【转载】SSH服务器端/etc/ssh/sshd_conf配置文件详解

[root@u0704-t5-test-shaoew1 ~]$cat /etc/ssh/sshd_config

---

1. #Port 22                                          监听端口，默认监听22端口   【默认可修改】
2. #AddressFamily any                        IPV4和IPV6协议家族用哪个，any表示二者均有
3. #ListenAddress 0.0.0.0                   指明监控的地址，0.0.0.0表示本机的所有地址  【默认可修改】
4. #ListenAddress ::                            指明监听的IPV6的所有地址格式
5. # The default requires explicit activation of protocol 1   
6. #Protocol 2                                      使用SSH第二版本，centos7默认第一版本已拒绝
7. # HostKey for protocol version 1      一版的SSH支持以下一种秘钥形式
8. #HostKey /etc/ssh/ssh_host_key
9. # HostKeys for protocol version 2                  使用第二版本发送秘钥，支持以下四种秘钥认证的存放位置：（centos6只支持rsa和dsa两种）
10. HostKey /etc/ssh/ssh_host_rsa_key               rsa私钥认证 【默认】
11. #HostKey /etc/ssh/ssh_host_dsa_key            dsa私钥认证
12. HostKey /etc/ssh/ssh_host_ecdsa_key          ecdsa私钥认证
13. HostKey /etc/ssh/ssh_host_ed25519_key      ed25519私钥认证
14. # Lifetime and size of ephemeral version 1 server key
15. #KeyRegenerationInterval 1h
16. #ServerKeyBits 1024        主机秘钥长度        
17. # Ciphers and keying      
18. #RekeyLimit default none
19. # Logging
20. # obsoletes QuietMode and FascistLogging
21. #SyslogFacility AUTH
22. SyslogFacility AUTHPRIV                   当有人使用ssh登录系统的时候，SSH会记录信息，信息保存在/var/log/secure里面
23. #LogLevel INFO                                  日志的等级
24. # Authentication:
25. #LoginGraceTime 2m                           登录的宽限时间，默认2分钟没有输入密码，则自动断开连接
26. #PermitRootLogin no
27. PermitRootLogin yes                            是否允许管理员直接登录，'yes'表示允许
28. #StrictModes yes                                 是否让sshd去检查用户主目录或相关文件的权限数据
29. #MaxAuthTries 6                                  最大认证尝试次数，最多可以尝试6次输入密码。之后需要等待某段时间后才能再次输入密码
30. #MaxSessions 10                                 允许的最大会话数
31. #RSAAuthentication yes
32. #PubkeyAuthentication yes
33. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
34. # but this is overridden so installations will only check .ssh/authorized_keys
35. AuthorizedKeysFile .ssh/authorized_keys                 服务器生成一对公私钥之后，会将公钥放到.ssh/authorizd_keys里面，将私钥发给客户端
36. #AuthorizedPrincipalsFile none 
37. #AuthorizedKeysCommand none
38. #AuthorizedKeysCommandUser nobody
39. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
40. #RhostsRSAAuthentication no
41. # similar for protocol version 2
42. #HostbasedAuthentication no
43. # Change to yes if you don't trust ~/.ssh/known_hosts for
44. # RhostsRSAAuthentication and HostbasedAuthentication
45. #IgnoreUserKnownHosts no
46. # Don't read the user's ~/.rhosts and ~/.shosts files
47. #IgnoreRhosts yes
48. # To disable tunneled clear text passwords, change to no here!
49. #PasswordAuthentication yes
50. #PermitEmptyPasswords no
51. PasswordAuthentication yes                    是否允许支持基于口令的认证
52. # Change to no to disable s/key passwords
53. #ChallengeResponseAuthentication yes
54. ChallengeResponseAuthentication no     是否允许任何的密码认证
55. # Kerberos options                                   是否支持kerberos（基于第三方的认证，如LDAP）认证的方式，默认为no 
56. #KerberosAuthentication no
57. #KerberosOrLocalPasswd yes
58. #KerberosTicketCleanup yes
59. #KerberosGetAFSToken no
60. #KerberosUseKuserok yes
61. # GSSAPI options                                       
62. GSSAPIAuthentication yes
63. GSSAPICleanupCredentials no
64. #GSSAPIStrictAcceptorCheck yes
65. #GSSAPIKeyExchange no
66. #GSSAPIEnablek5users no
67. # Set this to 'yes' to enable PAM authentication, account processing,
68. # and session processing. If this is enabled, PAM authentication will
69. # be allowed through the ChallengeResponseAuthentication and
70. # PasswordAuthentication. Depending on your PAM configuration,
71. # PAM authentication via ChallengeResponseAuthentication may bypass
72. # the setting of "PermitRootLogin without-password".
73. # If you just want the PAM account and session checks to run without
74. # PAM authentication, then enable this but set PasswordAuthentication
75. # and ChallengeResponseAuthentication to 'no'.
76. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
77. # problems.
78. UsePAM yes
79. #AllowAgentForwarding yes
80. #AllowTcpForwarding yes
81. #GatewayPorts no
82. X11Forwarding yes                    是否允许x11转发，可以让窗口的数据通过SSH连接来传递(请查看ssh -X 参数)：#ssh -X  user@IP
83. #X11DisplayOffset 10
84. #X11UseLocalhost yes 
85. #PermitTTY yes
86. #PrintMotd yes
87. #PrintLastLog yes
88. #TCPKeepAlive yes
89. #UseLogin no
90. UsePrivilegeSeparation sandbox # Default for new installations.
91. #PermitUserEnvironment no
92. #Compression delayed
93. #ClientAliveInterval 0
94. #ClientAliveCountMax 3
95. #ShowPatchLevel no
96. #UseDNS yes              是否反解DNS，如果想让客户端连接服务器端快一些，这个可以改为no
97. #PidFile /var/run/sshd.pid
98. #MaxStartups 10:30:100
99. #PermitTunnel no
100. #ChrootDirectory none
101. #VersionAddendum none
102. # no default banner path
103. #Banner none
104. # Accept locale-related environment variables
105. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
106. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
107. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
108. AcceptEnv XMODIFIERS
109. # override default of no subsystems
110. Subsystem sftp /usr/libexec/openssh/sftp-server                    支持 SFTP ，如果注释掉，则不支持sftp连接
111. # Example of overriding settings on a per-user basis
112. #Match User anoncvs
113. # X11Forwarding no
114. # AllowTcpForwarding no
115. # PermitTTY no
116. # ForceCommand cvs server
117. AllowUsers user1 user2                登录白名单（默认没有这个配置，需要自己手动添加），允许远程登录的用户。如果名单中没有的用户，则提示拒绝登录

 

【原文】https://www.cnblogs.com/shaoerwei/articles/7594879.html