How to configure an SSH server under Debian



This was done on Debian 503. Debian does not ship with SSH support by default.

Installation of SSH
apt-get install openssh-server
apt-get install ssh
Configuration of SSH
OpenSSH's client configuration is concentrated in the /etc/ssh/ssh_config file.
Edit the "ssh_config" file (vim /etc/ssh/ssh_config) to add or change the following parameters:

# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~

The option settings above are described line by line below:

Host *
The "Host" option applies only to computers that match the string following it. "*" means all computers.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if present) is forwarded to the remote computer.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected to the secure channel and DISPLAY is set.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based security authentication is used.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based security authentication with the RSA algorithm is used.

RSAAuthentication yes
"RSAAuthentication" sets whether the RSA algorithm is used for security authentication.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.

FallBackToRsh no
"FallBackToRsh" sets whether rsh is used automatically if an error occurs with the SSH connection.

UseRsh no
"UseRsh" sets whether "rlogin/rsh" is used on this machine.

BatchMode no
If "BatchMode" is set to "yes", the passphrase/password prompt (interactive password entry) is disabled. This option is useful for scripts and batch jobs where a password cannot be entered interactively.

CheckHostIP yes
"CheckHostIP" sets whether ssh checks the IP address of the host it connects to in order to prevent DNS spoofing. The recommended setting is "yes".

StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh does not automatically add the computer's key to the "$HOME/.ssh/known_hosts" file and rejects the connection once the computer's key has changed.
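# Server-side configuration: /etc/ssh/sshd_config
# Only protocol version 2 is considered
# Global configuration
VersionAddendum TecZm-20050505 # with "telnet IP 22" only the OpenSSH version is visible, not the OS
Protocol 2 # use protocol version 2
Port 22 # sshd listens on port 22
ListenAddress 192.168.7.1 # sshd only listens for requests whose destination IP is 192.168.7.1
AllowGroups wheel myguest # allow users in the wheel and myguest groups to log in
AllowUsers teczm authen@192.168.8.5 # allow the users teczm and authen from the groups above to log in,
# and the user authen may log in only from host 192.168.8.5
#DenyGroups # groups denied login; parameters are set the same way as for AllowGroups
#DenyUsers # users denied login; parameters are set the same way as for AllowUsers
#AllowTcpForwarding yes # whether TCP forwarding is allowed. The default is yes.
LoginGraceTime 60 # if the client has not logged in within 60 seconds the login times out and sshd cuts the connection.
KeyRegenerationInterval 1800 # automatically regenerate the server's key every 1800 seconds (30 minutes).
MaxStartups 3 # limit on the number of concurrent unauthenticated connections
UseDNS no # do not use DNS to look up the client.
PermitRootLogin no # do not allow root to log in; a wheel group user can log in and su to root.
X11Forwarding no # prevent users from running X programs on the remote host; I don't have X, so it doesn't matter.
UseLogin yes # disables X11Forwarding
# Authentication configuration (choose one of password authentication, PAM authentication, asymmetric key authentication)
# Password authentication
PubkeyAuthentication no # do not use asymmetric key authentication
PasswordAuthentication yes # use password authentication
PermitEmptyPasswords no # do not allow users with empty passwords to log in
# PAM authentication
PasswordAuthentication no # do not use password authentication
UsePAM yes # use PAM authentication
ChallengeResponseAuthentication yes # allow challenge-response authentication
# Asymmetric key authentication
PasswordAuthentication no # do not use password authentication
PubkeyAuthentication yes # use asymmetric key authentication
AuthorizedKeysFile .ssh/authorized_keys # the public keys used to authenticate the user.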
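
The three authentication blocks above are alternatives. sshd uses the first value it reads for a keyword, so pasting all three into one file leaves password login on and public-key login off. The following check is an added example, not part of the original article; the function name and the sample text are constructed for illustration, and it assumes simple "Keyword value" lines without Match or Include.

```python
# Added example, not from the original article. Assumes plain
# "Keyword value  # comment" lines; Match and Include are not handled.

# Keywords that may appear several times without conflicting.
REPEATABLE = {"port", "listenaddress", "hostkey", "allowusers", "allowgroups"}

# Constructed sample: the article's three authentication alternatives
# pasted into one file instead of choosing one of them.
SAMPLE = """\
PermitRootLogin no
# password authentication
PubkeyAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
# PAM authentication
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
# public-key authentication
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

def effective_settings(text):
    """Return (effective, shadowed): first value per keyword, ignored repeats."""
    effective, shadowed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in REPEATABLE:
            effective.setdefault(key, []).append(value)
        elif key not in effective:
            effective[key] = value               # first occurrence wins
        elif effective[key] != value:
            shadowed.append((lineno, key, value, effective[key]))
    return effective, shadowed

if __name__ == "__main__":
    eff, shadowed = effective_settings(SAMPLE)
    for lineno, key, value, winner in shadowed:
        print(f"line {lineno}: {key} {value} is ignored; earlier '{winner}' wins")
    print("password login:", eff["passwordauthentication"],
          "| public-key login:", eff["pubkeyauthentication"])
```

On a live server, "sshd -t" checks the file for errors and "sshd -T" prints the configuration sshd will actually use.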
