sshd
sshd (OpenSSH Daemon) is the server-side component of the OpenSSH suite, responsible for handling incoming SSH connections and managing secure remote login sessions. It allows users to securely connect to a remote machine over a network.
Important sshd Command-Line Options

When starting sshd, you can use various command-line options to control its behavior. Here are some of the most important options:
Starting sshd:

-D: Runs sshd in the foreground. Useful for debugging or running sshd in environments where a daemon is not desirable.
    /usr/sbin/sshd -D

-f config_file: Specify a custom configuration file instead of the default /etc/ssh/sshd_config.
    /usr/sbin/sshd -f /path/to/custom_sshd_config

-p port: Specify a port number for sshd to listen on. By default, sshd listens on port 22.
    /usr/sbin/sshd -p 2222

-h: Print a help message showing all available options.
    /usr/sbin/sshd -h

-t: Test the configuration file for errors without starting sshd.
    /usr/sbin/sshd -t

-u: Enable user-based options. This is useful for overriding default options with user-specific settings.
    /usr/sbin/sshd -u

-a: Enable authentication methods specified in the configuration file. This option is not commonly used directly but is more relevant in internal or script contexts.

Configuration File Options

The main configuration file for sshd is /etc/ssh/sshd_config. Some key settings you can configure in this file include:

Port: Specifies the port number for sshd to listen on.
    Port 22

PermitRootLogin: Controls whether root can log in via SSH. Options include yes, no, without-password, or prohibit-password.
    PermitRootLogin no

PasswordAuthentication: Enables or disables password authentication. For better security, consider using key-based authentication.
    PasswordAuthentication yes

PubkeyAuthentication: Enables or disables public key authentication.
    PubkeyAuthentication yes

AllowUsers: Specifies which users are allowed to log in via SSH.
    AllowUsers user1 user2

DenyUsers: Specifies which users are denied SSH access.
    DenyUsers user3 user4

PermitEmptyPasswords: Allows or denies login with empty passwords. It is generally advised to disable this for security reasons.
    PermitEmptyPasswords no

AllowTcpForwarding: Controls whether TCP forwarding is permitted.
    AllowTcpForwarding yes

X11Forwarding: Enables or disables X11 forwarding.
    X11Forwarding yes

ChallengeResponseAuthentication: Controls whether challenge-response authentication is allowed (e.g., for 2FA).
    ChallengeResponseAuthentication no

UsePAM: Specifies whether to use Pluggable Authentication Modules (PAM) for authentication.
    UsePAM yes

Example Usage

Start sshd with a custom configuration file and in the foreground:
    /usr/sbin/sshd -f /etc/ssh/sshd_config.custom -D

Test the sshd configuration for errors:
    /usr/sbin/sshd -t

Start sshd on a non-default port:
    /usr/sbin/sshd -p 2222

Summary

The sshd command is central to managing SSH connections on a server. Understanding its command-line options and configuration file settings allows administrators to securely and efficiently manage remote access. For robust security, ensure that sshd is configured to use key-based authentication, restrict root access, and implement other best practices.
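
An added example (not part of the original page or of OpenSSH): a shell function that checks the global section of an sshd_config file for the settings recommended above. It relies on sshd using the first value it reads for each keyword. The function name, the accepted values and the sample config are assumptions made for illustration, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit the global part of an sshd_config-style file.

audit_sshd_config() {
    # $1 = path to the config file; prints one sorted verdict line per keyword.
    awk '
    BEGIN {
        # Accepted values as regexes (assumption: the policy of this audit).
        want["permitrootlogin"]        = "^(no|prohibit-password)$"
        want["passwordauthentication"] = "^no$"
        want["pubkeyauthentication"]   = "^yes$"
        want["permitemptypasswords"]   = "^no$"
    }
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    {
        key = tolower($1)              # keywords are case-insensitive
        if (key == "match") exit       # conditional blocks are out of scope
        # sshd keeps the first value it reads, so later duplicates are ignored
        if ((key in want) && !(key in seen)) seen[key] = tolower($2)
    }
    END {
        for (k in want) {
            if (!(k in seen))            print "UNSET", k
            else if (seen[k] ~ want[k])  print "OK", k, seen[k]
            else                         print "WEAK", k, seen[k]
        }
    }' "$1" | sort
}

# Constructed sample config, embedded so the script runs offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real host's config
Port 22
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PermitRootLogin yes
    PermitEmptyPasswords yes
EOF

audit_sshd_config "$SAMPLE"
```

The second PasswordAuthentication line never takes effect, so the audit reports the keyword as WEAK even though "no" appears later in the file. UNSET means the keyword is absent from the global section and sshd's built-in default applies.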