@mrz1
2018-01-09T09:24:23.000000Z
服务
/etc/ssh/sshd_config
man sshd_config 帮助
[root@centos7 ~]#cat /etc/ssh/sshd_config
#Port 22 //这个是ssh服务的监听端口,在实际生产环境中一般都不用默认的22端口
#AddressFamily any //any默认ipv4 ipv6
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress用来设置sshd服务器绑定的IP地址;监听的主机适配卡,举个例子来说,如果您有两个 IP, 分别是 192.168.0.11 及 192.168.2.20 那么只想要开放192.168.0.11时,就可以设置为:ListenAddress 192.168.0.11表示只监听来自 192.168.0.11 这个 IP 的SSH联机。如果不使用设定的话,则预设所有接口均接受 SSH
HostKey /etc/ssh/ssh_host_rsa_key 使用的 RSA 私钥
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV 日志
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m 登录宽限时间:两分钟内未完成认证,服务器自动断开该连接
#PermitRootLogin yes 改为 no 是禁止 root 直接通过 ssh 登录(可先登录普通用户再切换到 root)
#StrictModes yes 登录前检查用户家目录和 .ssh/ 下文件的所有者、权限是否安全
#MaxAuthTries 6 每个连接允许的最大认证尝试次数;失败次数达到一半(6/2=3)后开始记录日志
#MaxSessions 10 单个网络连接上允许复用(克隆)的最大会话数
#PubkeyAuthentication yes 支持公钥验证(一般开启公钥验证并关闭口令登录)
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no 是否允许空口令账户登录,no 表示拒绝(一般开启公钥验证并关闭口令登录)
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes //这里改为 no 可加快连接速度
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no (网关)
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 30 (每 30 秒向客户端发送一次存活探测;探测由客户端自动应答,与用户是否在操作无关)
#ClientAliveCountMax 0 (客户端连续未应答探测的次数超过此值即断开;与上面的 30 秒配合,即客户端无响应 30 秒就断开连接)
#ShowPatchLevel no
#UseDNS yes //这里改为 no(不对客户端 IP 做反向解析)可加快连接速度
#PidFile /var/run/sshd.pid //记录 sshd 进程号的文件
#MaxStartups 10:30:100 //当未认证的并发连接数超过 10 时,以 30% 的概率拒绝新连接,比例随连接数线性上升,达到 100 时全部拒绝
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none //ssh登录提示信息
Banner /etc/ssh/banner.txt //ssh 认证前向客户端显示该文件的内容
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AllowUsers wang //默认没有这一行,添加后只允许 wang 用户登录,其他用户(包括 root)均被拒绝,即白名单
DenyUsers 黑名单(处理顺序为 DenyUsers、AllowUsers、DenyGroups、AllowGroups,黑名单优先级高)
AllowGroups
DenyGroups
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
tail /var/log/secure 查看日志