Solaris学习笔记:8.SSH配置(2.ssh server配置)

Solaris 10(sparc)

pkginfo �Cl | grep ssh;pkginfo �Cl SUNWsshdr;pkgchk �Cv SUNWsshdr;

ssh,sshd,sftp,ssh-agent;

ssh_config;sshd_config;

ssh-keygen,sshd;

/etc/ssh/*;/usr/lib/ssh/*;/usr/bin/ssh*;/$HOME/.ssh/*;

whatis ssh-keygen;man ssh-keygen;

 

 

1.ssh server 软件是否已安装及软件信息

# pkginfo -l | grep ssh
   PKGINST:  SUNWsshcu
   PKGINST:  SUNWsshdr
   PKGINST:  SUNWsshdu
   PKGINST:  SUNWsshr
   PKGINST:  SUNWsshu

#
# pkginfo -l SUNWsshcu
   PKGINST:  SUNWsshcu
     NAME:  SSH Common, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol common Utilities
    PSTAMP:  on10ptchfeat20071025112509
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:      7 个已安装的路径名
                   4 个共享的路径名
                   4 目录
                   3 可执行文件
                   1 setuid/setgid可执行文件
                 782 个已使用的块(近似)

# pkginfo -l SUNWsshdr
   PKGINST:  SUNWsshdr
      NAME:  SSH Server, (Root)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Server
    PSTAMP:  on10ptchfeat20080228002300
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:     12 个已安装的路径名
                   9 个共享的路径名
                   9 目录
                   1 可执行文件
                  20 个已使用的块(近似)

# pkginfo -l SUNWsshdu
   PKGINST:  SUNWsshdu
      NAME:  SSH Server, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Server
    PSTAMP:  on10ptchfeat20071025112510
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:      5 个已安装的路径名
                   3 个共享的路径名
                   3 目录
                   2 可执行文件
                 772 个已使用的块(近似)

# pkginfo -l SUNWsshr
   PKGINST:  SUNWsshr
      NAME:  SSH Client and utilities, (Root)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Client and associated Utilities
    PSTAMP:  gaget20050121155950
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:      4 个已安装的路径名
                   2 个共享的路径名
                   2 目录
                 175 个已使用的块(近似)

# pkginfo -l SUNWsshu
   PKGINST:  SUNWsshu
      NAME:  SSH Client and utilities, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Client and associated Utilities
    PSTAMP:  on10ptchfeat20071025112511
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:     11 个已安装的路径名
                   4 个共享的路径名
                   4 目录
                   7 可执行文件
                1081 个已使用的块(近似)

 

2.ssh server/client 进程状态

 

 

 

3.与ssh server相关的文件(程序/配置文件/命令)

# pkgchk -v SUNWsshcu
/usr
/usr/bin
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/lib
/usr/lib/ssh
/usr/lib/ssh/ssh-keysign
#
# pkgchk -v SUNWsshdr
/etc
/etc/ssh
/etc/ssh/sshd_config
/lib
/lib/svc
/lib/svc/method
/lib/svc/method/sshd
/var
/var/svc
/var/svc/manifest
/var/svc/manifest/network
/var/svc/manifest/network/ssh.xml
#
#
# pkgchk -v SUNWsshdu
/usr
/usr/lib
/usr/lib/ssh
/usr/lib/ssh/sftp-server
/usr/lib/ssh/sshd
#
# pkgchk -v SUNWsshr
/etc
/etc/ssh
/etc/ssh/moduli
/etc/ssh/ssh_config
#
# pkgchk -v SUNWsshu
/usr
/usr/bin
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/lib
/usr/lib/ssh
/usr/lib/ssh/ssh-http-proxy-connect
/usr/lib/ssh/ssh-socks5-proxy-connect
#
#

 

5.man 内容

# whatis ssh
ssh             ssh (1)         - secure shell client (remote login program)
#
# whatis sshd
sshd            sshd (1m)       - secure shell daemon
#
# whatis ssh-keygen
ssh-keygen      ssh-keygen (1)  - authentication key generation
#
# whatis ssh-keyscan
ssh-keyscan     ssh-keyscan (1) - gather public ssh host keys of a number of hosts
#
# whatis ssh-keysign
ssh-keysign     ssh-keysign (1m)    - ssh helper program for host-based authentication
#

# whatis sshd_config
sshd_config     sshd_config (4) - sshd configuration file
#
# whatis ssh_config
ssh_config      ssh_config (4)  - ssh configuration file
#
# whatis ssh-add
ssh-add         ssh-add (1)     - add RSA or DSA identities to the authentication agent
#

# whatis ssh-agent
ssh-agent       ssh-agent (1)   - authentication agent
#
# whatis sftp-server
sftp-server     sftp-server (1m)    - SFTP server subsystem
#

# whatis sftp
sftp            sftp (1)        - secure file transfer program

# whatis ssh-http-proxy-connect
ssh-http-proxy-connect          ssh-http-proxy-connect (1)  - Secure Shell proxy for HTTP
#
# whatis ssh-socks5-proxy-connect
ssh-socks5-proxy-connect        ssh-socks5-proxy-connect (1)    - Secure Shell proxy for SOCKS5

# man sshd

NAME
     sshd - secure shell daemon

SYNOPSIS
     sshd [-deiqtD46] [-b bits] [-f config_file]
         [-g login_grace_time] [-h host_key_file]
         [-k key_gen_time] [-p port] [-V client_protocol_id]

DESCRIPTION
     The sshd (Secure Shell daemon) is  the  daemon  program  for
     ssh(1).  Together these programs replace rlogin and rsh, and
     provide  secure   encrypted   communications   between   two
     untrusted  hosts  over an insecure network. The programs are
     intended to be as easy to install and use as possible.

     sshd  is  the  daemon  that  listens  for  connections  from
     clients. It forks a new daemon for each incoming connection.
     The forked daemons handle key exchange, encryption,  authen-
     tication, command execution, and data exchange.

     This implementation of sshd supports both SSH protocol  ver-
     sions 1 and 2 simultaneously. Because of security weaknesses
     in the v1 protocol, sites should run only v2,  if  possible.
     In  the  default  configuration, only protocol v2 is enabled
     for the server. To enable v1 and v2 simultaneously, see  the
     instructions in sshd_config(4).

     Support for v1 is provided to help sites with  existing  ssh
     v1  clients and servers to transition to v2. v1 might not be
     supported in a future release.

  SSH Protocol Version 1
     Each host has a host-specific RSA key (normally  1024  bits)
     used  to  identify  the  host. Additionally, when the daemon
     starts, it generates a server RSA key (normally  768  bits).
     This  key  is normally regenerated every hour if it has been
     used, and is never stored on disk.

     Whenever a client connects the daemon responds with its pub-
     lic  host  and server keys. The client compares the RSA host
     key against its own database  to  verify  that  it  has  not
     ……

#

# man -s 4 sshd_config

NAME
     sshd_config - sshd configuration file

SYNOPSIS
     /etc/ssh/sshd_config

DESCRIPTION
     The  sshd(1M)   daemon   reads   configuration   data   from
     /etc/ssh/sshd_config  (or the file specified with sshd -f on
     the command line). The file  contains  keyword-value  pairs,
     one per line. A line starting with a hash mark (#) and empty
     lines are interpreted as comments.

     The sshd_config file supports  the  keywords  listed  below.
     Unless  otherwise  noted,  keywords  and their arguments are
     case-insensitive.

     AllowGroups

         This keyword can be followed by a number of group names,
         separated by spaces. If specified, login is allowed only
         for users whose primary group matches one  of  the  pat-
         terns. Asterisk (*) and question mark (?) can be used as
         wildcards in the patterns. Only group names are valid; a
         numerical  group ID is not recognized. By default, login
         is allowed regardless of the primary group.

     AllowTcpForwarding

         Specifies  whether  TCP  forwarding  is  permitted.  The
         default  is yes. Note that disabling TCP forwarding does
         not improve security unless users are also denied  shell
         access, as they can always install their own forwarders.

    AllowUsers

         This keyword can be followed by a number of user  names,
         separated by spaces. If specified, login is allowed only
         for user names that match one of the patterns.  Asterisk
         (*)  and  question  mark (?) can be used as wildcards in
         the patterns. Only user names  are  valid;  a  numerical
         user  ID  is not recognized. By default login is allowed
         regardless of the user name.

         If a specified pattern takes  the  form  user@host  then
         user and host are checked separately, restricting logins
         to particular users from particular hosts.

     AuthorizedKeysFile

         Specifies the file that contains the public  keys  that
         can  be used for user authentication. AuthorizedKeysFile
         can contain tokens of the form %T, which are substituted
         during  connection  set-up.  The  following  tokens  are
         defined: %% is replaced by a literal %, %h  is  replaced
         by  the  home  directory of the user being authenticated
         and %u is replaced by the username of that  user.  After
         expansion, AuthorizedKeysFile is taken to be an absolute
         path or one relative to the user's home  directory.  The
         default is .ssh/authorized_keys.

     Banner

         In some jurisdictions, sending a warning message  before
         authentication can be relevant for getting legal protec-
         tion. The contents of the specified file are sent to the
         remote  user  before  authentication  is  allowed.  This
         option is only available  for  protocol  version  2.  By
         default, no banner is displayed.

     Ciphers

         Specifies the ciphers allowed for  protocol  version  2.
         Multiple ciphers must be comma-separated. The default is
         aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc.

     ClientAliveCountMax

         Sets the number of client  alive  messages  (see  Clien-
         tAliveInterval,  below)  that  can  be sent without sshd
         receiving any messages back from  the  client.  If  this
         threshold  is  reached  while  client alive messages are
         being sent, sshd disconnects the client, terminating the
         session.  It is important to note that the use of client
         alive messages is very  different  from  KeepAlive  (see
         below).  The  client alive messages are sent through the
         encrypted channel and therefore are not  spoofable.  The
         TCP  keepalive option enabled by KeepAlive is spoofable.
         The client alive mechanism is valuable when a client  or
         server  depend  on  knowing when a connection has become
         inactive.

         The default value is 3. If  ClientAliveInterval  (below)
         is  set  to  15,  and ClientAliveCountMax is left at the
         default, unresponsive ssh clients are disconnected after
         approximately 45 seconds.

     ClientAliveInterval

         Sets a timeout interval in seconds after  which,  if  no
         data  has  been  received  from the client, sshd sends a
         message through  the  encrypted  channel  to  request  a
         response  from  the client. The default is 0, indicating
         that these messages are not sent to  the  client.   This
         option applies only to protocol version 2.

    Compression

         Controls whether the server allows the client  to  nego-
         tiate the use of compression. The default is yes.

     DenyGroups

         Can be followed by a number of group names, separated by
         spaces.  Users  whose  primary  group matches one of the
         patterns are not allowed to log  in.  Asterisk  (*)  and
         question  mark  (?) can be used as wildcards in the pat-
         terns. Only group names are valid; a numerical group  ID
         is  not recognized. By default, login is allowed regard-
         less of the primary group.

    DenyUsers

         Can be followed by a number of user names, separated  by
         spaces.  Login  is  disallowed for user names that match
         one of the patterns. Asterisk (*) and question mark  (?)
         can  be  used  as  wildcards  in the patterns. Only user
         names are valid; a numerical user ID is not  recognized.
         By  default,  login  is  allowed  regardless of the user
         name.

         If a specified pattern takes  the  form  muser@mhost  then
         user and 4mhost are checked separately, disallowing logins
         to particular users from particular hosts.

     GatewayPorts

         Specifies whether remote hosts are allowed to connect to
         ports  forwarded  for the client. By default, sshd binds
         remote port forwardings to the  loopback  address.  This
         prevents other remote hosts from connecting to forwarded
         ports. GatewayPorts can be used  to  specify  that  sshd
         should  bind  remote  port  forwardings  to the wildcard
         address, thus allowing remote hosts to connect  to  for-
         warded  ports.  The  argument  must  be  yes  or no. The
         default is no.

     GSSAPIAuthentication

         Enables/disables  GSS-API   user   authentication.   The
         default is yes.

         Currently sshd authorizes client user principals to user
         accounts  as  follows: if the principal name matches the
         requested user account, then the  principal  is  author-
         ized. Otherwise, GSS-API authentication fails.

     GSSAPIKeyExchange

         Enables/disables  GSS-API-authenticated  key  exchanges.
         The default is yes.

         This option also enables  the  use  of  the  GSS-API  to
         authenticate  the user to server after the key exchange.
         Note that GSS-API key exchange can succeed but the  sub-
         sequent  authentication  using  the  GSS-API fail if the
         server does not authorize the user's GSS principal  name
         to the target user account.

         Currently sshd authorizes client user principals to user
         accounts  as  follows: if the principal name matches the
         requested user account, then the  principal  is  author-
         ized. Otherwise, GSS-API authentication fails.

     GSSAPIStoreDelegatedCredentials

         Enables/disables the use of  delegated  GSS-API  creden-
         tials on the server-side. The default is yes.

         Specifically, this  option,  when  enabled,  causes  the
         server  to  store  delegated  GSS-API credentials in the
         user's default GSS-API credential store (which  for  the
         Kerberos V mechanism means /tmp/krb5cc_<uid).

         Note -

           sshd does not take any  steps  to  explicitly  destroy
           stored  delegated  GSS-API credentials upon logout. It
           is  the  responsibility  of  PAM  modules  to  destroy
           credentials associated with a session.

     HostbasedAuthentication

         Specifies whether  to  try  rhosts-based  authentication
         with public key authentication. The argument must be yes
         or no. The default is no. This option applies to  proto-
         col  version 2 only and is similar to RhostsRSAAuthenti-
         cation. See sshd(1M) for guidelines on setting up  host-
         based authentication.

     HostbasedUsesNameFromPacketOnly

         Controls which hostname is searched  for  in  the  files
         ~/.shosts,  /etc/shosts.equiv,  and /etc/hosts.equiv. If
         this parameter is set to yes, the server uses  the  name
         the  client  claimed  for  itself  and  signed with that
         host's key. If set to no, the default, the  server  uses
         the name to which the client's IP address resolves.

         Setting this parameter to no disables host-based authen-
         tication  when  using NAT or when the client gets to the
         server indirectly through a port-forwarding firewall.

     HostKey

         Specifies the file containing the private host key  used
         by  SSH. The default is /etc/ssh/ssh_host_key for proto-
         col  version  1,   and   /etc/ssh/ssh_host_rsa_key   and
         /etc/ssh/ssh_host_dsa_key  for  protocol version 2. Note
         that sshd refuses to use a file if  it  is  group/world-
         accessible.  It  is  possible  to have multiple host key
         files. rsa1 keys are used for version 1 and dsa  or  rsa
         are used for version 2 of the SSH protocol.

     IgnoreRhosts

         Specifies that .rhosts and .shosts files are not used in
         authentication.  /etc/hosts.equiv  and /etc/shosts.equiv
         are still used.  The  default  is  yes.  This  parameter
         applies to both protocol versions 1 and 2.

     IgnoreUserKnownHosts

         Specifies  whether  sshd  should   ignore   the   user's
         $HOME/.ssh/known_hosts  during  RhostsRSAAuthentication.
         The default is no. This parameter applies to both proto-
         col versions 1 and 2.

     KbdInteractiveAuthentication

        Specifies  whether  authentication  by  means   of   the
         "keyboard-interactive"  authentication  method (and PAM)
         is allowed. Defaults to yes. (Deprecated: this parameter
         can only be set to yes.)

     KeepAlive

         Specifies whether the system should send keepalive  mes-
         sages  to the other side. If they are sent, death of the
         connection or crash of one of the machines  is  properly
         noticed. However, this means that connections die if the
         route is down temporarily, which can be an annoyance. On
         the other hand, if keepalives are not sent, sessions can
         hang indefinitely on the server, leaving ghost users and
         consuming server resources.

         The default is yes (to send keepalives), and the  server
         notices  if  the  network  goes  down or the client host
         reboots. This avoids infinitely hanging sessions.

         To disable keepalives, the value should be set to no  in
         both the server and the client configuration files.

     KeyRegenerationInterval

         In protocol version  1,  the  ephemeral  server  key  is
         automatically regenerated after this many seconds (if it
         has been  used).  The  purpose  of  regeneration  is  to
         prevent  decrypting  captured sessions by later breaking
         into the machine and stealing the keys. The key is never
         stored  anywhere.   If  the value is 0, the key is never
         regenerated. The default is 3600 (seconds).

     ListenAddress

         Specifies what local address sshd should listen on.  The
         following forms can be used:

           ListenAddress host|IPv4_addr|IPv6_addr
           ListenAddress host|IPv4_addr:port
           ListenAddress [host|IPv6_addr]:port

         If port is not specified, sshd listens  on  the  address
         and  all prior Port options specified. The default is to
         listen on all local  addresses.  Multiple  ListenAddress
         options  are  permitted.  Additionally, any Port options
         must  precede  this  option   for   non-port   qualified
         addresses.
         The default is to listen on all local addresses.  Multi-
         ple  options  of  this type are permitted. Additionally,
         the Ports options must precede this option.

     LoginGraceTime

         The server disconnects after this time (in  seconds)  if
         the user has not successfully logged in. If the value is
         0, there is no time limit. The default is 120 (seconds).

     LogLevel

         Gives the verbosity level that is used when logging mes-
         sages  from sshd. The possible values are: QUIET, FATAL,
         ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
         The  default  is  INFO.  DEBUG2  and DEBUG3 each specify
         higher levels of debugging output.  Logging  with  level
         DEBUG  violates  the  privacy of users and is not recom-
         mended.

     LookupClientHostnames

         Specifies whether or not to lookup the names of client's
         addresses. Defaults to yes.

     MACs

         Specifies  the  available  MAC  (message  authentication
         code)  algorithms. The MAC algorithm is used in protocol
         version 2 for data integrity protection. Multiple  algo-
         rithms  must  be  comma-separated.  The default is hmac-
         md5,hmac-sha1,hmac-sha1-96,hmac-md5-96.

     MaxStartups
         Specifies the maximum number of  concurrent  unauthenti-
         cated connections to the sshd daemon. Additional connec-
         tions are dropped until authentication succeeds  or  the
         LoginGraceTime  expires for a connection. The default is
         10.

         Alternatively, random  early  drop  can  be  enabled  by
         specifying     the    three    colon-separated    values
         this  example,  sshd  refuse  connection attempts with a
         probability of rate/100 (30% in our  example)  if  there
         are  currently 10 (from the start field) unauthenticated
         connections. The probabillity increases linearly and all
         connection  attempts  are refused if the number of unau-
         thenticated connections reaches full (60  in  our  exam-
         ple).

     PasswordAuthentication

         Specifies whether password  authentication  is  allowed.
         The  default  is  yes.  Note that this option applies to
         both protocol versions 1 and 2.

     PermitEmptyPasswords

         When password authentication is  allowed,  it  specifies
         whether  the  server allows login to accounts with empty
         password strings. In /etc/default/login, if  PASSREQ  is
         not  set,  or  PASSREQ=YES,  then  the default is no; if
         PASSREQ=NO, then the default is yes.

     PermitRootLogin

         Specifies whether the root can log in using ssh(1).  The
         argument   must   be   yes,   without-password,  forced-
         commands-only, or no. without-password means  that  root
         cannot   be   authenticated   using  the  "password"  or
         "keyboard-interactive"  methods  (see   description   of
         KbdInteractiveAuthentication   above).  forced-commands-
         lickey"  (for  SSHv2, or RSA, for SSHv1) and only if the
         matching  authorized_keys   entry   for   root   has   a
         command=&lt;cmd> option.

         In Solaris, the  default  /etc/ssh/sshd_config  file  is
         shipped  with PermitRootLogin set to no. If unset by the
         administrator,    then    CONSOLE     parameter     from
         /etc/default/login  supplies  the  default value as fol-
         lows: if the CONSOLE parameter is not commented out  (it
         can  even  be empty, that is, "CONSOLE="), then without-
         password is used as default value. If  CONSOLE  is  com-
         mented out, then the default for PermitRootLogin is yes.

         The without-password and  forced-commands-only  settings
         are  useful for, for example, performing remote adminis-
         tration  and  backups  using  trusted  public  keys  for
         authentication  of  the  remote client, without allowing
         access to the root account using passwords.

     PermitUserEnvironment

         Specifies whether a  user's  ~/.ssh/environment  on  the
         server  side  and  environment  options  in  the Author-
         izedKeysFile file are processed by sshd. The default  is
         no.  Enabling environment processing can enable users to
         bypass access restrictions in some configurations  using
         mechanisms such as LD_PRELOAD.

         Environment setting from a  relevant  entry  in  Author-
         izedKeysFile  file  is  processed  only  if the user was
         authenticated  using  the  public   key   authentication
         method.  Of  the two files used, values of variables set
         in ~/.ssh/environment are of higher priority.

     PidFile

         Allows   you    to    specify    an    alternative    to
         /var/run/sshd.pid,  the default file for storing the PID
         of the sshd listening for connections. See sshd(1M).
     Port

         Specifies the port number  that  sshd  listens  on.  The
         default is 22. Multiple options of this type are permit-
         ted. See also ListenAddress.

     PrintLastLog

         Specifies whether sshd should display the date and  time
         when the user last logged in. The default is yes.

     PrintMotd

         Specifies whether sshd should display  the  contents  of
         /etc/motd  when  a  user logs in interactively. (On some
         systems it is also displayed by the  shell  or  a  shell
         startup file, such as /etc/profile.) The default is yes.

     Protocol

         Specifies the protocol versions sshd should  support  in
         order  of  preference.  The possible values are 1 and 2.
         Multiple versions must be comma-separated.  The  default
         is  2,1.  This  means that ssh tries version 2 and falls
         back to version 1 if version 2 is not available.

     PubkeyAuthentication

         Specifies whether public key authentication is  allowed.
         The  default  is  yes.  Note that this option applies to
         protocol version 2 only.

     RhostsAuthentication

         Specifies  whether  authentication   using   rhosts   or
         /etc/hosts.equiv  files  is  sufficient.  Normally, this
         method should not be permitted because it  is  insecure.
         RhostsRSAAuthentication  should be used instead, because
         it performs RSA-based host authentication in addition to
         normal  rhosts  or  /etc/hosts.equiv authentication. The
         default is no. Note that this parameter applies only  to
         protocol version 1.

     RhostsRSAAuthentication

         Specifies whether rhosts or /etc/hosts.equiv authentica-
         tion together with successful RSA host authentication is
         allowed. The default is no.  Note  that  this  parameter
         applies only to protocol version 1.

     RSAAuthentication

         Specifies whether pure RSA  authentication  is  allowed.
         The  default  is  yes.  Note that this option applies to
         protocol version 1 only.

     ServerKeyBits

         Defines the number of bits  in  the  ephemeral  protocol
         version  1 server key. The minimum value is 512, and the
         default is 768.

     StrictModes (???)

         Specifies whether sshd should check file modes and  own-
         ership  of  the  user's  files and home directory before
         accepting login.  This  is  normally  desirable  because
         novices  sometimes accidentally leave their directory or
         files world-writable. The default is yes.

         Configures an external subsystem (for  example,  a  file
         transfer  daemon).  Arguments should be a subsystem name
         and a command to execute  upon  subsystem  request.  The
         command   sftp-server(1M)   implements   the  sftp  file
         transfer  subsystem.  By  default,  no  subsystems   are
         defined.  Note that this option applies to protocol ver-
         sion 2 only.

     SyslogFacility

         Gives the facility code that is used when  logging  mes-
         sages  from sshd. The possible values are: DAEMON, USER,
         AUTH, LOCAL0, LOCAL1, LOCAL2,  LOCAL3,  LOCAL4,  LOCAL5,
         LOCAL6, and LOCAL7. The default is AUTH.

     VerifyReverseMapping

         Specifies whether sshd should try to verify  the  remote
         host  name and check that the resolved host name for the
         remote IP address maps back to the very same IP address.
         (A  yes  setting means "verify".) Setting this parameter
         to no can be useful where DNS servers might be down  and
         thus cause sshd to spend much time trying to resolve the
         client's IP address to a name. This  feature  is  useful
         for Internet-facing servers. The default is no.

     X11DisplayOffset

         Specifies the first display number available for  sshd's
        X11 forwarding. This prevents sshd from interfering with
         real X11 servers. The default is 10.

     X11Forwarding

        Specifies  whether  X11  forwarding  is  permitted. The
         default  is yes. Note that disabling X11 forwarding does
         not improve security in any way,  as  users  can  always
         install their own forwarders.

         When X11 forwarding is enabled, there can be  additional
         exposure  to  the  server  and to client displays if the
         sshd proxy display is configured to listen on the  wild-
         card  address (see X11UseLocalhost below). However, this
         is not the  default.  Additionally,  the  authentication
         spoofing  and  authentication data verification and sub-
         stitution occur on the client side. The security risk of
         using  X11  forwarding  is that the client's X11 display
         server can be exposed to  attack  when  the  ssh  client
         requests  forwarding (see the warnings for ForwardX11 in
         ssh_config(4)). A system administrator who wants to pro-
         tect  clients that expose themselves to attack by unwit-
         tingly  requesting  X11  forwarding,  should  specify  a
         ``no'' setting.

         Note that disabling  X11  forwarding  does  not  prevent
         users  from  forwarding X11 traffic, as users can always
         install their own forwarders.

    X11UseLocalhost

         Specifies whether sshd should bind  the  X11  forwarding
         server  to  the  loopback  address  or  to  the wildcard
         address. By default, sshd binds the forwarding server to
         the  loopback  address and sets the hostname part of the
         DISPLAY  environment  variable  to  ``localhost''.  This
         prevents  remote  hosts  from  connecting  to  the proxy
         display. However, some older X11 clients might not func-
         tion with this configuration. X11UseLocalhost can be set
        to no to specify that the forwarding  server  should  be
         bound  to the wildcard address. The argument must be yes
         or no. The default is yes.

     XAuthLocation

         Specifies the location  of  the  xauth(1)  program.  The
         default is /usr/X/bin/xauth.

  Time Formats
     sshd command-line arguments and configuration  file  options
     that  specify  time can be expressed using a sequence of the
     form: time[qualifier,] where  time  is  a  positive  integer
     value and qualifier is one of the following:

     <none>    seconds

     s | S     seconds

     m | M     minutes

     h | H     hours

     d | D     days

     w |       weeks

     Each element of the sequence is added together to  calculate
     the total time value. For example:

     600      600 seconds (10 minutes)

     10m      10 minutes

     1h30m    1 hour, 30 minutes (90 minutes)

FILES
     /etc/ssh/sshd_config    Contains  configuration   data   for
                             sshd.  This  file should be writable
                             by root only, but it is  recommended
                             (though  not  necessary)  that it be
                             world-readable.

ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWsshu                    |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|

SEE ALSO
     login(1),  sshd(1M),  ssh_config(4),   attributes(5),   kerberos(5)

AUTHORS
     OpenSSH is a derivative of the original and free ssh  1.2.12
     release  by  Tatu  Ylonen.  Aaron Campbell, Bob Beck, Markus
     Friedl, Niels Provos, Theo de Raadt, and  Dug  Song  removed
     many  bugs,  re-added  recent features, and created OpenSSH.
     Markus Friedl contributed the support for SSH protocol  ver-
     sions  1.5  and  2.0. Niels Provos and Markus Friedl contri-
     buted support for privilege separation.

 

6./etc/ssh/sshd_config文件

#
# cd /etc/ssh
#
# ls -l
-rw-r--r--   1 root     sys        88301 2005   1月 22 moduli
-rw-r--r--   1 root     sys          861 2005   1月 22 ssh_config
-rw-r--r--   1 root     sys         5202 2005   1月 22 sshd_config
-rw-------   1 root     root         668 12月 25日 15:40 ssh_host_dsa_key
-rw-r--r--   1 root     root         600 12月 25日 15:40 ssh_host_dsa_key.pub
-rw-------   1 root     root         887 12月 25日 15:40 ssh_host_rsa_key
-rw-r--r--   1 root     root         220 12月 25日 15:40 ssh_host_rsa_key.pub
#
#
# cd /usr/lib/ssh
# ls -l
-r-xr-xr-x   1 root     bin        44172 2007  10月 30 sftp-server
-r-xr-xr-x   1 root     bin       350624 2007  10月 30 sshd
-r-xr-xr-x   1 root     bin        10268 2007  10月 30 ssh-http-proxy-connect
-r-sr-xr-x   1 root     bin       156104 2007  10月 30 ssh-keysign
-r-xr-xr-x   1 root     bin        10244 2007  10月 30 ssh-socks5-proxy-connect
#

# cd /usr/bin
# ls -l ssh*
-r-xr-xr-x   1 root     bin       257280 2007  10月 30 ssh
-r-xr-xr-x   1 root     bin        87724 2007   8月 17 ssh-add
-r-xr-xr-x   1 root     bin        70912 2005   1月 23 ssh-agent
-r-xr-xr-x   1 root     bin        87856 2007  11月 17 ssh-keygen
-r-xr-xr-x   1 root     bin       156072 2007   8月 17 ssh-keyscan

# more /etc/ssh/sshd_config
#
# ident "@(#)sshd_config        1.8     04/05/10 SMI"
#
# Configuration file for sshd(1m)

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding no

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Default Encryption algorithms and Message Authentication codes
#Ciphers        aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
#MACS   hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    6
MaxAuthTriesLog 3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin no

# sftp subsystem
Subsystem       sftp    /usr/lib/ssh/sftp-server

# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes

6.ssh server配置步骤

6.1使用口令认证

step1:检查ssh服务

#
# svcs -a | grep ssh
online          0:17:07 svc:/network/ssh:default

# svcs -x ssh
svc:/network/ssh:default (SSH server)
状态：online 自 2009年12月29日 星期二 00时17分07秒 开始
   参见：sshd(1M)
   参见：/var/svc/log/network-ssh:default.log
影响：无。
# svcs -l ssh
fmri         svc:/network/ssh:default
名称         SSH server
启用         是
状态         online
next_state   none
state_time   2009年12月29日 星期二 00时17分07秒
logfile      /var/svc/log/network-ssh:default.log
重启程序     svc:/system/svc/restarter:default
contract_id  126
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   optional_all/none svc:/system/filesystem/autofs (online)
dependency   require_all/none svc:/network/loopback (online)
dependency   require_all/none svc:/network/physical (online)
dependency   require_all/none svc:/system/cryptosvc (online)
dependency   require_all/none svc:/system/utmp (online)
dependency   require_all/restart file://localhost/etc/ssh/sshd_config (online)

 step2: vi /etc/ssh/sshd_config,允许root登录,启用密码认证;

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin yes

step3:重启ssh server

# svcadm refresh ssh
# svcadm restart ssh

step4:从本机和远程ssh连接测试

#
# ssh localhost  /为何未提示输入用户名?/  或者 ssh root@localhost  或者ssh �Cl  root  localhost

口令:
Last login: Tue Dec 29 00:18:56 2009 from 116.226.73.116
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
#

# who
root       pts/2        12月 28日 23:18  (116.226.73.116)
root       pts/1        12月 29日 00:43  (localhost)

使用putty ssh连接

login as: root
Using keyboard-interactive authentication.
口令:
Last login: Tue Dec 29 00:43:40 2009 from localhost
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
#

step5:使用非root账户ssh登录

useradd �Cu 100  -d /export/home/user1 user1

passwd user1

#
# ssh user1@localhost
口令:
Last login: Tue Dec 29 00:52:57 2009 from localhost
Could not chdir to home directory /home/user1: 无此文件或目录
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
$

$ who
root       pts/2        12月 28日 23:18  (116.226.73.116)
user1      pts/1        12月 29日 00:52  (localhost)

6.2 使用密钥认证

step1:

# ssh-keygen -t rsa -b 1024  (生成服务器端的公钥和私钥对,服务器端的公钥不需要发布给客户端主机,它在通信的第二阶段传递给客户端)
产生公共/私有 rsa 密钥对。
输入要存储密钥的文件 (//.ssh/id_rsa):
请输入口令（空白表示没有口令）:
再次输入同一 passphrase:
您的标识已经存储在 //.ssh/id_rsa 中。
您的公共密钥已经存储在 //.ssh/id_rsa.pub 中。
密钥指纹为:
4f:d2:db:99:64:bc:3c:d1:5d:e9:84:42:77:d2:14:8b root@b1500

# more /etc/passwd | grep root
root:x:0:0:Super-User:/:/sbin/sh
#
# cd /.ssh
# ls -a
.            ..          id_rsa       id_rsa.pub   known_hosts

step2:

ssh客户端(putty windows平台)配置

使用puttygen生成密钥对,将公钥文件分发(ftp)到$HOME/.ssh目录下

step3:

login as: root
Server refused our key  (?????)
Using keyboard-interactive authentication.