SSH Configuration File Reference
The sshd_config file is central to configuring the SSH server (sshd). This appendix provides an overview of key configuration options available in sshd_config, along with descriptions of their effects. Modifying this file allows fine-tuning of SSH server behavior, security, and performance.
Key sshd_config Options and Descriptions
Port
The port on which the SSH daemon listens for incoming connections. By default, this is set to 22, but changing the port can help mitigate basic scanning attacks.
Example:
Port 2222
PermitRootLogin
Controls whether root login is allowed via SSH. Disabling root login improves security by forcing users to authenticate as a regular user and then escalate privileges if necessary.
Options:
yes: Allows root login.
no: Disables root login entirely.
without-password: Allows root login only with key-based authentication (current OpenSSH releases spell this value prohibit-password; without-password is the older alias).
Example:
PermitRootLogin no
PasswordAuthentication
Determines whether password-based authentication is allowed. Disabling password authentication and enforcing key-based authentication enhances security.
Options:
yes: Allows password authentication.
no: Disables password-based authentication.
Example:
PasswordAuthentication no
PubkeyAuthentication
Enables or disables public key authentication. It is recommended to leave this enabled and combine it with PasswordAuthentication no for secure, key-based access.
Example:
PubkeyAuthentication yes
AuthorizedKeysFile
Specifies the file where authorized public keys for user authentication are stored. By default, this is ~/.ssh/authorized_keys, but it can be customized for specific environments.
Example:
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers and AllowGroups
Restricts which users or groups are allowed to log in via SSH. This is useful for limiting access to only specific accounts or user groups.
Example:
AllowUsers admin user1
AllowGroups sshusers
DenyUsers and DenyGroups
Specifies which users or groups are denied access via SSH. These directives provide additional control over SSH access by explicitly denying certain accounts.
Example:
DenyUsers guest test
DenyGroups nogroup
MaxAuthTries
Limits the number of authentication attempts allowed per connection. Lowering this value can help slow down brute-force attacks by forcing an attacker to reconnect after only a few failed attempts.
Example:
MaxAuthTries 3
ClientAliveInterval and ClientAliveCountMax
These options control the timeout behavior for idle SSH connections. ClientAliveInterval defines the interval in seconds between keep-alive messages sent from the server, and ClientAliveCountMax defines the number of these messages the server will send without receiving a response before terminating the connection.
Example:
ClientAliveInterval 60
ClientAliveCountMax 3
AllowAgentForwarding and AllowTcpForwarding
These options control whether SSH agent forwarding and TCP forwarding are allowed. Disabling these options may enhance security, but they are required for certain use cases such as tunneling and jump hosts.
Example:
AllowAgentForwarding no
AllowTcpForwarding no
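As an added example (not part of the original appendix), the following POSIX shell script reads a constructed sshd_config and checks the directives described above against the hardened values recommended here. The sshd_option and audit_sshd_config function names are hypothetical, and the fallback values passed to sshd_option are assumed OpenSSH compiled-in defaults for when a directive is absent.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from any real host): mixes strong and
# weak settings, a commented-out directive, and a trailing Match block.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 6
ClientAliveInterval 60
ClientAliveCountMax 3
Match User backup
    PasswordAuthentication no
EOF

# sshd_option FILE KEYWORD [DEFAULT] -> prints the effective global value.
# sshd honours the FIRST occurrence of a keyword, matches keywords
# case-insensitively, ignores comment lines, and treats everything after
# the first Match line as conditional, so parsing stops there.
sshd_option() {
    value=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1")
    printf '%s\n' "${value:-$3}"   # DEFAULT when the keyword is absent
}

# check LABEL ACTUAL WANT_REGEX -> prints PASS/FAIL, returns 1 on FAIL.
check() {
    if printf '%s' "$2" | grep -Eqi "^($3)\$"; then
        echo "PASS $1=$2"
    else
        echo "FAIL $1=$2 (want $3)"; return 1
    fi
}

# audit_sshd_config FILE -> returns the number of failed checks.
# Third argument of each sshd_option call: assumed OpenSSH default.
audit_sshd_config() {
    f="$1"; failures=0
    check PermitRootLogin "$(sshd_option "$f" PermitRootLogin prohibit-password)" 'no|prohibit-password|without-password' || failures=$((failures + 1))
    check PasswordAuthentication "$(sshd_option "$f" PasswordAuthentication yes)" 'no' || failures=$((failures + 1))
    check PubkeyAuthentication "$(sshd_option "$f" PubkeyAuthentication yes)" 'yes' || failures=$((failures + 1))
    check MaxAuthTries "$(sshd_option "$f" MaxAuthTries 6)" '[1-3]' || failures=$((failures + 1))
    check ClientAliveInterval "$(sshd_option "$f" ClientAliveInterval 0)" '[1-9][0-9]*' || failures=$((failures + 1))
    return "$failures"
}

audit_sshd_config "$SAMPLE_CONFIG" || echo "$? check(s) failed"
```

On a live host, `sshd -T` prints the effective configuration (including Include files and built-in defaults) and is the authoritative input for this kind of check.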