SSH learning 2: OpenSSH Configuration File Parsing

Source: Internet
Author: User

The following describes the options in the two SSH configuration files. ssh_config is the configuration file of the OpenSSH client, and sshd_config is the configuration file of the OpenSSH server.

The content of ssh_config is as follows:


# This is the ssh client system-wide configuration file. See ssh_config(5) for more information. This file provides defaults for users, and the values can be changed in
# per-user configuration files or on the command line.


# Configuration data is parsed as follows: // precedence of the configuration options
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set. Thus, host-specific definitions should be at the beginning of the configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive list of available options, their meanings and defaults, please see the ssh_config(5) man page.


Host * // the hosts the following options apply to; '*' matches all hosts
# ForwardAgent no // whether the connection to the authentication agent (if any) is forwarded to the remote machine
# ForwardX11 no // whether X11 connections are automatically redirected over the secure channel and DISPLAY is set
# ForwardX11Trusted yes // whether forwarded X11 clients are given full (trusted) access to the display
# RhostsRSAAuthentication no // whether rhosts-based authentication combined with RSA host authentication is used (protocol 1)
# RSAAuthentication yes // whether RSA public key authentication is used (protocol 1)
# PasswordAuthentication yes // whether password authentication is used
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no // if yes, passphrase/password prompts are disabled (useful for scripts)
# CheckHostIP yes // whether ssh additionally checks the host's IP address in known_hosts, which helps detect DNS spoofing; yes is recommended
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask // if yes, ssh never automatically adds host keys to $HOME/.ssh/known_hosts and refuses to connect to a host whose key has changed
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa // location of the RSA private key used for authentication
# IdentityFile ~/.ssh/id_dsa // location of the DSA private key used for authentication
# Port 22 // server port
# Protocol 2,1 // SSH protocol versions to use, in order of preference
# Cipher 3des // cipher used for protocol 1
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~ // sets the escape character
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
SendEnv LANG LC_* // local environment variables sent to the server
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
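The precedence rule stated in the comment block above (the first value obtained for an option wins, so host-specific blocks must come before Host *) is easy to get wrong. The following Python resolver is an added example and is not part of the original post or of OpenSSH itself; the host names, ports and the two sample configurations in it are constructed for illustration. It walks the Host blocks in file order, keeps the first value seen for each keyword, and shows how a Host * block placed first shadows a later host-specific Port.

```python
import fnmatch
import re

# Constructed sample ssh_config for this example (not taken from any real
# system). Host-specific blocks come first and the "Host *" defaults last,
# as the comment in the system-wide file recommends.
SAMPLE_SSH_CONFIG = """\
Host bastion
    HostName gateway.example.com
    User ops
    Port 2222

Host *.example.com !test.example.com
    StrictHostKeyChecking yes

Host *
    StrictHostKeyChecking ask
    ForwardAgent no
    Port 22
"""

# The same options with the catch-all block first: because the first value
# obtained wins, "Port 22" now shadows the bastion-specific "Port 2222".
SAMPLE_WRONG_ORDER = """\
Host *
    StrictHostKeyChecking ask
    Port 22

Host bastion
    HostName gateway.example.com
    Port 2222
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_SPLIT = re.compile(r"[ \t=]+")


def parse_ssh_config(text):
    """Return a list of (host_patterns, {keyword: value}) blocks in file order.

    Lines before the first Host line belong to an implicit "Host *" block.
    Within one block the first occurrence of a keyword is kept.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)
    blocks.append((patterns, options))
    return blocks


def host_matches(hostname, patterns):
    """Pattern-list semantics from ssh_config(5): '*' and '?' are wildcards
    and a leading '!' negates. A negated pattern that matches excludes the
    host outright; otherwise any positive match includes it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_config(text, hostname):
    """Resolve the options ssh would use for `hostname` (the name given on
    the command line): walk the blocks in order and keep the first value
    obtained for each keyword."""
    resolved = {}
    for patterns, options in parse_ssh_config(text):
        if not host_matches(hostname, patterns):
            continue
        for key, value in options.items():
            resolved.setdefault(key, value)
    return resolved


if __name__ == "__main__":
    for name in ("bastion", "web1.example.com", "test.example.com"):
        print(name, effective_config(SAMPLE_SSH_CONFIG, name))
    # With the blocks in the wrong order the specific port is lost.
    print("wrong order:", effective_config(SAMPLE_WRONG_ORDER, "bastion")["port"])
```

On a real client, `ssh -G <host>` prints the options ssh itself resolves for that host after applying the command line, the user file and the system-wide file, which is the authoritative way to check the same question.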

The content of sshd_config is as follows:

# Package generated configuration file. See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen
Port 22 // port that sshd listens on; the default is 22
# Use these options to restrict which interfaces/protocols sshd will bind
# ListenAddress ::
# ListenAddress 0.0.0.0 // IP address the sshd service binds to; 0.0.0.0 listens on all addresses
Protocol 2 // only version 2 of the SSH protocol is used
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key // location of the RSA host key for SSH2
HostKey /etc/ssh/ssh_host_dsa_key // location of the DSA host key for SSH2
HostKey /etc/ssh/ssh_host_ecdsa_key // location of the ECDSA host key for SSH2
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600 // the ephemeral protocol 1 server key is regenerated every hour (3600 seconds)
ServerKeyBits 768 // number of bits in the ephemeral protocol 1 server key

# Logging
SyslogFacility AUTH // syslog facility code used when sshd's messages are logged
LogLevel INFO // verbosity level of sshd's syslog messages

# Authentication:
LoginGraceTime 120 // number of seconds after which sshd disconnects if the user has not logged in successfully
PermitRootLogin yes // if yes, the root user may log in via ssh; if no, root logins via ssh are refused
StrictModes yes // sshd checks the ownership and permissions of the user's home directory and rhosts files before accepting a login, so that nobody else can have write access to them


RSAAuthentication yes // whether RSA authentication (protocol 1) is allowed
PubkeyAuthentication yes // whether public key authentication is allowed
AuthorizedKeysFile %h/.ssh/authorized_keys // location of the file holding the user's authorized public keys (%h is the user's home directory)


# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes // whether the '~/.rhosts' and '~/.shosts' files are ignored during authentication
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no // whether rhosts or /etc/hosts.equiv authentication combined with RSA host authentication is allowed
# Similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# IgnoreUserKnownHosts yes // whether sshd ignores (does not trust) the user's '~/.ssh/known_hosts' file

# To enable empty passwords, change to yes (not recommended)
PermitEmptyPasswords no // whether logging in with an empty password is allowed

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no // whether challenge-response authentication is allowed. sshd supports all authentication types defined in the login.conf file

# Change to no to disable tunnelled clear text passwords
# PasswordAuthentication yes // whether password authentication is allowed; the default is yes

# Kerberos options // Kerberos authentication
# KerberosAuthentication no
# KerberosGetAFSToken no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes

# GSSAPI options // GSSAPI authentication
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes // destroy the user's credential cache on logout

X11Forwarding yes // whether sshd allows X11 forwarding; here the default is yes
X11DisplayOffset 10
PrintMotd no // whether sshd prints /etc/motd when a user logs in
PrintLastLog yes // whether the date and time of the user's last login are printed at interactive login
TCPKeepAlive yes // send TCP keepalive messages so that dead connections are detected
# UseLogin no // whether login(1) is used for interactive login sessions

# MaxStartups 10:30:60
# Banner /etc/issue.net // file whose contents are shown to the user as a banner when connecting

# Allow client to pass locale environment variables
AcceptEnv LANG LC_* // environment variables sent by the client that are copied into the session's environment (the client must set SendEnv in ssh_config)

Subsystem sftp /usr/lib/openssh/sftp-server // configures an external subsystem such as the sftp-server file transfer server. The value is a subsystem name followed by the command to run when a client requests it. The sftp-server command implements the sftp file transfer subsystem. This configuration parameter only uses

# Set this to 'yes' to enable PAM authentication, account processing, and session processing. If this is enabled, PAM authentication will be allowed through
# ChallengeResponseAuthentication and PasswordAuthentication. Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication
# may bypass the setting of "PermitRootLogin without-password". If you just want the PAM account and session checks to run without PAM authentication, then enable
# this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'.

UsePAM yes // whether the PAM pluggable authentication module is used; the default is yes
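Several of the server directives annotated above (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, Protocol, and the PAM caveat in the last comment block) decide how exposed the server is. The following Python checker is an added example, not part of the original post or of OpenSSH: it parses the unconditional part of an sshd_config, fills in the defaults the annotations above state for directives that are usually left commented out, and lists weak values next to a hardened variant of the same file. Both sample files and the choice of hardened values are constructed for this example.

```python
import re

# Constructed sample sshd_config mirroring the settings listed above; not
# captured from a real server.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
"""

# The same file with the risky values tightened (this example's own choice
# of hardened values).
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
UsePAM yes
"""

# Defaults the annotations above state for directives that are often left
# commented out; other directives are only audited when set explicitly.
PAGE_DEFAULTS = {"passwordauthentication": "yes", "usepam": "yes", "protocol": "2"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_SPLIT = re.compile(r"[ \t=]+")


def parse_global_section(text):
    """Parse the unconditional part of sshd_config into {keyword: value}.

    Parsing stops at the first Match block, whose lines apply only when the
    match criteria hold. As in ssh_config, the first value obtained wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, value, finding) tuples for weak settings."""
    cfg = dict(PAGE_DEFAULTS)
    cfg.update(parse_global_section(text))
    findings = []
    versions = [v.strip() for v in cfg["protocol"].split(",")]
    if "1" in versions:
        findings.append(("protocol", cfg["protocol"],
                         "SSH protocol 1 is enabled; use Protocol 2 only"))
    if cfg.get("permitrootlogin") == "yes":
        findings.append(("permitrootlogin", "yes",
                         "root may log in with a password; set no or prohibit-password"))
    if cfg["passwordauthentication"] == "yes":
        findings.append(("passwordauthentication", "yes",
                         "password logins are enabled; prefer public keys and set no"))
    if cfg.get("permitemptypasswords") == "yes":
        findings.append(("permitemptypasswords", "yes",
                         "accounts with empty passwords can log in"))
    # The caveat from the UsePAM comment block: PAM challenge-response
    # authentication can sidestep "PermitRootLogin without-password".
    if (cfg["usepam"] == "yes"
            and cfg.get("challengeresponseauthentication") == "yes"
            and cfg.get("permitrootlogin") == "without-password"):
        findings.append(("challengeresponseauthentication", "yes",
                         "with UsePAM yes this may bypass PermitRootLogin without-password"))
    if cfg.get("x11forwarding") == "yes":
        findings.append(("x11forwarding", "yes",
                         "X11 forwarding is enabled; disable it unless it is needed"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(text) or "no findings")
```

On a real server, `sshd -T` prints the effective configuration with every default filled in, so feeding its output to a checker like this catches values inherited from compiled-in defaults as well as values set in the file.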
