Annotated sshd_config
#Port 22 <==Default ssh port; in production it is recommended to change it to a five-digit port
#AddressFamily any <==Address family; any means listen on both IPv4 and IPv6 addresses
#ListenAddress 0.0.0.0 <==Listen on all local IPv4 addresses
#ListenAddress :: <==Listen on all local IPv6 addresses
HostKey /etc/ssh/ssh_host_rsa_key <==Path to the RSA host private key used by sshd
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key <==Path to the ECDSA host private key used by sshd
HostKey /etc/ssh/ssh_host_ed25519_key <==Path to the ED25519 host private key used by sshd
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV <==The syslog facility code used when logging messages from sshd
#LogLevel INFO <==Log verbosity level; default is INFO
# Authentication:
#LoginGraceTime 2m <==Limits the time a user has to complete authentication to 2 minutes
#PermitRootLogin yes <==Whether the root account may log in over ssh; in production it is recommended to set this to no and log in with an ordinary account
#StrictModes yes <==Whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request; recommended to keep enabled
#MaxAuthTries 6 <==Maximum number of authentication attempts allowed per connection; default is 6
#MaxSessions 10 <==Maximum number of open sessions allowed; default is 10
#PubkeyAuthentication yes <==Whether public-key authentication is enabled
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys <==Path to the file of authorized public keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication <==Whether the server performs a reverse DNS lookup when matching remote host names against ~/.shosts, ~/.rhosts and /etc/hosts.equiv
#IgnoreUserKnownHosts no <==Whether to ignore the user's ~/.ssh/known_hosts file during RhostsRSAAuthentication or HostbasedAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes <==Whether to ignore .rhosts and .shosts files during RhostsRSAAuthentication or HostbasedAuthentication
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no <==Whether empty passwords are allowed
PasswordAuthentication yes <==Whether password authentication is allowed; in production it is recommended to set this to no and log in with keys only
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no <==Whether challenge-response authentication is allowed
# Kerberos options
#KerberosAuthentication no <==Whether Kerberos authentication is used
#KerberosOrLocalPasswd yes <==If Kerberos password authentication fails, the password is also checked against other authentication mechanisms (such as /etc/passwd)
#KerberosTicketCleanup yes <==Whether the user's ticket is destroyed automatically when the user logs out
#KerberosGetAFSToken no <==If AFS is in use and the user holds a Kerberos 5 TGT, enabling this makes sshd try to acquire an AFS token before accessing the user's home directory
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes <==Whether GSSAPI-based user authentication is allowed
GSSAPICleanupCredentials no <==Whether the user's credential cache is destroyed automatically when the user logs out
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes <==Whether authentication goes through PAM
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no <==Whether remote hosts may connect to ports forwarded on the local side
X11Forwarding yes <==Whether X11 forwarding is allowed
#X11DisplayOffset 10 <==The first display number available for sshd(8) X11 forwarding; default is 10
#X11UseLocalhost yes <==Whether the X11 forwarding server is bound to the local loopback address
#PermitTTY yes
#PrintMotd yes <==Whether sshd(8) prints the contents of /etc/motd on every interactive login
#PrintLastLog yes <==Whether sshd(8) prints the user's last login time on every interactive login
#TCPKeepAlive yes <==Whether the system sends TCP keepalive messages to the client
#UseLogin no <==Whether login(1) is used for interactive login sessions
#UsePrivilegeSeparation sandbox <==Whether sshd(8) separates privileges by creating an unprivileged child process to handle incoming requests
#PermitUserEnvironment no <==Whether sshd(8) processes ~/.ssh/environment and the environment= options in ~/.ssh/authorized_keys
#Compression delayed <==Whether session data is compressed, or whether compression is delayed until after authentication succeeds
#ClientAliveInterval 0 <==Seconds of client inactivity after which sshd(8) sends a client-alive message; 0 means no such messages are sent
#ClientAliveCountMax 3 <==Maximum number of client-alive messages sshd(8) sends without receiving any response from the client; default is 3
#ShowPatchLevel no
#UseDNS no <==Whether reverse DNS lookups are performed
#PidFile /var/run/sshd.pid <==Path of the file holding the SSH daemon's process ID
#MaxStartups 10:30:100 <==Maximum number of concurrent unauthenticated connections allowed
#PermitTunnel no <==Whether tun(4) device forwarding is allowed
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none <==The contents of the specified file are shown to the remote user before authentication; by default nothing is shown, and "none" disables this feature
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server <==Configures the external sftp subsystem and its path
# Example of overriding settings on a per-user basis
#Match User anoncvs <==Introduces a conditional block, which ends at the next Match directive or at the end of the file
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
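The annotations above recommend a non-default Port, PermitRootLogin no and PasswordAuthentication no for production, and note that a Match block runs to the next Match or the end of the file. Two parsing rules of sshd_config decide whether such a hardening line actually takes effect: for each keyword sshd uses the first uncommented value it finds, so a later duplicate is ignored, and anything placed after a Match block is conditional rather than global. The following auditor is an added example, not part of the original page or of OpenSSH; it assumes the plain "Keyword value" syntax shown above (no Keyword=value form, no Include directives), lowercases values for comparison, and the file paths it is given are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config against the
# production recommendations in the annotations above. It applies two rules of
# sshd_config parsing that matter for hardening:
#   1. for each keyword the FIRST uncommented value in the file wins, so a
#      hardened line appended at the end does not override an earlier one;
#   2. a Match block extends to the next Match or the end of the file, so any
#      line placed after it is conditional, not global.
# Assumptions: "Keyword value" syntax only (no Keyword=value, no Include);
# values are compared in lowercase.

# effective_value FILE KEYWORD
# Prints the global value sshd would use for KEYWORD (case-insensitive), or the
# word DEFAULT when no active global line sets it.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }                                 # comment line
        /^[ \t]*$/ { next }                                 # blank line
        tolower($1) == "match" { in_match = 1; next }       # start of Match block
        in_match { next }                                   # conditional, not global
        tolower($1) == key && val == "" { val = tolower($2) }   # first occurrence wins
        END { print (val == "" ? "DEFAULT" : val) }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one "WARN ..." line per setting that departs from the recommendations
# and prints nothing when the file passes. Port may legitimately appear more
# than once; only the first listener is checked here.
audit_sshd_config() {
    port=$(effective_value "$1" Port)
    case "$port" in
        DEFAULT|22) echo "WARN Port is $port; a non-default port is recommended" ;;
    esac
    root=$(effective_value "$1" PermitRootLogin)
    if [ "$root" != no ]; then
        echo "WARN PermitRootLogin is $root; recommended value is no"
    fi
    pw=$(effective_value "$1" PasswordAuthentication)
    if [ "$pw" != no ]; then
        echo "WARN PasswordAuthentication is $pw; recommended value is no (key-only login)"
    fi
    empty=$(effective_value "$1" PermitEmptyPasswords)
    if [ "$empty" = yes ]; then
        echo "WARN PermitEmptyPasswords is yes"
    fi
    return 0
}

# Constructed sample config (not a real host's file): the root-login hardening
# line was appended after a Match block and a second PasswordAuthentication
# line was added last. Neither changes the global setting sshd uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
audit_sshd_config "$sample"
# Expected: two WARN lines, for Port (DEFAULT) and PermitRootLogin (yes); no
# warning for PasswordAuthentication because the first value, no, is used.
rm -f "$sample"
```

Running the auditor against a live system is only meaningful on the file sshd actually reads (normally /etc/ssh/sshd_config); `sshd -T` prints the fully resolved configuration if you need to confirm what the daemon itself computed.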