SSH server configuration
SSH daemon
The OpenSSH daemon is named sshd and typically this is also the process visible in a process listing. The main listener usually has a full path visible, while active SSH sessions get their own child process.
Configuration files
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/*.conf
The configuration file sshd_config is the primary file for the settings. Any settings in a configuration file specified in /etc/ssh/sshd_config.d will overwrite those listed in the primary configuration file.
Suggested file permissions
The configuration files, including the main sshd_config file should only be writable by root. The man page of the project states that it is recommended that users have read access to the file, but it not mandatory. So further hardening the configuration file (e.g. chmod 600) is an option.
Show active configuration
To see all active configuration settings, there are two test modes. By running sshd with -t the configuration is tested for errors. The option -T does an extended test and also displays the active SSH configuration. This option requires typically root permissions as a normal user has not permissions to access all files, such as host keys.
Configuration settings
AcceptEnv
Environment variables from the client system can be copied into the session on the server. One of those enviroment variables is TERM, which is always copied over. AcceptEnv allows an administrator to define what other variables can enter a session on the server.
By default, no environment variables are allowed. While some variables may be useful in a session, there is also a risk involved, such as bypassing restrictions. If not strictly needed, it might be better to leave the setting as-is.
Relevant settings on the client side are SendEnv and SetEnv.
Port
Defines the network port that the server daemon is listening to. By default, the SSH server is configured with port 22 (TCP). You may change the port to reduce authentication attempts when running on a public IP address.
PrintMotd
Show the MOTD as configured in /etc/motd. To enable this, configure a SSH welcome message.
Happy hardening your SSH configuration!
Relevant ssh server configuration commands
Like to learn more about the commands used in this section? Have a look at the cheat sheets or the related command page.
- sshd