ssh_config sshd_config differences and some settings

ssh_config and sshd_config are both ssh configuration files. The difference between the two is that ssh_config is the configuration file for the client, while sshd_config is the configuration file for the server side. Each file lets you set options that change how its program operates.

The ssh_config file begins with:
# This is the ssh client system-wide configuration file.

The sshd_config file begins with:
# This is the sshd server system-wide configuration file.  See sshd_config(5) for more information.

sshd_config configuration

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
**#ListenAddress ::**

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
**#PermitRootLogin prohibit-password
PermitRootLogin yes**
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
**#PasswordAuthentication yes**
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Some of the bold lines concern authentication.
#PasswordAuthentication yes controls whether passwords are used.
#PermitRootLogin prohibit-password means root is prohibited from using a password; remove the comment marker and restart sshd for it to take effect.
PermitRootLogin yes controls whether root can log in.
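
To see which of these lines sshd actually acts on, the sketch below reads only the uncommented directives. It is an added example, not part of the original post: the function names `active_value` and `root_login_status` are hypothetical, the sample file is constructed from the listing above, and the fallback defaults are the ones shown in its commented lines.

```shell
#!/bin/sh
# Added example: lines starting with '#' only document defaults; sshd ignores them.

# Print the first active value of KEYWORD ($2) in FILE ($1), global section only.
# sshd keywords are case-insensitive and the first value obtained wins.
active_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/   { next }   # skip blank lines and comments
        tolower($1) == "match" { exit }   # stop at conditional Match blocks
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^ +/, ""); print; exit
        }' "$1"
}

# Summarise root login exposure from the active lines only.
# Keyboard-interactive authentication through PAM is not examined here.
root_login_status() {
    root=$(active_value "$1" PermitRootLogin)
    pass=$(active_value "$1" PasswordAuthentication)
    # Unset keywords fall back to the defaults shown in the commented lines.
    : "${root:=prohibit-password}" "${pass:=yes}"
    case "$root" in
        yes) [ "$pass" = no ] && echo "root: allowed, password auth off" \
                              || echo "root: password login allowed" ;;
        prohibit-password|without-password) echo "root: keys only" ;;
        no)  echo "root: login disabled" ;;
        *)   echo "root: $root" ;;
    esac
}

# Constructed sample: authentication lines copied from the listing above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

root_login_status "$sample"
```

On a live host, `sshd -t` checks the file for errors before a restart and `sshd -T` prints the effective configuration as sshd itself resolves it.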

About the UseDNS option: the default is no, so there is no need to remove the comment.
If it is enabled, the server first performs a reverse DNS PTR lookup on the client's IP address to get the client's host name, then performs a forward DNS A record lookup on that host name and verifies that the result matches the original IP address. This check is meant to guard against client spoofing. Our addresses are usually dynamic IPs without a PTR record, so turning this option on has little effect.

#ListenAddress 0.0.0.0 sets the IP address that the sshd server binds to.
You can change this to your own IP address, which of course should be a fixed external (public) IP. If the machine only has a LAN address beginning with 192.168, it can only be used within the LAN and should not be filled in as the server address, unless it is a LAN-only server; a LAN needs less stringent security controls.

#PubkeyAuthentication yes: the default is yes, so you do not need to remove the comment. I tried it: key login works whether or not the comment is removed before restarting sshd.

Restart ssh:
systemctl restart sshd.service

Origin blog.csdn.net/misisippi68/article/details/105005776