Linux operations configuration explained: sshd_config

Source: Internet
Author: User

File configuration:
1. /etc/ssh/sshd_config
SSH daemon configuration file
2. /etc/shadow
Shadow password file (hashed passwords)
3. /etc/sudoers
Defines which users may run commands with sudo
4. /etc/issue
System identification banner shown before local login; it can be deleted
5. /etc/issue.net
Banner shown before remote login; its default content should be changed
6. /etc/redhat-release
Operating system name and version; best changed so the exact version is not disclosed
7. /etc/motd
Message of the day, displayed in the user's terminal after login
8. Control-Alt-Delete
The key combination that reboots the system; change it in:
CentOS 5.x: /etc/inittab
CentOS 6.x: /etc/init/control-alt-delete.conf
9. /etc/ssh/sshd_config configuration details:
Port 22: the port sshd listens on
Protocol 2: the SSH protocol version (1 or 2); SSH protocol 1 has known weaknesses, so set 2
ListenAddress 0.0.0.0: the IP address the SSH service binds to
HostKey /etc/ssh/ssh_host_dsa_key: path of the server host key file
KeyRegenerationInterval 1h: how often the protocol 1 ephemeral server key is regenerated, so that a stolen key cannot be used to decrypt previously intercepted traffic
ServerKeyBits 1024: length of that ephemeral server key
SyslogFacility AUTHPRIV: the syslog facility code used when SSH messages are recorded
LogLevel INFO: verbosity of SSH log messages
LoginGraceTime 2m: how long a user has to authenticate before the connection is cut off
PermitRootLogin yes: whether root may log in directly over SSH; set to no so that root cannot log in remotely
StrictModes yes: check the ownership and permissions of the user's home directory and key files before accepting the login
RSAAuthentication yes: whether RSA key authentication (protocol 1) is allowed
PubkeyAuthentication yes: whether public key authentication is allowed
AuthorizedKeysFile .ssh/authorized_keys: path of the public key file used for authentication
AuthorizedKeysCommand none
AuthorizedKeysCommandRunAs nobody

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
Similar for protocol version 2
HostbasedAuthentication no
Change to yes if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no: whether sshd ignores the user's $HOME/.ssh/known_hosts during host-based authentication
Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes: whether the ~/.rhosts and ~/.shosts files are ignored during authentication
To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes: whether password authentication is enabled (commented-out default)
PermitEmptyPasswords no: whether accounts with an empty password may log in
PasswordAuthentication yes (active setting)

Change to no to disable s/key passwords
ChallengeResponseAuthentication yes: the commented-out default; set to no to disable S/Key (challenge-response) passwords
ChallengeResponseAuthentication no (active setting)

Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no
KerberosUseKuserok yes

GSSAPI options
GSSAPIAuthentication no (commented-out default)
GSSAPIAuthentication yes (active setting)
GSSAPICleanupCredentials yes (commented-out default)
GSSAPICleanupCredentials yes (active setting)
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no

Set this to 'yes' to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will
be allowed through the ChallengeResponseAuthentication and
PasswordAuthentication. Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to 'no'.
UsePAM no: do not authenticate through PAM (commented-out default)
UsePAM yes (active setting)

Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no (commented-out default)
X11Forwarding yes: sets whether X11 forwarding is allowed (active setting)
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes: sets whether sshd displays /etc/motd when the user logs in
PrintLastLog yes: whether the last login information is displayed
TCPKeepAlive yes: send TCP keepalives so that dead connections are detected and closed
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
ShowPatchLevel no
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10:30:100: limits how many concurrent connections may be open that have not yet completed login
PermitTunnel no
ChrootDirectory none

No default banner path
Banner none

Override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Example of overriding settings on a per-user basis
Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
ForceCommand cvs server
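The directives above are only as good as the values sshd actually applies. The following shell script is an added example, not part of the original article: it reads a copied sshd_config and reports the weak settings discussed above (protocol 1, root login, password and empty-password login, X11 forwarding, user-controlled environment). It encodes two sshd parsing rules that a naive grep gets wrong: for each keyword the first value wins, and anything after a Match line is per-session, not global. The sample configuration is constructed for the example; the defaults assumed for absent keywords are those of the OpenSSH releases this article describes and are labelled as assumptions in the code.

```shell
#!/bin/sh
# Added example (not from the original article): audit a copied sshd_config
# for the weak settings discussed above. Two sshd parsing rules matter here:
#  - for each keyword sshd uses the FIRST value it reads; later duplicates
#    are ignored, so "PermitRootLogin no" placed after "PermitRootLogin yes"
#    changes nothing;
#  - settings after a "Match" line apply only to matched sessions, so the
#    global scope ends at the first Match block.
# Only the "Keyword value" form is handled, not "Keyword=value".

# Constructed sample file with several weak settings (not a real host's file).
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
UsePAM yes
Match User anoncvs
    X11Forwarding no
    ForceCommand cvs server
EOF

# effective_value FILE KEYWORD: print the value sshd would use in the global
# scope, or nothing if the keyword is not set. Keywords are case-insensitive.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == key { print $2; exit }    # first value wins
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED DEFAULT REASON: print "ok" or "WEAK".
# DEFAULT is the value assumed when the keyword is absent (sshd's built-in
# default for the OpenSSH releases the article describes; an assumption).
check_setting() {
    val=$(effective_value "$1" "$2")
    [ -n "$val" ] || val=$4
    val=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
    if [ "$val" = "$3" ]; then
        printf 'ok:   %s is "%s"\n' "$2" "$val"
    else
        printf 'WEAK: %s is "%s", want "%s": %s\n' "$2" "$val" "$3" "$5"
    fi
}

# audit_sshd_config FILE: one report line per checked keyword.
audit_sshd_config() {
    check_setting "$1" Protocol 2 2 "protocol 1 has known weaknesses; allow only 2"
    check_setting "$1" PermitRootLogin no yes "log in as an unprivileged user and use sudo"
    check_setting "$1" PasswordAuthentication no yes "prefer public-key authentication"
    check_setting "$1" PermitEmptyPasswords no no "accounts with empty passwords must not log in"
    check_setting "$1" X11Forwarding no no "forwarding exposes the client display to the server"
    check_setting "$1" PermitUserEnvironment no no "user-controlled environment can bypass ForceCommand"
}

audit_sshd_config "$SAMPLE_CONFIG"
```

On the sample file the script reports five WEAK lines and one ok line; note that the later "PermitRootLogin no" does not rescue the earlier "yes", and the X11Forwarding inside the Match block is not the global value. On a live host, `sshd -T` prints the effective configuration as sshd itself resolves it and is the authoritative check; this script is for reviewing a file copied off a machine.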
10. /etc/bashrc
User environment variables
11. /etc/profile
System-wide environment variables
/etc/hosts.allow and /etc/hosts.deny
Main parameters:
Service: name of the server process (daemon)
Hosts: host name or IP address
Action: optional action to take
ALL: matches all servers or IP addresses
EXCEPT: excludes the hosts that follow
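The order in which TCP wrappers consults these two files is the part that is easy to get wrong: hosts.allow is searched first and a match grants access, only then is hosts.deny searched, and a client matched by neither file is allowed. The following script is an added example, not part of the original article; it evaluates a constructed hosts.allow/hosts.deny pair with that order and the ALL, exact-address, trailing-dot prefix and EXCEPT forms named above. Netmask, hostname, LOCAL/KNOWN and IPv6 forms are not handled, and the rule files and client addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): evaluate /etc/hosts.allow
# and /etc/hosts.deny rules the way TCP wrappers (libwrap) does, so a rule
# set can be checked before it is deployed. Order is the security-relevant
# point: hosts.allow is searched first and a match grants access; only then
# is hosts.deny searched; a client in neither file is ALLOWED.
# Supported patterns: ALL, an exact address, a "192.168.1." prefix, and
# EXCEPT. Netmask, hostname, LOCAL/KNOWN and IPv6 forms are not handled.

# Constructed sample rule files (not taken from any real host).
ALLOW_RULES=$(mktemp)
DENY_RULES=$(mktemp)
cat >"$ALLOW_RULES" <<'EOF'
# constructed hosts.allow: the LAN may reach sshd, except one host
sshd : 192.168.1. EXCEPT 192.168.1.99
sshd : 10.0.0.5
EOF
cat >"$DENY_RULES" <<'EOF'
# constructed hosts.deny: everything else is refused
sshd : ALL
EOF

# match_list LIST NAME: succeed if NAME matches the pattern list, where
# entries before EXCEPT must match and entries after EXCEPT must not.
match_list() {
    printf '%s\n' "$1" | awk -v name="$2" '
        function one(p) {
            return p == "ALL" || p == name ||
                   (substr(p, length(p)) == "." && index(name, p) == 1)
        }
        {
            n = split($0, w, " "); inc = 1; hit = 0; exc = 0
            for (i = 1; i <= n; i++) {
                if (w[i] == "EXCEPT") { inc = 0; continue }
                if (one(w[i])) { if (inc) hit = 1; else exc = 1 }
            }
            exit (hit && !exc) ? 0 : 1
        }'
}

# rules_match FILE DAEMON CLIENT: succeed if some "daemons : clients" line
# in FILE matches both. Comments and blank lines are skipped.
rules_match() {
    while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            return 0
        fi
    done <"$1"
    return 1
}

# hosts_access DAEMON CLIENT: print "allow" or "deny" using libwrap's order.
hosts_access() {
    if rules_match "$ALLOW_RULES" "$1" "$2"; then
        echo allow
    elif rules_match "$DENY_RULES" "$1" "$2"; then
        echo deny
    else
        echo allow     # no rule in either file: access is granted
    fi
}

for client in 192.168.1.20 192.168.1.99 10.0.0.5 172.16.0.1; do
    printf 'sshd from %s: %s\n' "$client" "$(hosts_access sshd "$client")"
done
```

With these rules 192.168.1.20 and 10.0.0.5 are allowed, 192.168.1.99 is refused by the EXCEPT and then caught by "sshd : ALL" in hosts.deny, and 172.16.0.1 is refused. A daemon with no rule in either file (vsftpd in the test below) is allowed from anywhere, which is why a "deny everything" line is normally written as "ALL : ALL" rather than per service.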
