Remotely Manage Linux Servers with OpenSSH

An Introduction to OpenSSH

        SSH transmits data over the network as ciphertext to achieve a higher level of security. It is a secure alternative to the Telnet service. sshd is the server-side daemon process of OpenSSH. There are many corresponding client programs for Windows; commonly used ones include SecureCRT, Xshell and PuTTY. Remote connections to a Linux system through SecureCRT are not affected by network speed and bandwidth: whether you use fiber-optic or broadband dial-up Internet access, you can connect, operate and maintain the system easily.

        OpenSSH is installed by default in the CentOS Linux distribution. It is generally installed in /etc/ssh, and the corresponding server configuration file is /etc/ssh/sshd_config. Taking CentOS 7 as an example, the following section describes the meaning of each option in the sshd_config configuration file.
 
Two: Common sshd_config configuration options
//"Port" is used to set the port that sshd listens on. If it is not modified, the default is port 22.
#Port 22
 
//ListenAddress is used to set the IP address that the sshd server binds to. No special settings are required; keep the default.
#ListenAddress 0.0.0.0
 
//Sets the SSH protocol version used. The default is SSH2. SSH1 is also available, but it has a very low security level and is basically not used.
#Protocol 2
 
//HostKey is used to set the path of the server key file; keep the default.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
 
//Used to set the interval after which the system automatically regenerates the server key.
#KeyRegenerationInterval 1h
 
//Used to define the length of the server key, the default is 1024 bits
#ServerKeyBits 1024
 
//Used to set the "facility code" given when logging messages from sshd.
SyslogFacility AUTHPRIV
 
//Used to set the sshd log message level
#LogLevel INFO
 
//Used to set the time, in seconds, that the server needs to wait before cutting off the connection if the user fails to log in.
#LoginGraceTime 2m
 
//Used to set whether the superuser root can log in over SSH. Remote root login to Linux is very dangerous, so it is recommended to set this option to no when logging in to the Linux system remotely through SSH.
#PermitRootLogin yes
 
//Used to set whether to check the permissions and ownership of the user's home directory and rhosts file before accepting an SSH login request. It is recommended to set this option to yes.
#StrictModes yes
 
//Used to set whether to enable RSA key verification. If the RSA key login method is used, enable this option.
#RSAAuthentication yes
 
//Used to set whether to enable public key authentication. If public key authentication is used to log in, enable this option.
#PubkeyAuthentication yes
 
//Used to set the path of the public key file, used in conjunction with PubkeyAuthentication.
AuthorizedKeysFile .ssh/authorized_keys
 
//Used to set whether SSH ignores the user's $HOME/.ssh/known_hosts file when performing security authentication.
#IgnoreUserKnownHosts no
 
//Used to set whether to use the ~/.rhosts and ~/.shosts files when verifying.
#IgnoreRhosts yes
 
//Used to set whether to enable password authentication. If a password is used to log in to the system, set this to yes.
#PasswordAuthentication yes
 
//Used to set whether to allow the account with an empty password to log in to the system.
#PermitEmptyPasswords no
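
The recommendations above can be checked mechanically. The following Python script is an added example, not part of the original article: it parses an sshd_config and reports where the effective global values differ from the article's recommendations. The CHECKS table, the function names and the SAMPLE text are assumptions made for illustration, and the defaults are taken from the commented-out values listed above.

```python
# directive: (default, recommended, risk when not at the recommended value)
# Defaults are assumed from the commented-out CentOS 7 values shown above.
CHECKS = {
    "permitrootlogin": ("yes", "no", "remote root login is allowed"),
    "strictmodes": ("yes", "yes", "home directory and file permissions are not checked"),
    "permitemptypasswords": ("no", "no", "accounts with empty passwords can log in"),
    "protocol": ("2", "2", "SSH1 is enabled"),
}


def effective_settings(text):
    """Return the global value sshd would use for each audited directive."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "#PermitRootLogin yes" is a comment, so the default applies
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # directives after Match are conditional, not global
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # sshd uses the first value it reads
    return {k: seen.get(k, default) for k, (default, _, _) in CHECKS.items()}


def audit(text):
    """Return sorted (directive, effective value, risk) for each deviation."""
    eff = effective_settings(text)
    return sorted((k, eff[k], risk) for k, (_, want, risk) in CHECKS.items()
                  if eff[k] != want)


# Constructed sample: root login is left at the commented-out default, and
# PermitEmptyPasswords appears twice, so the first (unsafe) value is used.
SAMPLE = """\
#PermitRootLogin yes
StrictModes yes
permitemptypasswords yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, value, risk in audit(SAMPLE):
        print(f"{name} = {value}: {risk}")
```

On a live server, running sshd -t checks the edited file for syntax errors before the daemon is restarted.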
 
Three: Notes
After finishing the sshd_config configuration, restart the sshd daemon so that the changes take effect.
systemctl restart sshd
To have sshd start automatically at boot, run the following command.
systemctl enable sshd

 
