Detailed Explanation of sshd_config File Parameters

The file path is /etc/ssh/sshd_config

Parameter details:

Below are explanations of some common parameters in the sshd_config file:

1. Include /etc/ssh/sshd_config.d/*.conf

  • Meaning: Includes all configuration files ending with .conf in the /etc/ssh/sshd_config.d/ directory. This allows configurations to be spread across multiple files for easier management and maintenance.
  • Effect: Makes the configuration file more modular, facilitating the addition or modification of configurations in different scenarios.

2. PermitRootLogin yes

  • Meaning: Allows the root user to log in via SSH.
  • Effect: If set to yes, the root user can log in using a password or a key. If set to prohibit-password (or its older spelling without-password), the root user cannot log in using a password but can log in using a key. If set to no, the root user cannot log in via SSH at all.

3. AuthorizedKeysFile .ssh/authorized_keys

  • Meaning: Specifies the path to the file that stores authorized public keys.
  • Effect: By default, SSH looks for authorized public keys in the user's ~/.ssh/authorized_keys file. This file contains a list of public keys that are allowed to log in.

4. PasswordAuthentication yes

  • Meaning: Whether to allow authentication using a password.
  • Effect: If set to yes, users are allowed to log in using a password. If set to no, password logins are prohibited, and only keys or other authentication methods can be used.

5. PermitEmptyPasswords no

  • Meaning: Whether to allow login with an empty password.
  • Effect: If set to yes, logins with an empty password are allowed. If set to no, logins with an empty password are not allowed. For security reasons, it is generally recommended to set this to no.

6. KbdInteractiveAuthentication yes

  • Meaning: Whether to allow keyboard interactive authentication.
  • Effect: If set to yes, keyboard interactive authentication, such as PAM (Pluggable Authentication Modules) authentication, is allowed. This is often used for multi-factor authentication.

7. UsePAM no

  • Meaning: Whether to use PAM for authentication, account processing, and session handling.
  • Effect: If set to yes, SSH will use PAM for authentication. This allows for more complex authentication policies through PAM configuration files, such as multi-factor authentication, account locking, etc. If set to no, PAM is not used.

8. Subsystem sftp /usr/lib/ssh/sftp-server

  • Meaning: Defines the SFTP subsystem.
  • Effect: Specifies the path for the SFTP service. SFTP is the SSH File Transfer Protocol used for securely transferring files. /usr/lib/ssh/sftp-server is the default path for the SFTP server.

9. Match User anoncvs

  • Meaning: Starts a block of settings that apply only to connections matching the given criteria (here, the user anoncvs).
  • Effect: Allows specific configurations to be set for certain users or user groups; for example, X11 forwarding, TCP forwarding, or TTY allocation can be disabled for a single user. The block extends to the next Match line or the end of the file, so Match blocks belong after the global settings.

10. X11Forwarding no

  • Meaning: Whether to enable X11 forwarding.
  • Effect: If set to yes, X11 graphical interfaces can be forwarded through SSH. This is useful for running graphical applications remotely. If set to no, X11 forwarding is prohibited.

11. AllowTcpForwarding yes

  • Meaning: Whether to allow TCP forwarding.
  • Effect: If set to yes, TCP connections can be forwarded through SSH. This is useful for setting up port forwarding. If set to no, TCP forwarding is prohibited.

12. PermitTTY yes

  • Meaning: Whether to allow TTY allocation.
  • Effect: If set to yes, TTY can be allocated for login sessions. This is useful for interactive shell sessions. If set to no, TTY allocation is prohibited, typically used for non-interactive sessions, such as command execution or SFTP.
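The authentication directives (items 2 to 4) and the Match block (items 9 to 12) interact through two rules of sshd_config: the first value given for a keyword wins, and a matching Match block overrides the global value. The script below is an added example, not part of the original post; it resolves the effective value for a user from a constructed sample config, recognises only `Match User` criteria, and does not follow Include.

```shell
#!/bin/sh
# Added example, not from the original post: work out which value sshd would
# apply for a keyword, following two rules from sshd_config(5):
#   * the FIRST value given for a keyword wins (keyword names are case-insensitive);
#   * a "Match User" block overrides the global value for matching users, and
#     among several satisfied Match blocks the first one to set a keyword wins.
# Simplifications: only "Match User a,b" criteria are recognised (Group, Address
# and so on are treated as not matching), Include is not followed, and the
# "Keyword=value" spelling is not handled. On a live host the authoritative
# check is sshd itself: sshd -T -C user=anoncvs,host=example,addr=203.0.113.10

# Constructed sample config mirroring the directives discussed in this post.
SAMPLE_CONFIG=$(cat <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
PermitTTY yes
Match User anoncvs,guest
    X11Forwarding no
    PermitTTY no
    ForceCommand internal-sftp
Match User guest
    PermitTTY yes
EOF
)

# effective_value KEYWORD USER  (config on stdin) -> prints the value sshd
# would use for USER; prints nothing when the keyword is unset, meaning
# sshd's compiled-in default applies. Only the first word of each value is kept.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v user="$2" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" {                # a new Match block begins
            in_match = 1; active = 0
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) active = 1
            }
            next
        }
        tolower($1) == key {
            if (in_match) { if (active && mval == "") mval = $2 }
            else if (gval == "") gval = $2      # first global value wins
        }
        END { print (mval != "" ? mval : gval) }
    '
}

printf '%s\n' "$SAMPLE_CONFIG" | effective_value PermitTTY anoncvs   # no
```

For the user guest the second Match block's `PermitTTY yes` is ignored, because the earlier satisfied Match block already set that keyword.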

13. PrintMotd yes

  • Meaning: Whether to print the motd (Message of the Day) file.
  • Effect: If set to yes, the contents of the /etc/motd file will be printed when a user logs in. This file usually contains system announcements or important information.

14. PrintLastLog yes

  • Meaning: Whether to print last login information.
  • Effect: If set to yes, the time and location of the last login will be printed when a user logs in. This helps users understand the usage of their accounts.

15. TCPKeepAlive yes

  • Meaning: Whether to enable TCP keepalive.
  • Effect: If set to yes, SSH will periodically send keepalive packets to prevent connection timeouts. If set to no, keepalive packets are not sent.

16. UseDNS no

  • Meaning: Whether sshd performs a reverse DNS lookup on the client's IP address.
  • Effect: If set to yes, sshd looks up the client's hostname via DNS and checks that the name resolves back to the same address. If set to no, no DNS lookup is performed, which can speed up connection setup, especially when DNS resolution is slow.

17. ClientAliveInterval 0

  • Meaning: The idle time (in seconds) after which sshd sends a client-alive message to check that the client is still there. A value of 0 disables these messages.
  • Effect: If set to a non-zero value, sshd sends a client-alive message through the encrypted channel whenever no data has been received from the client for that long, which prevents idle connections from timing out. For example, setting it to 60 means a message is sent after 60 seconds of inactivity.

18. ClientAliveCountMax 3

  • Meaning: The maximum number of times the client can fail to respond before disconnection.
  • Effect: If set to 3, SSH will disconnect after three consecutive failures to receive a response from the client. This helps automatically clean up dead connections.

19. PidFile /run/sshd.pid

  • Meaning: Specifies the path to the SSH server's PID file.
  • Effect: The PID file is used to record the process ID of the SSH server for easier management and monitoring.

20. MaxStartups 10:30:100

  • Meaning: Controls the maximum number of unauthenticated connections that may be open at the same time.
  • Effect: The format is start:rate:full. Once start unauthenticated connections are open, sshd refuses each new connection attempt with a probability of rate percent; the probability rises linearly as more unauthenticated connections accumulate, and when the count reaches full every new connection is refused. For example, 10:30:100 means that with 10 unauthenticated connections open, 30% of new attempts are refused, the percentage grows as the count increases, and at 100 unauthenticated connections all new connections are refused.
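The refusal curve described above is easier to reason about when tabulated. The script below is an added example, not part of the original post; `refusal_percent` reproduces sshd's integer arithmetic for a start:rate:full value, and `ramp` prints the curve in steps of ten connections.

```shell
#!/bin/sh
# Added example, not from the original post: the refusal probability sshd
# applies under MaxStartups start:rate:full. Below "start" unauthenticated
# connections nothing is refused; at "start" each new attempt is refused with
# probability rate%; the probability rises linearly and reaches 100% at "full".
# The single-number form "MaxStartups N" is a hard cap: everything is refused
# once N unauthenticated connections exist. Integer arithmetic, as sshd uses.

# refusal_percent SPEC CURRENT -> prints 0..100, the percentage of new
# connection attempts refused while CURRENT connections are unauthenticated
refusal_percent() {
    spec=$1
    current=$2
    case $spec in
        *:*:*)
            start=${spec%%:*}; rest=${spec#*:}
            rate=${rest%%:*};  full=${rest#*:} ;;
        *)  start=$spec; rate=100; full=$spec ;;   # "MaxStartups 10": hard cap
    esac
    if [ "$current" -lt "$start" ]; then
        echo 0
    elif [ "$current" -ge "$full" ]; then
        echo 100
    else
        # linear ramp from rate% at "start" to 100% at "full"
        echo $(( rate + (current - start) * (100 - rate) / (full - start) ))
    fi
}

# ramp SPEC -> one line per ten connections from "start" to "full"
ramp() {
    spec=$1
    start=${spec%%:*}; full=${spec##*:}
    n=$start
    while [ "$n" -le "$full" ]; do
        printf '%3d unauthenticated -> refuse %3d%%\n' "$n" "$(refusal_percent "$spec" "$n")"
        n=$((n + 10))
    done
}

ramp 10:30:100
```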

21. Banner none

  • Meaning: Specifies the path to a banner file displayed before login; none means no banner is shown.
  • Effect: If set to a file path, sshd displays the contents of that file before the user authenticates. This can be used to show login warnings or legal notices.

22. ChrootDirectory none

  • Meaning: Specifies the user's chroot directory.
  • Effect: If set to a directory path, the user will be restricted to that directory upon login and cannot access other directories. This helps enhance system security.

23. VersionAddendum none

  • Meaning: Additional information added to the SSH server's version string.
  • Effect: If set to a string, that string will be appended to the SSH server's version string. This can be used to customize version information.

The configuration of these parameters can significantly affect the behavior and security of the SSH server. Configuring these parameters appropriately based on your specific needs can enhance the security and usability of the system.
