• sshd_config详解


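    # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.

    # Syntax note: this is sshd_config ("Keyword argument" per line), not INI.
    # Only whole-line comments are recognised. Text after a value is parsed
    # as further arguments and sshd refuses to start ("garbage at end of
    # line"), so never append a comment to a directive line.

    # TCP port sshd listens on
    Port 22

    # Allow-list of user names permitted to log in; every other account is
    # rejected. Keep this list current when accounts are added or removed.
    AllowUsers feng

    # Whether root may log in directly over SSH
    PermitRootLogin no

    # Address family to listen on: inet (IPv4 only), inet6, or any
    AddressFamily inet

    # Local address(es) sshd binds to. The explanations are kept on their own
    # lines because a trailing comment on the directive itself is a syntax
    # error once the line is uncommented.
    # Listen on all IPv4 addresses:
    #ListenAddress 0.0.0.0
    # Listen on all IPv6 addresses (likely rejected while AddressFamily is
    # inet; set AddressFamily to any or inet6 first):
    #ListenAddress ::

    # Host private keys that identify this server to clients
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key

    # Ciphers and keying
    #RekeyLimit default none

    # Logging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    # Time the server waits for a login attempt to complete before it
    # disconnects; 0 disables the limit. Default is 120 seconds (2m).
    #LoginGraceTime 2m

    # Check ownership and permissions of the user's home directory and key
    # files (e.g. authorized_keys) before accepting a login; keep enabled
    StrictModes yes

    # Maximum authentication attempts per connection. Once failures reach
    # half this value, further failures are logged.
    MaxAuthTries 6
    #MaxSessions 10

    # Accept public-key authentication (set to yes when logging in with keys)
    PubkeyAuthentication yes

    # Expect .ssh/authorized_keys2 to be disregarded by default in future.
    # Used together with PubkeyAuthentication: files, relative to the user's
    # home directory, that hold the accepted public keys
    AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

    #AuthorizedPrincipalsFile none

    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    # Accept password authentication. With PubkeyAuthentication already on,
    # this is the setting that keeps online password guessing possible
    # (MaxAuthTries and LoginGraceTime above only slow it down).
    PasswordAuthentication yes

    # Never accept accounts whose password is empty
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    GSSAPIAuthentication yes
    # "no" leaves delegated GSSAPI credential caches on disk after logout;
    # the sshd_config(5) default is yes
    GSSAPICleanupCredentials no
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    #AllowAgentForwarding yes

    # Whether clients may request TCP port forwarding. Per sshd_config(5),
    # disabling it does not improve security unless shell access is also
    # denied, because users can always run their own forwarders.
    #AllowTcpForwarding yes

    # Whether remote hosts may connect to ports forwarded for the client
    #GatewayPorts no

    #------------------- X-Window related settings ----------------------------
    # Allow X11 forwarding. Keep X11UseLocalhost at its default so the proxy
    # display is not bound to the wildcard address.
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes


    #-------------------- Post-login settings -----------------------
    #PermitTTY yes

    # Print /etc/motd at login (a place for a welcome or legal notice)
    PrintMotd no

    # Print the date and time of the user's last login
    PrintLastLog yes

    # Send TCP keepalive messages to the client so that dead connections,
    # improperly closed connections and client crashes are detected and the
    # session is torn down instead of lingering as an idle process.
    # TCP keepalives are spoofable; ClientAliveInterval below does the same
    # job inside the encrypted channel.
    TCPKeepAlive yes

    # UseLogin: whether login(1) runs interactive sessions (default no).
    # If enabled, X11Forwarding is disabled because login(1) cannot handle
    # xauth cookies, and it is disabled after authentication when privilege
    # separation is in use. Newer OpenSSH releases no longer accept this
    # keyword; confirm against the installed version before uncommenting.
    #UseLogin no


    #PermitUserEnvironment no
    #Compression delayed

    # Seconds of inactivity after which the server asks the client for a
    # response over the encrypted channel
    ClientAliveInterval 60

    # Disconnect after this many consecutive unanswered client-alive requests
    # (60 s x 3: an unresponsive client is dropped after about 3 minutes)
    ClientAliveCountMax 3

    # Whether to reverse-resolve client addresses; slows logins and the
    # result is only as trustworthy as the DNS answering it
    #UseDNS no

    #PidFile /var/run/sshd.pid

    # Maximum number of concurrent connections that have not yet
    # authenticated (established sessions do not count). This bounds the
    # cost of connection floods, but a small fixed value is also easy to
    # exhaust: a few idle unauthenticated connections block every legitimate
    # login. The OpenSSH default is 10:30:100 (random early drop); the
    # start:rate:full form is preferable to a bare number like 2.
    MaxStartups 2

    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none

    # no default banner path
    #Banner none

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    # override default of no subsystems
    Subsystem sftp /usr/lib/openssh/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # PermitTTY no
    # ForceCommand cvs server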

  • 原文地址:https://www.cnblogs.com/bignode/p/9263312.html