日本語で補足を書いた。 /etc /ssh/ にあるのはArchだけかもしれない。RHEL系は/etc/ sshd/ だった気がする。 Source:openssh-VERSION-x86_64.pkg.tar.xz
Last active
December 7, 2019 18:30
-
-
Save koumaza/cd05ea35feb1d791b724cae83a5505f4 to your computer and use it in GitHub Desktop.
sshdについて。日本語で。
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/ssh/sshd_config | |
| # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ | |
| # This is the sshd server system-wide configuration file. See | |
| # sshd_config(5) for more information. | |
| # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin | |
| # The strategy used for options in the default sshd_config shipped with | |
| # OpenSSH is to specify options with their default value where | |
| # possible, but leave them commented. Uncommented options override the | |
| # default value. | |
| ### 受信ポートは変えたほうがいいです。(変えたほうがセキュリティが強くなります。) | |
| ## 初期設定 22 | |
| #Port 22 | |
| ## 下の設定のほうが強固。5桁なら大丈夫だと思います。(1~60035) | |
| Port 60000 | |
| ### これはIPV4,IPV6を許可するかの設定です。通常変える必要はないです。 | |
| ## 全部許可(IPV4+IPV6) | |
| #AddressFamily any | |
| ## IPV4だけ許可 | |
| #AddressFamily inet | |
| ## IPV6だけ許可 | |
| #AddressFamily inet6 | |
| ### アクセスできるIPを設定します。(未設定だとどのアドレスからでもアクセスが可能です。) | |
| ## IPV4 | |
| #ListenAddress 0.0.0.0 | |
| ## IPV6 | |
| #ListenAddress :: | |
| ### 秘密鍵のパスを設定(特にいじる必要はない。) | |
| #HostKey /etc/ssh/ssh_host_rsa_key | |
| #HostKey /etc/ssh/ssh_host_ecdsa_key | |
| #HostKey /etc/ssh/ssh_host_ed25519_key | |
| ### セッション鍵の再生成(特にいじる必要はない。) | |
| # Ciphers and keying | |
| #RekeyLimit default none | |
| ### ログ(初期値で問題ないです。) | |
| #SyslogFacility AUTH | |
| ## ログレベル(順にレベルが下っていく) EMERGE -> ALERT -> CRIT -> ERROR -> WARN -> NOTICE -> INFO -> DEBUG | |
| ## 初期値 | |
| #LogLevel INFO | |
| LogLevel DEBUG | |
| ### 認証 | |
| ## 認証可能時間の制限(mは分の事) EX: 制限時間19秒以内 -> LoginGraceTime 19 | |
| #LoginGraceTime 2m | |
| ## Rootログインの許可(noか初期値にしましょう。また、インストール時などならyesでもいい。) 禁止 -> no 許可 -> yes パスワードのみの認証を禁止 -> prohibit-password or without-password | |
| PermitRootLogin prohibit-password | |
| ## パーティションのチェック(初期値yesでよろしい。) | |
| #StrictModes yes | |
| ## 認証にトライできる回数の上限(初期値でよろしい。) | |
| #MaxAuthTries 6 | |
| ## 同時接続数の上限(初期値から減らしてもいい。自分の環境に合わせて。) | |
| #MaxSessions 10 | |
| ## 公開鍵認証の許可(普通はyes) | |
| PubkeyAuthentication yes | |
| # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | |
| # but this is overridden so installations will only check .ssh/authorized_keys | |
| ## 公開鍵登録ファイルのパス | |
| AuthorizedKeysFile .ssh/authorized_keys | |
| #AuthorizedPrincipalsFile none | |
| #AuthorizedKeysCommand none | |
| #AuthorizedKeysCommandUser nobody | |
| # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | |
| #HostbasedAuthentication no | |
| # Change to yes if you don't trust ~/.ssh/known_hosts for | |
| # HostbasedAuthentication | |
| #IgnoreUserKnownHosts no | |
| # Don't read the user's ~/.rhosts and ~/.shosts files | |
| #IgnoreRhosts yes | |
| # To disable tunneled clear text passwords, change to no here! | |
| #PasswordAuthentication yes | |
| #PermitEmptyPasswords no | |
| # Change to no to disable s/key passwords | |
| ChallengeResponseAuthentication no | |
| # Kerberos options | |
| #KerberosAuthentication no | |
| #KerberosOrLocalPasswd yes | |
| #KerberosTicketCleanup yes | |
| #KerberosGetAFSToken no | |
| # GSSAPI options | |
| #GSSAPIAuthentication no | |
| #GSSAPICleanupCredentials yes | |
| # Set this to 'yes' to enable PAM authentication, account processing, | |
| # and session processing. If this is enabled, PAM authentication will | |
| # be allowed through the ChallengeResponseAuthentication and | |
| # PasswordAuthentication. Depending on your PAM configuration, | |
| # PAM authentication via ChallengeResponseAuthentication may bypass | |
| # the setting of "PermitRootLogin without-password". | |
| # If you just want the PAM account and session checks to run without | |
| # PAM authentication, then enable this but set PasswordAuthentication | |
| # and ChallengeResponseAuthentication to 'no'. | |
| UsePAM yes | |
| #AllowAgentForwarding yes | |
| #AllowTcpForwarding yes | |
| #GatewayPorts no | |
| #X11Forwarding no | |
| #X11DisplayOffset 10 | |
| #X11UseLocalhost yes | |
| #PermitTTY yes | |
| PrintMotd no # pam does that | |
| #PrintLastLog yes | |
| #TCPKeepAlive yes | |
| #PermitUserEnvironment no | |
| #Compression delayed | |
| #ClientAliveInterval 0 | |
| #ClientAliveCountMax 3 | |
| #UseDNS no | |
| #PidFile /run/sshd.pid | |
| #MaxStartups 10:30:100 | |
| #PermitTunnel no | |
| #ChrootDirectory none | |
| #VersionAddendum none | |
| # no default banner path | |
| #Banner none | |
| # override default of no subsystems | |
| Subsystem sftp /usr/lib/ssh/sftp-server | |
| # Example of overriding settings on a per-user basis | |
| #Match User anoncvs | |
| # X11Forwarding no | |
| # AllowTcpForwarding no | |
| # PermitTTY no | |
| # ForceCommand cvs server |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment