Linux sshd_config configuration explained

Source: Internet
Author: User
Tags: hmac sha1 ssh server

#Port 22
Specifies the port number that sshd(8) listens on. The default is 22. Multiple Port directives may be given to listen on several ports.
By default sshd listens on all network interfaces of the host; use ListenAddress to restrict it to particular addresses.

#AddressFamily any
Specifies which address family sshd(8) should use. Valid values: "any" (default), "inet" (IPv4 only), "inet6" (IPv6 only).
#ListenAddress 0.0.0.0
ListenAddress 192.168.1.1      // listen on this address only, instead of the all-interfaces default
Specifies the local addresses sshd(8) listens on. By default it listens on all local addresses. The following forms may be used:
ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port
If port is not specified, sshd listens on the address on all ports given by Port directives.
Multiple ListenAddress directives may be used to listen on multiple addresses.
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
Specifies the protocol versions sshd(8) supports.
"1" and "2" mean that only SSH-1 or only SSH-2 is supported, respectively; "2,1" means both SSH-1 and SSH-2 are supported. SSH-1 has known weaknesses, so "2" is the recommended setting.


# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key         // SSH-1 uses the RSA1 private key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key     // SSH-2 RSA private key
#HostKey /etc/ssh/ssh_host_dsa_key     // SSH-2 DSA private key
Specifies a file containing a private host key. A host can have several different host keys: "RSA1" is used only by SSH-1, while "DSA" and "RSA" are used only by SSH-2. Host key files must not be group or world readable; sshd(8) refuses to use a key file whose permissions are too open.

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
Under the SSH-1 protocol, the ephemeral server key is automatically regenerated after this many seconds (if it has been used).
The purpose of regeneration is to prevent decryption of captured sessions by someone who later breaks into the machine and steals the keys: the ephemeral key is never stored anywhere.
A value of 0 means the key is never regenerated. The default is 3600 (seconds).

#ServerKeyBits 1024
Specifies the number of bits in the ephemeral SSH-1 server key. The default is 768 (bits). The minimum is 512.

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
Specifies the syslog facility code sshd(8) uses when logging messages. Valid values are:
DAEMON, USER, AUTH (default), LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
With the AUTHPRIV facility (the active setting below), Red Hat-family syslog configurations write SSH login information to /var/log/secure.

#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
Specifies the verbosity level of sshd(8) logging. Possible values are:
QUIET, FATAL, ERROR, INFO (default), VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
DEBUG is equivalent to DEBUG1; DEBUG2 and DEBUG3 each specify progressively more verbose output.
Logging at a DEBUG level violates the privacy of users (session details are recorded) and is not recommended on production systems. VERBOSE is the useful level for incident analysis: it logs the fingerprint of the public key used for each login.

# Authentication:

#LoginGraceTime 2m
The time the server allows a user to authenticate after the connection is established; if the user has not logged in within this time, the server disconnects. The default is 120 seconds (2m). A value of 0 means no limit.
#PermitRootLogin yes
Whether root can log in using ssh(1). Possible values:
"yes" (the default) allows root login; "no" disables it.
"without-password" disables password authentication for root (public key and other methods remain allowed).
"forced-commands-only" allows root login with public key authentication only when a command option has been specified for the key;
all other authentication methods are disabled for root. This is useful for unattended tasks such as remote backups even when root login is otherwise not allowed.

#StrictModes yes
Specifies whether sshd(8) checks the file modes and ownership of the user's files and home directory before accepting a login.
This is normally desirable because users sometimes accidentally leave their directory or files world-writable (which would let another local user add keys to authorized_keys); it is strongly recommended to keep the default of "yes".

#MaxAuthTries 6
Specifies the maximum number of authentication attempts permitted per connection. The default is 6.
When the limit is reached the connection is closed; once the number of failures reaches half this value, additional failures are logged.

#MaxSessions 10
Specifies the maximum number of open sessions (shell, login or subsystem channels) permitted per network connection. The default is 10.

#RSAAuthentication yes
Whether pure RSA public key authentication is allowed. SSH-1 only. The default is "yes".

#PubkeyAuthentication yes
Whether public key authentication is allowed. SSH-2 only. The default is "yes".

#AuthorizedKeysFile .ssh/authorized_keys
Specifies the file containing the public keys (RSA/DSA) used for user authentication. The path may contain tokens that are expanded at connection time: %% is a literal '%', %h is the home directory of the user being authenticated, and %u is that user's username. A relative path is taken relative to the user's home directory. The default is ".ssh/authorized_keys".
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
AuthorizedKeysCommand names a program that looks up the user's public keys instead of (or in addition to) reading the file above; it is run with the username as its argument and must print zero or more authorized_keys lines. AuthorizedKeysCommandRunAs is the account the program runs under (this directive name comes from the Red Hat openssh patches; upstream OpenSSH calls it AuthorizedKeysCommandUser). The default "none" disables the lookup.

# also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
Whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. SSH-1 only.
After the client host's RSA host key has been verified, ~/.rhosts and /etc/hosts.equiv are checked for the remote host name and user name; the remote host's key must be present in /etc/ssh/ssh_known_hosts (hence the comment above).
For security reasons it is recommended to keep the default of "no".


# similar for protocol version 2
#HostbasedAuthentication no
Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This is the SSH-2 counterpart of RhostsRSAAuthentication.
It is recommended to keep the default of "no" and leave this weak authentication method disabled: it trusts the client machine's host key, so any root user on that machine can log in as any of its users.
#HostbasedUsesNameFromPacketOnly no
When HostbasedAuthentication is enabled,
specifies whether the server performs a reverse DNS lookup when matching the remote host name against ~/.shosts, ~/.rhosts and /etc/hosts.equiv.
"yes" means sshd(8) trusts the host name supplied by the client without a reverse lookup. The default is "no".

# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication, trusting only the system-wide /etc/ssh/ssh_known_hosts.
The default is "no". Set it to "yes" if users must not be able to extend the set of trusted client hosts themselves.

# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
Whether .rhosts and .shosts files are ignored during RhostsRSAAuthentication or HostbasedAuthentication.
/etc/hosts.equiv and /etc/shosts.equiv are still used. It is recommended to keep the default of "yes".

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes       // whether password-based authentication is allowed; the default is yes
#PermitEmptyPasswords no          // whether login to accounts with empty passwords is allowed; the default is no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
Whether challenge-response authentication is allowed. The default is "yes".
All authentication styles from login.conf(5) are supported (on Linux this is the path used for PAM keyboard-interactive authentication; see UsePAM below).
Ciphers
Specifies the ciphers allowed for SSH-2. Multiple ciphers must be comma-separated. The supported ciphers are:
"aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr",
"3des-cbc", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc"
By default all of the above ciphers are enabled. Note that a commented-out Ciphers line therefore leaves every algorithm, including the weak ones, available. The CBC ciphers, arcfour (RC4) and 3des-cbc are considered weak today and should be removed from the list, leaving only the CTR ciphers.


# Kerberos options
#KerberosAuthentication no
Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC, i.e. whether Kerberos authentication is used.
To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. The default is "no".
#KerberosOrLocalPasswd yes
If Kerberos password authentication fails, the password will be validated via an additional local mechanism such as /etc/passwd.
The default is "yes".
#KerberosTicketCleanup yes
Specifies whether to automatically destroy the user's ticket cache file on logout. The default is "yes".
#KerberosGetAFSToken no
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory. The default is "no".
#KerberosUseKuserok yes
Specifies whether the user's .k5login file is consulted for aliases (a Red Hat-specific directive). The default is "yes".


# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
Whether user authentication based on GSSAPI is allowed. The default is "no". SSH-2 only.
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
Whether to automatically destroy the user's credentials cache on logout. The default is "yes". SSH-2 only.
#GSSAPIStrictAcceptorCheck yes
Whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. With "yes" (the default) the client must authenticate against the host service on the current hostname; with "no" the client may authenticate against any service key stored in the machine's default store.
#GSSAPIKeyExchange no
Whether key exchange based on GSSAPI may be used (a Red Hat-patched directive). The default is "no".

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Specifies which environment variables sent by the client will be copied into the session's environment. Note that only the SSH-2 protocol supports passing environment variables.
See the SendEnv directive in ssh_config(5) for how the client sends them.
The value is a space-separated list of variable names ('*' and '?' may be used as wildcards); multiple AcceptEnv directives may be given.
Be warned that some environment variables could be used to bypass restricted user environments, so this directive should be used with caution and never with a bare '*'.
The default is not to accept any environment variables.

#AllowAgentForwarding yes
Whether ssh-agent(1) forwarding is permitted. The default is "yes". Disabling it does not improve security unless users are also denied shell access, as they can always install their own forwarders.
#AllowTcpForwarding yes
#GatewayPorts no
Whether remote hosts are allowed to connect to ports forwarded for the client. The default is "no".
By default sshd(8) binds remote port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports.
GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect.
"no" forces remote port forwardings to be available to the local host only; "yes" forces them to bind to the wildcard address;
"clientspecified" allows the client to select the address to which the forwarding is bound.
#X11Forwarding no            // X Window System related settings
X11Forwarding yes
Whether X11 forwarding is permitted. The default is "no"; set it to "yes" to allow it.
When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost),
though that is not the default. The default is "no" because of the possible risks of X11 forwarding.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if UseLogin is enabled.


#X11DisplayOffset 10
Specifies the first display number available for sshd(8)'s X11 forwarding. The default is 10.
This prevents sshd from interfering with real X11 servers running on the host.

#X11UseLocalhost yes
Specifies whether sshd(8) should bind the X11 forwarding server to the loopback address or to the wildcard address. The default is "yes".
By default sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost".
This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration.
To remain compatible with such clients, X11UseLocalhost may be set to "no".


#PrintMotd yes
Specifies whether sshd(8) should print /etc/motd when a user logs in interactively. The default is "yes".
#PrintLastLog yes
Specifies whether sshd(8) should print the date and time of the user's last login when a user logs in interactively. The default is "yes".
#TCPKeepAlive yes
Specifies whether the system should send TCP keepalive messages to the client. The default is "yes".
If they are sent, death of the connection or a crash of one of the machines will be properly noticed (for example an improperly closed connection or a client crash).
Set it to "no" to disable keepalives.

#UseLogin no
Specifies whether login(1) is used for interactive login sessions. The default is "no".
If this is enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies.

Note that login(1) is never used for remote command execution.
If UsePrivilegeSeparation is specified, it will be disabled after authentication.


#UsePrivilegeSeparation yes
Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. The default is "yes".
After successful authentication, another process is created that has the privileges of the authenticated user.
The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes.


#PermitUserEnvironment no
Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8).
The default is "no". Enabling environment processing may allow users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD (for example, a key restricted with command= could still load arbitrary code into the forced command), so it should be left disabled unless it is really needed.

#Compression delayed
Specifies whether compression is allowed, or delayed until the user has authenticated successfully. "delayed" exists so that unauthenticated peers cannot reach the compression code.
Possible values: "yes", "delayed" (default), "no".
#ClientAliveInterval 0
Sets a timeout interval in seconds after which, if no data has been received from the client,
sshd(8) will send a message through the encrypted channel to request a response from the client.
The default is 0, meaning that these messages will not be sent. This option applies to SSH-2 only.
#ClientAliveCountMax 3
Sets the number of client alive messages which may be sent without sshd(8) receiving any response from the client. The default is 3.
If this threshold is reached while client alive messages are being sent, sshd(8) will disconnect the client, terminating the session.
It is important to note that the client alive messages are very different from TCPKeepAlive.
The client alive messages are sent through the encrypted channel and therefore cannot be spoofed, whereas TCP keepalives can be.
If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at the default,
unresponsive clients will be disconnected after approximately 45 seconds. This option applies to SSH-2 only.
#ShowPatchLevel no
Specifies whether sshd(8) shows the patch level of the binary in the identification string (a Red Hat-specific directive). The default is "no"; leaving it off reveals less to a version scanner.
#UseDNS yes
Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is "yes".


#PidFile /var/run/sshd.pid
Specifies the file that contains the process ID of the SSH daemon. The default is /var/run/sshd.pid.
#MaxStartups 10:30:100
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon (connections that have been opened but have not yet completed login). Additional connections are dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.
The "start:rate:full" form enables random early drop: with 10:30:100, sshd refuses new connection attempts with probability 30% once there are 10 unauthenticated connections; the probability increases linearly and all attempts are refused when the number of unauthenticated connections reaches 100. This limits the effect of connection floods on the daemon.
#PermitTunnel no
Specifies whether tun(4) device forwarding is allowed. Possible values:
"yes", "point-to-point" (layer 3), "ethernet" (layer 2), "no" (default).
"yes" permits both "point-to-point" and "ethernet".

#ChrootDirectory none
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group; after the chroot, sshd(8) changes the working directory to the user's home directory. The tokens %h (home directory) and %u (username) may be used. The default "none" means no chroot is performed. For SFTP-only accounts this is normally combined with the in-process "internal-sftp" subsystem (see Subsystem below), which needs no support files inside the chroot.

# no default banner path
#Banner none
The contents of the specified file are sent to the remote user before authentication is allowed.
This option is available for SSH-2 only. By default no banner is displayed; "none" disables the feature.

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Configures an external subsystem (e.g. a file transfer daemon). SSH-2 only.
Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request, e.g. "sftp /usr/libexec/openssh/sftp-server". The special value "internal-sftp" implements an in-process SFTP server that works inside a ChrootDirectory without any support files.


#MACs
Specifies the available MAC (message authentication code) algorithms used in SSH-2 to protect data integrity.
Multiple algorithms must be comma-separated. The default (all available algorithms) is:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Of these, hmac-md5, hmac-md5-96 and hmac-sha1-96 (MD5-based or truncated to 96 bits) and hmac-ripemd160 should be disabled on a hardened server; keep hmac-sha1 and umac-64@openssh.com, or the hmac-sha2-* algorithms where the installed version supports them. As with Ciphers, a commented-out MACs line leaves the full default list in force.
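The following audit script is an added example (not part of the original article) that applies the caveats from the Ciphers and MACs sections to an sshd_config text. The weak-algorithm rules, the sample configuration and the hardened lines it emits are the author's of this example; the default algorithm lists are the ones given above. The point it demonstrates is that a commented-out directive is not a safe directive: sshd falls back to the full default list, so the audit must apply the defaults when a line is absent.

```python
"""Audit the Ciphers and MACs directives of an sshd_config for weak algorithms.

Added example, not code from the original article. Rules encoded here: CBC-mode
ciphers, arcfour (RC4) and 3DES are weak; MACs based on MD5 or RIPEMD-160, or
truncated to 96-bit tags, are weak. When a directive is commented out or
missing, sshd uses its full default list, so the audit applies the defaults
documented in the article and flags those as well.
"""
import re

# Default algorithm lists as documented for this OpenSSH generation.
DEFAULT_CIPHERS = ("aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr",
                   "aes192-ctr", "aes256-ctr", "3des-cbc", "arcfour128",
                   "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc")
DEFAULT_MACS = ("hmac-md5", "hmac-sha1", "umac-64@openssh.com",
                "hmac-ripemd160", "hmac-sha1-96", "hmac-md5-96")

# Constructed sample configuration (not from a real host). Ciphers is
# commented out, so the full default list is in force; MACs is explicit.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
#Ciphers aes128-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha1-96
PasswordAuthentication yes
"""


def is_weak_cipher(name):
    """Rule, not a lookup: any CBC mode, any RC4 variant, or 3DES is weak."""
    n = name.strip().lower()
    return n.endswith("-cbc") or n.startswith("arcfour") or n.startswith("3des")


def is_weak_mac(name):
    """MD5 in any form, 96-bit truncated tags and RIPEMD-160 are weak."""
    n = name.strip().lower()
    return "md5" in n or n.endswith("-96") or "ripemd" in n


def directive_value(config_text, keyword):
    """Value of the first active (uncommented) occurrence of keyword, or None.
    sshd keywords are case-insensitive and the first occurrence wins."""
    pattern = re.compile(r"^[ \t]*" + re.escape(keyword) + r"[ \t=]+(\S.*?)[ \t]*$",
                         re.IGNORECASE | re.MULTILINE)
    match = pattern.search(config_text)
    return match.group(1) if match else None


def audit_algorithms(config_text):
    """Per directive: whether it was set explicitly, which algorithms are weak,
    which survive, and the hardened line to put in sshd_config."""
    checks = (("Ciphers", DEFAULT_CIPHERS, is_weak_cipher),
              ("MACs", DEFAULT_MACS, is_weak_mac))
    report = {}
    for keyword, default, weak_fn in checks:
        value = directive_value(config_text, keyword)
        algorithms = [a.strip() for a in value.split(",")] if value else list(default)
        weak = [a for a in algorithms if weak_fn(a)]
        kept = [a for a in algorithms if not weak_fn(a)]
        report[keyword] = {
            "explicit": value is not None,
            "weak": weak,
            "kept": kept,
            "hardened_line": "%s %s" % (keyword, ",".join(kept)),
        }
    return report


if __name__ == "__main__":
    for keyword, info in audit_algorithms(SAMPLE_CONFIG).items():
        source = "explicit" if info["explicit"] else "DEFAULT (directive absent)"
        print("%s [%s]: weak=%s" % (keyword, source, ", ".join(info["weak"])))
        print("  use: " + info["hardened_line"])
```

Run against a real file with the text of /etc/ssh/sshd_config passed to audit_algorithms(); on a live host, `sshd -T` prints the effective values (including defaults) and is the more authoritative input where it is available.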

# Example of overriding settings on a per-user basis
#Match User anoncvs
Introduces a conditional block. The block ends at the next Match directive or at the end of the file.
If all of the criteria on the Match line are satisfied, the directives that follow override those set in the global section of the configuration file.
The arguments to Match are one or more criteria-pattern pairs. The available criteria are User, Group, Host and Address.
Only the following directives may be used inside a Match block: AllowTcpForwarding, Banner,
ForceCommand, GatewayPorts, GSSAPIAuthentication,
KbdInteractiveAuthentication, KerberosAuthentication,
PasswordAuthentication, PermitOpen, PermitRootLogin,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
X11Forwarding and X11UseLocalhost.
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server
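To make the Match semantics concrete, here is an added example (not code from the original article) that parses an sshd_config text into its global section and Match blocks and resolves the effective settings for one connection. It implements the rules stated above: a block ends at the next Match or end of file, a block applies only when every criteria-pattern pair holds, only the listed directives are legal inside a block, and a matching block overrides the global value, with the first matching block winning for any keyword because sshd keeps the first value it obtains in each pass. Pattern lists are comma-separated with '*' and '?' wildcards and '!' negation; the Address criterion takes CIDR blocks or plain addresses. The sample configuration and the connection details are constructed for the example.

```python
"""Resolve the effective sshd_config for one connection, honouring Match blocks.

Added example, not code from the original article. Global directives come
before the first Match; a block runs to the next Match or end of file; a block
applies only when every criteria-pattern pair holds; a matching block overrides
the global value and the first matching block wins per keyword.
"""
import ipaddress
import re

# Directives permitted inside a Match block (the list given in the article).
MATCH_ALLOWED = {k.lower() for k in (
    "AllowTcpForwarding", "Banner", "ForceCommand", "GatewayPorts",
    "GSSAPIAuthentication", "KbdInteractiveAuthentication",
    "KerberosAuthentication", "PasswordAuthentication", "PermitOpen",
    "PermitRootLogin", "RhostsRSAAuthentication", "RSAAuthentication",
    "X11DisplayOffset", "X11Forwarding", "X11UseLocalhost")}

SAMPLE_CONFIG = """\
# constructed example sshd_config, not taken from a real host
PasswordAuthentication yes
X11Forwarding yes
AllowTcpForwarding yes
PermitRootLogin no

Match User anoncvs
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand cvs server

Match Group backup Address 10.0.0.0/8,!10.0.99.0/24
    PermitRootLogin forced-commands-only
    PasswordAuthentication no
"""


def wildcard_match(pattern, text):
    """sshd-style pattern: '*' and '?' are the only wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text) is not None


def pattern_list_match(patterns, candidates):
    """A matching negated entry rejects at once; otherwise any positive entry accepts."""
    positive = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        hit = any(wildcard_match(pat.lstrip("!"), c) for c in candidates)
        if hit and negate:
            return False
        positive = positive or hit
    return positive


def address_list_match(patterns, address):
    """Address criterion: CIDR containment (a bare address is a /32 or /128)."""
    ip = ipaddress.ip_address(address)
    positive = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        hit = ip in ipaddress.ip_network(pat.lstrip("!"), strict=False)
        if hit and negate:
            return False
        positive = positive or hit
    return positive


def criteria_hold(criteria, conn):
    """Every (criterion, patterns) pair must match the connection."""
    for name, pats in criteria:
        key = name.lower()
        if key == "user":
            ok = pattern_list_match(pats, [conn["user"]])
        elif key == "group":  # any primary or supplementary group
            ok = pattern_list_match(pats, conn["groups"])
        elif key == "host":
            ok = pattern_list_match(pats, [conn["host"]])
        elif key == "address":
            ok = address_list_match(pats, conn["address"])
        else:
            raise ValueError("unsupported Match criterion: %s" % name)
        if not ok:
            return False
    return True


def parse_sshd_config(text):
    """Return (global_directives, [(criteria, directives), ...]) in file order.
    Keywords are lower-cased because sshd treats them case-insensitively."""
    global_section, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            if len(tokens) % 2:
                raise ValueError("Match needs criteria-pattern pairs: %r" % raw)
            current = []
            blocks.append((list(zip(tokens[0::2], tokens[1::2])), current))
        elif current is None:
            global_section.append((keyword, value))
        elif keyword in MATCH_ALLOWED:
            current.append((keyword, value))
        else:
            raise ValueError("%s is not permitted inside a Match block" % keyword)
    return global_section, blocks


def effective_config(text, conn):
    """Matching blocks override globals; the first value seen for a keyword wins."""
    global_section, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, directives in blocks:
        if criteria_hold(criteria, conn):
            for keyword, value in directives:
                effective.setdefault(keyword, value)
    for keyword, value in global_section:
        effective.setdefault(keyword, value)
    return effective
```

A connection is described as a dict with the user name, the list of the user's groups, the reverse-resolved client host name and the client address; a user in group backup connecting from 10.0.1.7 gets PermitRootLogin forced-commands-only, while the same user from 10.0.99.3 falls through to the global values because of the negated CIDR entry.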

#DenyGroups *
This keyword is followed by a list of group name patterns, separated by spaces ('*' and '?' may be used as wildcards). By default login is allowed for all groups.
If specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

#DenyUsers test
This keyword is followed by a list of user name patterns, separated by spaces ('*' and '?' may be used as wildcards). By default login is allowed for all users.
If specified, login is disallowed for user names that match one of the patterns.
If the pattern takes the form USER@HOST, then USER and HOST are checked separately, restricting logins for particular users from particular hosts; the HOST part may also be given in CIDR address/masklen form.
Only user names are valid; a numerical user ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

#AllowGroups
This keyword is followed by a list of group name patterns, separated by spaces ('*' and '?' may be used as wildcards). By default login is allowed for all groups.
If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns; all other groups are denied.
Only group names are valid; a numerical group ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

#AllowTcpForwarding
Whether TCP forwarding is permitted. The default is "yes".
Disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

#AllowUsers
This keyword is followed by a list of user name patterns, separated by spaces ('*' and '?' may be used as wildcards). By default login is allowed for all users.
If specified, login is allowed only for user names that match one of the patterns; all other users are denied.
If the pattern takes the form USER@HOST, then USER and HOST are checked separately, restricting logins to particular users from particular hosts; the HOST part may also be given in CIDR address/masklen form.
Only user names are valid; a numerical user ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
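The four directives above interact only through their evaluation order, which is easy to get wrong when an AllowUsers entry and a DenyGroups entry both apply to the same account. The following added example (not code from the original article) evaluates one login attempt against all four lists in the documented order: a DenyUsers hit rejects, then if AllowUsers is set the user must appear in it, then a DenyGroups hit on any of the user's groups rejects, then if AllowGroups is set one of the user's groups must appear in it. USER@HOST entries check both halves, the host half against the client's resolved name or IP address with wildcards, or as a CIDR block. The policy and the connection attempts are constructed for the example.

```python
"""Evaluate sshd's AllowUsers / DenyUsers / AllowGroups / DenyGroups checks.

Added example, not code from the original article. Order of evaluation is the
one the article gives: DenyUsers, AllowUsers, DenyGroups, AllowGroups. Groups
are the user's primary and supplementary groups. Patterns support '*' and '?';
the host half of USER@HOST may also be a CIDR block.
"""
import ipaddress
import re

# Constructed policy: the values an administrator might put in sshd_config.
POLICY = {
    "DenyUsers": ["test", "*@10.0.99.*"],
    "AllowUsers": ["admin@10.0.0.0/8", "deploy", "ops*"],
    "DenyGroups": ["guests"],
    "AllowGroups": ["wheel", "svc-*"],
}


def wildcard_match(pattern, text):
    """sshd-style pattern: '*' and '?' are the only wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text) is not None


def host_match(pattern, hostname, address):
    """Host half of USER@HOST: CIDR containment, else wildcard on name or IP."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return wildcard_match(pattern, hostname) or wildcard_match(pattern, address)


def user_match(pattern, user, hostname, address):
    """'USER' matches the name alone; 'USER@HOST' requires both halves to match."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return wildcard_match(user_pat, user) and host_match(host_pat, hostname, address)
    return wildcard_match(pattern, user)


def login_allowed(policy, user, groups, hostname, address):
    """Return (allowed, reason) for one login attempt, in sshd's order."""
    for pat in policy.get("DenyUsers", []):
        if user_match(pat, user, hostname, address):
            return False, "DenyUsers %s" % pat
    allow_users = policy.get("AllowUsers", [])
    if allow_users and not any(user_match(p, user, hostname, address) for p in allow_users):
        return False, "not listed in AllowUsers"
    for pat in policy.get("DenyGroups", []):
        if any(wildcard_match(pat, g) for g in groups):
            return False, "DenyGroups %s" % pat
    allow_groups = policy.get("AllowGroups", [])
    if allow_groups and not any(wildcard_match(p, g) for p in allow_groups for g in groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    attempts = [  # (user, groups, resolved client name, client address)
        ("deploy", ["deploy", "wheel"], "ci.example.test", "10.0.1.5"),
        ("admin", ["wheel"], "laptop.example.test", "192.168.1.9"),
        ("deploy", ["wheel"], "rogue.example.test", "10.0.99.4"),
        ("ops2", ["users"], "ops.example.test", "10.0.1.2"),
    ]
    for user, groups, host, addr in attempts:
        ok, why = login_allowed(POLICY, user, groups, host, addr)
        print("%-7s from %-15s -> %s (%s)" % (user, addr, "ALLOW" if ok else "DENY", why))
```

Note that with this policy "ops2" is refused even though it matches AllowUsers, because it belongs to no group listed in AllowGroups: every one of the four checks that is configured must pass.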

# ForceCommand cvs server
Forces the execution of the command specified here, ignoring any command supplied by the client. The command is invoked by using the user's login shell with the -c option.
This applies to shell, command and subsystem execution, and it is most useful inside a Match block.
The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable, so a forced wrapper can inspect and validate what the client asked for.

This article is from the "Rookie Growth Road" blog; please keep this source when reproducing it: http://francis905.blog.51cto.com/3048056/1722319
