A detailed explanation of the Linux SSH configuration file

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Default port that SSH listens on
#Port 22
# SSH protocol versions to accept
#Protocol 2,1
# IP addresses to listen on
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
# Key used by SSH version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# RSA private key used by SSH version 2
#HostKey /etc/ssh/ssh_host_rsa_key
# DSA private key used by SSH version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
# Interval at which the version 1 key is regenerated
#KeyRegenerationInterval 3600
# Length of the server key
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
# Facility used to log SSH login information; by default the log is /var/log/secure
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

# Do not accept logins through the login program under SSH
#UserLogin no
#LoginGraceTime 120
# Whether root is allowed to log in
#PermitRootLogin yes
# Check the ownership and permissions of the user's home directory and
# key files, and refuse the login if they are unsafe
#StrictModes yes

# Whether to use pure RSA authentication (protocol version 1)
#RSAAuthentication yes
# Whether to use public-key authentication (protocol version 2)
#PubkeyAuthentication yes
# File that holds the keys of accounts allowed to log in without a password
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
# rhosts is insecure, so this system does not use it
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
# Whether to disable the authentication method above; naturally, choose yes
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Protocol version 1: rhosts or /etc/hosts.equiv combined with RSA
# authentication; not recommended
#RhostsRSAAuthentication no
# similar for protocol version 2
# The same function for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# Whether to ignore the ~/.ssh/known_hosts file in the user's home directory
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
# Whether password authentication is allowed
#PasswordAuthentication yes
# Whether logins with an empty password are allowed
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
# Challenge-response password authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
# Whether to print /etc/motd at login
#PrintMotd yes
# Show information about the last login
#PrintLastLog yes
# Send keepalive messages on the connection
#KeepAlive yes
#UseLogin no
# Privilege separation (user privilege setting)
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

# Number of connections that may sit at the login screen
# (connected but not yet logged in)
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Users to deny; * stands for all users, so this line refuses every account
DenyUsers *
DenyUsers test
DenyGroups test
```

SSH automatic login setup

1. On the client, create the public key and the private key:

```
[test@test test]$ ssh-keygen -t rsa    # -t selects the RSA algorithm
```

The key is generated at $HOME/.ssh/id_rsa.

2. Upload the public key to the server (the local directory is the client user's $HOME/.ssh, assumed here to be /home/test/.ssh for the test user):

```
[test@test test]$ sftp test@test
sftp> lcd /home/test/.ssh
sftp> put id_rsa.pub
sftp> exit
```

3. Log in to the server and run:

```
[test@test .ssh]$ cat ../id_rsa.pub >> authorized_keys
```

Related security settings

/etc/ssh/sshd_config
/etc/hosts.allow
/etc/hosts.deny
iptables

Edit /etc/hosts.deny. In the rule below, %d expands to the daemon name and %h to the client host; the twist command sends the warning message to the client:

```
sshd : ALL : spawn (/bin/echo security notice from host `/bin/hostname` ;\
/bin/echo ; /usr/sbin/safe_finger @%h ) |\
/bin/mail -s "%d -%h security" root@localhost &\
: twist (/bin/echo -e "\n\nWARNING connection not allowed. Your attempt has been logged. \n\n\n")
```
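Added example (not from the original page or from OpenSSH): a small Python audit of sshd_config text. It applies two rules that matter when reading the listing above: sshd uses the first value it reads for a keyword, and commented `#Keyword value` lines show the shipped defaults. The rule table, function names and sample input are constructed for illustration, and treating commented lines as defaults is an assumption that depends on the installed OpenSSH version.

```python
# Added example: rules, names and SAMPLE are constructed, not from OpenSSH.
RISKY = {  # lower-case keyword -> (test on lower-case value, finding)
    "protocol": (lambda v: "1" in v.split(","), "SSH protocol 1 accepted"),
    "permitrootlogin": (lambda v: v == "yes", "root may log in directly"),
    "permitemptypasswords": (lambda v: v == "yes", "empty passwords accepted"),
    "passwordauthentication": (lambda v: v == "yes", "password logins allowed"),
    "x11forwarding": (lambda v: v == "yes", "X11 forwarding enabled"),
    "ignorerhosts": (lambda v: v == "no", "~/.rhosts files are honoured"),
}

def effective_settings(text):
    """Map keyword -> (value, 'set' | 'default') for one sshd_config text."""
    explicit, defaults = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line.startswith("# "):
            continue  # blank line or prose comment
        target = explicit
        if line.startswith("#"):  # "#Keyword value": a commented default
            line, target = line[1:], defaults
        parts = line.split(None, 1)
        if len(parts) == 2:
            # sshd keeps the first value it reads; keywords ignore case
            target.setdefault(parts[0].lower(), parts[1].strip())
    merged = {k: (v, "default") for k, v in defaults.items()}
    merged.update({k: (v, "set") for k, v in explicit.items()})
    return merged

def audit(text):
    """Return (keyword, value, source, finding) for each risky setting."""
    settings = effective_settings(text)
    return [(key, *settings[key], finding)
            for key, (is_risky, finding) in RISKY.items()
            if key in settings and is_risky(settings[key][0].lower())]

SAMPLE = """\
# Constructed sample built from option lines shown on this page.
#Protocol 2,1
#PermitRootLogin yes
#PermitEmptyPasswords no
#PasswordAuthentication yes
#IgnoreRhosts yes
#X11Forwarding no
X11Forwarding yes
X11Forwarding no
"""

if __name__ == "__main__":
    for keyword, value, source, finding in audit(SAMPLE):
        print(f"{keyword}={value} ({source}): {finding}")
```

The sketch does not handle `Match` blocks, `Keyword=value` syntax, or keywords such as DenyUsers that accumulate across lines.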