sshd_config
Table of Contents
If you want to send us your comments, please do so. Thanks
More on comments
sshd_config
The server side config file
See man 5 sshd_config
After a change do systemctl restart sshd . Any connection will remain open
See also network security
PAM
PAM stands for Pluggable Authentication Modules. It is a powerful and flexible framework for authentication on Unix-like systems, allowing system administrators to implement a wide range of authentication methods and policies
Some settgings
- Port change.
- This is security by obscurity and might not be a good idea.
- In a few weeks the botnet will have discovered your alternative ssh port and make it useless
- If you want to change the port number do as root
- change the Port number in /etc/ssh/ssh_config
- change the Port number in /etc/ssh/sshd_config
sshd_config on the server
- AllowUsers user1 user2 Allow only users who need ssh to use it
- PermitEmptyPasswords no
- PubkeyAuthentication yes
- PasswordAuthentication yes as long as it is needed
- ChallengeResponseAuthentication no
- AuthenticationMethods publickey password
- UsePAM no
- X11Forwarding no, unless a graphical userinterface is used
- Autologout
- ClientAliveInterval 1800
- ClientAliveCountMax 0
- HostbasedAuthentication no
- IgnoreRhosts yes
- ListenAddress IPtheconnectionoriginatesform Mostly this is your router's LAN side IP address since it uses NAT
- If the router does NAT it might be possible to set the ACL (Access Control List) in the router
- You can also use denyhosts (not in the Debian repository) or fail2ban if your router exposes the IP address from the WAN side on the LAN side, is in bridge mode.
- Save
- Restart ssh use one of
- systemctl restart sshd
- Old: /etc/init.d/sshd restart
- Old: service ssh restart
- Test if you can login with the key and if you can login with the password
All options
Our recommended settings, change where needed
The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. So the ones earlier in the list take precedent over the following
| Option | Setting | Remark |
|---|---|---|
| AcceptEnv | LANG LC_* | Default for Debian. Otherwise: empty (Do not accept environment variables) |
| AddressFamily | inet | Use IPv4 only |
| AllowAgentForwarding | no | Deny users shell access to be more secure |
| AllowGroups | ssh | Create a group ssh and add the useres to it who need ssh access. Space separated list |
| AllowStreamLocalForwarding | no | Deny users shell access to be more secure |
| AllowTcpForwarding | yes | Default |
| AllowUsers | user1 user2 user3 | Space separated list |
| AuthenticationMethods | any | Default: any (single authentication method) otherwise multiple authentication methods are needed to get access. Comma separated list |
| AuthorizedKeysCommand | ||
| AuthorizedKeysCommandUser | ||
| AuthorizedKeysFile | ||
| AuthorizedPrincipalsCommand | ||
| AuthorizedPrincipalsCommandUser | ||
| AuthorizedPrincipalsFile | ||
| Banner | none | Default. Send a message to the client before logon |
| ChallengeResponseAuthentication | no | Default for Debian. Otherwise “yes” |
| ChrootDirectory | none | Default |
| Ciphers | chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com | Default. Comma separated list |
| ClientAliveCountMax | 3 | Default. Not spoofable. See also ClientAliveInterval |
| ClientAliveInterval | 0 | Default. No messages are sent |
| Compression | yes | Default |
| Banner | yes | Default |
| DenyGroups | Space separated list | |
| DenyUsers | Space separated list | |
| DisableForwarding | Leave default. Pressumeably “no” | |
| FingerprintHash | sha256 | Default |
| ForceCommand | ||
| GatewayPorts | no | Default |
| GSSAPIAuthentication | no | Default |
| GSSAPIKeyExchange | ||
| GSSAPICleanupCredentials | ||
| GSSAPIStrictAcceptorCheck | ||
| GSSAPIStoreCredentialsOnRekey | ||
| HostbasedAcceptedKeyTypes | ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa | Comma separated list |
| HostbasedAuthentication | no | Default |
| HostbasedUsesNameFromPacketOnly | no | Default |
| HostCertificate | No file. This is the default | |
| HostKey | file containing a private host key used by SSH | Defaults: /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key and /etc/ssh/ssh_host_ed25519_key |
| HostKeyAgent | ||
| HostKeyAlgorithms | ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa | Default |
| IgnoreRhosts | yes | Default |
| IgnoreUserKnownHosts | no | Default |
| IPQoS | lowdelay throughput | Default. Space separated |
| KbdInteractiveAuthentication | yes | Default |
| KerberosAuthentication | no | Default |
| KerberosGetAFSToken | ||
| KerberosOrLocalPasswd | ||
| KerberosTicketCleanup | ||
| KexAlgorithms | curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 | Default. Comma separated list |
| ListenAddress | Default: Listen on all local addresses | |
| LoginGraceTime | 120 seconds | Default |
| LogLevel | INFO | Default |
| MACs | umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 | Default. Comma separated list |
| Match | Conditional block | |
| MaxAuthTries | 6 | Default |
| MaxSessions | 10 | Default |
| MaxStartups | 10:30:100 | Default. start:rate:full |
| PasswordAuthentication | yes | Default. When the authentication key is functioning set this to “no” |
| PermitEmptyPasswords | no | Default |
| PermitOpen | all | Default |
| PermitRootLogin | no | Options: yes, prohibit-password, without-password, forced-commands-only, or no. Default: prohibit-password |
| PermitTTY | yes | Default |
| PermitTunnel | no | Default |
| PermitUserEnvironment | no | Default |
| PermitUserRC | yes | Default. Executes: ~/.ssh/rc |
| PidFile | /run/sshd.pid | Default |
| Port | 22 | Default |
| PrintLastLog | yes | Default. Print the date and time of the last user login |
| PrintMotd | no | Default for Debian. Otherwise “yes”. Prints: /etc/motd |
| PubkeyAcceptedKeyTypes | ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa | Default. Comma separated list |
| PubkeyAuthentication | yes | Default |
| RekeyLimit | none | Default |
| RevokedKeys | none | Default |
| StreamLocalBindMask | 0177 | Default |
| StreamLocalBindUnlink | no | Default |
| StrictModes | yes | Default |
| Subsystem | sftp /usr/lib/openssh/sftp-server | Default on Debian, otherwise none specified |
| SyslogFacility | AUTH | Default |
| TCPKeepAlive | yes | Default |
| TrustedUserCAKeys | ||
| UseDNS | no | Default |
| UsePAM | no | Is login with a password is needed ad 'password' to the 'AuthenticationMethods' option |
| UsePrivilegeSeparation | sandbox | Default |
| VersionAddendum | none | Default |
| X11DisplayOffset | 10 | Default |
| X11Forwarding | no | “yes” is graphics, X windows, is used |
| X11UseLocalhost | yes | Default |
| XAuthLocation | /usr/bin/xauth | Default |
Main subjects on this wiki: Linux, Debian, HTML, Microcontrollers, Privacy
RSS
Disclaimer
Privacy statement
Bugs statement
Cookies
Copyright © : 2014 - 2024 Webevaluation.nl and the authors
Changes reserved.
sshd_config.txt · Last modified: 08-06-2023 15:02 by wim