
CompTIA Linux+ XK0-005 - 2.4 - SSH: Configuration Files - /etc/ssh/sshd_config

Secure Shell (SSH) is a widely used protocol for secure remote access to Linux systems. As part of the CompTIA Linux+ exam objectives, it is important to understand the SSH configuration file, /etc/ssh/sshd_config, and its key settings. This guide will provide you with a detailed explanation of the important configuration settings within the SSH configuration file and how to customize them to enhance the security and functionality of your SSH server.

SSH Configuration File /etc/ssh/sshd_config

The SSH configuration file, /etc/ssh/sshd_config, is used to configure the behavior and options for the SSH server (sshd). This file contains various settings that control how the SSH server operates and how clients can authenticate and connect to it. Let's explore some key configuration settings within the file:

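  • Port: The Port directive specifies the port number on which the SSH server listens for incoming connections. By default, SSH uses port 22. Changing this to a non-standard port is commonly recommended as an extra layer of security: it cuts down the automated scanning and brute-force attempts aimed at port 22. A port scan still finds the service, so treat it as a complement to strong authentication, not a replacement for it.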

  • PermitRootLogin: The PermitRootLogin directive controls whether root login via SSH is allowed. It is generally recommended to disable direct root logins and instead use a regular user account to log in and then switch to the root user if necessary. Setting this to no enhances security by preventing direct root logins.

  • PasswordAuthentication: The PasswordAuthentication directive specifies whether password-based authentication is allowed. Using SSH keys for authentication is more secure than passwords. It is recommended to disable password authentication if SSH keys are set up for all users. Set this to no to disallow password authentication.

  • AllowUsers and AllowGroups: These directives allow you to specify the users or groups that are allowed to connect via SSH. By configuring the AllowUsers directive, you can limit SSH access to specific users. Similarly, the AllowGroups directive allows you to restrict SSH access to specific groups. When both directives are set, a user must pass both checks: be listed in AllowUsers and belong to a group listed in AllowGroups. Limiting SSH access to authorized users or groups enhances security by reducing the attack surface.

  • PermitEmptyPasswords: The PermitEmptyPasswords directive controls whether empty passwords are allowed for SSH authentication. Allowing empty passwords is highly discouraged, as it poses a severe security risk. It is recommended to set this to no to prevent empty passwords.

  • ClientAliveInterval and ClientAliveCountMax: These directives manage the keep-alive mechanism for SSH connections. ClientAliveInterval specifies the time in seconds after which, if no data has been received from the client, the SSH server sends a message through the encrypted channel to request a response. ClientAliveCountMax sets the maximum number of these messages that can go unanswered before the server terminates the connection. Adjusting these settings can help maintain stable connections and lets the server drop sessions whose client has stopped responding.

Example Configuration

Here's an example of a configuration for the /etc/ssh/sshd_config file:

# SSH Configuration

# Set the port to a non-standard value
Port 2222

# Disable direct root login
PermitRootLogin no

# Disable password-based authentication
PasswordAuthentication no

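# Allow only specific users and groups to connect
# (with both directives set, a user must be listed in AllowUsers
# and also belong to a group listed in AllowGroups)
AllowUsers alice bob
AllowGroups sshusers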

# Disable empty passwords
PermitEmptyPasswords no

# Configure keep-alive mechanism
ClientAliveInterval 120
ClientAliveCountMax 3

# Specify allowed SSH key exchange algorithms
# (comma-separated list, no spaces between entries)
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384

# Disable X11 forwarding
X11Forwarding no

# "ClientDisconnectScript" is not an OpenSSH sshd_config keyword, and sshd
# refuses to start on an unknown keyword, so the line is left commented out
# ClientDisconnectScript no

# Set a banner message to be displayed before authentication
Banner /etc/ssh/banner

# Enable protocol version 2 only (deprecated keyword: current OpenSSH
# releases support only protocol 2 and treat this line as a no-op)
Protocol 2

# Configure allowed ciphers and MACs (comma-separated lists, no spaces)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

# Use a specific host key file (Ed25519)
HostKey /etc/ssh/ssh_host_ed25519_key

# Disable TCP forwarding
AllowTcpForwarding no

# Disable SSH agent forwarding
AllowAgentForwarding no

# Keep public key authentication enabled: with PasswordAuthentication no,
# SSH keys are the way users log in
PubkeyAuthentication yes

This example includes various security measures such as:

  • Using a non-standard port
  • Disabling root login and password authentication
  • Allowing only specific users and groups to connect
  • Disabling empty passwords
  • Configuring keep-alive settings
  • Specifying allowed key exchange algorithms
  • Disabling X11 forwarding
  • Setting a banner message
  • Enabling protocol version 2 only
  • Configuring allowed ciphers and MACs
  • Setting a specific host key file
  • Disabling TCP forwarding and SSH agent forwarding
  • Keeping public key authentication enabled, since password authentication is disabled.

Feel free to adjust these settings based on your specific requirements and security guidelines. Remember to restart the SSH service after making any changes to the configuration file.
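
Before restarting, it helps to lint the edited file for the mistakes this guide covers. The script below is an added example, not part of the original guide or of OpenSSH: the function names audit_sshd_config and write_sample and the sample file contents are constructed for illustration, and only the global settings before the first Match block are checked.

```shell
#!/bin/sh
# Added example: lint the global section of an sshd_config-style file.
# Assumed names: audit_sshd_config, write_sample (not OpenSSH tools).
audit_sshd_config() {
    awk '
    function bad(msg) { print "FINDING: " msg; n++ }
    function get(k, dflt) { return (k in val) ? val[k] : dflt }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        key = tolower($1)                # keywords are case-insensitive
        if (key == "match") exit         # stop: audit global settings only
        if (key in val) next             # sshd keeps the first value it reads
        val[key] = tolower($2)
        # algorithm lists are a single comma-separated argument
        if (key ~ /^(ciphers|macs|kexalgorithms)$/ && NF > 2)
            bad($1 " list must be comma-separated without spaces")
    }
    END {
        if (get("permitrootlogin", "prohibit-password") == "yes")
            bad("PermitRootLogin yes allows direct root login")
        if (get("permitemptypasswords", "no") == "yes")
            bad("PermitEmptyPasswords yes allows empty passwords")
        if (get("passwordauthentication", "yes") == "no" &&
            get("pubkeyauthentication", "yes") == "no")
            bad("password and public key authentication both disabled")
        exit (n > 0)                     # non-zero status when anything is flagged
    }' "$1"
}

# Constructed sample input that repeats mistakes discussed in this guide.
write_sample() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
permitrootlogin yes
PasswordAuthentication no
PubkeyAuthentication no
Ciphers chacha20-poly1305@openssh.com, aes256-gcm@openssh.com
Match User alice
    PasswordAuthentication yes
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd_config "$sample" || echo "fix the findings before restarting sshd"
rm -f "$sample"
```

Once the audit is clean, running `sshd -t -f /etc/ssh/sshd_config` asks sshd itself to validate the file before the service is restarted.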

Conclusion

Understanding the SSH configuration file, /etc/ssh/sshd_config, and its key settings is crucial for securing remote access to Linux systems. By customizing these settings according to your security requirements, you can enhance the security and functionality of your SSH server. Remember to restart the SSH service after making any changes to the configuration file. Regularly review and update your SSH configuration to align with best practices and security guidelines.

