The sshd_config file in Linux, annotated in detail for easy configuration

# If you want to change the port on a SELinux system, you have to tell SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER Adds the new port to the SELinux policy, where PORTNUMBER is the port number to add. This command tells SELinux to label the specified port with the type ssh_port_t so that the SSH service is allowed to use that port under the SELinux policy. Make sure the semanage tool is installed and that you have the permissions needed to run the command.
#Port 22 Port configuration item; while it is commented out, the default SSH port, 22, is used. To change the port used for SSH connections, uncomment this line and set it to the port number you want.
#AddressFamily any AddressFamily configuration item; while it is commented out, connections from any address family are allowed. By default, the SSH server accepts connections over both IPv4 and IPv6. To restrict connections to only one of them, uncomment this line and set it to the IPv4 or the IPv6 family.
#ListenAddress 0.0.0.0 ListenAddress configuration item; while it is commented out, connections are accepted on all network interfaces. By default, the SSH server listens on every available network interface. To restrict connections to one specific interface, uncomment this line and set it to the corresponding IP address.
#ListenAddress :: ListenAddress configuration item; while it is commented out, connections are accepted on all IPv6 addresses. By default, the SSH server listens on every available IPv6 address. To restrict connections to specific IPv6 addresses, uncomment this line and set it to the corresponding IPv6 address.
HostKey /etc/ssh/ssh_host_rsa_key Specifies the path to the RSA host key file used by the SSH server. The RSA host key is used to protect the communication during the SSH connection process and so secure the connection.
HostKey /etc/ssh/ssh_host_ecdsa_key Specifies the path to the ECDSA host key file used by the SSH server. The ECDSA host key is likewise used to protect the communication during the SSH connection process. ECDSA keys offer higher security with a shorter key length than RSA keys.
HostKey /etc/ssh/ssh_host_ed25519_key Specifies the path to the Ed25519 host key file used by the SSH server. The Ed25519 host key is likewise used to protect the communication during the SSH connection process. Ed25519 keys offer higher security with shorter key lengths than both RSA and ECDSA keys.
# Ciphers and keying Configuration items related to ciphers and keying. By default, the SSHD server uses its default encryption algorithms and key negotiation method. To customize the encryption algorithms and key negotiation method, uncomment and set the corresponding configuration items.
#RekeyLimit default none RekeyLimit configuration item. By default, rekey negotiation for SSH connections is disabled. To enable re-keying and set limits on it, uncomment this line and set the corresponding values.
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
# Logging Log-related configuration items. By default, the SSH server sends its log information to the system log (syslog) facility.
#SyslogFacility AUTH SyslogFacility configuration item. By default, the SSH server sends its log information to the AUTH facility of the system log. The AUTH facility records log information related to authentication and authorization.
SyslogFacility AUTHPRIV Specifies the AUTHPRIV facility as the destination for the SSH server's log information in the system log. The AUTHPRIV facility is similar to AUTH and also records log information related to authentication and authorization, but provides stronger security and privacy protection.
#LogLevel INFO LogLevel configuration item. By default, the SSH server's log level is INFO, which records important system events and connection details. For more detailed logging from the SSH server, uncomment this line and set a more verbose level, such as DEBUG.
# Authentication: Authentication-related configuration items. By default, the SSH server uses its default authentication settings.
#LoginGraceTime 2m LoginGraceTime configuration item; by default, the SSH server's login grace time is 2 minutes. The login grace time is the period after the connection is established within which the client must complete authentication. If authentication has not completed when the grace time expires, the server disconnects.
PermitRootLogin yes Specifies that the root user is allowed to log in via SSH. By default, this option is commented out, which disables root login via SSH. When uncommented and set to "yes", the root user is allowed to log in via SSH.
#StrictModes yes StrictModes configuration item. By default, the SSH server has StrictModes enabled. StrictModes enforces stricter permission checks, including checks on the permissions of the user's home directory and .ssh directory.
#MaxAuthTries 6 MaxAuthTries configuration item; by default, the SSH server allows at most 6 authentication attempts. If authentication has not succeeded after that many attempts, the server disconnects.
#MaxSessions 10 MaxSessions configuration item; by default, the SSH server allows at most 10 sessions. MaxSessions limits the number of SSH sessions that are active at the same time; once that number is reached, new SSH sessions are refused.
#PubkeyAuthentication yes PubkeyAuthentication configuration item; by default, the SSH server enables public key authentication. Public key authentication is a key-pair-based authentication method that replaces traditional password authentication.
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys Specifies the path of the file holding the authorized keys. By default, the public key authorization file is .ssh/authorized_keys, i.e. the authorized_keys file in the .ssh folder under the user's home directory. This file contains the list of public keys that are allowed to log in to the server.
#AuthorizedPrincipalsFile none Principals-based authorization. Principals are a more flexible authorization mechanism that can use different authorization files to control different users or hosts.
#AuthorizedKeysCommand none Use an external command to obtain authorized keys. If this option is enabled, sshd runs the specified command to obtain the user's public keys instead of reading them from the authorized_keys file.
#AuthorizedKeysCommandUser nobody Runs the command specified by AuthorizedKeysCommand as the default user "nobody". Change this option to specify a different user to run the command as.
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no Enables host-based authentication. Host-based authentication authenticates users through trust relationships between hosts.
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no By default, the user's known_hosts file is not ignored. The known_hosts file stores the public keys of known hosts and is used to verify host identity.
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes By default, the user's .rhosts and .shosts files are not ignored. These two files are used for Rhosts-based authentication.
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes By default, password authentication is enabled, allowing users to authenticate with a password.
#PermitEmptyPasswords no By default, users are not allowed to authenticate with an empty password.
PasswordAuthentication yes Enables password authentication; a password can be used for SSH authentication.
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes By default, challenge-response authentication is enabled. Challenge-response authentication authenticates with a password combined with a randomly generated challenge.
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no By default, Kerberos authentication is disabled.
#KerberosOrLocalPasswd yes By default, authentication uses a Kerberos ticket and falls back to the local password if that fails.
#KerberosTicketCleanup yes By default, Kerberos tickets are cleaned up when the user's session ends.
#KerberosGetAFSToken no By default, obtaining an AFS token is disabled.
# GSSAPI options
GSSAPIAuthentication yes By default, GSSAPI authentication is enabled. GSSAPI is a credential-based authentication mechanism that uses security protocols such as Kerberos to complete the authentication process.
GSSAPICleanupCredentials no By default, GSSAPI credentials are cleaned up when the user's session ends.
#GSSAPIStrictAcceptorCheck yes By default, strict acceptor checking is disabled.
#GSSAPIKeyExchange no By default, GSSAPI key exchange is disabled.
#GSSAPIEnablek5users no By default, k5users support is disabled.
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes By default, PAM authentication, account processing and session processing are enabled.
#AllowAgentForwarding yes By default, agent forwarding is not allowed.
#AllowTcpForwarding yes By default, TCP forwarding is not allowed.
#GatewayPorts no By default, gateway ports are disabled.
X11Forwarding yes By default, X11 forwarding is enabled. X11 forwarding allows the remote server's graphical interface to be displayed over the SSH connection.
#X11DisplayOffset 10 By default, the X11 display offset is 10.
#X11UseLocalhost yes By default, use of localhost is disabled.
#PermitTTY yes By default, a TTY is permitted.
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no By default, printing the welcome message is disabled.
#PrintLastLog yes By default, printing the last login information is enabled.
#TCPKeepAlive yes By default, TCP keepalive on connections is disabled.
#PermitUserEnvironment no By default, user environment variables are disabled.
#Compression delayed
#ClientAliveInterval 0 By default, the client alive interval is 0.
#ClientAliveCountMax 3 By default, the maximum client alive count is 3.
#UseDNS no By default, DNS is disabled.
#PidFile /var/run/sshd.pid By default, the PID file is located at "/var/run/sshd.pid".
#MaxStartups 10:30:100 By default, the maximum number of startups is 10:30:100.
#PermitTunnel no By default, tunneling is disabled.
#ChrootDirectory none By default, the root directory is not restricted.
#VersionAddendum none By default, the version addendum is empty.
# no default banner path
#Banner none By default, no banner is set.
# Accept locale-related environment variables By default, a set of locale-related environment variables is accepted.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server Overrides the default of no subsystems and sets the path of the sftp subsystem.
# Example of overriding settings on a per-user basis
#Match User anoncvs By default, there is no configuration for a specific user; the lines below can set various parameters for one user, such as whether X11 forwarding is allowed, whether TCP forwarding is allowed, whether a TTY is allowed, a forced command, and so on.
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
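To make the resolution rules that matter for this file concrete (a commented line only documents a default, the first value sshd obtains for a keyword is the one it applies, and a Match block overrides the global value only for the matching user), here is an added Python example that is not part of the original post; the sample config and the RISKY table are constructed for illustration.

```python
"""Resolve an sshd_config the way sshd(8) does: comment lines are ignored, the
FIRST value obtained for a keyword wins (later duplicates are dropped), and a
directive under a Match block overrides the global value only when the block matches."""
import shlex

# Constructed sample modelled on the annotated file above, not the real file.
SAMPLE_CONFIG = """
#Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
# appended later by an admin: ignored, the first PermitRootLogin above wins
PermitRootLogin no
Match User anoncvs
        X11Forwarding no
        AllowTcpForwarding no
        PermitTTY no
        ForceCommand cvs server
"""

# keyword (lower-cased, as sshd compares them) -> value this audit treats as risky
RISKY = {"permitrootlogin": "yes", "passwordauthentication": "yes",
         "permitemptypasswords": "yes", "x11forwarding": "yes"}

def effective_config(text, user=None):
    """Return {keyword: value} as applied to a login by `user` (None: no Match)."""
    global_opts, match_opts, criteria = {}, {}, None   # criteria None = global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                           # blank/commented lines only document defaults
        parts = shlex.split(line)
        key, value = parts[0].lower(), " ".join(parts[1:])
        if key == "match":
            criteria = dict(zip(parts[1::2], parts[2::2]))  # e.g. {"User": "anoncvs"}
            continue
        if criteria is None:
            global_opts.setdefault(key, value)  # first obtained value wins
        elif user is not None and criteria.get("User") == user:
            match_opts.setdefault(key, value)   # first matching block wins, too
    return {**global_opts, **match_opts}        # Match values override global ones

def audit(text, user=None):
    cfg = effective_config(text, user)
    return sorted(k for k, bad in RISKY.items() if cfg.get(k, "").lower() == bad)
```

Running `audit(SAMPLE_CONFIG)` flags PermitRootLogin, PasswordAuthentication and X11Forwarding, while `audit(SAMPLE_CONFIG, "anoncvs")` no longer flags X11Forwarding because the Match block turns it off for that user.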

Origin blog.csdn.net/bairimeng16/article/details/132849493