/etc/ssh/sshd_config
The sshd_config file is the main configuration file for the OpenSSH SSH daemon (sshd). It controls various aspects of how sshd operates, including authentication methods, port settings, and user permissions. This file is typically located at /etc/ssh/sshd_config on most Linux systems.
Here is a detailed overview of common settings in /etc/ssh/sshd_config:
Basic Configuration Options
Port:
Specifies the port number sshd listens on. The default is 22.
Example:
Port 22
ListenAddress:
Specifies the IP address sshd should listen on. You can specify multiple addresses by repeating the directive, one per line.
Example:
ListenAddress 0.0.0.0
ListenAddress ::
PermitRootLogin:
Controls whether the root user can log in via SSH. Options include yes, no, without-password, and prohibit-password (without-password is the older spelling of prohibit-password, which allows root to log in only with non-password methods such as public keys).
Example:
PermitRootLogin no
PasswordAuthentication:
Enables or disables password authentication. For improved security, consider using key-based authentication.
Example:
PasswordAuthentication yes
PubkeyAuthentication:
Enables or disables public key authentication.
Example:
PubkeyAuthentication yes
PermitEmptyPasswords:
Allows or disallows login with empty passwords.
Example:
PermitEmptyPasswords no
ChallengeResponseAuthentication:
Enables or disables challenge-response authentication (such as OTP).
Example:
ChallengeResponseAuthentication no
UsePAM:
Specifies whether to use Pluggable Authentication Modules (PAM) for authentication.
Example:
UsePAM yes
AllowUsers:
Specifies which users are allowed to log in via SSH.
Example:
AllowUsers user1 user2
DenyUsers:
Specifies which users are denied SSH access.
Example:
DenyUsers user3 user4
AllowGroups:
Specifies which groups are allowed to log in via SSH.
Example:
AllowGroups sshusers
DenyGroups:
Specifies which groups are denied SSH access.
Example:
DenyGroups badusers
X11Forwarding:
Enables or disables X11 forwarding.
Example:
X11Forwarding yes
AllowTcpForwarding:
Controls whether TCP forwarding is allowed.
Example:
AllowTcpForwarding yes
PrintMotd:
Controls whether the message of the day (MOTD) is printed when a user logs in.
Example:
PrintMotd yes
Subsystem:
Configures subsystems like sftp. By default, OpenSSH provides an SFTP subsystem.
Example:
Subsystem sftp /usr/lib/openssh/sftp-server
PermitTunnel:
Allows or disallows tunnelled sessions.
Example:
PermitTunnel no
LogLevel:
Sets the verbosity of logging. Levels include QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, and DEBUG1, DEBUG2, DEBUG3 for more detailed debugging.
Example:
LogLevel INFO
Example Configuration
Here is an example of a more secure sshd_config
:
# Port to listen on
Port 22
# Allow only specific users
AllowUsers user1 user2
# Disable root login
PermitRootLogin no
# Enable public key authentication
PubkeyAuthentication yes
# Disable password authentication
PasswordAuthentication no
# Disable empty passwords
PermitEmptyPasswords no
# Enable X11 forwarding
X11Forwarding yes
# Log level
LogLevel VERBOSE
# Subsystem for SFTP
Subsystem sftp /usr/lib/openssh/sftp-server
Reloading Configuration
After making changes to sshd_config, you need to reload or restart the sshd service to apply the changes:
Reload (to apply configuration changes without disconnecting active sessions):
sudo systemctl reload sshd
Restart (to restart the sshd service):
sudo systemctl restart sshd
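As an added check that is not part of the original page (the function names are assumptions, and the baseline values are taken from the example configuration above), this Python script reads an sshd_config the way sshd does and reports where the effective global settings miss the baseline:

```python
# Added helper, not from the page or OpenSSH; names are assumptions. sshd
# uses the FIRST value it finds for a keyword (later duplicates are ignored),
# keywords are case-insensitive, and directives after a Match line are
# conditional, so a "last line wins" grep misjudges the effective config.

BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
            "permitemptypasswords": "no", "pubkeyauthentication": "yes"}

def parse_global(config_text):
    """Return effective global settings as {lowercase keyword: value}."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)       # whitespace-separated "Keyword value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                         # the rest is conditional, not global
        effective.setdefault(keyword, value)   # first occurrence wins
    return effective

def audit(config_text):
    """Return a list of findings; an empty list means the baseline is met."""
    effective = parse_global(config_text)
    findings = []
    for keyword, expected in BASELINE.items():
        actual = effective.get(keyword)
        if actual is None:
            findings.append(f"{keyword}: not set explicitly (expected {expected})")
        elif actual.lower() != expected:
            findings.append(f"{keyword}: is {actual!r}, expected {expected!r}")
    return findings

# Constructed sample (not a real host's file): the final "PasswordAuthentication no"
# looks like a fix but is ignored by sshd, because the earlier "yes" came first.
SAMPLE_CONFIG = """\
Port 22
permitrootlogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["baseline met"]:
        print(finding)
```

Before reloading, also let sshd itself validate the file with sudo sshd -t, since a file sshd cannot parse will prevent it from restarting.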
Summary
The sshd_config
file is crucial for configuring how the SSH daemon operates, including security settings, authentication methods, and user permissions. Properly configuring this file helps secure SSH access and manage how users connect to the system.