/etc/ssh/sshd_config

The /etc/ssh/sshd_config file is a critical configuration file for the SSH daemon (sshd) on Linux systems. It defines various parameters and settings that govern the behavior of the SSH server, including authentication methods, access controls, and SSH protocol options.

Overview of /etc/ssh/sshd_config

Purpose

The primary purpose of /etc/ssh/sshd_config is to configure the SSH server (sshd) to:

  • Securely authenticate users and hosts.

  • Define access policies and restrictions.

  • Specify SSH protocol settings.

  • Configure logging and other operational behaviors.

Key Configuration Directives

  1. Port

    Specifies the port number on which sshd listens for incoming SSH connections:

    Port 22

  2. Protocol

    Specifies the SSH protocol versions allowed:

    Protocol 2

  3. HostKeys

    Specifies the location of host key files used for server authentication:

    HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

  4. Authentication

    Configures authentication methods allowed for user authentication:

    # Enable public key authentication
PubkeyAuthentication yes

# Disable password authentication
PasswordAuthentication no

# Allow root login with password
PermitRootLogin yes

  5. Logging

    Configures logging settings for SSH server activity:

    # Log level (INFO, VERBOSE, DEBUG, etc.)
LogLevel INFO

# Log SSH daemon activities
SyslogFacility AUTH

  6. Access Controls

    Defines access rules and restrictions for SSH connections:

    # Allow users from specific groups
AllowGroups sshusers

# Deny users from specific groups
DenyGroups root

# Allow specific users
AllowUsers user1 user2

# Deny specific users
DenyUsers user3

  7. Other Settings

    There are numerous other settings that can be configured in sshd_config depending on specific security and operational requirements, including:

    • TCPKeepAlive

    • UseDNS

    • PermitEmptyPasswords

    • MaxAuthTries

    • X11Forwarding

    • Match directives for conditional configurations

Example sshd_config

Here's an example of a basic sshd_config file with some common configurations:

# Port to listen on
Port 22

# Protocol versions to use
Protocol 2

# Host keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Authentication methods
PubkeyAuthentication yes
PasswordAuthentication no

# Logging
LogLevel INFO
SyslogFacility AUTH

# Access controls
AllowGroups sshusers
DenyGroups root
AllowUsers user1 user2
DenyUsers user3

Applying Changes

After making changes to /etc/ssh/sshd_config, it's important to restart the SSH daemon (sshd) to apply the new configuration:

sudo systemctl restart sshd

Security Considerations

  • Always use strong authentication methods like public key authentication (PubkeyAuthentication yes) and disable weak methods like password authentication (PasswordAuthentication no) where possible.

  • Regularly review and update sshd_config to adhere to security best practices and organizational policies.

Conclusion

/etc/ssh/sshd_config is a critical file for configuring the SSH server (sshd) on Linux systems. Proper configuration of this file ensures secure and efficient SSH connections, while also enhancing overall system security.

Previous/etc/snortNext/etc/ssh

Last updated