RHEL 5.1 配置SSHD范例

s-N#m4\xSS05.1下调试成功, root限制登录 注意生成的rsa key文件格式要对

root@postfix woo]# cat /etc/ssh/sshd_configDOIT博客2uG!lIW#u

Port 22
:_hB`._R.G5Yc0Protocol 2
4_&D9a'S3k [3s0ListenAddress 0.0.0.0DOIT博客C)T3MGR

# Logging
o"r\#AK+q%N'g0# obsoletes QuietMode and FascistLogging
HvVe sErV0SyslogFacility AUTHPRIVDOIT博客 F'{2E$tm$s,pJ%b
LogLevel INFO

# Authentication:DOIT博客4[2_s!c UI$w
gy

y4|\q-Z#bU
_0#LoginGraceTime 2mDOIT博客j8elm6Te
PermitRootLogin noDOIT博客Y1iu@2f]
#StrictModes yesDOIT博客fX5\[*x't
#MaxAuthTries 6DOIT博客Jetc}

*PN?!N&p5`1M\L-F0#RSAAuthentication yes
.t'z-W~[*CwTo0PubkeyAuthentication yesDOIT博客*t}Vh$OD
AuthorizedKeysFile      .ssh/authorized_keys

dC:vG WE7j0# For this to work you will also need host keys in /etc/ssh/ssh_known_hostsDOIT博客P,b[kN3_b0u
RhostsRSAAuthentication noDOIT博客\1v+[3{5u
zC
# similar for protocol version 2DOIT博客g5xc;dYg6ys|
HostbasedAuthentication no
m7kd+k9X8O+B(y}0# Change to yes if you don't trust ~/.ssh/known_hosts for
z3]sW%FD1p0# RhostsRSAAuthentication and HostbasedAuthentication
&Y]C7i*R|$l0IgnoreUserKnownHosts noDOIT博客)e&z*D8[C(V2r,p
# Don't read the user's ~/.rhosts and ~/.shosts filesDOIT博客5u Ze8s.zhJ-N
IgnoreRhosts yesDOIT博客Pt#J"B-Jb%FsJ

# To disable tunneled clear text passwords, change to no here!
^]_DB7E0#PasswordAuthentication yes
.Q)u$Yq;A7~ Ek,m4?0#PermitEmptyPasswords no
T4`%]5n+l2s0PasswordAuthentication no

# Change to no to disable s/key passwordsDOIT博客;X*K}Kx6B#^g+G
#ChallengeResponseAuthentication yesDOIT博客z@#IL8Kxw8a
ChallengeResponseAuthentication noDOIT博客&xB;K4HM8se

gt?G:\)w%C^0# Kerberos optionsDOIT博客)u z_ h6`,q
#KerberosAuthentication no
~8Fyp#z J[^S,{Sd0#KerberosOrLocalPasswd yesDOIT博客"Q,N"gK0d rW
#KerberosTicketCleanup yesDOIT博客6RT$e:pgP)T
#KerberosGetAFSToken no

s5hFi9{0# GSSAPI options
$^6v8t:aj$oh0#GSSAPIAuthentication noDOIT博客8QZ ^D.A_N[Q
GSSAPIAuthentication yes
W[z{9Fa0#GSSAPICleanupCredentials yesDOIT博客q N'J|U5l
_}
GSSAPICleanupCredentials yesDOIT博客t nNc E B

_GL @;ZI(nh gr0# Set this to 'yes' to enable PAM authentication, account processing,
$q2Gg/FB-@0# and session processing. If this is enabled, PAM authentication willDOIT博客S&w|c|0X!BahH.T$W
# be allowed through the ChallengeResponseAuthentication mechanism.
i!P9Y5hZs,X7Uy1qA0# Depending on your PAM configuration, this may bypass the setting ofDOIT博客q&K"F+_Z6y:w+Z(l
# PasswordAuthentication, PermitEmptyPasswords, andDOIT博客7DXn0Z(e{ w#AQ
# "PermitRootLogin without-password". If you just want the PAM account andDOIT博客&E R|:Fg bW
# session checks to run without PAM authentication, then enable this but set
9Z4]6sxS zR0# ChallengeResponseAuthentication=noDOIT博客BZD*C)an4Ue K7}g
#UsePAM no
)MKFF;_ k0UsePAM yesDOIT博客&i2C"LuO

# Accept locale-related environment variablesDOIT博客o;W7Tn5\;Q
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGESDOIT博客elp9]0yv8A
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
R:NB BR:WQ"E0AcceptEnv LC_IDENTIFICATION LC_ALL
kv'^6j:X0#AllowTcpForwarding yes
0qMX5~S5G!`R1Rjkl0#GatewayPorts no
Q`*e;Y`G3}0#X11Forwarding noDOIT博客^I c6t+Rh4L
X11Forwarding yes
%bE7W?!en(|:SiDF0#X11DisplayOffset 10
%r4[/m/Z"m(_v0#X11UseLocalhost yes
#YnT-XC*R8J*OD0PrintMotd yesDOIT博客`2x4p;u1l|-F3x
PrintLastLog yesDOIT博客3Y{%FqF
TCPKeepAlive yesDOIT博客p&_
[K0I;|
UseLogin noDOIT博客2P2z4Uqw)vIXR-K
#UsePrivilegeSeparation yes
v k9K#du?qK0#PermitUserEnvironment no
xM1L(nQP,H/y~u0?0#Compression delayed
] L1Z?_x!L0#ClientAliveInterval 0
/ZA-FZ_U
m!T0Q0#ClientAliveCountMax 3DOIT博客/`;n*r(Y'c2{F b
#ShowPatchLevel no
@p1Y,H]j0#UseDNS yesDOIT博客5M2P"^ ?C3M
#PidFile /var/run/sshd.pidDOIT博客r2ogJxyb
MaxStartups 10
2b!oqs].vD0#PermitTunnel no

# no default banner pathDOIT博客4Q|6zS fZyj;I
#Banner /some/pathDOIT博客#Yz;h4R6p
an

# override default of no subsystems
$i{t5Rti+?V0Subsystem       sftp    /usr/libexec/openssh/sftp-serverDOIT博客!D2Qr#O/}0TaX@H{