tony@tonybox:~$ ssh root@192.168.102.50
The authenticity of host '192.168.102.50 (192.168.102.50)' can't be established.
RSA key fingerprint is c6:d4:e7:23:03:ce:15:2c:08:ec:39:7e:52:29:a5:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.102.50' (RSA) to the list of known hosts.
root@192.168.102.50's password:******
Last login: Thu Oct 26 10:38:41 2006
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vmdebian:~#
Default configuration
The default sshd_config file
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Uses port 22 by default
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# Uses SSH protocol version 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# The host keys are stored here
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Requires the sshd user to start the ssh service
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
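# The server generates this key at startup and regenerates it at a fixed interval. The length specified here is 768 bits (the minimum is 512) and the interval is 3600.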
# Logging
SyslogFacility AUTH
# Sets the syslog facility (KERN, DAEMON, USER, AUTH, MAIL, etc.)
LogLevel INFO
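# Sets the log level to INFO. From lowest to highest the values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG. Logging at DEBUG violates users' privacy; that level should be used only for diagnostics, not for normal operation.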
# Authentication:
LoginGraceTime 120
# Sets how long (in seconds) the server waits before dropping the connection if the user has not logged in successfully.
PermitRootLogin yes
# Allows root to log in
StrictModes yes
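# Sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because novices often make their own directories and files writable by anyone.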
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Completely forbids sshd from using .rhosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# Sets whether rhosts-based authentication using the RSA algorithm is used.
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# Sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" when performing RhostsRSAAuthentication
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Empty passwords are not allowed
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Turns off challenge-response authentication
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Sets whether clear-text password authentication is used
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# Kerberos-related options
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# GSSAPI-related options
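
The annotated options above can be checked mechanically. The following Python script is an added example, not part of the original article or of OpenSSH: it parses the active (uncommented) directives of an sshd_config and compares them with a hypothetical hardening baseline. `BASELINE`, `parse_sshd_config` and `audit` are names assumed here, and the baseline values are this example's own policy choice.

```python
# Added example, not from the original page. SAMPLE excerpts the file listed above.
SAMPLE = """\
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
#PasswordAuthentication yes
"""

# Hypothetical hardening baseline: an assumption of this example, not from the page.
BASELINE = {
    "protocol": "2",
    "permitrootlogin": "no",
    "strictmodes": "yes",
    "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
    "permitemptypasswords": "no",
    "passwordauthentication": "no",
}

def parse_sshd_config(text):
    """Return {keyword: [values]} for active lines; keywords are case-insensitive."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the directive is not set here
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(parts[0].lower(), []).append(value)
    return cfg

def audit(cfg, baseline=BASELINE):
    """List (keyword, found, wanted); sshd uses the first value it reads per keyword."""
    findings = []
    for key, want in sorted(baseline.items()):
        found = cfg[key][0].lower() if key in cfg else "unset"
        if found != want:
            findings.append((key, found, want))
    return findings

if __name__ == "__main__":
    for key, found, want in audit(parse_sshd_config(SAMPLE)):
        print(f"{key}: found {found!r}, baseline wants {want!r}")
```

A keyword reported as "unset" is commented out or missing, so sshd falls back to its built-in default for it; confirm that default in sshd_config(5) for the installed version.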