SSH服务器安装及配置

plaindealer

1. 安装
ubuntu9.04默认不安装ssh服务器端，需要自己安装：sudo apt-get install ssh
2. 设置开机启动
ubuntu好像默认也没安装图形界面开机系统服务管理工具，安装sysvconfig，设置ssh开机启动
3. 配置文件详解
＃cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22  ＃开放端口
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0  ＃监听主机适配卡
Protocol 2  ＃默认协议
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key    ＃version 2 使用的RSA私钥
HostKey /etc/ssh/ssh_host_dsa_key    ＃version 2 使用的DSA私钥
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes   
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600  ＃重新创建Public key建立连接
ServerKeyBits 768   ＃Sever key的长度
# Logging
SyslogFacility AUTH    ＃日志登录文件相关
LogLevel INFO
# Authentication:
LoginGraceTime 120  ＃ - - 还不知道  
PermitRootLogin yes   ＃重要的，是否允许root登录
StrictModes yes    ＃当host key改变sever不接受联机
RSAAuthentication yes  ＃使用RSA认证
PubkeyAuthentication yes   ＃允许使用Public Key针对version 2
#AuthorizedKeysFile    %h/.ssh/authorized_keys    #用于设置不需要密码用户登录
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes       ＃不用.rhosts 认证
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no    ＃不允许空密码登录
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no  ＃允许任何密码认证，默认设置为no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes  ＃应该是用密码认证
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes    ＃X-Window相关设置
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60     ＃允许的未登录窗口数
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*   ＃语系变量设置
Subsystem sftp /usr/lib/openssh/sftp-server   ＃sftp设置项目
UsePAM yes  ＃用PAM管理认证
4. 安全设置
其实ssh的配置文件已经设置的很到位了，不建议随便修改，只是为了安全起见要修改几点：
1）取消root登录: PermitRootLogin  no
2）不允许多个用户登录，把这几个用户加入同一个组，然后拒绝这个组： DenyGroups  nossh
3）听鸟哥说ssh软件本身并不安全，所以我们最好还是不要设成开机启动了
               
               
               

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u3/103721/showart_2042458.html