SSH configuration file description

Source: Internet
Author: User
Tags: file transfer protocol, ssh, secure file transfer, ssh secure shell, ssh server, dns spoofing

Configuring the "/etc/ssh/ssh_config" file

The "/etc/ssh/ssh_config" file is the OpenSSH system-wide client configuration file; the options set in it change how the ssh client program behaves. Each line of this file contains a keyword and a value; keywords are case-insensitive, values are case-sensitive. The most important keywords are listed below; see the ssh_config(5) man page (and ssh(1)) for the complete list.

Edit the "ssh_config" file (vi /etc/ssh/ssh_config) to add or change the following parameters:

# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~

Note that RhostsAuthentication, RhostsRSAAuthentication, RSAAuthentication, Cipher and the ~/.ssh/identity key file belong to SSH protocol 1, and FallBackToRsh and UseRsh to the rsh fallback; OpenSSH has removed all of these (protocol 1 as of version 7.6), and current clients reject or ignore the keywords. "StrictHostKeyChecking no" is also a weak choice, because it silently accepts new and changed host keys; see the description below.

Each of the options above is described below:

Host *
The "Host" keyword restricts the declarations that follow it to hosts matching the given pattern; "*" matches all hosts.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if one is running) is forwarded to the remote machine. Keep it off unless it is needed: anyone with root on the remote host can use the forwarded agent socket to authenticate with your keys.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY set. Forwarding gives the remote host access to the local X server, so keep it off unless it is needed.

RhostsAuthentication no
"RhostsAuthentication" sets whether to try rhosts-based authentication (protocol 1 only; obsolete).

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether to try rhosts-based authentication combined with RSA host authentication (protocol 1 only; obsolete).

RSAAuthentication yes
"RSAAuthentication" sets whether to try RSA public-key authentication (protocol 1 only; protocol 2 uses PubkeyAuthentication).

PasswordAuthentication yes
"PasswordAuthentication" sets whether the client is willing to use password authentication.

FallBackToRsh no
"FallBackToRsh" sets whether ssh falls back to rsh (in clear text) when the SSH connection fails. Never enable this; the option has long been removed from OpenSSH.

UseRsh no
"UseRsh" sets whether rlogin/rsh is used for this host instead of ssh (also removed from OpenSSH).

BatchMode no
"BatchMode", if set to yes, disables the passphrase/password prompts. This is useful in scripts and batch jobs where nobody can type a password interactively.

CheckHostIP yes
"CheckHostIP" sets whether ssh additionally checks the IP address of the host in the known_hosts file, which lets it notice a host key that changed because of DNS spoofing. The recommended setting is yes.

StrictHostKeyChecking no
"StrictHostKeyChecking", if set to yes, makes ssh never add host keys to the "$HOME/.ssh/known_hosts" file automatically and refuse to connect to a host whose key has changed. With the value no used above, ssh adds new host keys on its own and lets a connection to a host with a changed key proceed (with some restrictions), which means a substituted host is accepted silently; avoid this setting. The default, ask, adds a new key only after the user confirms the fingerprint and refuses changed keys.

IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's private key for public-key authentication is read. ~/.ssh/identity is the protocol-1 RSA key; protocol 2 uses ~/.ssh/id_rsa, ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 by default.

Port 22
"Port" sets the port number to connect to on the remote host.

Cipher blowfish
"Cipher" selects the cipher (encryption algorithm, not a password) used to encrypt protocol-1 sessions; protocol 2 uses the "Ciphers" list instead, and blowfish is no longer available in current OpenSSH.

EscapeChar ~
"EscapeChar" sets the escape character (default ~) that introduces ssh's escape sequences, such as "~." to terminate the connection.


Configuring the "/etc/ssh/sshd_config" file

"/etc/ssh/sshd_config" is the OpenSSH server configuration file; the options set in it change how the sshd daemon operates. Each line of this file contains a keyword and a value; keywords are case-insensitive, values are case-sensitive. The most important keywords are listed below; see the sshd_config(5) man page (and sshd(8)) for the complete list.

Edit the "sshd_config" file (vi /etc/ssh/sshd_config) to add or change the following parameters:

# This is the SSH server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
ClientAliveInterval 300
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers Admin

Note that the protocol-1 key /etc/ssh/ssh_host_key, ServerKeyBits, KeyRegenerationInterval, RhostsAuthentication, RhostsRSAAuthentication and RSAAuthentication belong to SSH protocol 1, which current OpenSSH releases no longer support; sshd rejects or ignores these keywords, so copy the list selectively. "PasswordAuthentication yes" leaves the server open to online password guessing; on an internet-facing host set it to no and use keys.

A line-by-line description of the settings above follows:

Port 22
"Port" sets the port number that sshd listens on.

ListenAddress 192.168.1.1
"ListenAddress" sets the local IP address that sshd binds to.

HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file containing the host's private key. /etc/ssh/ssh_host_key is the protocol-1 key; current servers use one file per algorithm, such as /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key.

ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the ephemeral server key (protocol 1 only; obsolete).

LoginGraceTime 600
"LoginGraceTime" sets the time, in seconds, after which the server disconnects a connection whose user has not logged in successfully. A shorter value (the current OpenSSH default is 120) limits how long unauthenticated connections can occupy the server.

ClientAliveInterval 300 (default = 0)
"ClientAliveInterval" sets how often, in seconds, sshd sends a keepalive request through the encrypted channel when no data has been received from the client; 300 means every 5 minutes. A client that fails to answer ClientAliveCountMax (default 3) consecutive requests is disconnected.


KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets the number of seconds after which the server key is regenerated (if it has been used), so that captured traffic cannot later be decrypted with a stolen key (protocol 1 only; obsolete).

PermitRootLogin no
"PermitRootLogin" sets whether root can log in over ssh. Do not set this to yes; if root needs ssh access at all, "prohibit-password" (the current OpenSSH default) allows it with keys only.

IgnoreRhosts yes
"IgnoreRhosts" sets whether the ".rhosts" and ".shosts" files are ignored during rhosts-based authentication; yes means they are not used.

IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether sshd ignores the user's "$HOME/.ssh/known_hosts" file during RhostsRSAAuthentication (and host-based authentication).

StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and related files before accepting the login. This is usually necessary because novice users sometimes leave their directories or files writable by everyone.

X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is permitted.

PrintMotd yes
"PrintMotd" sets whether sshd prints the contents of "/etc/motd" when a user logs in.

SyslogFacility AUTH
"SyslogFacility" sets the syslog facility code used when logging messages from sshd.

LogLevel INFO
"LogLevel" sets the verbosity of sshd's log messages. INFO is a good choice; see the sshd_config man page for the other levels.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts or "/etc/hosts.equiv" alone is sufficient for authentication (protocol 1 only; insecure and obsolete).

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts or "/etc/hosts.equiv" combined with RSA host authentication is allowed (protocol 1 only; obsolete).

RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA public-key authentication is allowed (protocol 1 only; protocol 2 uses PubkeyAuthentication).

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed. On an internet-facing server set it to no and use keys, so that online password guessing is not possible.

PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether login to an account with an empty password is allowed. Keep it at no.

AllowUsers Admin
"AllowUsers" can be followed by any number of user name patterns, or user@host patterns, separated by spaces; the host can be a DNS name or an IP address. Once it is set, only matching users may log in.

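To turn the two keyword tables above into a check that can run on real files, here is an added example (not code from the article or from OpenSSH). It parses the ssh_config/sshd_config syntax described in both sections (one keyword and value per line, keywords case-insensitive, "=" or whitespace as separator, "#" comments, Host/Match lines opening a section) and flags the settings a current review would question: the protocol-1 and rsh keywords, "StrictHostKeyChecking no" on the client, and password-related settings on the server. The two policy tables are assumptions of the example, and the two configurations from the article are embedded as constructed, abridged input.

```python
"""Audit OpenSSH-style config text (ssh_config or sshd_config) for weak or obsolete settings."""
import re
from dataclasses import dataclass

# Policy tables (assumptions of this example, not from OpenSSH): (keyword, value) -> reason.
# Client and server lists are kept apart so a client-side "PasswordAuthentication yes"
# (which only says the client is willing to try passwords) is not reported as a server flaw.
CLIENT_WEAK = {
    ("stricthostkeychecking", "no"): "auto-accepts new and changed host keys, so a spoofed host goes unnoticed",
    ("forwardagent", "yes"): "root on the remote host can sign with the forwarded agent",
    ("forwardx11", "yes"): "the remote host gets access to the local X server",
}
SERVER_WEAK = {
    ("permitrootlogin", "yes"): "direct root login; prefer 'no' or 'prohibit-password'",
    ("passwordauthentication", "yes"): "permits online password guessing; prefer key-only auth",
    ("permitemptypasswords", "yes"): "accounts with empty passwords can log in",
    ("x11forwarding", "yes"): "X11 forwarding is enabled for every user",
}
# Keywords of SSH protocol 1 or the rsh fallback; current OpenSSH no longer accepts them.
OBSOLETE = {
    "rhostsauthentication", "rhostsrsaauthentication", "rsaauthentication", "fallbacktorsh",
    "usersh", "cipher", "serverkeybits", "keyregenerationinterval",
}


@dataclass
class Finding:
    line: int
    section: str
    keyword: str
    value: str
    reason: str


# One directive per line: keyword, then "=" or whitespace, then the rest of the line as the value.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse(text):
    """Yield (line_no, section, keyword, value); keywords are case-insensitive, so lower-cased."""
    section = "(global)"
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"line {n}: expected 'Keyword value', got {raw!r}")
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword in ("host", "match"):  # a Host/Match line opens a new section
            section = f"{m.group(1)} {value}"
        yield n, section, keyword, value


def audit(text, server=False):
    """Return the Findings for a client config (default) or, with server=True, a server config."""
    weak = SERVER_WEAK if server else CLIENT_WEAK
    findings = []
    for n, section, keyword, value in parse(text):
        if keyword in OBSOLETE:
            findings.append(Finding(n, section, keyword, value, "protocol-1/rsh keyword removed from OpenSSH"))
        reason = weak.get((keyword, value.lower()))
        if reason:
            findings.append(Finding(n, section, keyword, value, reason))
    return findings


# Constructed input: abridged copies of the two configurations printed in the article.
CLIENT_SAMPLE = """\
Host *
ForwardAgent no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
FallBackToRsh no
UseRsh no
CheckHostIP yes
StrictHostKeyChecking no
Cipher blowfish
"""
SERVER_SAMPLE = """\
Port 22
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
KeyRegenerationInterval 3600
PermitRootLogin no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers Admin
"""

if __name__ == "__main__":
    for name, text, server in (("ssh_config", CLIENT_SAMPLE, False), ("sshd_config", SERVER_SAMPLE, True)):
        print(f"== {name}")
        for f in audit(text, server):
            print(f"  line {f.line:2d} [{f.section}] {f.keyword} {f.value}: {f.reason}")
```

Run against the article's client settings it reports seven findings (six removed keywords plus "StrictHostKeyChecking no"), and against the server settings six (five removed keywords plus "PasswordAuthentication yes"); a line with a keyword but no value, such as a bare "Port", is rejected by the parser rather than silently skipped. To audit a live system, pass the contents of /etc/ssh/sshd_config to audit(text, server=True).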

Using SFTP instead of FTP to transfer files

FTP (File Transfer Protocol) is a very widely used way to transfer files across a network, but it is exposed to network eavesdropping because it transmits user credentials and data in clear text. The SSH package already includes a secure file transfer subsystem, SFTP (the SSH File Transfer Protocol; despite the name it is not FTP over SSH). SFTP has no daemon of its own: it runs as a subsystem of the sshd daemon (port 22 by default), so in a sense it behaves less like a server program and more like a client program. Because SFTP carries both the authentication exchange and the transferred data inside the encrypted SSH session, it is safe against eavesdropping. The encryption costs some throughput compared with plain FTP, so where security requirements are higher, use SFTP instead of FTP.

The rest of this article describes the commercial SSH2 server (SSH Communications Security's "ssh2"), whose configuration file is sshd2_config; in OpenSSH the equivalent directive is the "Subsystem sftp" line in /etc/ssh/sshd_config. To enable SFTP, edit the following line in the sshd2_config file:
#subsystem-sftp sftp-server

Remove the "#" from the beginning of the line and restart the SSH server; you can then transfer files over SFTP on the same SSH connection.
About client settings

The settings above are for the server; the SSH server package also includes client tools (ssh, sftp). Most client users, however, are on Windows, so the client-side setup on Windows is described below.

First download "SSHSecureShellClient-3.2.3.exe" from the URL given above and install it. When installation completes, two shortcuts appear on the desktop: "SSH Secure Shell Client" for remote administration, and "SSH Secure File Transfer Client" for transferring files with the server. Click "Quick Connect" in the toolbar, enter the host name and user name, then enter the password in the pop-up dialog to complete the login and start running commands or transferring files. By default the SFTP client shows only the user's home directory and non-hidden files. To see other directories or hidden files, enable the "Show root directory" and "Show hidden files" options under "Edit -> Settings -> File Transfer".

Enabling SFTP for ordinary users without shell access

By default, an account added by the administrator gets both SFTP and SSH (shell) access. Letting ordinary users run commands in a shell is a significant security risk; if users can be prevented from running shell commands and limited to transferring files over SFTP, this risk is removed while the function of FTP is fully retained.

As noted above, SFTP has no daemon of its own and depends on the sshd daemon, so the SSH server is still needed and sshd must be running. The method below is specific to the commercial SSH2 server built from source (installed here under /usr/local/ssh3.2):

First, the package must have been built with the "--enable-static" option. After installation, run the following command in the bin directory of the installation directory:
# ls -l ssh-dummy-shell* sftp-server2*
You will see the following output:
-rwxr-xr-x 1 root root 1350417 Apr 16:30 sftp-server2
-rwxr-xr-x 1 root root 3566890 Apr 16:30 sftp-server2.static
-rwxr-xr-x 1 root root   72388 Apr 16:30 ssh-dummy-shell
-rwxr-xr-x 1 root root 1813412 Apr 16:30 ssh-dummy-shell.static

The two larger files with the ".static" suffix are produced by the "--enable-static" option: they are statically linked, so they can run inside a chroot that contains no shared libraries. These are the two files used below.
The steps below use an ordinary account named test as the example.

1. Create a "bin" subdirectory under "/home" (or under whichever directory holds the ordinary users' home directories), copy the two static files into it, dropping the ".static" suffix, and set their ownership and permissions:

# mkdir /home/bin
# cd /usr/local/ssh3.2/bin
# cp ssh-dummy-shell.static /home/bin/ssh-dummy-shell
# cp sftp-server2.static /home/bin/sftp-server
# chown -R root.root /home/bin
# chmod -R 755 /home/bin
2. Add a group for all users who are to be denied a shell; this makes managing many such users easier:

# groupadd template
3. Use the following commands to add the account:

# useradd -s /bin/ssh-dummy-shell -g template test
# passwd test
# mkdir /home/test/bin
# cd /home/test/bin
# ln /home/bin/ssh-dummy-shell ssh-dummy-shell
# ln /home/bin/sftp-server sftp-server
# chown -R root.root /home/test/bin
# chmod -R 755 /home/test/bin

The shell path "/bin/ssh-dummy-shell" is resolved inside the chroot configured in step 4, where the user's home directory becomes "/"; that is why the two binaries are linked into /home/test/bin. Hard links are used rather than symbolic links because a symbolic link pointing outside the chroot cannot be followed from within it; hard links require /home/bin and /home/test to be on the same filesystem.
4. After the user has been added, edit the /etc/ssh2/sshd2_config file and change

#ChRootGroups sftp,guest

to

ChRootGroups sftp,guest,template

This line confines ordinary users to their own home directories so that they cannot view the system's other directories. Restart the SSH server and log in with the SSH Secure File Transfer Client: even with "Show root directory" selected, an ordinary user sees no other directory, because the home directory is presented as the root. Note that the restriction is applied by group, so every user in the template group is covered. To restrict individual users instead, edit the following line:

#ChRootUsers anonymous,ftp,guest
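On a current OpenSSH server the same restriction needs none of the copied binaries or hard links above, because sshd can chroot a group and serve SFTP in-process. The script below is an added example; it is not part of the original article and not the SSH2 vendor's procedure. The group name sftponly, the base directory /srv/sftp and the drop-in file /etc/ssh/sshd_config.d/sftponly.conf are assumptions of the example.

```shell
#!/bin/sh
# Added example: SFTP-only users on OpenSSH with Match + ChrootDirectory + internal-sftp.
# Assumed names: group "sftponly", chroot base /srv/sftp, drop-in
# /etc/ssh/sshd_config.d/sftponly.conf (the sshd_config.d include needs OpenSSH 8.2+;
# on older servers append the block to the END of /etc/ssh/sshd_config instead,
# because a Match block applies to every line that follows it).
set -eu

# Print the sshd_config block for GROUP with chroot base BASE.
# sshd expands %u to the user name, so each user is confined to BASE/<user>.
sftp_only_block() {
    group=$1; base=$2
    cat <<EOF
Match Group $group
    ChrootDirectory $base/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Create the group, the user and a chroot that satisfies sshd's rule: every
# path component of ChrootDirectory must be owned by root and not writable by
# group or others. The user gets a writable sub-directory for the files; inside
# the chroot the session starts at "/" (the directory BASE/<user> seen from outside).
sftp_only_setup() {
    user=$1; group=$2; base=$3
    getent group "$group" >/dev/null || groupadd "$group"
    mkdir -p "$base/$user/files"
    useradd -d "$base/$user" -g "$group" -s /usr/sbin/nologin "$user"   # /sbin/nologin on RHEL-family
    chown root:root "$base" "$base/$user"
    chmod 755 "$base" "$base/$user"
    chown "$user:$group" "$base/$user/files"
    chmod 750 "$base/$user/files"
    sftp_only_block "$group" "$base" > /etc/ssh/sshd_config.d/sftponly.conf
    sshd -t                      # refuse to reload if the config does not parse
    systemctl reload sshd        # the unit is called "ssh" on Debian and Ubuntu
}

# Usage: sh sftponly.sh apply <user>  (as root). Without "apply" it only prints the block.
if [ "${1:-}" = "apply" ]; then
    sftp_only_setup "$2" sftponly /srv/sftp
else
    sftp_only_block sftponly /srv/sftp
fi
```

The ownership rule is the part people get wrong: if /srv/sftp or /srv/sftp/<user> is owned by the user or is group-writable, sshd logs "bad ownership or modes for chroot directory" and refuses the login, which is why the user's writable area is a sub-directory rather than the chroot itself. The Match block also switches off TCP and X11 forwarding and TTY allocation, since an SFTP-only account has no use for them.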

SSH has proven to be a very good network security solution, yet many administrators still rely on Telnet or FTP, which are very insecure tools; they should move to SSH as soon as possible to reduce network security risks. This article is reproduced from http://blog.csdn.net/gzh0222/article/details/7690700

