sshd (OpenSSH Daemon) is the server-side component of the OpenSSH suite, responsible for handling incoming SSH connections and managing secure remote login sessions. It allows users to securely connect to a remote machine over a network.

sshd Command-Line Options

When starting sshd, you can use various command-line options to control its behavior. Here are some of the most important options:

-D: Run sshd in the foreground. Useful for debugging or running sshd in environments where a daemon is not desirable.
-f config_file: Specify a custom configuration file instead of the default /etc/ssh/sshd_config.
-p port: Specify a port number for sshd to listen on. By default, sshd listens on port 22.
-h: Print a help message showing all available options.
-t: Test the configuration file for errors without starting sshd.
-u: Enable user-based options. This is useful for overriding default options with user-specific settings.
-a: Enable authentication methods specified in the configuration file. This option is not commonly used directly but is more relevant in internal or script contexts.

The main configuration file for sshd is /etc/ssh/sshd_config. Some key settings you can configure in this file include:

Port: Specifies the port number for sshd to listen on.
PermitRootLogin: Controls whether root can log in via SSH. Options include yes, no, without-password, or prohibit-password.
PasswordAuthentication: Enables or disables password authentication. For better security, consider using key-based authentication.
PubkeyAuthentication: Enables or disables public key authentication.
AllowUsers: Specifies which users are allowed to log in via SSH.
DenyUsers: Specifies which users are denied SSH access.
PermitEmptyPasswords: Allows or denies login with empty passwords. It is generally advised to disable this for security reasons.
AllowTcpForwarding: Controls whether TCP forwarding is permitted.
X11Forwarding: Enables or disables X11 forwarding.
ChallengeResponseAuthentication: Controls whether challenge-response authentication is allowed (e.g., for 2FA).
UsePAM: Specifies whether to use Pluggable Authentication Modules (PAM) for authentication.
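
The settings above can be checked mechanically. The following is an added example, not code from the original page or from OpenSSH: it audits sshd_config text against the hardening advice given here, honoring sshd's first-value-wins rule and reporting Match-block overrides separately. The POLICY table, the function names and the sample configuration are assumptions of this example.

```python
import re

# Assumed policy for this example (keyword -> acceptable values), from the page's advice.
POLICY = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
}

def parse_sshd_config(text):
    """Split sshd_config text into global settings and Match-block overrides."""
    global_settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            match = value  # following lines apply only to this Match block
        elif match is not None:
            overrides.append((match, keyword, value))
        else:
            # sshd uses the first value it obtains for a keyword.
            global_settings.setdefault(keyword, value)
    return global_settings, overrides

def audit(text):
    """Return (scope, keyword, value) for every explicit setting outside POLICY."""
    global_settings, overrides = parse_sshd_config(text)
    findings = [("global", k, v) for k, v in global_settings.items()
                if k in POLICY and v.lower() not in POLICY[k]]
    findings += [("Match " + m, k, v) for m, k, v in overrides
                 if k in POLICY and v.lower() not in POLICY[k]]
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
Port 22
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication=yes
PermitEmptyPasswords no
Match User backup
    PermitRootLogin yes
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The duplicate PermitRootLogin yes in the global section is not reported because the earlier no takes effect, while the same line inside the Match block is reported because it re-enables root login for that user. Keywords that are absent from the file are not evaluated here, since their values come from the compiled-in defaults.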

Start sshd with a custom configuration file and in the foreground:

Test the sshd configuration for errors:

Start sshd on a non-default port:

The sshd command is central to managing SSH connections on a server. Understanding its command-line options and configuration file settings allows administrators to securely and efficiently manage remote access. For robust security, ensure that sshd is configured to use key-based authentication, restrict root access, and implement other best practices.