sshd

sshd (OpenSSH Daemon) is the server-side component of the OpenSSH suite, responsible for handling incoming SSH connections and managing secure remote login sessions. It allows users to securely connect to a remote machine over a network.

Important sshd Command-Line Options

When starting sshd, you can use various command-line options to control its behavior. Here are some of the most important options:

Starting sshd:

• -D: Run sshd in the foreground. Useful for debugging or running sshd in environments where a daemon is not desirable.

  /usr/sbin/sshd -D

• -f config_file: Specify a custom configuration file instead of the default /etc/ssh/sshd_config.

  /usr/sbin/sshd -f /path/to/custom_sshd_config

• -p port: Specify a port number for sshd to listen on. By default, sshd listens on port 22.

  /usr/sbin/sshd -p 2222

• -h: Print a help message showing all available options.

  /usr/sbin/sshd -h

• -t: Test the configuration file for errors without starting sshd.

  /usr/sbin/sshd -t

• -u: Enable user-based options. This is useful for overriding default options with user-specific settings.

  /usr/sbin/sshd -u

• -a: Enable authentication methods specified in the configuration file. This option is not commonly used directly but is more relevant in internal or script contexts.

Configuration File Options

The main configuration file for sshd is /etc/ssh/sshd_config. Some key settings you can configure in this file include:

• Port: Specifies the port number for sshd to listen on.

  Port 22

• PermitRootLogin: Controls whether root can log in via SSH. Options include yes, no, without-password, or prohibit-password.

  PermitRootLogin no

• PasswordAuthentication: Enables or disables password authentication. For better security, consider using key-based authentication.

  PasswordAuthentication yes

• PubkeyAuthentication: Enables or disables public key authentication.

  PubkeyAuthentication yes

• AllowUsers: Specifies which users are allowed to log in via SSH.

  AllowUsers user1 user2

• DenyUsers: Specifies which users are denied SSH access.

  DenyUsers user3 user4

• PermitEmptyPasswords: Allows or denies login with empty passwords. It is generally advised to disable this for security reasons.

  PermitEmptyPasswords no

• AllowTcpForwarding: Controls whether TCP forwarding is permitted.

  AllowTcpForwarding yes

• X11Forwarding: Enables or disables X11 forwarding.

  X11Forwarding yes

• ChallengeResponseAuthentication: Controls whether challenge-response authentication is allowed (e.g., for 2FA).

  ChallengeResponseAuthentication no

• UsePAM: Specifies whether to use Pluggable Authentication Modules (PAM) for authentication.

  UsePAM yes

Example Usage

• Start sshd with a custom configuration file and in the foreground:

  /usr/sbin/sshd -f /etc/ssh/sshd_config.custom -D

• Test the sshd configuration for errors:

  /usr/sbin/sshd -t

• Start sshd on a non-default port:

  /usr/sbin/sshd -p 2222

Summary

The sshd command is central to managing SSH connections on a server. Understanding its command-line options and configuration file settings allows administrators to securely and efficiently manage remote access. For robust security, ensure that sshd is configured to use key-based authentication, restrict root access, and implement other best practices.