/etc/ssh/sshd_config

The /etc/ssh/sshd_config file is a critical configuration file for the SSH daemon (sshd) on Linux systems. It defines various parameters and settings that govern the behavior of the SSH server, including authentication methods, access controls, and SSH protocol options.

Overview of /etc/ssh/sshd_config

Purpose

The primary purpose of /etc/ssh/sshd_config is to configure the SSH server (sshd) to:

• Securely authenticate users and hosts.

• Define access policies and restrictions.

• Specify SSH protocol settings.

• Configure logging and other operational behaviors.

Key Configuration Directives

1. Port

   Specifies the port number on which sshd listens for incoming SSH connections:

   Port 22

2. Protocol

   Specifies the SSH protocol versions allowed:

   Protocol 2

3. HostKeys

   Specifies the location of host key files used for server authentication:

   HostKey /etc/ssh/ssh_host_rsa_key
   HostKey /etc/ssh/ssh_host_ed25519_key

4. Authentication

   Configures authentication methods allowed for user authentication:

   # Enable public key authentication
   PubkeyAuthentication yes
   
   # Disable password authentication
   PasswordAuthentication no
   
   # Allow root login with password
   PermitRootLogin yes

5. Logging

   Configures logging settings for SSH server activity:

   # Log level (INFO, VERBOSE, DEBUG, etc.)
   LogLevel INFO
   
   # Log SSH daemon activities
   SyslogFacility AUTH

6. Access Controls

   Defines access rules and restrictions for SSH connections:

   # Allow users from specific groups
   AllowGroups sshusers
   
   # Deny users from specific groups
   DenyGroups root
   
   # Allow specific users
   AllowUsers user1 user2
   
   # Deny specific users
   DenyUsers user3

7. Other Settings

   There are numerous other settings that can be configured in sshd_config depending on specific security and operational requirements, including:

   • TCPKeepAlive

   • UseDNS

   • PermitEmptyPasswords

   • MaxAuthTries

   • X11Forwarding

   • Match directives for conditional configurations

Example sshd_config

Here's an example of a basic sshd_config file with some common configurations:

# Port to listen on
Port 22

# Protocol versions to use
Protocol 2

# Host keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Authentication methods
PubkeyAuthentication yes
PasswordAuthentication no

# Logging
LogLevel INFO
SyslogFacility AUTH

# Access controls
AllowGroups sshusers
DenyGroups root
AllowUsers user1 user2
DenyUsers user3

Applying Changes

After making changes to /etc/ssh/sshd_config, it's important to restart the SSH daemon (sshd) to apply the new configuration:

sudo systemctl restart sshd

Security Considerations

• Always use strong authentication methods like public key authentication (PubkeyAuthentication yes) and disable weak methods like password authentication (PasswordAuthentication no) where possible.

• Regularly review and update sshd_config to adhere to security best practices and organizational policies.

Conclusion

/etc/ssh/sshd_config is a critical file for configuring the SSH server (sshd) on Linux systems. Proper configuration of this file ensures secure and efficient SSH connections, while also enhancing overall system security.