| /etc/ssh/sshd_config | Description |
| --- | --- |
| # Package generated configuration file | |
| # See the sshd_config(5) manpage for details | |
| # What ports, IPs and protocols we listen for | |
| Port 22 | Port number on which sshd listens |
| # Use these options to restrict which interfaces/protocols sshd will bind to | |
| #ListenAddress :: | Local address on which to accept connections |
| #ListenAddress 0.0.0.0 | |
| Protocol 2 | Protocol version(s) the server supports |
| # HostKeys for protocol version 2 | |
| HostKey /etc/ssh/ssh_host_rsa_key | File holding the server's private host key |
| HostKey /etc/ssh/ssh_host_dsa_key | |
| #Privilege Separation is turned on for security | |
| UsePrivilegeSeparation yes | |
| # Lifetime and size of ephemeral version 1 server key | |
| KeyRegenerationInterval 3600 | Interval (seconds) at which the ephemeral server key is regenerated |
| ServerKeyBits 768 | Number of bits in the ephemeral server key |
| # Logging | |
| SyslogFacility AUTH | |
| LogLevel INFO | |
| # Authentication: | |
| LoginGraceTime 120 | Login grace period: the connection is dropped if login has not completed within 120 seconds. 0 means no limit. |
| PermitRootLogin no | Whether the root user may log in. yes: allowed; no: denied; without-password: password authentication is refused for root; forced-commands-only: only the commands specified in the authorized_keys file may be run |
| StrictModes yes | Whether to check ownership and permissions of the user's files and home directory |
| RSAAuthentication yes | Whether RSA authentication is permitted |
| PubkeyAuthentication yes | Whether public key authentication is permitted |
| AuthorizedKeysFile %h/.ssh/authorized_keys | Location of the client public keys used for user authentication |
| # Don't read the user's ~/.rhosts and ~/.shosts files | |
| IgnoreRhosts yes | |
| # For this to work you will also need host keys in /etc/ssh_known_hosts | |
| RhostsRSAAuthentication no | |
| # similar for protocol version 2 | |
| HostbasedAuthentication no | Whether rhosts or /etc/hosts.equiv authentication is allowed together with successful public key host authentication |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
| #IgnoreUserKnownHosts yes | |
| # To enable empty passwords, change to yes (NOT RECOMMENDED) | |
| PermitEmptyPasswords no | Whether empty passwords are permitted |
| # Change to yes to enable challenge-response passwords (beware issues with | |
| # some PAM modules and threads) | |
| ChallengeResponseAuthentication no | Whether challenge-response authentication is permitted |
| # Change to no to disable tunnelled clear text passwords | |
| PasswordAuthentication no | Whether password authentication is permitted |
| # Kerberos options | |
| #KerberosAuthentication no | |
| #KerberosGetAFSToken no | |
| #KerberosOrLocalPasswd yes | |
| #KerberosTicketCleanup yes | |
| # GSSAPI options | |
| #GSSAPIAuthentication no | |
| #GSSAPICleanupCredentials yes | |
| X11Forwarding yes | |
| X11DisplayOffset 10 | |
| PrintMotd no | |
| PrintLastLog yes | |
| TCPKeepAlive yes | Whether to send TCP keepalive messages |
| #UseLogin no | |
| #MaxStartups 10:30:60 | |
| #Banner /etc/issue.net | |
| # Allow client to pass locale environment variables | |
| AcceptEnv LANG LC_* | |
| Subsystem sftp /usr/lib/openssh/sftp-server | |
| # Set this to 'yes' to enable PAM authentication, account processing, | |
| # and session processing. If this is enabled, PAM authentication will | |
| # be allowed through the ChallengeResponseAuthentication and | |
| # PasswordAuthentication. Depending on your PAM configuration, | |
| # PAM authentication via ChallengeResponseAuthentication may bypass | |
| # the setting of "PermitRootLogin without-password". | |
| # If you just want the PAM account and session checks to run without | |
| # PAM authentication, then enable this but set PasswordAuthentication | |
| # and ChallengeResponseAuthentication to 'no'. | |
| UsePAM no | |
| # DenyUsers | Deny login only to users matching the given pattern |
| # AllowUsers | Allow login only to users matching the given pattern |
| # DenyGroups | Deny login only to groups matching the given pattern |
| # AllowGroups | Allow login only to groups matching the given pattern |
| # ChrootDirectory | Root directory of the chroot jail |
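As an added example that is not part of the original page, the POSIX shell script below audits an sshd_config file against the hardening choices in the table above. It assumes the file uses the plain "keyword value" form shown here, reproduces sshd's rule that the first uncommented occurrence of a keyword is the one that takes effect, and writes a constructed sample config to a temp file for a stand-alone run.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the
# hardening choices in the table above. sshd takes the FIRST uncommented
# occurrence of each keyword (keywords are case-insensitive); so must the audit.

# Print the effective value of directive $2 in config file $1 ("" if unset).
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# Print one WEAK line per directive of config file $1 whose effective value is
# outside the accepted set. Unset directives are reported too, because the
# compiled-in defaults differ between OpenSSH versions.
audit_sshd_config() {
    while read -r key accept; do
        v=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$v" ]; then
            echo "WEAK: $key is not set (expected: $accept)"
        elif ! printf '%s\n' "$v" | grep -Eqx "$accept"; then
            echo "WEAK: $key is '$v' (expected: $accept)"
        fi
    done <<'EOF'
Protocol 2
PermitRootLogin no|without-password|prohibit-password|forced-commands-only
PasswordAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
X11Forwarding no
EOF
}

# Constructed sample config for a stand-alone run; prints the temp file's path.
write_sample_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Protocol 2,1
PermitRootLogin no
# duplicate below is ignored: the first value has already won
PermitRootLogin yes
PasswordAuthentication yes
IgnoreRhosts yes
X11Forwarding yes
EOF
    echo "$tmp"
}
audit_sshd_config "$(write_sample_config)"
```

Running it on the sample reports four findings (Protocol, PasswordAuthentication, the unset PermitEmptyPasswords, and X11Forwarding); the later `PermitRootLogin yes` line is correctly ignored.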