Detailed Explanation of sshd_config File Parameters

The file path is /etc/ssh/sshd_config.

Parameter details:

Here are explanations of some common parameters in the sshd_config file:

1. Include /etc/ssh/sshd_config.d/*.conf

  • Meaning: Includes every file ending in .conf in the /etc/ssh/sshd_config.d/ directory, so the configuration can be split across multiple files for easier management and maintenance.
  • Effect: Makes the configuration modular and makes it easier to add or change settings for different scenarios.

2. PermitRootLogin yes

  • Meaning: Allows the root user to log in via SSH.
  • Effect: If set to yes, the root user can log in with a password or a key. If set to prohibit-password (without-password is the older, deprecated spelling of the same value), the root user can log in only with a key and never with a password. If set to no, the root user cannot log in via SSH at all.

3. AuthorizedKeysFile .ssh/authorized_keys

  • Meaning: Specifies the path of the file that stores authorized public keys.
  • Effect: By default, SSH looks for authorized public keys in the user's ~/.ssh/authorized_keys file. This file lists the public keys that are allowed to log in.

4. PasswordAuthentication yes

  • Meaning: Whether to allow authentication with a password.
  • Effect: If set to yes, users may log in with a password. If set to no, password logins are refused and only keys or other authentication methods can be used.

5. PermitEmptyPasswords no

  • Meaning: Whether to allow login with empty passwords.
  • Effect: If set to yes, login with an empty password is allowed. If set to no, login with an empty password is not allowed. For security reasons, it is generally recommended to set this to no.

6. KbdInteractiveAuthentication yes

  • Meaning: Whether to allow keyboard-interactive authentication.
  • Effect: If set to yes, keyboard-interactive authentication, such as PAM (Pluggable Authentication Modules) authentication, is allowed. This is often used for multi-factor authentication.

7. UsePAM no

  • Meaning: Whether to use PAM for authentication, account processing, and session handling.
  • Effect: If set to yes, SSH will use PAM for authentication. This allows for more complex authentication policies through PAM configuration files, such as multi-factor authentication and account locking. If set to no, PAM is not used.

8. Subsystem sftp /usr/lib/ssh/sftp-server

  • Meaning: Defines the SFTP subsystem.
  • Effect: Specifies the path to the SFTP service. SFTP is the SSH File Transfer Protocol used for securely transferring files. /usr/lib/ssh/sftp-server is the default path for the SFTP server.

9. Match User anoncvs

  • Meaning: Matches configurations for specific users or user groups.
  • Effect: Specific configurations can be set for certain users or user groups. For example, X11 forwarding, TCP forwarding, or TTY allocation can be disabled for a specific user.

10. X11Forwarding no

  • Meaning: Whether to enable X11 forwarding.
  • Effect: If set to yes, X11 graphical interface forwarding is allowed via SSH. This is useful for running graphical applications remotely. If set to no, X11 forwarding is prohibited.

11. AllowTcpForwarding yes

  • Meaning: Whether to allow TCP forwarding.
  • Effect: If set to yes, TCP connections can be forwarded via SSH. This is useful for setting up port forwarding. If set to no, TCP forwarding is prohibited.

12. PermitTTY yes

  • Meaning: Whether to allow TTY allocation.
  • Effect: If set to yes, a TTY can be allocated for login sessions. This is useful for interactive shell sessions. If set to no, TTY allocation is prohibited, which is typically used for non-interactive sessions such as command execution or SFTP.

13. PrintMotd yes

  • Meaning: Whether to print the motd (Message of the Day) file.
  • Effect: If set to yes, the contents of the /etc/motd file are printed when a user logs in. This file typically contains system announcements or important information.

14. PrintLastLog yes

  • Meaning: Whether to print last login information.
  • Effect: If set to yes, the time and location of the last login are printed when a user logs in. This helps users understand the usage of their accounts.
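The authentication settings in items 2 to 7 and the per-user restrictions in items 9 to 12 are easiest to manage as one drop-in under the sshd_config.d directory from item 1, and easiest to verify against what sshd actually loaded. The script below is an added example, not code from the original post: it writes such a drop-in (the file name 50-hardening.conf and the target directory argument are constructed; anoncvs is the user name from the post) and audits an effective-configuration dump in the lowercase `sshd -T` output format against the same baseline. The sample dump is constructed to look like a permissive default install.

```shell
#!/bin/sh
# Added example, not part of the original post: write a hardening drop-in for
# the sshd_config.d directory and audit an `sshd -T`-style dump against it.
# The drop-in name, the directory argument and the sample dump are constructed.

# Write a drop-in applying the authentication and forwarding settings from the
# post. $1 is the directory to write into (a temp dir to try it out,
# /etc/ssh/sshd_config.d on a real host). Prints the path of the file written.
write_hardening_dropin() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/50-hardening.conf" <<'EOF'
# Key-based logins only
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
# Keep PAM for account and session handling
UsePAM yes
# No forwarding by default; re-enable per user with a Match block if needed
X11Forwarding no
AllowTcpForwarding no
# Restricted account, same pattern as the post's Match example
Match User anoncvs
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
EOF
  printf '%s\n' "$dir/50-hardening.conf"
}

# Write a constructed dump in `sshd -T` format (lowercase keyword, space,
# value) that mirrors a permissive default install. $1 is the output path.
sample_sshd_dump() {
  cat > "$1" <<'EOF'
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
usepam yes
x11forwarding no
allowtcpforwarding yes
clientaliveinterval 0
EOF
}

# Audit a dump file ($1) against the baseline. Prints one line per missing or
# weak setting and returns the number of findings (0 means clean).
# Acceptable alternatives in the expected value are separated by "|".
audit_sshd_dump() {
  file="$1"
  findings=0
  for pair in \
      'permitrootlogin=no|prohibit-password' \
      'passwordauthentication=no' \
      'permitemptypasswords=no' \
      'usepam=yes' \
      'x11forwarding=no' \
      'allowtcpforwarding=no'; do
    key=${pair%%=*}
    want=${pair#*=}
    have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
    if [ -z "$have" ]; then
      echo "MISSING $key (expected $want)"
      findings=$((findings + 1))
      continue
    fi
    ok=0
    for alt in $(printf '%s' "$want" | tr '|' ' '); do
      [ "$have" = "$alt" ] && ok=1
    done
    if [ "$ok" -eq 0 ]; then
      echo "WEAK    $key=$have (expected $want)"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Stand-alone demo in a temp directory. On a real host you would feed the
# output of `sshd -T` to audit_sshd_dump and run `sshd -t` after installing
# the drop-in, before restarting the service.
demo=$(mktemp -d)
sample_sshd_dump "$demo/effective.txt"
audit_sshd_dump "$demo/effective.txt" || echo "$? weak setting(s) found"
write_hardening_dropin "$demo/sshd_config.d"
```

The audit reads the effective configuration rather than the file on disk because, with Include in play, the first matching directive wins and a later drop-in cannot override an earlier one; `sshd -T` (and `sshd -T -C user=anoncvs` for a Match block) shows what will really apply.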

15. TCPKeepAlive yes

  • Meaning: Whether to enable TCP keepalive.
  • Effect: If set to yes, SSH will periodically send keepalive packets to prevent connection timeouts. If set to no, keepalive packets are not sent.

16. UseDNS no

  • Meaning: Whether to use DNS to resolve the client's IP address.
  • Effect: If set to yes, SSH will attempt to resolve the client's IP address via DNS. If set to no, DNS resolution is not performed, which can improve connection speed, especially when DNS resolution is slow.

17. ClientAliveInterval 0

  • Meaning: The interval, in seconds, between the keepalive requests sshd sends to the client.
  • Effect: If set to a non-zero value, SSH will periodically send keepalive packets to prevent connection timeouts. For example, setting it to 60 means sending a keepalive packet every 60 seconds.

18. ClientAliveCountMax 3

  • Meaning: The maximum number of times the client can fail to respond before disconnection.
  • Effect: If set to 3, SSH will disconnect after three consecutive failures to receive a response from the client. This helps to automatically clean up dead connections.

19. PidFile /run/sshd.pid

  • Meaning: Specifies the path to the SSH server's PID file.
  • Effect: The PID file records the process ID of the SSH server for easier management and monitoring.

20. MaxStartups 10:30:100

  • Meaning: Controls the maximum number of unauthenticated connections that can be pending simultaneously.
  • Effect: The format is start:rate:full. Once start unauthenticated connections exist, sshd refuses each new connection attempt with probability rate/100; that probability rises linearly as more unauthenticated connections accumulate, and once full is reached every new attempt is refused. For example, 10:30:100 means that at 10 unauthenticated connections a new attempt is refused 30% of the time, and at 100 unauthenticated connections all new attempts are refused.
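The linear ramp between start and full is easier to reason about as a small calculation. The script below is an added example, not code from the original post: the function name, the sample connection counts and the treatment of a bare number as a hard limit (N behaves like N:100:N) are assumptions of this example, while the ramp itself follows the start:rate:full behaviour described above.

```shell
#!/bin/sh
# Added example, not part of the original post: compute what share of new
# unauthenticated connection attempts sshd refuses for a given MaxStartups
# value and a given number of connections already waiting to authenticate.
# The function name and the sample counts are constructed for illustration.

# $1 = MaxStartups value, either start:rate:full or a bare limit N
#      (assumed here to behave like N:100:N: nothing refused below N,
#      everything refused at N or above)
# $2 = current number of unauthenticated connections
# Prints the refusal percentage (integer 0..100); returns 2 on bad input.
maxstartups_refusal_pct() {
  spec="$1"; n="$2"
  case "$n" in ''|*[!0-9]*) return 2 ;; esac
  case "$spec" in
    *:*:*)
      start=${spec%%:*}
      rest=${spec#*:}
      rate=${rest%%:*}
      full=${rest#*:}
      ;;
    ''|*[!0-9]*) return 2 ;;
    *) start=$spec; rate=100; full=$spec ;;
  esac
  for v in "$start" "$rate" "$full"; do
    case "$v" in ''|*[!0-9]*) return 2 ;; esac
  done
  if [ "$n" -lt "$start" ]; then
    echo 0
  elif [ "$n" -ge "$full" ]; then
    echo 100
  else
    # probability = rate + (100 - rate) * (n - start) / (full - start)
    echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
  fi
}

# Print the ramp for one MaxStartups value at several connection counts.
print_ramp() {
  spec="$1"; shift
  for count in "$@"; do
    printf 'MaxStartups %s, %3s waiting -> %3s%% of new attempts refused\n' \
      "$spec" "$count" "$(maxstartups_refusal_pct "$spec" "$count")"
  done
}

# Stand-alone demo using the value from the post.
print_ramp 10:30:100 0 9 10 25 55 99 100 120
```

A useful way to read the output: an attacker holding many half-open sessions pushes the count toward full, at which point legitimate administrators are refused too, so MaxStartups is a DoS-containment knob rather than a brute-force defence, and it is usually paired with a short LoginGraceTime and external rate limiting.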

21. Banner none

  • Meaning: Specifies the path to the banner file displayed before login.
  • Effect: If set to a file path, SSH will display the contents of that file before the user logs in. This can be used to show login warnings or legal statements.

22. ChrootDirectory none

  • Meaning: Specifies the chroot directory for users.
  • Effect: If set to a directory path, users will be restricted to that directory upon login and will not be able to access other directories. This helps enhance system security.

23. VersionAddendum none

  • Meaning: Additional information appended to the SSH server's version string.
  • Effect: If set to a string, that string will be appended to the SSH server's version string. This can be used to customize version information.

The configuration of these parameters can significantly affect the behavior and security of the SSH server. Configuring these parameters appropriately based on your specific needs can enhance the security and usability of the system.
