrootDirectory none
120. #VersionAddendum none
121.
122. # no default banner path
123. #Banner none <==将这个指令指定的文件中的内容在用户进行认证前显示给远程用户,默认什么内容也不显示,”none”表示禁用这个特性
124.
125. # Accept locale-related environment variables
126. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
127. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
128. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
129. AcceptEnv XMODIFIERS
130.
131. # override default of no subsystems
132. Subsystem sftp /usr/libexec/openssh/sftp-server <==配置一个外部子系统sftp及其路径
133.
134. # Example of overriding settings on a per-user basis
135. #Match User anoncvs
136. # X11Forwarding no
137. # AllowTcpForwarding no
138. # PermitTTY no
139. # ForceCommand cvs server
资料源于网络
扫一扫
1379
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
