Enter the /etc/ssh directory:
cd /etc/ssh
ls
root@ud224:/home/z# cd /etc/ssh/
root@ud224:/etc/ssh# ls
ssh_config ssh_config.
There is only ssh_config and no sshd_config, which means only openssh-client is installed; openssh-server is not.
Install openssh-server:
sudo apt install -y openssh-server
moduli ssh_config.d sshd_config.d ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
ssh_config sshd_config ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key ssh_import_id
View the /etc/ssh/sshd_config file:
sudo cat /etc/ssh/sshd_config
sudo less /etc/ssh/sshd_config
sudo more /etc/ssh/sshd_config
sudo vi /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
sudo gedit /etc/ssh/sshd_config
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Here, the line
Include /etc/ssh/sshd_config.d/*.conf
pulls in every file ending in .conf under /etc/ssh/sshd_config.d/ as additional configuration. Because sshd uses the first value it reads for each keyword and this Include sits at the top of the file, settings in those drop-in files take precedence over the ones below it. So do not edit this file directly; instead put your changes in a file whose name ends in .conf and place it in /etc/ssh/sshd_config.d/.
A few options related to remote login:
#PasswordAuthentication yes allows remote login to authenticate with a password, but with the leading # the line is a comment and is not active.
Remove the leading # so the line reads PasswordAuthentication yes to allow remote password authentication.
Change #PermitRootLogin prohibit-password to PermitRootLogin yes to allow root to log in remotely.
Options related to keeping a remote connection alive:
ClientAliveInterval
How many seconds between checks that the remote client is still online; the default is 0, which means no checks are sent.
The sshd_config(5) descriptions of these options:
PasswordAuthentication
Specifies whether password authentication is allowed. The default is yes.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password.
If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root. If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to no, root is not allowed to log in.
prohibit-password is the new name for without-password.
ClientAliveCountMax
Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive.
The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination.
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
Rather than editing /etc/ssh/sshd_config directly, create a Mysshd.conf configuration file under /etc/ssh/sshd_config.d and restart sshd.service:
echo '
PasswordAuthentication yes
PermitRootLogin yes
ClientAliveInterval 666
' | sudo tee /etc/ssh/sshd_config.d/Mysshd.conf
sudo systemctl restart sshd.service
Because the default value of PasswordAuthentication is already yes, it can be left out:
echo '
PermitRootLogin yes
ClientAliveInterval 666
' | sudo tee /etc/ssh/sshd_config.d/Mysshd.conf
sudo systemctl restart sshd.service
And a command to enter the /etc/ssh/sshd_config.d/ directory, for convenient copying:
cd /etc/ssh/sshd_config.d/
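As an added example (not from the original post), a POSIX shell script for the drop-in procedure above: it writes the same Mysshd.conf, validates the complete configuration with sshd -t before restarting the service so a typo cannot leave sshd unable to start, reads the effective values back with sshd -T, and computes the disconnect time from ClientAliveInterval and ClientAliveCountMax as the man page excerpt describes. The DROPIN path variable and the APPLY switch are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the Mysshd.conf drop-in,
# checks the complete sshd configuration with `sshd -t` BEFORE restarting
# (a broken config would otherwise stop sshd from coming back up), then
# reads the effective values back with `sshd -T`.
set -eu

DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/Mysshd.conf}"   # assumed path

# The same two settings the post puts in Mysshd.conf; PasswordAuthentication
# is omitted because its default is already yes. With root allowed to log in
# and password authentication on, root is reachable by password guessing.
make_dropin() {
    printf '%s\n' 'PermitRootLogin yes' 'ClientAliveInterval 666'
}

# Seconds after which an unresponsive client is disconnected:
# ClientAliveInterval * ClientAliveCountMax (man page: 15 * 3 = 45).
# A 0 in either keyword disables the mechanism.
alive_timeout() {
    if [ "$1" -eq 0 ] || [ "$2" -eq 0 ]; then
        echo disabled
    else
        echo $(($1 * $2))
    fi
}

# Read `sshd -T` output (keywords are printed lower-case) on stdin and
# succeed only if keyword $1 has value $2.
check_effective() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v k="$key" -v v="$2" \
        '$1 == k { found = 1; ok = ($2 == v) } END { exit ((found && ok) ? 0 : 1) }'
}

apply_dropin() {
    make_dropin | sudo tee "$DROPIN" >/dev/null
    sudo sshd -t                      # parses sshd_config and every Include
    sudo systemctl restart sshd.service
    sudo sshd -T | check_effective PermitRootLogin yes
    sudo sshd -T | check_effective ClientAliveInterval 666
    echo "unresponsive clients dropped after: $(alive_timeout 666 3) seconds"
}

# Only touch the system when APPLY=1 is set, so the functions can be
# sourced and exercised without root.
if [ "${APPLY:-0}" = 1 ]; then
    apply_dropin
fi
```

Run it as APPLY=1 sh script.sh on the server; without APPLY it only defines the functions.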