/etc/ssh/sshd_config

The sshd_config file is the main configuration file for the OpenSSH SSH daemon (sshd). It controls various aspects of how sshd operates, including authentication methods, port settings, and user permissions. This file is typically located at /etc/ssh/sshd_config on most Linux systems.

Here is a detailed overview of common settings in /etc/ssh/sshd_config:

Basic Configuration Options

Port:
- Specifies the port number sshd listens on. The default is 22.
- Example:
  Port 22
ListenAddress:
- Specifies the IP address sshd should listen on. You can specify multiple addresses.
- Example:
  ListenAddress 0.0.0.0 ListenAddress ::
PermitRootLogin:
- Controls whether the root user can log in via SSH. Options include yes, no, without-password, prohibit-password.
- Example:
  PermitRootLogin no
PasswordAuthentication:
- Enables or disables password authentication. For improved security, consider using key-based authentication.
- Example:
  PasswordAuthentication yes
PubkeyAuthentication:
- Enables or disables public key authentication.
- Example:
  PubkeyAuthentication yes
PermitEmptyPasswords:
- Allows or disallows login with empty passwords.
- Example:
  PermitEmptyPasswords no
ChallengeResponseAuthentication:
- Enables or disables challenge-response authentication (such as OTP).
- Example:
  ChallengeResponseAuthentication no
UsePAM:
- Specifies whether to use Pluggable Authentication Modules (PAM) for authentication.
- Example:
  UsePAM yes
AllowUsers:
- Specifies which users are allowed to log in via SSH.
- Example:
  AllowUsers user1 user2
DenyUsers:
- Specifies which users are denied SSH access.
- Example:
  DenyUsers user3 user4
AllowGroups:
- Specifies which groups are allowed to log in via SSH.
- Example:
  AllowGroups sshusers
DenyGroups:
- Specifies which groups are denied SSH access.
- Example:
  DenyGroups badusers
X11Forwarding:
- Enables or disables X11 forwarding.
- Example:
  X11Forwarding yes
AllowTcpForwarding:
- Controls whether TCP forwarding is allowed.
- Example:
  AllowTcpForwarding yes
PrintMotd:
- Controls whether the message of the day (MOTD) is printed when a user logs in.
- Example:
  PrintMotd yes
Subsystem:
- Configures subsystems like sftp. By default, OpenSSH provides an SFTP subsystem.
- Example:
  Subsystem sftp /usr/lib/openssh/sftp-server
PermitTunnel:
- Allows or disallows tunnelled sessions.
- Example:
  PermitTunnel no
LogLevel:
- Sets the verbosity of logging. Levels include QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, and DEBUG1, DEBUG2, DEBUG3 for more detailed debugging.
- Example:
  LogLevel INFO

Example Configuration

Here is an example of a more secure sshd_config:

# Port to listen on
Port 22

# Allow only specific users
AllowUsers user1 user2

# Disable root login
PermitRootLogin no

# Enable public key authentication
PubkeyAuthentication yes

# Disable password authentication
PasswordAuthentication no

# Disable empty passwords
PermitEmptyPasswords no

# Enable X11 forwarding
X11Forwarding yes

# Log level
LogLevel VERBOSE

# Subsystem for SFTP
Subsystem sftp /usr/lib/openssh/sftp-server

Reloading Configuration

After making changes to sshd_config, you need to reload or restart the sshd service to apply the changes:

Reload (to apply configuration changes without disconnecting active sessions):
```
sudo systemctl reload sshd
```
Restart (to restart the sshd service):
```
sudo systemctl restart sshd
```

Summary

The sshd_config file is crucial for configuring how the SSH daemon operates, including security settings, authentication methods, and user permissions. Properly configuring this file helps secure SSH access and manage how users connect to the system.

Previous/etc/services Next/etc/ssh

Last updated 10 months ago