
RHCE : SSH – Configure additional options described in documentation.

https://4am.kr/rhce-ssh-configure-additional-options-described-in-documentation/

RHCE : SSH – Configuring the additional options described in the documentation

This is an RHCE topic. The site referenced below has been translated, with some content added.

Configuration

1. If the SSH service is not installed, enter the following.
[root@server2 ~]# yum install -y openssh-server
Loaded plugins: fastestmirror, langpacks
RHELREPO                                                        | 3.6 kB  00:00:00     
Loading mirror speeds from cached hostfile
Package openssh-server-6.4p1-8.el7.x86_64 already installed and latest version
Nothing to do
[root@server2 ~]# 
2. To enable the SSH service at boot and start it, enter the following.
[root@server2 ~]# systemctl enable sshd && systemctl start sshd
[root@server2 ~]# 
3. To add the new service to the firewall, enter the following.
[root@server2 ~]# firewall-cmd --permanent --add-service=ssh
success
[root@server2 ~]#
4. To reload the firewall, enter the following.
[root@server2 ~]# firewall-cmd --reload
success
[root@server2 ~]# 
5. The ssh-related settings can be found in the /etc/ssh/sshd_config file.
[root@server2 ~]# vim /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2
6. The following describes the settings found in the /etc/ssh/sshd_config file shown above.
Port 22                                 # defines listening port for ssh
AddressFamily any                       # accepts IPv4 and IPv6 addresses
ListenAddress 0.0.0.0                   # allows ssh to listen on all network interfaces
ListenAddress ::                        # listens on IPv6 addresses too
Protocol 2                              # defines version of ssh (version 1 is not used any more)
SyslogFacility AUTHPRIV                 # stores logging attempts in /var/log/secure (see rsyslog.conf file)
LoginGraceTime 2m                       # sets the time to connect
PermitRootLogin yes                     # allows direct login as root: outside lab, this option should be set to 'no'
StrictModes yes                         # allows connection only if the user's home directory is not world-writable
MaxAuthTries 6                          # defines the number of authentication attempts allowed
MaxSessions 10                          # defines the limit of simultaneous open connections
PubkeyAuthentication yes                # enables public key authentication
AuthorizedKeysFile .ssh/authorized_keys # defines the location of the authorized-keys file
HostbasedAuthentication no              # forbids the use of /etc/hosts.equiv
IgnoreUserKnownHosts no                 # reads the .ssh/known_hosts at each connection
IgnoreRhosts yes                        # doesn't read user's ~/.rhosts file
PasswordAuthentication yes              # sets password-based authentication
PermitEmptyPasswords no                 # doesn't allow empty passwords (hopefully!)
ChallengeResponseAuthentication no      # forbids use of one-time passwords
UsePAM yes                              # enables the Pluggable Authentication Module interface
AllowAgentForwarding yes                # allows the ssh-agent to forward private keys
AllowTcpForwarding yes                  # allows TCP communications to be forwarded
GatewayPorts no                         # prevents remote hosts from connecting to ports forwarded for the client
X11Forwarding yes                       # enables X11 forwarding
X11DisplayOffset 10                     # limits the number of GUI displays open at the same time
X11UseLocalhost yes                     # defines how the GUI display is bound to the SSH server
PrintMotd yes                           # displays the message of the day
PrintLastLog yes                        # displays the date of the last login
TCPKeepAlive yes                        # allows the system to send TCP keepalive messages
UseLogin no                             # specifies whether login(1) is used for interactive login sessions
UsePrivilegeSeparation yes              # separates incoming network traffic processing from the rest
PermitUserEnvironment no                # doesn't deal with environment options
Compression delayed                     # specifies that compression is delayed until user authentication
ClientAliveInterval 0                   # doesn't send any message before client disconnection
ClientAliveCountMax 3                   # defines the number of messages before client disconnection
                                        # (only if ClientAliveInterval is different from 0)
UseDNS yes                              # checks remote hostnames against DNS
PidFile /var/run/sshd.pid               # defines the file where the SSH process ID is stored
MaxStartups 10                          # defines the number of terminals simultaneously allowed
PermitTunnel no                         # doesn't support device forwarding
ChrootDirectory none                    # disables the use of chroot
Subsystem sftp /usr/libexec/openssh/sftp-server # supports the use of SSH encryption for SFTP file transfers
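As an added example (not from the original post or the referenced site), the following POSIX shell script changes directives such as the ones in the table above the way sshd itself reads the file: the first uncommented occurrence of a keyword wins, comments are ignored, and everything after the first Match line is conditional, so a global directive has to be placed before it. The sample sshd_config it builds is constructed, and the whitespace-separated `Key value` form is assumed (not `Key=value`).

```shell
#!/bin/sh
# Added example: idempotent editing of global sshd_config directives.
set -eu

# get_sshd_option FILE KEY -> prints the effective global value, or nothing if unset.
# Keyword matching is case-insensitive, like sshd's parser; stops at the first Match.
get_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                        # comments and blanks
        tolower($1) == "match"   { exit }                        # conditional section
        tolower($1) == key       { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# set_sshd_option FILE KEY VALUE -> rewrite FILE so KEY's effective global value is VALUE.
# Comment lines (the shipped "#Key default" documentation) are left untouched.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0; cond = 0 }
        !cond && !/^[ \t]*#/ && tolower($1) == "match" {        # global section ends here
            if (!done) { print key " " value; done = 1 }        # insert before Match
            cond = 1
        }
        !cond && !/^[ \t]*#/ && tolower($1) == lk {
            if (!done) { print key " " value; done = 1 }        # first active hit: rewrite
            next                                                # later duplicates: drop
        }
        { print }
        END { if (!done) print key " " value }                  # never seen: append
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# validate_sshd_config FILE -> sshd's own syntax check, skipped where sshd is absent.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"; fi
}

# Constructed sample (not a real server's file), with a Match block at the end.
harden_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    set_sshd_option "$f" PermitRootLogin no            # outside a lab this should be 'no'
    set_sshd_option "$f" MaxAuthTries 3
    set_sshd_option "$f" ClientAliveInterval 300
    printf '%s\n' "$f"
}
```

Run `validate_sshd_config` on the rewritten file before `systemctl reload sshd`, since a typo in a directive keeps sshd from starting.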

Additional resources