linux ssh配置文件的详解

# This is the sshd server system-wide configuration file.   See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.   Uncommented options change a
# default value.

#Port 22 SSH 默认的坚挺端口
#Protocol 2,1 选择SSH的版本
#ListenAddress 0.0.0.0 监听的IP地址
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key SSH VERSION 1 使用的密钥
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key SSH VERSION 2 使用的RSA私钥
#HostKey /etc/ssh/ssh_host_dsa_key SSH VAESION 2 使用的 DSA私钥

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600 版本一的密钥从新生成时间间隔
#ServerKeyBits 768 SERVER_KEY 的长度

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH SSH登陆系统 记录信息   记录的位置 默认是/VAR/LOG/SECUER
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:
#UserLogin no 在SSH 下不接受LOGIN 程序登陆

#LoginGraceTime 120
#PermitRootLogin yes        是否让ROOT用户登陆
#StrictModes yes        用户的HOST_KEY 改面的时候不让登陆

#RSAAuthentication yes        是否使用纯的RAS认证 针对VERSION 1
#PubkeyAuthentication yes 是否使用PUBLIC_KEY 针对VERSION 2
#AuthorizedKeysFile .ssh/authorized_keys     使用不需要密码登陆的的帐号时帐号的存放文件所在的文件名

# rhosts authentication should not be used
#RhostsAuthentication no 本机系统不使用 RHOSTS 使用RHOSTS 不安全
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes 是否取消上面的认证方式 当然选是
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no 不使用针对 VERSION 1 使用RHOSTS 文件在/ETC/HOSTS.EQUIV 配合RAS进行认证 不建议使用
# similar for protocol version 2
#HostbasedAuthentication no 针对VERSION 2 也是上面的功能
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no 是否忽略主目录的 ~/.ssh/known_hosts文件记录

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes 是否需要密码验证
#PermitEmptyPasswords no 是否允许空密码登陆

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes 挑战任何密码验证

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes 是否显示上次登陆信息
#PrintLastLog yes 显示上次登陆信息
#KeepAlive yes 发送连接信息
#UseLogin no
#UsePrivilegeSeparation yes 用户权限设置
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10 连接的画面的设置 从连接就是登陆画面
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
DenyUsers * 设置受阻的用户 代表全部用户
DenyUsers test
DenyGroups test


SSH 自动登陆设置
1设置CLIENT端建立PUBLIC_KEY 和 PRIVATE_KEY
[TEST@TEST TEST] SSH-KEYGEN �CT RSA   //-T 说明使用RSA 加密算法
生成密钥的文件夹 $HOME/.SSH/ID_RSA
上传PUBLIC_KEY 到SERVER
SFTP TEST@TEST
LCD /HOME/.SSH
PUT ID_RSA.PUB
EXIT
登陆到SERVER
执行命令
[TEST@TEST SSH] CAT ../ID_RSA.PUB >> AUTHORIZED_KEYS
相关的安全设置
/ETC/SSH/SSHD_CONFIG
/ETC/HOSTS.ALLOW
/ETC/HOSTS.DENY
IPTABLES

编辑/ETC/HOSTS.DENY
SSHD : ALL :SPAWN (/BIN/ECHO SECURITY NOTICE FROM HOST `/BIN/HOSTNAME` ;\
/BIN/ECHO ; /USR/SBIN/SAFE_FINGER @%H )|\
/BIN/MAIL �CS “%d -%H SECURITY” ROOT@LOCALHOST &\
:TWIST (/BIN/ECHO �CE “\N\nWARNING connection not allowed. You attempt has been logged. \n\n\n   警告信息   

你可能感兴趣的:(linux,ssh服务详解)