SSH uses a client/server architecture, and different programs run on the two ends. The OpenSSH client program is ssh, and the server program is sshd. This chapter covers sshd.
If sshd is not installed, you can install it with the following command.
# Debian
$ sudo aptitude install openssh-server
# Red Hat
$ sudo yum install openssh-server
Generally speaking, sshd will start with the system after installation. If the current sshd is not started, you can start it with the following command.
If running the above command prints "sshd re-exec requires execution with an absolute path", you must start sshd with its absolute path. This protects against someone placing a program named sshd in a directory listed in the $PATH variable so that it is run instead of the real sshd.
# Centos, Ubuntu, OS X
$ /usr/sbin/sshd
After the above command is run, sshd automatically goes into the background, so there is no need to append & to the command.
In addition to running executable files directly, you can also start sshd through Systemd.
# start
$ sudo systemctl start sshd.service
# stop
$ sudo systemctl stop sshd.service
# restart
$ sudo systemctl restart sshd.service
The following command will make sshd run automatically the next time the computer is started.
$ sudo systemctl enable sshd.service
sshd configuration file
The sshd configuration files are in the /etc/ssh directory. The main configuration file is sshd_config, and the directory also holds the host keys generated during installation.
- /etc/ssh/sshd_config: configuration file.
- /etc/ssh/ssh_host_ecdsa_key: ECDSA private key.
- /etc/ssh/ssh_host_ecdsa_key.pub: ECDSA public key.
- /etc/ssh/ssh_host_key: RSA private key for SSH protocol version 1.
- /etc/ssh/ssh_host_key.pub: RSA public key for SSH protocol version 1.
- /etc/ssh/ssh_host_rsa_key: RSA private key for SSH protocol version 2.
- /etc/ssh/ssh_host_rsa_key.pub: RSA public key for SSH protocol version 2.
- /etc/pam.d/sshd: PAM configuration file.
Note that if sshd is reinstalled, the above host keys are regenerated. When a client that remembers the old host key reconnects to the server, it will show a warning and refuse the connection. To avoid this, back up the /etc/ssh directory before reinstalling sshd and restore it afterwards.
The format of sshd_config is one directive per line: each line is a configuration item followed by its value, separated by a space. For example, Port 2034 sets the value of the configuration item Port to 2034. Configuration item names are not case sensitive, so Port can also be written as port.
There is another format of the configuration file, that is, there is an equal sign between the configuration item and the value, and the spaces before and after the equal sign are optional.
Port = 2034
In the configuration file, lines beginning with # are comments.
# This is a line of comment
Note that comments can only be placed at the beginning of a line, not at the end of a line.
Port 2034 # Comments are not allowed here
The line above is invalid.
In addition, blank lines are equivalent to comments.
When sshd starts, it automatically reads the default configuration file. To use another configuration file, specify it with the -f parameter of the sshd command.
$ sshd -f /usr/local/ssh/my_config
The above command tells sshd to use the configuration file /usr/local/ssh/my_config instead of the default one.
After modifying the configuration file, you can use the -t (test) parameter of the sshd command to check it for syntax errors.
$ sshd -t
After the configuration file is modified, it will not take effect automatically, and sshd must be restarted.
$ sudo systemctl restart sshd.service
sshd has one or more key pairs of its own, which it uses to prove its identity to clients. Every key is a pair of a public key and a private key. The file name of the public key is usually the file name of the private key plus the suffix .pub.
The default DSA key file is /etc/ssh/ssh_host_dsa_key (public key ssh_host_dsa_key.pub), and the default RSA key file is /etc/ssh/ssh_host_rsa_key (public key ssh_host_rsa_key.pub). If you need to support the SSH 1 protocol, you must also have the key /etc/ssh/ssh_host_key.
If the keys are not in the default files, they can be specified with the HostKey configuration item in sshd_config. The default HostKey settings are as follows.
# HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key
The # at the start of each of the above lines marks it as a comment. Since these are the default values, the effect is the same whether or not these lines are present.
To use different keys, remove the # at the beginning of the line and specify the other key file.
HostKey /usr/local/ssh/my_dsa_key
HostKey /usr/local/ssh/my_rsa_key
HostKey /usr/local/ssh/my_old_ssh1_key
sshd configuration items
The following are the configuration items in the sshd_config file.
AcceptEnv specifies which environment variables the client is allowed to send with its SendEnv option, that is, the list of server environment variables the client may set. Variable names are separated by spaces (AcceptEnv PATH TERM).
AllowGroups specifies the user groups allowed to log in (AllowGroups groupName); multiple groups are separated by spaces. If this option is not used, all user groups are allowed to log in.
AllowUsers specifies the users who are allowed to log in. User names are separated by spaces (AllowUsers user1 user2), or they can be given on multiple AllowUsers lines. User names support wildcards. If this item is not used, all users are allowed to log in. This item can also use the username@domain format.
AllowTcpForwarding specifies whether to allow port forwarding, the default value is
local means that only local port forwarding is allowed, and
remote means that only remote port forwarding is allowed.
AuthorizedKeysFile specifies where the user's public keys are stored. The default is .ssh/authorized_keys in the user's home directory.
Banner specifies a text file (Banner /usr/local/etc/warning.txt) whose contents sshd displays to the user after login. By default, nothing is displayed.
ChallengeResponseAuthentication specifies whether to use the "keyboard interaction" authentication scheme, the default value is
In theory, the "keyboard interactive" authentication scheme can ask the user multiple questions, but in practice, it usually only asks the user's password. If you want to completely disable password-based authentication, set both
Ciphers specifies the encryption algorithms that sshd accepts (Ciphers 3des-cbc); multiple algorithms are separated by commas.
ClientAliveCountMax specifies the number of times the server attempts to connect when the client loses response after the connection is established (
ClientAliveInterval specifies how long, in seconds, the client may remain silent (ClientAliveInterval 180). If the client sends nothing during this period, the SSH connection is closed.
Compression specifies whether the data transmission between the client and the server is compressed. The default value is
DenyGroups specifies user groups that are not allowed to log in (
DenyUsers specifies the users who are not allowed to log in (DenyUsers user1). User names are separated by spaces, or they can be given on multiple DenyUsers lines.
SSH 1 only: makes the log output all debug information (
HostKey specifies the key of the sshd server, see above for details.
KeyRegenerationInterval specifies the key regeneration interval of SSH version 1, in seconds, the default is 3600 seconds (
ListenAddress specifies the local IP address sshd listens on, that is, the address on which sshd is enabled. The default is 0.0.0.0 (ListenAddress 0.0.0.0), meaning all network interfaces of the machine. It can be changed to listen on a single interface only (such as ListenAddress 192.168.10.23), or a host name can be given instead of an address.
To listen on several specific IP addresses, use multiple ListenAddress lines.
ListenAddress 172.16.1.1
ListenAddress 192.168.0.1
LoginGraceTime specifies the maximum time, in seconds, that a client may sit at the login stage without completing authentication, for example without entering a password, before the connection is automatically closed (LoginGraceTime 60). A value of 0 means no limit.
LogLevel specifies the level of detail of the log. The possible values, in order, are
DEBUG3. The default is
MACs specifies the message authentication (data integrity) algorithms that sshd accepts (MACs hmac-sha1); multiple algorithms are separated by commas.
MaxAuthTries specifies the maximum number of login attempts per connection (MaxAuthTries 3). If the password is entered incorrectly that many times, the SSH connection is closed.
MaxStartups specifies the number of concurrent SSH connections allowed (MaxStartups). A value of 0 means no limit.
This item can also be written in the form A:B:C, such as MaxStartups 10:50:20, which means that once there are 10 concurrent connections, further connections are rejected with a 50% probability, and once there are 20 concurrent connections, all further connections are rejected.
PasswordAuthentication specifies whether password login is allowed. The default is yes (PasswordAuthentication yes); it is recommended to change it to no (password login is prohibited and only key login is allowed).
PermitEmptyPasswords specifies whether login with an empty password is allowed, that is, whether a user's password may be empty. The default is yes (PermitEmptyPasswords yes); it is recommended to change it to no (login with an empty password is prohibited).
PermitRootLogin specifies whether the root user may log in. The default is yes (PermitRootLogin yes); it is recommended to change it to no (root login is prohibited).
It can also be set to prohibit-password, which means that root cannot log in with a password but can log in with a key.
PermitUserEnvironment specifies whether sshd loads the client's ~/.ssh/environment file and the environment= options in the ~/.ssh/authorized_keys file. The default value is
Port specifies the port sshd listens on, that is, the port the client connects to. The default is 22 (Port 22). For security reasons, this port can be changed.
The configuration file can contain multiple Port lines to listen on several ports at the same time.
Port 22
Port 80
Port 443
Port 8080
The above example listens on 4 ports at the same time.
PrintMotd specifies whether to show the system's motd (message of the day) file /etc/motd to the user after login. This file is used to inform all users of important matters such as scheduled maintenance and security issues. The default value is yes (PrintMotd yes). Since the shell usually displays this file anyway, it can be changed to no.
PrintLastLog specifies whether to print the last user login time, the default value is
Protocol specifies the protocol version used by sshd. Protocol 1 means the SSH 1 protocol; it is recommended to change it to Protocol 2 (the SSH 2 protocol). Protocol 2,1 means both protocol versions are supported at the same time.
PubKeyAuthentication specifies whether to allow public key login, the default value is
QuietMode (SSH 1 only) specifies that only fatal error messages are written to the log (QuietMode yes).
RSAAuthentication specifies that RSA authentication is allowed, and the default value is
ServerKeyBits specifies the number of bits when the SSH version 1 key is regenerated. The default is 768 (
StrictModes specifies whether sshd checks the permissions of the user's important files and directories. The default is yes (StrictModes yes): for the user's SSH configuration file, key files and directories, sshd requires the owner to be root or the user, and write permission for the group and for others must be removed.
SyslogFacility specifies how Syslog processes sshd logs. The default is Auth (
TCPKeepAlive specifies whether TCP keepalive is enabled on the connection between sshd and the client (TCPKeepAlive yes).
UseDNS specifies whether, when a user logs in from a host with a domain name, the server looks the name up in DNS and checks that the IP addresses of that name include the connecting machine (UseDNS yes). Turning this on is of little benefit, and if DNS is not kept up to date it can produce false results, so it is recommended to turn it off.
UseLogin specifies whether to use /usr/bin/login instead of SSH's own mechanism for user authentication. The default is
UsePrivilegeSeparation specifies that after the user is authenticated, a separate sub-thread handles the operations involving user privileges, which improves security. The default value is
SSH 2 only: makes the log output detailed debug information (
X11Forwarding specifies whether to open X window forwarding, the default value is no (
After modifying the configuration file, you can use the following command to verify whether the configuration file has syntax errors.
$ sshd -t
The new configuration takes effect only after sshd is restarted.
$ sudo systemctl restart sshd
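As an added example, not part of the original text or of OpenSSH, the following Python code reads an sshd_config using exactly the format rules described earlier in this chapter (one item per line, case-insensitive names, optional equals sign, comments only at the start of a line, items such as Port that may repeat) and then checks the file against the settings this chapter recommends (PasswordAuthentication, PermitEmptyPasswords, PermitRootLogin, Protocol, UseDNS). The sample file at the bottom is constructed for the demonstration.

```python
"""Parse sshd_config as the page describes the format (one item per line,
case-insensitive names, optional '=', comments only at the start of a line,
repeatable items) and audit the settings the page recommends. Added example,
not OpenSSH code; the sample file at the bottom is constructed."""
import re
from collections import defaultdict

ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*)$")
# Settings the page recommends, keyed by lowercased item name.
RECOMMENDED = {
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "protocol": {"2"},
    "usedns": {"no"},
}

def parse_sshd_config(text):
    """Return (config, errors). config maps lowercased item names to the list
    of values seen (Port, ListenAddress, HostKey may repeat); errors lists
    (line number, reason) for lines sshd would reject."""
    config, errors = defaultdict(list), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines count as comments
            continue
        m = ITEM_RE.match(line)
        if not m or not m.group(2):
            errors.append((lineno, "item without a value"))
        elif "#" in m.group(2):  # 'Port 2034 # note' is invalid, see the text
            errors.append((lineno, "comment only allowed at start of line"))
        else:
            config[m.group(1).lower()].append(m.group(2))
    return dict(config), errors

def audit(config):
    """List recommended items that are unset or differ from the page's advice.
    For a single-valued item sshd uses the first value it reads, hence [0]."""
    findings = []
    for item, good in RECOMMENDED.items():
        value = config.get(item, ["not set"])[0]
        if value not in good:
            findings.append(f"{item}: {value} (recommended: {' or '.join(sorted(good))})")
    return findings

SAMPLE = "\n".join([  # constructed sample, not a real server's file
    "# listen on several ports", "Port 2034", "Port = 443", "port=8080", "",
    "PermitRootLogin prohibit-password", "PasswordAuthentication yes",
    "Protocol 2,1", "UseDNS no", "ListenAddress 172.16.1.1 # not allowed here",
])
```

Running parse_sshd_config(SAMPLE) collects the three Port values, flags line 10 for its trailing comment, and audit() reports PasswordAuthentication, PermitEmptyPasswords and Protocol as not matching the recommendations.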
sshd command line configuration items
The sshd command accepts a number of options on the command line. They are given when sshd is invoked and override the corresponding settings in the configuration file.
The -d parameter displays debug information.
$ sshd -d
The -D parameter makes sshd run in the foreground instead of as a background daemon.
$ sshd -D
The -e parameter makes sshd write its syslog messages to standard error instead.
The -f parameter specifies the location of the configuration file.
The -h parameter specifies the host key file.
$ sshd -h /usr/local/ssh/my_rsa_key
The -o parameter specifies a configuration item and its value, in the same form as in the configuration file.
$ sshd -o "Port 2034"
An equal sign can be used between the configuration item and its value.
$ sshd -o "Port = 2034"
If the spaces around the equal sign are omitted, the quotation marks can be omitted too.
$ sshd -o Port=2034
The -o parameter can be given several times to specify multiple configuration items.
The -p parameter specifies the port sshd serves on.
$ sshd -p 2034
The above command starts sshd on port 2034.
The -p parameter can be given several times to specify multiple ports.
$ sshd -p 2222 -p 3333
The -t parameter checks whether the syntax of the configuration file is correct.