************************************************
SSHサーバー設定
SSHサーバーを外部に開放せず、内部ユーザーも信頼できる場合は、SSHサーバーの設定はデフォルトのままで、パスワード方式によるログイン方式でもよい
[root@falcon21 ~]# vi /etc/ssh/sshd_config
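# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# NOTE (review): the editor gutter numbers that prefixed every line of the
# original listing have been removed so this block is a usable sshd_config
# again. Line 47 of the source file was not present in the listing and has
# not been reconstructed here.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
# The defaults below bind every interface. The note above this file accepts
# password logins only for a server that is not reachable from outside; if
# the host has an externally reachable address, restrict ListenAddress to
# the internal one so that assumption actually holds.
#ListenAddress 0.0.0.0
#ListenAddress ::

# Private host keys. sshd refuses to use a key file that is group- or
# world-readable, so keep these root-owned with mode 0600.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithms will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).

# Logging
#SyslogFacility AUTH
# AUTHPRIV keeps authentication records out of the general syslog stream
# (on Fedora/RHEL rsyslog typically routes it to /var/log/secure).
SyslogFacility AUTHPRIV
# INFO is the default. VERBOSE additionally records the fingerprint of the
# key used for each public-key login, which is useful when auditing who
# logged in with which key.
#LogLevel INFO

# Authentication:

# LoginGraceTime and MaxAuthTries are left at their defaults. Because
# password logins stay enabled below, lowering both bounds the window for
# online password guessing against a single connection.
#LoginGraceTime 2m
# Direct root logins are refused; administrators log in as an unprivileged
# user and escalate locally, which keeps an accountable user name in the log.
PermitRootLogin no
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Explicitly enabled (same as the commented default). The note above this
# file accepts this only because the server is not exposed externally and
# internal users are trusted. If either condition changes, set this to no:
# PubkeyAuthentication is already yes, so key-based logins keep working.
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Keyboard-interactive (PAM challenge/response) is off, so passwords are
# only accepted through PasswordAuthentication above.
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
# GSSAPI (Kerberos) authentication is enabled. If this host is not joined
# to a Kerberos realm it only adds an unused authentication method; set it
# to no to keep the accepted methods to exactly those in use.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
# Default yes: any authenticated user may forward TCP ports through this
# host. Set to no unless port forwarding is actually needed.
#AllowTcpForwarding yes
#GatewayPorts no
# Enabled here; the upstream default is no. X11 forwarding lets a server-side
# process talk to the client's display, so keep it only if users need
# graphical sessions over SSH.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
# With ClientAliveInterval at 0 the server never probes the client, so
# sessions whose client has vanished stay open until the TCP connection
# dies. Setting an interval together with ClientAliveCountMax reaps them.
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
# Only locale variables are accepted from the client; keep this list narrow,
# since accepted variables are set in the user's session before the shell runs.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server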