The sshd_config File: Complete Guide for Linux

The SSH or Secure Shell protocol is used to log into a computer remotely and run commands on the remote computer. Data transferred using the SSH protocol is encrypted using special algorithms that make SSH more secure than Telnet. Basically, OpenSSH is a tool that implements this protocol.

What will we cover?

In this guide, we will examine the different aspects of the OpenSSH server configuration file. Let’s start now.

OpenSSH configuration files

There are some core files for both the OpenSSH client and the server. There are two types of configuration files:

1. Client-side files: the first is ssh_config, the system-wide client configuration file, located at /etc/ssh/ssh_config.

The other file is config, a user-specific configuration file located at $HOME/.ssh/config.

The SSH program on a host takes its configuration either from these files or from options given on the command line. For the above files, the system-wide configuration file ssh_config takes precedence over the user-specific “config” file.

2. Server-side file: sshd_config, located at /etc/ssh/sshd_config. The OpenSSH server reads this file at startup.

Examine the sshd configuration file

The sshd configuration file contains many directives that can also be customized. Let’s look at the default layout of this file:

$ cat /etc/ssh/sshd_config

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

Port 222
ListenAddress 0.0.0.0
ListenAddress ::
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail no

Any line beginning with “#” is treated as a comment. Note that this listing comes from an old OpenSSH release: directives such as ServerKeyBits, KeyRegenerationInterval, RSAAuthentication and RhostsRSAAuthentication belong to SSH protocol 1, which current OpenSSH no longer supports, and sshd reports them as deprecated options. Let’s examine some of the given parameters:

1. The Port directive specifies the TCP port on which sshd listens for connections. The default is 22; in our case, however, we changed it to 222.

We can also give more than one Port directive, in which case sshd listens for connections on all of the listed ports.

2. The ListenAddress directive specifies the local IP address(es) on which sshd listens. By default it listens on all IP addresses bound to the server. Also note that a Port directive must precede the ListenAddress directives it applies to.

3. The HostKey directive gives the fully qualified path of the file holding the server's private host key. In the listing above, the path is /etc/ssh/ssh_host_key.

4. The PermitRootLogin directive allows root login for sshd when set to yes. This should be set to no unless the hosts.allow and hosts.deny files are used to restrict sshd access.

5. The X11Forwarding directive allows X Window System forwarding when set to yes.

6. The SyslogFacility directive specifies which syslog facility sshd logs to. Leave the default value unchanged.

7. The LogLevel directive sets the verbosity of the messages sshd sends to syslog.
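The directives just discussed are the ones most often left in a risky state. As an added example (not part of the original article), the script below audits an sshd_config for them. Like sshd itself, it takes the first value given for a directive and treats anything after a Match line as conditional; the sample configuration it reads is constructed here and modelled on the listing above, and the defaults it assumes for unset directives are those of sshd_config(5) in current OpenSSH.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# risky settings discussed above. Like sshd, it uses the FIRST value given for
# a directive; directives after a "Match" line are conditional and are not
# scanned. The sample config below is constructed for this example.

SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample, modelled on the listing in the article
Port 222
ListenAddress 0.0.0.0
PermitRootLogin yes
X11Forwarding no
PermitRootLogin no      # ignored by sshd: the first occurrence wins
PasswordAuthentication yes
PermitEmptyPasswords no
LogLevel INFO
Match User backup
    PermitRootLogin yes # conditional: only for matching connections
EOF

# sshd_directive FILE KEY DEFAULT
# Print the effective value of KEY (keyword matched case-insensitively, both
# "Key value" and "Key=value" forms, comments stripped) or DEFAULT if unset.
sshd_directive() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, "") }                 # strip comments
        /^[ \t]*$/ { next }                # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, parts, "[ \t=]+")
            kw = tolower(parts[1])
            if (kw == "match") exit        # everything below is conditional
            if (kw == tolower(key)) { print tolower(parts[2]); found = 1; exit }
        }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# audit_sshd_config FILE
# Print one line per risky directive and return the number of findings
# (0 means clean). Defaults are those of sshd_config(5) in current OpenSSH.
audit_sshd_config() {
    cfg="$1"; findings=0
    if [ "$(sshd_directive "$cfg" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "FINDING: PermitRootLogin yes - root can log in directly over SSH; set it to no"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_directive "$cfg" PermitEmptyPasswords no)" = "yes" ]; then
        echo "FINDING: PermitEmptyPasswords yes - accounts with empty passwords can log in"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_directive "$cfg" PasswordAuthentication yes)" = "yes" ]; then
        echo "FINDING: PasswordAuthentication yes - passwords can be guessed; prefer public-key authentication"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_directive "$cfg" X11Forwarding no)" = "yes" ]; then
        echo "FINDING: X11Forwarding yes - disable unless X11 clients are really needed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: the return value doubles as a count, so it can drive a shell condition.
if audit_sshd_config "$SAMPLE_CONFIG"; then
    echo "$SAMPLE_CONFIG: no findings"
else
    echo "$SAMPLE_CONFIG: $? finding(s)"
fi
```

Run against the real file with `audit_sshd_config /etc/ssh/sshd_config` (as root, since the file should be readable only by root). The parser deliberately stops at the first Match line rather than trying to evaluate its conditions; to see the values sshd would actually apply for a given connection, `sshd -T` prints the effective configuration.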

Changing the sshd port

By default, the sshd or OpenSSH server daemon listens on TCP port 22. It is recommended to try a change of this port number in a test environment first. This ensures that connectivity to the server remains available at all times.

Also, it’s a good idea to check the syntax of a new sshd_config file before using it, no matter what port the server runs on. To check the syntax we can use the following command:

$ sshd -t

It is also important to note that only the root user should be able to read and write this file. This means that if an sshd_config configuration file is properly secured, running the previous command will require root privileges.

If no output appears when running the previous syntax check command, it means the file is ok.

Changing the default configuration file and port

In some cases we want to run a new instance of sshd on a different port. This may be because port 22 is already in use, or because changing the port of the running server in a production environment is risky. In such situations, we can create an alternative configuration file for our server.

Let’s create a new sshd_config file as sshd_config_new. This file can hold different server parameters. Now let’s tell the server to use this file as its configuration file and to listen on port number 100:

$ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_new -p 100

The sshd daemon is now listening on port 100. We can use any port value, but not the one that is already in use.

Now let’s verify that our new port is working as intended. To do this we need to use an ssh client program and run the following command:

$ ssh -p 100 <IP of the server>

The -p option specifies the port 100 to use on the remote server. In case we are testing locally, we can use the server IP as the localhost IP:

$ ssh -p 100 127.0.0.1

Troubleshooting OpenSSH configuration

Sometimes our server doesn’t work as expected. In such cases, we can use the “-d” flag to troubleshoot the OpenSSH server configuration. With the -d flag, the server runs in debug mode in the foreground and only processes a single connection.

The output produced in debug mode is verbose. We can repeat the “-d” flag (up to -ddd) to increase the debugging level. Let’s run the debug command on our server with the new configuration file:

$ sudo /usr/sbin/sshd -d -p 100 -f /etc/ssh/sshd_config_new

The output of the previous command is written to stderr instead of being sent to syslog’s AUTH facility.
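The steps in the last three sections (pick a port that is not already in use, syntax-check the alternative configuration, start sshd on that port, and fall back to -d when it misbehaves) fit naturally into one script. The one below is an added example and not part of the original article; it assumes the paths used above, /usr/sbin/sshd and /etc/ssh/sshd_config_new, and checks for listeners by reading /proc/net/tcp and /proc/net/tcp6 directly, so it needs neither ss nor netstat. The /proc/net/tcp snapshot it is demonstrated on is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: the alternate-instance
# procedure as a script. It checks that the chosen port is free by reading
# /proc/net/tcp (and tcp6), syntax-checks the alternate config with
# "sshd -t -f", and only then starts the daemon. Assumed paths, as in the
# article: /usr/sbin/sshd and /etc/ssh/sshd_config_new. The /proc/net/tcp
# snapshot below is constructed for the demonstration.

# listening_tcp_ports FILE
# Print the ports in LISTEN state from a /proc/net/tcp-format file: the state
# column is 0A for LISTEN and the local port is the hex value after the colon.
listening_tcp_ports() {
    awk '
        function hex2dec(h,    i, v) {
            v = 0; h = tolower(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v
        }
        NR > 1 && $4 == "0A" { n = split($2, a, ":"); print hex2dec(a[n]) }
    ' "$1"
}

# port_in_use PORT [FILE...]
# Succeed if any listed file (default: the live kernel tables) shows a
# listener on PORT.
port_in_use() {
    port="$1"; shift
    if [ $# -eq 0 ]; then set -- /proc/net/tcp /proc/net/tcp6; fi
    for f in "$@"; do
        if [ -r "$f" ] && listening_tcp_ports "$f" | grep -qx "$port"; then
            return 0
        fi
    done
    return 1
}

# start_alt_sshd CONFIG PORT [debug]
# The article's steps in order: refuse a port in use, validate the config
# (sshd -t needs root to read the host keys), then start sshd. With "debug",
# run sshd -d: a single connection, verbose output on stderr instead of syslog.
start_alt_sshd() {
    cfg="$1"; port="$2"; mode="${3:-daemon}"
    if port_in_use "$port"; then
        echo "port $port is already in use, pick another" >&2
        return 1
    fi
    if ! sudo /usr/sbin/sshd -t -f "$cfg"; then
        echo "$cfg failed the syntax check, not starting" >&2
        return 2
    fi
    if [ "$mode" = "debug" ]; then
        sudo /usr/sbin/sshd -d -p "$port" -f "$cfg"
    else
        sudo /usr/sbin/sshd -f "$cfg" -p "$port"
    fi
}

# Constructed snapshot in /proc/net/tcp format: listeners on 22 (0x0016) and
# 100 (0x0064), plus one established connection (state 01) that must not count.
SAMPLE_PROC_TCP="$(mktemp)"
cat > "$SAMPLE_PROC_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0064 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:DE4A 0A000001:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0000000000000000 20 4 30 10 -1
EOF

for p in 22 100 2222; do
    if port_in_use "$p" "$SAMPLE_PROC_TCP"; then
        echo "port $p: in use"
    else
        echo "port $p: free"
    fi
done
# Against the live system (needs root and the config file):
#   start_alt_sshd /etc/ssh/sshd_config_new 100
#   start_alt_sshd /etc/ssh/sshd_config_new 100 debug
```

Two details worth knowing when adapting this: sshd is started by absolute path because it re-executes itself with the name it was started with when it receives SIGHUP, and a port given with -p on the command line overrides any Port directives in the configuration file.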

Conclusion

The OpenSSH daemon or sshd is an important part of many management infrastructures. Therefore, it requires expertise to manage it for optimal operation. In this article, we learned about the OpenSSH server configuration file like sshd_config.
