# 查看當前 SSH 伺服器的加密和 MACs 配置
sudo sshd -T | grep "\(ciphers\|macs\)"

# Ansible managed: Do NOT edit this file manually!

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# SSH 伺服器監聽的端口
Port 22
#AddressFamily any

# 這表示 SSH 伺服器會監聽所有的 IPv4 和 IPv6 地址
ListenAddress 0.0.0.0
ListenAddress ::

# 啟用協定版本2
Protocol 2

# HOST金鑰的位置
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# 選擇密碼套件
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

# 選擇密鑰交換算法
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

# 選擇訊息驗證碼算法
MACs hmac-sha2-512,hmac-sha2-256

# Logging
# SyslogFacility AUTHPRIV 是用於記錄所有與安全和權限相關的資訊。
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:
# 登入的超時時間(2分鐘)
#LoginGraceTime 2m
# 此選項禁止 root 使用者透過密碼認證登入，但允許公鑰認證。
PermitRootLogin prohibit-password
#StrictModes yes

# 登入嘗試的最大次數
#MaxAuthTries 6

# 允許的最大連接數量
#MaxSessions 10

# 允許公鑰認證
#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# 允許使用密碼認證來登入 SSH 伺服器 To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

# 此選項禁止空密碼認證
PermitEmptyPasswords  no

# 禁止使用鍵盤互動認證 Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# 開啟 PAM（插入式認證模組）認證
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# 啟用 X11 轉發，允許客戶端將 X11 圖形介面轉發至遠端主機。
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# 每次用戶登入時顯示訊息
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed

# 客戶端存活訊息間隔(秒)
#ClientAliveInterval 0
#ClientAliveCountMax 3
# SSH 伺服器不會嘗試解析遠端主機的 DNS 名稱，這可以避免某些 DNS 解析問題導致的連接延遲。
UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
# 允許客戶端傳遞 LANG 和 LC_* 這些環境變數，這些變數通常用於設定語言和地區設定。
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server