sshd_config - OpenSSH SSH daemon configuration file (directive reference)

Source: Internet
Author: User
Tags: hmac sha1, ssh server

NAME

sshd_config - OpenSSH SSH server daemon configuration file

SYNOPSIS

/etc/ssh/sshd_config

DESCRIPTION

sshd reads its configuration from /etc/ssh/sshd_config by default (or from the file given with the -f command-line option).
The file consists of "keyword argument" pairs, one per line. Blank lines and lines beginning with '#' are comments and are ignored.
An argument that contains spaces or other special characters can be enclosed in double quotes (").
Note: keywords are case-insensitive, but arguments are case-sensitive.

The configuration directives available are listed below. The list reflects an older OpenSSH release (one that still supported SSH protocol 1); later releases added directives and removed the SSH-1 ones, so consult the sshd_config(5) man page of the installed version. After editing the file, run "sshd -t" to syntax-check it and "sshd -T" to print the effective values (add "-C user=...,host=...,addr=..." to see what a given Match block would apply) before restarting the daemon.

AcceptEnv
Specifies which environment variables sent by the client are copied into the session's environment. Note that only the SSH-2 protocol supports passing environment variables.
See the SendEnv directive in ssh_config(5) for the client side.
The argument is a space-separated list of variable names, in which '*' and '?' may be used as wildcards. The list may also be spread across multiple AcceptEnv directives.
Be warned that some environment variables (LD_PRELOAD and similar loader variables, PATH, shell start-up variables) can be used to bypass a restricted user environment, so accept only the variables you need (for example locale settings), never a pattern such as '*'.
By default, no environment variables are accepted.

AddressFamily
Specifies which address family sshd should use. Valid arguments are "any" (the default), "inet" (IPv4 only) and "inet6" (IPv6 only).

AllowGroups
This keyword can be followed by a list of group name patterns, separated by spaces (the wildcards '*' and '?' may be used). By default, login is allowed for all groups.
If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns; all other users are denied.
Only group names are valid; a numerical group ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups

AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The default is "yes".
Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. Pair it with ForceCommand or a restricted shell when an account must not be able to tunnel.

AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces (the wildcards '*' and '?' may be used). By default, login is allowed for all users.
If specified, login is allowed only for user names that match one of the patterns; all other users are denied.
If a pattern takes the form USER@HOST then USER and HOST are checked separately, restricting logins to particular users from particular hosts (HOST is matched against the client's hostname or IP address).
Only user names are valid; a numerical user ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups
Because every stage is applied, a user listed in AllowUsers is still denied if AllowGroups is set and none of the user's groups match it.

AuthorizedKeysFile
Specifies the file that contains the public keys (RSA or DSA in this release) that can be used for user authentication.
The following tokens are expanded at run time: %% is replaced by a literal '%', %h by the home directory of the user being authenticated, and %u by that user's username.
After expansion, the value is taken as an absolute path or as a path relative to the user's home directory.
The default is ".ssh/authorized_keys".
Pointing this at a root-owned location outside the home directories (for example /etc/ssh/authorized_keys/%u) prevents users from adding their own keys.

Banner
The contents of the specified file are sent to the remote user before authentication is allowed.
This option is only available for protocol version 2. By default, no banner is displayed; "none" disables it explicitly.
Since the banner is sent to unauthenticated clients, keep it to a legal notice and do not put host or version details in it.

ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed. The default is "yes".
All authentication styles from login.conf(5) are supported.
On systems that use PAM (UsePAM yes) this is the method through which PAM password prompts are delivered, so disabling password logins requires setting this to "no" as well as PasswordAuthentication. Later releases treat it as an alias for KbdInteractiveAuthentication.

Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The ciphers supported in the release this page describes are:
aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr,
3des-cbc, arcfour128, arcfour256, arcfour, blowfish-cbc, cast128-cbc
The default in that release is to allow all of the above.
Caveat: arcfour (RC4), blowfish, cast128, 3des and the CBC modes are legacy algorithms. Later OpenSSH releases dropped the CBC, arcfour, blowfish and cast128 ciphers from the defaults and then removed several of them entirely. On a current server, set an explicit list such as the aes*-ctr ciphers, or the AEAD ciphers aes128-gcm@openssh.com, aes256-gcm@openssh.com and chacha20-poly1305@openssh.com where the installed version supports them, rather than relying on this default.

ClientAliveCountMax
Sets the number of client alive messages that may be sent without sshd receiving any response from the client. The default is 3.
If this threshold is reached while client alive messages are being sent, sshd disconnects the client and terminates the session.
Note that client alive messages are very different from TCPKeepAlive: the client alive messages are sent through the encrypted channel and therefore cannot be spoofed, whereas TCP keepalive packets can be.
If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at the default, an unresponsive client is disconnected after approximately 45 seconds. This directive applies to protocol version 2 only.

ClientAliveInterval
Sets a timeout interval in seconds after which, if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client.
The default is 0, meaning that these messages are not sent. This option applies to protocol version 2 only.

Compression
Specifies whether compression is allowed, or delayed until the user has authenticated successfully (this directive controls compression, not encryption).
The argument must be "yes", "delayed" (the default) or "no". "delayed" keeps the compression code from being exposed to unauthenticated clients.

DenyGroups
This keyword can be followed by a list of group name patterns, separated by spaces (the wildcards '*' and '?' may be used). By default, login is allowed for all groups.
If specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups

DenyUsers
This keyword can be followed by a list of user name patterns, separated by spaces (the wildcards '*' and '?' may be used). By default, login is allowed for all users.
If specified, login is disallowed for user names that match one of the patterns.
If a pattern takes the form USER@HOST then USER and HOST are checked separately, restricting logins to particular users from particular hosts.
Only user names are valid; a numerical user ID is not recognized. The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, AllowGroups
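The following Python is an added illustration of the evaluation order shared by AllowGroups, AllowUsers, DenyGroups and DenyUsers; it is not OpenSSH code. The policy, user names, groups, hostnames and addresses are constructed, and the USER@HOST handling follows sshd's behaviour of matching HOST against either the client's resolved hostname or its IP address. It reports which directive decided the outcome, which makes the "must pass every stage" rule visible:

```python
"""Model sshd's DenyUsers / AllowUsers / DenyGroups / AllowGroups order."""
import re


def pattern_match(pattern, value):
    """OpenSSH-style pattern: '*' and '?' are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def user_pattern_match(pattern, user, host, address):
    """Match a USER or USER@HOST pattern.

    For USER@HOST the HOST part is checked against both the client's
    resolved hostname and its IP address, so 'bob@10.0.0.*' works even
    when reverse DNS for the client is missing.
    """
    if "@" not in pattern:
        return pattern_match(pattern, user)
    user_pat, host_pat = pattern.rsplit("@", 1)
    return pattern_match(user_pat, user) and (
        pattern_match(host_pat, host) or pattern_match(host_pat, address))


def login_allowed(policy, user, groups, host="", address=""):
    """Apply the four directives in sshd's fixed order.

    policy maps the lower-cased directive name to its list of patterns;
    a directive absent from the policy imposes no restriction.
    groups is the user's primary group followed by the supplementary
    groups (sshd checks all of them, not only the primary group).
    Returns (allowed, directive_that_decided).
    """
    deny_users = policy.get("denyusers", [])
    if any(user_pattern_match(p, user, host, address) for p in deny_users):
        return False, "DenyUsers"          # explicit deny wins outright
    allow_users = policy.get("allowusers", [])
    if allow_users and not any(user_pattern_match(p, user, host, address)
                               for p in allow_users):
        return False, "AllowUsers"         # allow-list present, user not on it
    deny_groups = policy.get("denygroups", [])
    if any(pattern_match(p, g) for p in deny_groups for g in groups):
        return False, "DenyGroups"
    allow_groups = policy.get("allowgroups", [])
    if allow_groups and not any(pattern_match(p, g)
                                for p in allow_groups for g in groups):
        return False, "AllowGroups"        # must ALSO pass the group allow-list
    return True, "allowed"


# Constructed policy, equivalent to these sshd_config lines:
#   DenyUsers   guest *@*.untrusted.example
#   AllowUsers  alice bob@10.0.0.* ops-*
#   AllowGroups wheel ops
POLICY = {
    "denyusers": ["guest", "*@*.untrusted.example"],
    "allowusers": ["alice", "bob@10.0.0.*", "ops-*"],
    "allowgroups": ["wheel", "ops"],
}

if __name__ == "__main__":
    cases = [  # constructed logins: (user, groups, resolved hostname, IP)
        ("alice", ["alice", "wheel"], "ws1.corp.example", "10.0.0.5"),
        ("alice", ["alice", "users"], "ws1.corp.example", "10.0.0.5"),
        ("bob", ["bob", "ops"], "laptop.corp.example", "10.0.0.9"),
        ("bob", ["bob", "ops"], "laptop.corp.example", "192.168.1.2"),
        ("guest", ["guest", "wheel"], "ws1.corp.example", "10.0.0.5"),
        ("ops-deploy", ["ops-deploy", "ops"], "ci.untrusted.example", "203.0.113.4"),
    ]
    for user, groups, host, address in cases:
        print(user, host, login_allowed(POLICY, user, groups, host, address))
```

The second alice case is the one that surprises people: she is in AllowUsers, but because AllowGroups is also set and "users" matches neither wheel nor ops, the login is refused at the AllowGroups stage.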

ForceCommand
Forces the execution of the command specified here, ignoring any command supplied by the client. The command is invoked through the user's login shell with the -c option.
This applies to shell, command and subsystem execution. It is most useful inside a Match block.
The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable, so the forced command can inspect it and permit only specific operations.

GatewayPorts
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The default is "no".
By default, sshd binds remote port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports.
GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect.
"no" forces remote port forwardings to be available to the local host only; "yes" forces them to bind to the wildcard address.
"clientspecified" allows the client to select the address to which the forwarding is bound.

GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed. The default is "no". Protocol version 2 only.

GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache on logout. The default is "yes". Protocol version 2 only.

HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This is similar to RhostsRSAAuthentication but applies to protocol version 2 only.
The default is "no". Keep it: this method trusts every account on a trusted client host, so compromising any such host gives access to the server.

HostbasedUsesNameFromPacketOnly
Specifies whether, when HostbasedAuthentication is enabled, the server performs a reverse name lookup when matching the client's name against ~/.shosts, ~/.rhosts and /etc/hosts.equiv.
"yes" means sshd trusts the name supplied by the client rather than attempting a reverse lookup. The default is "no".

HostKey
Specifies a file containing a private host key. sshd refuses to use a key file that is group- or world-accessible.
The SSH-1 default is /etc/ssh/ssh_host_key.
The SSH-2 defaults are /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key (later releases also load /etc/ssh/ssh_host_ecdsa_key and /etc/ssh/ssh_host_ed25519_key by default).
It is possible to have multiple host key files. "rsa1" keys are used for SSH-1 only; "dsa" and "rsa" keys are used for SSH-2 only.

IgnoreRhosts
Specifies whether .rhosts and .shosts files are ignored in RhostsRSAAuthentication or HostbasedAuthentication.
/etc/hosts.equiv and /etc/shosts.equiv are still used. The default is "yes", which is the recommended setting.

IgnoreUserKnownHosts
Specifies whether sshd should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.
The default is "no". Setting it to "yes" means only the system-wide known host keys are trusted for these methods, which is the safer choice.

KerberosAuthentication
Specifies whether the password provided by the user for PasswordAuthentication is validated through the Kerberos KDC, that is, whether Kerberos authentication is used.
To use this option, the server needs a Kerberos keytab that allows it to verify the KDC's identity. The default is "no".

KerberosGetAFSToken
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory. The default is "no".

KerberosOrLocalPasswd
If password authentication through Kerberos fails, the password is validated via any additional local mechanism such as /etc/passwd.
The default is "yes".

KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache file on logout. The default is "yes".

KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used).
The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys; the key is never stored anywhere.
A value of 0 means the key is never regenerated. The default is 3600 (seconds). SSH-1 only.

ListenAddress
Specifies the local addresses sshd should listen on. The following forms may be used:

ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port

If port is not specified, sshd listens on the address using all ports given by Port directives. The default is to listen on all local addresses.
Multiple ListenAddress directives are permitted. Any Port directives must precede ListenAddress directives that do not carry a port of their own.

LoginGraceTime
The server disconnects after this time if the user has not successfully authenticated. 0 means no limit. The default is 120 seconds.
Keeping this short limits how long an unauthenticated connection can occupy one of the MaxStartups slots.

LogLevel
Gives the verbosity level used when logging messages from sshd. The possible values are:
QUIET, FATAL, ERROR, INFO (default), VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
DEBUG and DEBUG1 are equivalent; DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended. VERBOSE is the useful setting for security monitoring: it records the fingerprint of the public key used for each login, which INFO does not.

MACs
Specifies the message authentication code (MAC) algorithms allowed in protocol version 2 for data integrity protection.
Multiple algorithms must be comma-separated. The default in the release this page describes (which lists every algorithm it supports) is:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Caveat: the MD5-based MACs and the 96-bit truncated variants are weak by modern standards, and later releases dropped them (and hmac-ripemd160) from the defaults. On a current server prefer hmac-sha2-256, hmac-sha2-512 or their encrypt-then-MAC variants (the "-etm@openssh.com" names), where the installed version supports them.

Match
Introduces a conditional block. The block ends at the next Match directive or at the end of the file.
If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the configuration file.
The arguments to Match are one or more "criterion pattern" pairs. The criteria available in this release are: User, Group, Host and Address (Address patterns may also be written in CIDR notation in current releases, and later releases added further criteria such as LocalAddress and LocalPort).
Only the following keywords may be used inside a Match block in this release: AllowTcpForwarding, Banner,
ForceCommand, GatewayPorts, GSSAPIAuthentication,
KbdInteractiveAuthentication, KerberosAuthentication,
PasswordAuthentication, PermitOpen, PermitRootLogin,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
X11Forwarding, X11UseLocalhost
(Later releases allow many more keywords in Match blocks; the sshd_config(5) man page of the installed version lists them.)
Since a Match block can only change settings for connections that satisfy its criteria, keep the global section restrictive and use Match blocks to grant exceptions rather than to tighten an otherwise permissive default.
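The following Python is an added example, not OpenSSH code, that ties the file format from the DESCRIPTION section (keyword/argument pairs, '#' comments, quoted arguments, case-insensitive keywords) to Match resolution. The sample configuration and the two connection contexts are constructed. Address patterns containing '/' are treated as CIDR, and the first-value-wins rules (for repeated global keywords and for overlapping Match blocks) are my reading of sshd's servconf.c behaviour, so compare the result against "sshd -T -C user=...,host=...,addr=..." on the installed version:

```python
"""Parse sshd_config "keyword argument" lines and resolve Match overrides."""
import ipaddress
import re
import shlex

# Constructed sample configuration; not taken from any real host.
SAMPLE_CONFIG = """\
# keywords are case-insensitive, arguments are not
port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
Banner "/etc/issue.net"
AcceptEnv LANG LC_*
AcceptEnv TZ

Match User backup Address 192.0.2.0/24
    ForceCommand /usr/local/bin/backup-only

Match Group devs Host *.corp.example
    AllowTcpForwarding yes
    PasswordAuthentication yes
"""

# Keywords whose repeated lines accumulate instead of first-value-wins.
LIST_KEYWORDS = {"acceptenv", "port", "listenaddress", "hostkey",
                 "allowusers", "denyusers", "allowgroups", "denygroups"}

# Constructed connection contexts (user, groups, resolved hostname, IP).
BACKUP_CTX = {"user": "backup", "groups": ["backup"],
              "host": "nas.corp.example", "address": "192.0.2.10"}
ALICE_CTX = {"user": "alice", "groups": ["alice", "devs"],
             "host": "ws1.corp.example", "address": "198.51.100.7"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); settings map a lower-cased
    keyword to every argument list seen for it, in file order, and each
    match block is a (criteria, settings) pair."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # blank lines and comments
            continue
        tokens = shlex.split(line)              # honours "quoted arguments"
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            if len(args) % 2:
                raise ValueError("Match needs criterion/pattern pairs: " + line)
            criteria = {args[i].lower(): args[i + 1].split(",")
                        for i in range(0, len(args), 2)}
            current = {}
            blocks.append((criteria, current))  # following lines belong here
            continue
        current.setdefault(keyword, []).append(args)
    return global_settings, blocks


def wildcard_match(pattern, value):
    """OpenSSH-style pattern: only '*' and '?' are special."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def criterion_matches(name, patterns, ctx):
    """Evaluate one Match criterion against the connection context."""
    if name == "user":
        return any(wildcard_match(p, ctx["user"]) for p in patterns)
    if name == "group":
        return any(wildcard_match(p, g) for p in patterns for g in ctx["groups"])
    if name == "host":
        return any(wildcard_match(p, ctx["host"]) for p in patterns)
    if name == "address":   # CIDR when it contains '/', otherwise a wildcard
        addr = ipaddress.ip_address(ctx["address"])
        return any(addr in ipaddress.ip_network(p, strict=False) if "/" in p
                   else wildcard_match(p, ctx["address"]) for p in patterns)
    raise ValueError("unsupported Match criterion: " + name)


def effective_settings(text, ctx):
    """Scalar keywords keep their first global value; a matching Match block
    overrides it, and among several matching blocks the first one that sets
    a keyword wins for that keyword (modelled on sshd's servconf.c)."""
    global_settings, blocks = parse_sshd_config(text)
    resolved = {k: (sum(v, []) if k in LIST_KEYWORDS else v[0])
                for k, v in global_settings.items()}
    overridden = set()
    for criteria, settings in blocks:
        if all(criterion_matches(n, p, ctx) for n, p in criteria.items()):
            for keyword, occurrences in settings.items():
                if keyword not in overridden:
                    resolved[keyword] = occurrences[0]
                    overridden.add(keyword)
    return resolved


if __name__ == "__main__":
    for ctx in (BACKUP_CTX, ALICE_CTX):
        print(ctx["user"], effective_settings(SAMPLE_CONFIG, ctx))
```

For the backup user connecting from 192.0.2.10 the first Match block applies, so the session is pinned to the forced command while the restrictive global settings stay in force; for alice, who is in the devs group and connects from a *.corp.example host, only the second block applies and relaxes TCP forwarding and password authentication.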

MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. The default is 6.
Once the number of failures reaches half this value, each additional failure is logged; when the limit is exceeded, the connection is dropped.
Note that every public key the client offers counts as one attempt, so a user with many keys loaded in an agent can exhaust this limit before the right key is tried.

MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. The default is 10.
Additional connections are dropped until authentication succeeds or the LoginGraceTime expires for a connection.
Random early drop can be enabled by giving three colon-separated values "start:rate:full" (for example "10:30:60"): sshd refuses new connections with probability rate/100 (30%) once there are start (10) unauthenticated connections, rising linearly to 100% when their number reaches full (60).

PasswordAuthentication
Specifies whether password authentication is allowed. The default is "yes".

PermitEmptyPasswords
When password authentication is allowed, specifies whether the server allows login to accounts with empty password strings. The default is "no".

PermitOpen
Specifies the destinations to which TCP port forwarding is permitted. Multiple destinations may be specified by separating them with spaces. By default all port forwarding requests are permitted.
The forwarding specification must be one of the following forms:
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
An argument of "any" can be used to remove all restrictions and permit any forwarding request.
Note that PermitOpen only restricts forwards the client opens through the server (ssh -L and -D); it does not restrict remote (ssh -R) forwards.

PermitRootLogin
Specifies whether root can log in using ssh. The argument must be one of the following:
"yes" (the default in this release) allows it; "no" forbids it.
"without-password" disables password authentication for root; public key and other non-password methods still work.
"forced-commands-only" allows public key authentication for root only when a command option has been specified in the authorized_keys entry, so the key can run that command and nothing else (useful for taking remote backups even though root login is otherwise not allowed).
All other authentication methods are disabled for root in that mode.
Later releases renamed "without-password" to "prohibit-password" (the old spelling is still accepted) and made it the default.

PermitTunnel
Specifies whether tun(4) device forwarding is allowed. The argument must be one of:
"yes", "point-to-point" (layer 3), "ethernet" (layer 2) or "no" (the default).
"yes" permits both "point-to-point" and "ethernet".

PermitUserEnvironment
Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd.
The default is "no". Enabling it may allow users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD; this matters in particular for accounts locked down with ForceCommand or a command= key option.

PidFile
Specifies the file that contains the process ID of the SSH daemon. The default is /var/run/sshd.pid.

Port
Specifies the port number that sshd listens on. The default is 22. Multiple Port directives are permitted.
By default sshd listens on all local network interfaces; see ListenAddress to restrict it to particular addresses.

PrintLastLog
Specifies whether sshd should print the date and time of the last user login when a user logs in interactively. The default is "yes".

PrintMotd
Specifies whether sshd should print /etc/motd when a user logs in interactively. The default is "yes".

Protocol
Specifies the protocol versions sshd supports. The possible values are '1' and '2'. Multiple versions must be comma-separated: "2,1" supports both SSH-1 and SSH-2 (the order does not matter).
SSH-1 has known cryptographic weaknesses and should not be enabled; set "Protocol 2". Later OpenSSH releases removed SSH-1 support from the server entirely.

PubkeyAuthentication
Specifies whether public key authentication is allowed. Protocol version 2 only. The default is "yes".

RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed (trusted-host authentication based on the remote host name and the remote user name). Protocol version 1 only.
The RSA host authentication happens first; ~/.rhosts or /etc/hosts.equiv is then consulted.
The default is "no", which is the recommended setting, for the same reason as HostbasedAuthentication.

RSAAuthentication
Specifies whether pure RSA public key authentication is allowed. Protocol version 1 only. The default is "yes".

ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Protocol version 1 only. The default is 768 (bits); the minimum is 512.

StrictModes
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login.
Keep the default "yes": a group- or world-writable ~/.ssh directory or authorized_keys file would let another local user add keys to the account, and this check is what catches that.

Subsystem
Configures an external subsystem (for example, a file transfer daemon). Protocol version 2 only.
The arguments are a subsystem name and the command (with optional arguments) to execute on a request for that subsystem, for example "sftp /usr/libexec/sftp-server" (the sftp-server path varies by distribution).
Later releases also accept the name "internal-sftp" for an in-process SFTP server, which needs no support files in the session's root directory and therefore works inside a ChrootDirectory.

SyslogFacility
Gives the facility code used when logging messages from sshd. The possible values are:
DAEMON, USER, AUTH (default), LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the client. The default is "yes".
They detect dead connections, improper connection shutdown and crashed clients, so that sessions do not hang indefinitely. The keepalives are plain TCP packets outside the encrypted channel, however, so they can be spoofed; see ClientAliveInterval for the protected alternative.
Set to "no" to disable them.

UseDNS
Specifies whether sshd should look up the remote hostname and check that the resolved name maps back to the connecting IP address. The default is "yes" in this release.
The lookup matters only for host-name patterns (USER@HOST in AllowUsers/DenyUsers, Match Host, .rhosts and .shosts) and for logging, and it delays every login when reverse DNS is slow or unavailable. Later releases changed the default to "no".

UseLogin
Specifies whether login(1) is used for interactive login sessions. The default is "no".
If enabled, X11Forwarding is disabled because login(1) does not know how to handle xauth cookies.
Note that login(1) is never used for remote command execution.
If UsePrivilegeSeparation is specified, it is disabled after authentication.
This directive was removed in later OpenSSH releases.

UsePrivilegeSeparation
Specifies whether sshd separates privileges by creating an unprivileged child process to handle incoming network traffic. The default is "yes".
After successful authentication, another process is created that has the privileges of the authenticated user.
The goal is to prevent privilege escalation through a flaw in the code that runs before authentication. Later releases added the value "sandbox" (a further restricted pre-authentication process) and eventually made privilege separation mandatory, removing the directive.

UsePAM
Enables the Pluggable Authentication Module interface. When set to "yes", PAM authentication is performed through ChallengeResponseAuthentication and PasswordAuthentication, and PAM account and session modules run for every authentication type, including public key logins. The default is "no".
Because PAM authentication is driven through the keyboard-interactive method, setting PasswordAuthentication to "no" while UsePAM is "yes" does not stop password logins unless ChallengeResponseAuthentication is also "no".
Reference: http://www.linuxfly.org/post/176/

X11DisplayOffset
Specifies the first display number available for sshd's X11 forwarding. The default is 10.
This prevents sshd from interfering with real X11 servers.

X11Forwarding
Specifies whether X11 forwarding is permitted. The default is "no"; "yes" enables it.
When X11 forwarding is enabled, there may be additional exposure if the sshd proxy display is configured to listen on the wildcard address (see X11UseLocalhost), although this is not the default. The default of "no" reflects the risks of X11 forwarding: a compromised remote X client can read and inject input on the forwarded display.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X11 forwarding is automatically disabled if UseLogin is enabled.

X11UseLocalhost
Specifies whether sshd should bind the X11 forwarding server to the loopback address or to the wildcard address. The default is "yes".
By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost".
This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration.
X11UseLocalhost may be set to "no" for compatibility with those clients, which binds the forwarding server to the wildcard address.

XAuthLocation
Specifies the full pathname of the xauth(1) program. The default is /usr/X11R6/bin/xauth.

TIME FORMATS
Time values used in sshd command-line arguments and configuration files may be expressed as a sequence of elements of the form time[qualifier],
where time is a positive integer and qualifier is one of the following units:
<none>   seconds
s | S    seconds
m | M    minutes
h | H    hours
d | D    days
w | W    weeks

The elements of a sequence are added together to give the total time value, for example:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
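An added parser for this notation, written for illustration rather than taken from OpenSSH (whose convtime() routine does the same job in C); the input strings are constructed. It sums the elements and rejects anything outside the grammar, which is the part worth getting right when a configuration-management tool generates values such as LoginGraceTime:

```python
"""Parse sshd's time[qualifier] notation (LoginGraceTime, ClientAliveInterval...)."""
import re

SECONDS_PER_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_ELEMENT = re.compile(r"(\d+)([smhdwSMHDW]?)")   # one "time[qualifier]" element


def parse_sshd_time(spec):
    """Convert a specification such as '1h30m' to a number of seconds.

    Elements are summed; an element without a qualifier is in seconds.
    Raises ValueError for input sshd would reject: an empty string, a
    qualifier with no number in front of it, or any other stray character.
    """
    if not spec:
        raise ValueError("empty time specification")
    pos, total = 0, 0
    while pos < len(spec):
        element = _ELEMENT.match(spec, pos)
        if element is None:
            raise ValueError(f"bad time specification {spec!r} at offset {pos}")
        number, qualifier = element.groups()
        total += int(number) * SECONDS_PER_UNIT[qualifier.lower()]
        pos = element.end()
    return total


def is_valid_sshd_time(spec):
    """True if parse_sshd_time() accepts spec."""
    try:
        parse_sshd_time(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for spec in ("600", "10m", "1h30m", "2D", "1w3d"):   # constructed inputs
        print(spec, "=", parse_sshd_time(spec), "seconds")
```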
