开源中文网

您的位置: 首页 > OpenBSD > 正文

sshd_config 设置

来源:  作者:

# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $ 
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.42.2.1 2005/09/11 16:50:35 des Exp $ 

# This is the sshd server system-wide configuration file. See 
# sshd_config(5) for more information. 

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 

# The strategy used for options in the default sshd_config shipped with 
# OpenSSH is to specify options with their default value where 
# possible, but leave them commented. Uncommented options change a 
# default value. 

# Note that some of FreeBSD's defaults differ from OpenBSD's, and 
# FreeBSD has a few additional options. 

#VersionAddendum FreeBSD-20050903 

Port 22 
Protocol 2 
AddressFamily any 
ListenAddress 172.16.8.95 
#ListenAddress :: 

#HostKey for protocol version 1 
#HostKey /etc/ssh/ssh_host_key 
#HostKeys for protocol version 2 
#HostKey /etc/ssh/ssh_host_dsa_key 

# Lifetime and size of ephemeral version 1 server key 
#KeyRegenerationInterval 1h 
#ServerKeyBits 768 

# Logging 
# obsoletes QuietMode and FascistLogging 
#SyslogFacility AUTH 
#LogLevel INFO 

# Authentication: 

#LoginGraceTime 2m 
PermitRootLogin yes 
#StrictModes yes 
#MaxAuthTries 6 

#RSAAuthentication yes 
#PubkeyAuthentication yes 
#AuthorizedKeysFile .ssh/authorized_keys 

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
#RhostsRSAAuthentication no 
# similar for protocol version 2 
#HostbasedAuthentication no 
# Change to yes if you don't trust ~/.ssh/known_hosts for 
# RhostsRSAAuthentication and HostbasedAuthentication 
#IgnoreUserKnownHosts no 
# Don't read the user's ~/.rhosts and ~/.shosts files 
#IgnoreRhosts yes 

# Change to yes to enable built-in password authentication. 
PasswordAuthentication yes 
PermitEmptyPasswords yes 
UseDNS no 

# Change to no to disable PAM authentication 
ChallengeResponseAuthentication yes 

# Kerberos options 
#KerberosAuthentication no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes 
#KerberosGetAFSToken no 

# GSSAPI options 
#GSSAPIAuthentication no 
#GSSAPICleanupCredentials yes 

# Set this to 'no' to disable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no 
#UsePAM no 

#AllowTcpForwarding yes 
#GatewayPorts no 
#X11Forwarding yes 
#X11DisplayOffset 10 
#X11UseLocalhost yes 
#PrintMotd yes 
#PrintLastLog yes 
#TCPKeepAlive yes 
#UseLogin no 
#UsePrivilegeSeparation yes 
PermitUserEnvironment no 
#Compression delayed 
#ClientAliveInterval 0 
#ClientAliveCountMax 3 
#UseDNS yes 
#PidFile /var/run/sshd.pid 
#MaxStartups 10 

# no default banner path 
#Banner /some/path 

# override default of no subsystems 
Subsystem sftp /usr/libexec/sftp-server 

==================================================================== 
中文解释: 


#服务器端配置 /etc/ssh/sshd_config 
#只考虑协议版本2 

#全局配置 
VersionAddendum TecZm-20050505 #在telnet ip 22时只能看出openssh的版本,看不出OS 
Protocol 2 #使用协议版本2 
Port 22 #sshd监听22端口 
ListenAddress 192.168.7.1 #sshd只监听目标ip为192.168.7.1的请求 
AllowGroups wheel myguest #允许wheel组和myguest组的用户登录 
AllowUsers teczm authen@192.168.8.5 #允许来自以上组的teczm用户和authen用户登录, 
#且authen用户只能从主机192.168.8.5登录 
#DenyGroups #拒绝登录的组,参数设置和AllowGroups一样 
#DenyUsers #拒绝登录的用户,参数设置和AllowUsers一样 
#AllowTcpForwarding yes #是否转发的TCP包都被允许。默认是 ``yes''。 
LoginGraceTime 60 #60秒内客户端不能登录即登录超时,sshd切断连接。 
KeyRegenerationInterval 1800 #1800秒(30分钟)后自动重新生成服务器的密匙。 
MaxStartups 3 #设置同时发生的未验证的并发量,即同时可以有几个 
UseDNS no #不使用DNS查询客户端。 
PermitRootLogin no #不允许root登录,root可由wheel组用户登录后su。 
X11Forwarding no #禁止用户运行远程主机上的X程序,我没有X,所以无所谓。 
UseLogin yes #禁止X11Forwarding 

#认证配置(口令认证、PAM认证、非对称密钥认证任选其一) 

#口令认证 
PubkeyAuthentication no #不使用非对称密钥认证 
PasswordAuthentication yes #使用口令认证 
PermitEmptyPasswords no #不允许使用空密码的用户登录 


#非对称密钥认证 
PasswordAuthentication no #不使用口令认证 
PubkeyAuthentication yes #使用非对称密钥认证 
UsePam no #yes的话非对称密钥验证失败,仍然可用口令登录 
AuthorizedKeysFile .ssh/authorized_keys #用户认证使用的公钥。 

Subsystem sftp /usr/libexec/sftp-server

Tags:
相关文章列表:
关于开源中文网 - 联系我们 - 广告服务 - 网站地图 - 版权声明