验证sshd配置

Question

如何验证sshd的配置？

例如，我希望确保设置和应用这些设置：

AllowUsers user1 user2 
PasswordAuthentication no
PermitRootLogin no

是手动验证文件sshd_config的内容的唯一方法，还是我可以探测sshd以确保？

Answer 1

有一个扩展的测试模式，它使用命令行选项-T调用，这样就可以做到这一点。例如：

% sudo sshd -T | egrep -i 'allowusers|passwordauth|permitroot'
permitrootlogin yes
passwordauthentication yes

该选项自2008年以来一直存在于便携式OpenSSH中，参考文献。提交e7140f2。这是发布5.1p1，在2008年7月，参考文件。5.1发布说明，因此它存在于今天支持的几乎所有OpenSSH服务器安装中。

Answer 2

sshd的配置通常在以下文件中找到：/etc/ssh/sshd_config。

要查询运行时配置，可以使用扩展测试模式sshd -T，它还允许您测试设置的客户端匹配。

Answer 3

虽然这不会转储所有服务器定义，但您可以尝试使用详细的调试标志：ssh -v user@server连接到服务器。这将为您提供许多反映sshd配置中启用的选项的信息。

例如，使用-v交换机查看此连接的输出(密钥签名、域和IP地址有意伪装)：

OpenSSH_6.0p1, OpenSSL 0.9.8w 23 Apr 2012
debug1: Reading configuration data /home/claudio/.ssh/config
debug1: /home/claudio/.ssh/config line 13: Applying options for serv01
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to somedomain.com [185.113.29.221] port 22.
debug1: Connection established.
debug1: identity file /home/claudio/.ssh/id_dsa type 2
debug1: identity file /home/claudio/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
debug1: match: OpenSSH_5.9 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 3a:0d:b8:18:ca:67:4c:54:0f:c8:b2:1e:48:53:69:28
debug1: Host '[somedomain.com]:22' is known and matches the ECDSA host key.
debug1: Found key in /home/claudio/.ssh/known_hosts:7
Warning: Permanently added the ECDSA host key for IP address '[185.113.29.221]:22' to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/claudio/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
Authenticated to somedomain.com ([185.113.29.221]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

由此您可以看到允许的身份验证方法有:公钥、密码、键盘交互.您还可以看到，此服务器不允许漫游，并且用户claudio可以使用他的公钥进行连接。

您可以增加信息输出的级别，指定更多的"v“字母，但这样您可能会得到比您可能想要的更低级别的信息。