Linux ssh_config and sshd_config configuration file Learning

Source: Internet
Author: User
Tags auth openssh server ssh server rekey dns spoofing

Remote management of Linux systems is almost always done over SSH, for a simple reason: Telnet, FTP and similar methods transmit user authentication information in clear text, which is inherently unsafe and exposes it to network eavesdropping. Secure Shell is the more reliable alternative, a protocol designed to provide security for Telnet-style sessions and other network services. SSH effectively prevents information leakage during remote management because it encrypts all transmitted data, and it can also defend against DNS spoofing and IP spoofing.

ssh_config and sshd_config are both OpenSSH configuration files; the difference is that the former configures the client and the latter configures the server. Through these two files you change how the client and server programs behave by setting different options. Listed below are the most important keywords in each file. Each line takes the form "keyword value", and keywords are case-insensitive.

1. Edit the /etc/ssh/ssh_config file

# Site-wide defaults for various options
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication yes
    FallBackToRsh no
    UseRsh no
    BatchMode no
    CheckHostIP yes
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/identity
    Port 22
    Cipher blowfish
    EscapeChar ~
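The listing above puts every option under "Host *". To show how ssh actually resolves an option when a client file contains several Host sections, here is an added example (my own shell script, not code from the original post) that reads a constructed ssh_config and prints the value ssh would use for a given host and keyword. It applies ssh's two rules: a "Host" line opens a section that applies only to hosts matching one of its patterns, and for each keyword the first value obtained wins. It assumes that Host patterns use only the "*" wildcard (no "?" or "!" negation) and that options are written in the "Keyword value" form.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve the value ssh will
# use for a keyword when connecting to a given host, from a client-side
# ssh_config. Rules applied: a "Host" line opens a section that applies
# only to hosts matching one of its patterns, and the FIRST value obtained
# for a keyword wins. Assumptions: Host patterns use only the "*" wildcard
# (no "?" or "!" negation); only the "Keyword value" form is parsed.
set -eu

# ssh_effective_option FILE HOST KEYWORD  -> prints the winning value
ssh_effective_option() {
    awk -v host="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        # turn a Host glob such as *.example.com into an anchored regex
        function glob_to_re(p) {
            gsub(/\./, "[.]", p)
            gsub(/\*/, ".*", p)
            return "^" p "$"
        }
        BEGIN { active = 1 }        # options before any Host line apply everywhere
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            n = split(line, f, /[ \t]+/)
            k = tolower(f[1])
            if (k == "host") {      # new section: active only if HOST matches a pattern
                active = 0
                for (i = 2; i <= n; i++)
                    if (host ~ glob_to_re(f[i])) active = 1
                next
            }
            if (active && k == key) { print f[2]; exit }   # first value wins
        }' "$1"
}

# Demo on a constructed client config (not a real ssh_config). Because the
# first value wins, the specific Host section must come before "Host *";
# a "Host *" section placed first would override everything after it.
demo_cfg=$(mktemp)
printf '%s\n' \
    'Host bastion.example.com' '    Port 2222' '    ForwardAgent no' \
    'Host *.example.com' '    ForwardAgent yes' \
    'Host *' '    Port 22' '    ForwardAgent no' '    StrictHostKeyChecking ask' > "$demo_cfg"
echo "bastion Port: $(ssh_effective_option "$demo_cfg" bastion.example.com Port)"
echo "web ForwardAgent: $(ssh_effective_option "$demo_cfg" web.example.com ForwardAgent)"
rm -f "$demo_cfg"
```

The practical consequence is the ordering rule in the comment: a machine-specific "Host" section only takes effect if it appears before "Host *". On a real system, "ssh -G hostname" prints the configuration ssh would actually apply and is the quickest way to confirm the result.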

The option parameters above are explained one by one:

# Site-wide defaults for various options
A line beginning with "#" is a comment. This line is not part of the original configuration file; it is included here to indicate that the options that follow are the system's initial defaults. Note that many options in the actual configuration file are also preceded by a "#": although such lines are not active, they show the system's default settings.

Host *
"Host" restricts the options that follow to computers whose names match the given string, and "*" matches every computer. As the indentation of the listing shows, this is a global-style option: the indented options below it apply to whatever "Host" specifies. You can replace the "*" with a specific computer so that the following options apply only to that machine.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote computer.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY set.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA host authentication is used.

RSAAuthentication yes
"RSAAuthentication" sets whether RSA authentication is used.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.

FallBackToRsh no
"FallBackToRsh" sets whether ssh automatically falls back to rsh when the SSH connection fails. This option should be set to "no", because rsh is not secure.

UseRsh no
"UseRsh" sets whether rlogin/rsh is used for this computer; it is set to "no" for the same reason.

BatchMode no
"BatchMode" is batch mode, generally set to "no". If set to "yes", the interactive password prompt is disabled, which is useful for scripts and batch jobs.

CheckHostIP yes
"CheckHostIP" sets whether ssh also checks the IP address of the host it connects to, in order to detect DNS spoofing. The recommended setting is "yes".

StrictHostKeyChecking no
"StrictHostKeyChecking", if set to "yes", means ssh will not automatically add a computer's key to the "$HOME/.ssh/known_hosts" file, and once a computer's key has changed it refuses to connect.

IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22
"Port" sets the port used to connect to the remote host; the SSH default port is 22.

Cipher blowfish
"Cipher" sets the encryption algorithm; blowfish is one available choice and can be changed as desired.

EscapeChar ~
"EscapeChar" sets the escape character.

2. Edit the /etc/ssh/sshd_config file:

# This is the SSH server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin

The option settings above are explained one by one:

Port 22
"Port" sets the port number sshd listens on.

ListenAddress 192.168.1.1
"ListenAddress" sets the IP address the sshd server binds to.

HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file that contains the computer's private host key.

ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600
"LoginGraceTime" sets the time, in seconds, that the server waits before disconnecting if the user has not logged in successfully.

KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets after how many seconds the server's key is automatically regenerated (if the key has been used). Regenerating the key prevents intercepted traffic from later being decrypted with a stolen key.

PermitRootLogin no
"PermitRootLogin" sets whether root may log in via SSH. From a security standpoint this option should be set to "no".

IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are ignored during authentication.

IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the SSH daemon ignores the user's "$HOME/.ssh/known_hosts" file when performing RhostsRSAAuthentication.

StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because novices often leave their directories and files writable by anyone.

X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.

PrintMotd yes
"PrintMotd" sets whether sshd displays the contents of "/etc/motd" when the user logs in.

SyslogFacility AUTH
"SyslogFacility" sets the "facility code" given when logging messages from sshd.

LogLevel INFO
"LogLevel" sets the verbosity level of sshd log messages. INFO is a good choice; see the sshd man page for more information.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts or "/etc/hosts.equiv" alone is sufficient for authentication.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication with rhosts or "/etc/hosts.equiv" combined with RSA host authentication is allowed.

RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether an account with an empty password may log in.

AllowUsers admin
"AllowUsers" may be followed by any number of user-name patterns, separated by spaces. A host name in a pattern can be a domain name or an IP address.

When a client connects to an OpenSSH server with the UseDNS option enabled, the server performs a DNS PTR (reverse) lookup on the client's IP address to obtain the client's host name, then performs a forward (A record) lookup on that host name and verifies that it resolves back to the original IP address. This measure guards against client spoofing. Most of us connect from dynamic IP addresses that have no PTR record, so enabling the option achieves little, and turning the feature off speeds up connections to the OpenSSH server.

The steps on the server side are as follows:

Edit the configuration file /etc/ssh/sshd_config:
vim /etc/ssh/sshd_config

Find the UseDNS option; if it is not commented out, comment it out:
#UseDNS yes
and add:
UseDNS no

Find the GSSAPIAuthentication option; if it is not commented out, comment it out:
#GSSAPIAuthentication yes
and add:
GSSAPIAuthentication no

Save the configuration file.

Restart the OpenSSH server:
/etc/init.d/sshd restart
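The "comment out the old line, then add the new value" procedure above can be scripted so it is repeatable across many hosts. The following is an added example (my own shell script, not part of the original post) that applies that edit to an sshd_config-style file; it assumes the file path is passed as the first argument, that a POSIX awk is available, and that directives use the "Keyword value" form rather than "Keyword=value". The reason the old line must be commented out rather than just shadowed is that sshd uses the first value it finds for a keyword, so a new line appended at the end would otherwise be ignored.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the two edits above
# ("comment out the old line, add the new value") to an sshd_config-style
# file in one repeatable step instead of by hand in vim.
# Assumptions: the file path is passed as the first argument; a POSIX awk is
# available; directives use the "Keyword value" form (not "Keyword=value").
set -eu

# set_sshd_option FILE KEYWORD VALUE
#   Comments out every active line that sets KEYWORD (matched
#   case-insensitively, because sshd keywords are case-insensitive) and then
#   appends "KEYWORD VALUE". Commenting out matters: sshd uses the FIRST
#   value it finds for a keyword, so merely appending a new line at the end
#   would leave the old setting in force.
set_sshd_option() {
    sso_file=$1
    sso_key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sso_tmp="${sso_file}.new.$$"
    awk -v key="$sso_key" -v keyword="$2" -v value="$3" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # ignore leading indentation
            if (tolower(line) ~ ("^" key "([ \t]|$)"))
                print "#" $0                      # old active setting, now a comment
            else
                print $0
        }
        END { print keyword " " value }           # the new setting
    ' "$sso_file" > "$sso_tmp" && mv "$sso_tmp" "$sso_file"
}

# Demo on a constructed sample file (not a real sshd_config).
demo_cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'UseDNS yes' '  GSSAPIAuthentication yes' 'Port 22' > "$demo_cfg"
set_sshd_option "$demo_cfg" UseDNS no
set_sshd_option "$demo_cfg" GSSAPIAuthentication no
cat "$demo_cfg"
rm -f "$demo_cfg"
```

When applying this to the live /etc/ssh/sshd_config, run "sshd -t" before restarting the service: it checks the file for syntax errors without starting a daemon, so a typo does not lock you out of the host.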

================================================================================

SSH consists of client and server software. Clients that can be used include SecureCRT, PuTTY, Xshell and others; on the server side it is the sshd service. With SSH all transmitted data can be encrypted, and DNS and IP spoofing can be prevented. In addition, the data transferred by SSH is compressed, which speeds up the transfer.

The configuration file on the server side is /etc/ssh/sshd_config

[<user>@<host> ~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

############ 1. Overall settings of the SSH server ##############
#Port 22
# Port sets the port sshd listens on. For security it is recommended to change the default port 22 to a less familiar port of five or more digits.
#Protocol 2,1
Protocol 2
# Sets the protocol version to SSH1 or SSH2. SSH1 has known vulnerabilities and flaws, so choose SSH2.
#AddressFamily any
#ListenAddress 0.0.0.0
# ListenAddress sets the IP address the sshd server binds to, i.e. the host network interface it listens on.
# For example, if the host has two IPs, 192.168.0.11 and 192.168.2.20, and you only want to open 192.168.0.11, set: ListenAddress 192.168.0.11
# This means only SSH connections to the IP 192.168.0.11 are accepted. If you do not use this setting, all interfaces accept SSH by default.

############ 2. Where the host's private key files are located ##########
#ListenAddress ::
# HostKey sets the path of the server's private key file.
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# Sets the private key used by SSH version 1

# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
# Sets the RSA private key used by SSH version 2

#HostKey /etc/ssh/ssh_host_dsa_key
# Sets the DSA private key used by SSH version 2


#Compression yes
# Sets whether the compression directive may be used

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
# KeyRegenerationInterval sets after how long the system automatically regenerates the server key
# (if the key has been used). Regenerating the key prevents intercepted traffic from later being decrypted with a stolen key.

#ServerKeyBits 768
# ServerKeyBits defines the length of the server key,
# i.e. the length of the ephemeral server key. For SSH-1 only. The default value is 768 (bits); the minimum is 512.


# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
# SyslogFacility sets the "facility code" given when logging messages from sshd

#LogLevel INFO
# LogLevel sets the level of sshd log messages


################ 3. Security authentication settings ################
############ 3.1 Login security settings ###############
# Authentication:
# Users must authenticate successfully within the specified time limit; 0 means no limit. The default value is 120 seconds.

#LoginGraceTime 2m
# LoginGraceTime sets how long the server waits before disconnecting if the user fails to log in; the unit is seconds

#PermitRootLogin yes
# PermitRootLogin sets whether root may log in directly over ssh. Remote root login to Linux is dangerous; it is recommended to comment this out or set it to no

#StrictModes yes
# StrictModes sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request; recommended on.
# It is recommended to keep the default "yes" to prevent low-level mistakes.

#RSAAuthentication yes
# RSAAuthentication sets whether RSA key authentication is enabled; for SSH1 only

#PubkeyAuthentication yes
# PubkeyAuthentication sets whether public key authentication is enabled; set to yes if you log in with public key authentication

#AuthorizedKeysFile .ssh/authorized_keys
# AuthorizedKeysFile sets the path of the public key file, used together with PubkeyAuthentication; the default is ".ssh/authorized_keys".
# The following tokens, expanded according to the actual connection, may be used in this directive: %% means "%", %h is the user's home directory, %u is the user name.
# After expansion the value must be either an absolute path or a path relative to the user's home directory.

############ 3.2 Authentication method settings ###############
# also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# Whether to use strong trusted-host authentication (authenticating by checking the remote host name and the associated user name). For SSH-1 only.
# This authenticates by checking ~/.rhosts or /etc/hosts.equiv after RSA host authentication succeeds. For security reasons, keep the default "no".

# similar for protocol version 2
#HostbasedAuthentication no
# This directive is similar to RhostsRSAAuthentication but applies only to SSH-2.

# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no
# IgnoreUserKnownHosts sets whether ssh ignores the user's "$HOME/.ssh/known_hosts" file during RhostsRSAAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes
# IgnoreRhosts sets whether the "~/.rhosts" and "~/.shosts" files are ignored during authentication

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
# PasswordAuthentication sets whether password authentication is enabled; set yes if you log in to the system with a password

#PermitEmptyPasswords no
# PermitEmptyPasswords sets whether accounts with an empty password may log in to the system; set no

#PasswordAuthentication yes
# Whether password-based authentication is allowed. The default is "yes".
PasswordAuthentication yes

# Change to no to disable s/key passwords
# Set to disable s/key passwords
#ChallengeResponseAuthentication yes
# ChallengeResponseAuthentication sets whether challenge-response authentication is allowed
ChallengeResponseAuthentication no

####### 3.3 Kerberos parameters: specify whether Kerberos-based user authentication is allowed ########
# Kerberos options
#KerberosAuthentication no
# Whether the password supplied by the user for PasswordAuthentication must be validated by a Kerberos KDC. To use Kerberos authentication,
# the server must provide a Kerberos servtab that can verify the identity of the KDC. The default is no.

#KerberosOrLocalPasswd yes
# If Kerberos password authentication fails, the password is also passed to other authentication mechanisms, such as /etc/passwd.
# When this is enabled and Kerberos authentication is not possible, the correctness of the password is decided by the local mechanism, such as /etc/passwd. The default is yes.

#KerberosTicketCleanup yes
# Sets whether the user's ticket is automatically destroyed when the user logs out

#KerberosGetAFSToken no
# If AFS is in use and the user has a Kerberos 5 TGT, then when this option is on,
# sshd tries to obtain an AFS token before accessing the user's home directory and to pass the AFS token to the server side. The default is no.

#### 3.4 GSSAPI parameters: specify whether GSSAPI-based user authentication is allowed; applies to ssh2 only ####
# GSSAPI is a generic network security system interface, similar to Kerberos 5.
# If you have a GSSAPI library, you can establish a CVS connection directly over a TCP connection that uses GSSAPI for security authentication.

# GSSAPI options
#GSSAPIAuthentication no
# GSSAPIAuthentication specifies whether GSSAPI-based user authentication is allowed; the default is no

GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
# GSSAPICleanupCredentials sets whether the user's credential cache is automatically destroyed when the user logs out
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
# Sets whether authentication goes through PAM
UsePAM yes

# Accept locale-related environment variables
# AcceptEnv specifies which environment variables sent by the client are passed into the session environment.
# [Note] Only the SSH-2 protocol supports passing environment variables. The value of the directive is a space-separated list of variable names (where '*' and '?' can be used as wildcards).
# Multiple AcceptEnv directives may also be used to achieve the same goal. Be aware that some environment variables may be used to bypass restrictions on environment variables that users are forbidden to set.
# For this reason the directive should be used with care. By default no environment variables are passed.

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AllowTcpForwarding yes

# AllowTcpForwarding sets whether TCP port forwarding is allowed, so that other TCP connections can be protected by tunnelling them over ssh

#GatewayPorts no
# GatewayPorts sets whether remote clients may use the port-forwarding feature of this host; it is recommended to disallow it for security reasons

############ 3.5 X Window related settings ###############

#X11Forwarding no
# X11Forwarding sets whether X11 forwarding is allowed
X11Forwarding yes

#X11DisplayOffset 10
# Specifies the first display number available for X11 forwarding. The default value is 10.
# This prevents sshd from occupying the display of a real X11 server, which would cause confusion.
X11DisplayOffset 10

#X11UseLocalhost yes

################ 3.6 Post-login settings #################

#PrintMotd yes
# PrintMotd sets whether sshd displays the contents of "/etc/motd" when a user logs in; you can optionally add a warning notice to "/etc/motd"

#PrintLastLog yes
# PrintLastLog sets whether the last login information is displayed

#TCPKeepAlive yes
# TCPKeepAlive sets whether the connection is kept alive; set yes to prevent dead connections
# Generally, if this item is set, the SSH server sends keepalive messages to the client to ensure both sides are still online.
# These messages detect dead connections, improper connection shutdown, client crashes and similar problems, so if either end dies SSH knows immediately and no zombie processes are left behind.

#UseLogin no
# UseLogin sets whether login(1) is used for interactive sessions. The default is "no".
# If this directive is enabled, X11Forwarding is disabled, because login does not know how to handle xauth cookies.
# Note that if UsePrivilegeSeparation is specified, privilege separation is disabled after authentication completes.
UseLogin no

#UsePrivilegeSeparation yes
# UsePrivilegeSeparation sets whether sshd separates privileges, so that the code handling an unauthenticated connection runs as an unprivileged user
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no

#UseDNS yes
# UseDNS sets whether DNS reverse resolution is used

#PidFile /var/run/sshd.pid

#MaxStartups 10
# MaxStartups sets how many concurrent connections that have not yet logged in are allowed; a user who has connected to SSH but not yet entered a password counts as such a connection.
# To protect the host a maximum is needed; the preset is 10, and connections that have already logged in do not count,
# so generally 5 is enough. This setting limits malicious connections to the server.

#MaxAuthTries 6
# MaxAuthTries sets the maximum number of failed login attempts, here 6; a sensible value helps stop attackers brute-forcing logins to the server
#PermitTunnel no

########### 3.7 Allowing and denying users ############

#AllowUsers <username1> <username2> <username3> ...
# Specifies the users allowed to log in remotely; multiple users are separated by spaces

#AllowGroups <groupname1> <groupname2> <groupname3> ...
# Specifies the groups allowed to log in remotely; multiple groups are separated by spaces. When several users need to log in via SSH, they can all be added to one group.

#DenyUsers <username1> <username2> <username3> ...
# Specifies the users denied remote access; multiple users are separated by spaces

#DenyGroups <groupname1> <groupname2> <groupname3> ...
# Specifies the groups denied remote access; multiple groups are separated by spaces.

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
ClientAliveInterval 3600
ClientAliveCountMax 0
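The annotated file above recommends a number of values (Protocol 2, PermitRootLogin no, PermitEmptyPasswords no, StrictModes yes, X11Forwarding no, UseDNS no, GSSAPIAuthentication no, RhostsRSAAuthentication no, HostbasedAuthentication no, GatewayPorts no) while its own live lines set X11Forwarding and GSSAPIAuthentication to yes. The following added example (my own shell script, not code from the original post) audits an sshd_config file against exactly those recommendations, reporting each keyword as OK or WARN. It mirrors sshd's rule that the first active line for a keyword wins, and it assumes the file path is passed as the first argument, the "Keyword value" form is used, absent keywords take the defaults shown in the commented lines above, and anything below a "Match" line is skipped because it applies only to matching connections.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config file
# against the hardening values recommended in the walkthrough above.
# Assumptions: the expected values are the page's recommendations rather
# than an official baseline; the file path is the first argument; only
# the "Keyword value" form is parsed; directives below a "Match" line are
# skipped because they apply only to matching connections.
set -eu

# audit_sshd_config FILE
#   Prints "OK   keyword value" or "WARN keyword value (expected X)" per
#   checked keyword and returns 1 if anything was WARNed. Like sshd, it
#   takes the FIRST active line for a keyword, so a hardened line placed
#   after an earlier permissive one is ignored and correctly reported.
audit_sshd_config() {
    awk '
        BEGIN {
            # keyword -> value recommended on this page
            want["protocol"]                = "2"
            want["permitrootlogin"]         = "no"
            want["permitemptypasswords"]    = "no"
            want["strictmodes"]             = "yes"
            want["x11forwarding"]           = "no"
            want["usedns"]                  = "no"
            want["gssapiauthentication"]    = "no"
            want["rhostsrsaauthentication"] = "no"
            want["hostbasedauthentication"] = "no"
            want["gatewayports"]            = "no"
            # keyword -> default from the commented lines above, used when absent
            dflt["protocol"]                = "2,1"
            dflt["permitrootlogin"]         = "yes"
            dflt["permitemptypasswords"]    = "no"
            dflt["strictmodes"]             = "yes"
            dflt["x11forwarding"]           = "no"
            dflt["usedns"]                  = "yes"
            dflt["gssapiauthentication"]    = "no"
            dflt["rhostsrsaauthentication"] = "no"
            dflt["hostbasedauthentication"] = "no"
            dflt["gatewayports"]            = "no"
        }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next       # blank or comment
            n = split(line, f, /[ \t]+/)
            k = tolower(f[1])
            if (k == "match") inmatch = 1              # conditional block starts
            if (inmatch) next
            if ((k in want) && !(k in seen)) seen[k] = f[2]   # first value wins
        }
        END {
            bad = 0
            for (k in want) {
                v = (k in seen) ? seen[k] : dflt[k]
                if (tolower(v) == want[k])
                    print "OK   " k " " v
                else {
                    print "WARN " k " " v " (expected " want[k] ")"
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

# Demo on a constructed sample (not a real sshd_config); the "|| true" keeps
# the script going when the audit reports findings.
demo_cfg=$(mktemp)
printf '%s\n' 'Protocol 2' 'PermitRootLogin yes' 'X11Forwarding yes' 'UseDNS no' 'PermitRootLogin no' > "$demo_cfg"
audit_sshd_config "$demo_cfg" || true
rm -f "$demo_cfg"
```

In the demo the second "PermitRootLogin no" does not rescue the earlier "PermitRootLogin yes", which is why the procedure earlier on this page comments out the old line instead of appending. On a live host, "sshd -T" prints the effective configuration after all defaults are applied and is the authoritative check; this script is for auditing copies of the file offline.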
