SSH Configuration File Reference

The sshd_config file (normally /etc/ssh/sshd_config) is the main configuration file for the OpenSSH server, sshd. This appendix gives an overview of the key options it accepts and what each one does. Two parsing rules matter when editing it: keywords are case-insensitive, and for each keyword the first value sshd reads is the one that takes effect, so a hardened line added at the bottom of the file is silently ignored if an earlier line already sets that keyword. sshd reads the file only at startup, so changes take effect after a reload; run sshd -t to check the syntax first and sshd -T to print the effective configuration, including defaults.

Key sshd_config Options and Descriptions

Port

The TCP port on which sshd listens for incoming connections. The default is 22; the directive may be given more than once to listen on several ports. Moving the service to a non-standard port cuts down the noise from untargeted scanners and brute-force bots in the logs, but it is not a security control: a targeted attacker finds the service with a port scan, so this never replaces the authentication hardening described below.

Example:

Port 2222

PermitRootLogin

Controls whether the root account may log in directly over SSH. Disabling direct root login forces users to authenticate as a named, regular account and then escalate privileges (for example with sudo), which keeps administrative actions attributable to an individual in the logs and removes the most widely brute-forced username from the attack surface.

Options:

  • yes: Allows root login with any enabled authentication method.
  • no: Disables root login entirely.
  • prohibit-password: Allows root login only with key-based (and other non-password) authentication; this is the default since OpenSSH 7.0. The older spelling without-password is a deprecated alias with the same meaning.
  • forced-commands-only: Allows root login with public keys only, and only when the key's authorized_keys entry carries a command= option, so root can be used for a fixed task such as backups but not for an interactive shell.

Example:

PermitRootLogin no

PasswordAuthentication

Determines whether password-based authentication is allowed. Disabling it and relying on key-based authentication removes password guessing as an attack. Note that this directive alone does not stop password prompts: on systems using PAM, passwords can still be requested through keyboard-interactive authentication, so set KbdInteractiveAuthentication no as well (ChallengeResponseAuthentication no on OpenSSH releases before 8.7). Confirm the result with sshd -T rather than by reading the file.

Options:

  • yes: Allows password authentication.
  • no: Disables password-based authentication.

Example:

PasswordAuthentication no

PubkeyAuthentication

Enables or disables public key authentication. It is enabled by default. Leave it on and combine it with PasswordAuthentication no (and KbdInteractiveAuthentication no) so that key-based access is the only interactive login method.

Example:

PubkeyAuthentication yes

AuthorizedKeysFile

Specifies the file(s) containing the public keys accepted for user authentication. The default is .ssh/authorized_keys .ssh/authorized_keys2; relative paths are resolved against the user's home directory, several files may be listed on one line, and the tokens %h (home directory) and %u (username) are expanded. A common hardening step is to point this at a root-owned location such as /etc/ssh/authorized_keys/%u so that users cannot add keys for themselves and the set of trusted keys is managed centrally.

Example:

AuthorizedKeysFile .ssh/authorized_keys

AllowUsers and AllowGroups

Restricts which users or groups may log in via SSH. Once AllowUsers or AllowGroups is present, only matching accounts may log in; everyone else is refused regardless of their credentials. Entries are separated by spaces, may use the wildcards * and ?, and for AllowUsers may take the form user@host to restrict an account to particular client hosts or addresses. sshd evaluates these directives in a fixed order, DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user must pass every one that is set.

Example:

AllowUsers admin user1
AllowGroups sshusers

DenyUsers and DenyGroups

Specifies which users or groups are refused SSH access. DenyUsers is evaluated before AllowUsers and DenyGroups before AllowGroups, so a deny entry always wins over an allow entry for the same account. These directives are most useful for carving exceptions out of a broader allow list, for example refusing a shared or test account that belongs to an otherwise permitted group.

Example:

DenyUsers guest test
DenyGroups nogroup
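The following is an added example, not part of this reference and not OpenSSH code: a small Python function that emulates the order in which sshd applies the four access-control directives above (DenyUsers, AllowUsers, DenyGroups, AllowGroups) using the exact entries from the two examples. The policy, the group memberships and the client addresses are constructed for the illustration; a real sshd takes group membership from the system's group database and matches the host part of user@host against the client's address and resolved name.

```python
"""Emulate sshd's AllowUsers/AllowGroups/DenyUsers/DenyGroups decision.

Added example, not from the original reference and not OpenSSH code. It
follows the evaluation order documented in sshd_config(5): DenyUsers,
AllowUsers, DenyGroups, AllowGroups. Patterns support the '*' and '?'
wildcards and the user@host form. Group membership and the client host
are supplied by the caller.
"""
import fnmatch

# Constructed policy: the AllowUsers/AllowGroups/DenyUsers/DenyGroups entries
# from the reference, plus one user@host entry to show host restriction.
POLICY = {
    "DenyUsers": ["guest", "test"],
    "AllowUsers": ["admin", "user1", "deploy@10.0.0.*"],
    "DenyGroups": ["nogroup"],
    "AllowGroups": ["sshusers"],
}


def _match_user(pattern, user, host):
    """Match one AllowUsers/DenyUsers entry against the user and client host.

    fnmatchcase gives the '*' and '?' semantics sshd uses (it also understands
    [] classes, which sshd does not; none are used here).
    """
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
    return fnmatch.fnmatchcase(user, pattern)


def login_permitted(user, groups, host, policy=POLICY):
    """Return (allowed, reason) for a login attempt, in sshd's evaluation order.

    A deny directive that matches ends the evaluation immediately; an allow
    directive, if present at all, must be satisfied or the login is refused.
    """
    for pat in policy.get("DenyUsers", []):
        if _match_user(pat, user, host):
            return False, f"DenyUsers {pat}"

    allow_users = policy.get("AllowUsers", [])
    if allow_users and not any(_match_user(p, user, host) for p in allow_users):
        return False, "not in AllowUsers"

    for pat in policy.get("DenyGroups", []):
        if any(fnmatch.fnmatchcase(g, pat) for g in groups):
            return False, f"DenyGroups {pat}"

    allow_groups = policy.get("AllowGroups", [])
    if allow_groups and not any(
        fnmatch.fnmatchcase(g, p) for g in groups for p in allow_groups
    ):
        return False, "not in AllowGroups"

    return True, "permitted"


if __name__ == "__main__":
    # Constructed login attempts: (user, groups, client address).
    attempts = [
        ("admin", ["sshusers"], "192.0.2.10"),
        ("guest", ["sshusers"], "192.0.2.10"),        # denied by DenyUsers
        ("user1", ["users"], "192.0.2.10"),           # not in an allowed group
        ("admin", ["sshusers", "nogroup"], "192.0.2.10"),  # denied by DenyGroups
        ("deploy", ["sshusers"], "10.0.0.5"),         # allowed from 10.0.0.0/24
        ("deploy", ["sshusers"], "203.0.113.9"),      # wrong source address
    ]
    for user, groups, host in attempts:
        allowed, reason = login_permitted(user, groups, host)
        print(f"{user:>7} from {host:<12} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The point the example makes is that the four directives are not independent filters: with both AllowUsers and AllowGroups set, an account must appear in both, and any matching Deny entry refuses the login before the Allow lists are even consulted.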

MaxAuthTries

Limits the number of authentication attempts allowed on a single connection; the default is 6, and once half of the limit is reached every further failure is logged. Lowering it slows down online password guessing, although it does not stop an attacker from simply opening new connections, so pair it with disabled password authentication or a rate limit at the firewall. Be aware that every public key a client offers counts as one attempt, so users whose agent holds many keys can exhaust a low limit before reaching the right key; the client-side IdentitiesOnly option avoids this.

Example:

MaxAuthTries 3

ClientAliveInterval and ClientAliveCountMax

These options control how the server detects and drops unresponsive or idle sessions. ClientAliveInterval sets the number of seconds of inactivity after which sshd sends a request through the encrypted channel asking the client to respond (0, the default, disables this); ClientAliveCountMax sets how many of these requests may go unanswered before the connection is terminated. With the values below an unresponsive client is disconnected after roughly 180 seconds. Because the messages travel inside the encrypted channel they cannot be spoofed, unlike the TCPKeepAlive option, which relies on plain TCP keepalives.

Example:

ClientAliveInterval 60
ClientAliveCountMax 3

AllowAgentForwarding and AllowTcpForwarding

These options control whether SSH agent forwarding and TCP port forwarding are permitted. Agent forwarding exposes the user's agent socket on the remote host, where anyone with root there can use it to authenticate elsewhere as that user, so it should be off except on hosts that genuinely need it. TCP forwarding is what tunnels and jump hosts (ProxyJump) rely on, so disabling it breaks those use cases; note also that, as sshd_config(5) points out, turning it off gains nothing unless users are also denied a shell, since a user with shell access can run their own forwarder.

Example:

AllowAgentForwarding no
AllowTcpForwarding no
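As an added example that is not part of this reference and not OpenSSH code, the Python script below audits the unconditional (pre-Match) section of an sshd_config against the settings discussed above: PermitRootLogin, PasswordAuthentication together with KbdInteractiveAuthentication, PubkeyAuthentication, MaxAuthTries and the two forwarding options. It reproduces the first-value-wins rule, so it catches the common mistake of appending a hardened line after an earlier weak one, and it applies the documented OpenSSH 7.0+ defaults for keywords that are absent. The sample configuration is constructed for the illustration; lines from the first Match block onward are conditional and are deliberately skipped.

```python
"""Audit the global section of an sshd_config against this reference's
hardening settings.

Added example, not from the original page and not OpenSSH code. Two rules
from sshd_config(5) are reproduced: keywords are case-insensitive, and for
each keyword the first value obtained is the one that takes effect. Lines
from the first 'Match' block onward apply only to matching connections and
are skipped by this simple parser.
"""

# Constructed sample (not a real host): looks hardened at a glance, but the
# late PermitRootLogin line is ignored because an earlier one already set it,
# and keyboard-interactive authentication is left at its default.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 60
ClientAliveCountMax 3
AllowTcpForwarding no
AllowAgentForwarding no
# added later by an administrator; ignored by sshd because of the line above
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

# Acceptable values. 'without-password' is the deprecated alias of
# 'prohibit-password' and is treated as equivalent.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password", "forced-commands-only"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},  # otherwise PAM can still prompt for a password
    "pubkeyauthentication": {"yes"},
    "allowagentforwarding": {"no"},
    "allowtcpforwarding": {"no"},
}

# Values sshd uses when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowagentforwarding": "yes",
    "allowtcpforwarding": "yes",
    "maxauthtries": "6",
}


def parse_global_section(text):
    """Return {keyword: first value} for the unconditional part of the file."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after this point is conditional
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first occurrence wins, later ones ignored
    return effective


def audit(text, expected=EXPECTED, defaults=DEFAULTS):
    """Compare effective values (explicit or default) with the expected set.

    Returns {keyword: (effective_value, compliant)}. MaxAuthTries is
    compliant when it has been lowered below the default of 6.
    """
    effective = parse_global_section(text)
    report = {}
    for key, good in expected.items():
        value = effective.get(key, defaults.get(key, "")).lower()
        report[key] = (value, value in good)
    tries = int(effective.get("maxauthtries", defaults["maxauthtries"]))
    report["maxauthtries"] = (str(tries), tries < int(defaults["maxauthtries"]))
    return report


if __name__ == "__main__":
    for key, (value, ok) in audit(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'WEAK'} {key} = {value or '(unset)'}")
```

On the sample this reports PermitRootLogin as yes (the first line wins) and KbdInteractiveAuthentication as yes (the default), even though PasswordAuthentication is correctly off. On a real host, prefer sshd -T, which prints the fully resolved configuration, and sshd -T -C user=...,host=...,addr=... to see what a given Match block produces.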