Reference: sshd_config - How to configure the OpenSSH server

Common configuration changes

Cryptographic policy

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
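
The policy above still lists several SHA-1 and DSA based algorithms (ssh-dss, ssh-rsa, hmac-sha1, diffie-hellman-group14-sha1). The Python script below is an added example, not part of the referenced guide: it parses the four directives and reports such entries. The LEGACY review list and the function names are assumptions of this example.

```python
"""Flag legacy algorithms in sshd_config crypto directives (added example)."""

# Assumption: this review list is the example's own, not the page's. Every entry is
# SHA-1 or DSA based; OpenSSH disabled ssh-dss by default in 7.0 and ssh-rsa in 8.8.
LEGACY = {
    "ssh-dss": "DSA host key, SHA-1 signature",
    "ssh-rsa": "RSA signature over SHA-1",
    "hmac-sha1": "SHA-1 MAC",
    "diffie-hellman-group14-sha1": "SHA-1 key exchange hash",
    "diffie-hellman-group1-sha1": "1024-bit group, SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1 key exchange hash",
}
DIRECTIVES = ("ciphers", "hostkeyalgorithms", "kexalgorithms", "macs")

# The page's Cryptographic policy block, copied verbatim as sample input.
PAGE_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""

def parse(text):
    """Return {directive: [algorithms]}; like sshd, the first occurrence wins."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # directives below a Match line apply conditionally; not audited
        if key in DIRECTIVES and key not in seen:
            # A leading '-' removes names from the defaults, so it enables nothing.
            names = [] if value.startswith("-") else value.lstrip("+^").split(",")
            seen[key] = [n.strip() for n in names if n.strip()]
    return seen

def audit(text):
    """Return sorted (directive, algorithm, reason) findings."""
    return sorted((d, a, LEGACY[a])
                  for d, algs in parse(text).items() for a in algs if a in LEGACY)

if __name__ == "__main__":
    for directive, alg, why in audit(PAGE_CONFIG):
        print(f"{directive}: {alg} ({why})")
```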

Root login

To disable passwords for root, but still allow key-based access without a forced command, use:

PermitRootLogin prohibit-password

To disable passwords and only allow key-based access with a forced command, use:

PermitRootLogin forced-commands-only

Verbose logging

LogLevel VERBOSE

AuthorizedKeysFile location

AuthorizedKeysFile /etc/ssh/authorized-keys/%u