
sshd_config - SSH Configuration File for Server

The OpenSSH server (or daemon) is configured with a configuration file sshd_config.

Correct configuration of the sshd_config file is very important to security as well as to usability of the host server.

The sshd_config file is a plain ASCII text file in which the SSH server's configuration options are given as keyword/argument pairs. Arguments that contain spaces must be enclosed in double quotes (").

In the sshd_config file the keywords are case-insensitive while arguments are case-sensitive.

Each line that starts with '#' is interpreted as a comment.

By default the sshd process reads its configuration from /etc/ssh/sshd_config. A different file can also be indicated with option -f on the command line.

The following is a list of some of the most commonly used sshd_config keywords.

AcceptEnv

Specifies which environment variables sent by the client will be copied to the session's user environment.

AddressFamily

Specifies which IP address family sshd should use. Valid arguments are: any, inet (IPv4 only), inet6 (IPv6 only).

AllowAgentForwarding

Specifies whether ssh-agent forwarding is permitted. The default is yes.

AllowStreamLocalForwarding

Specifies whether forwarding Unix domain sockets is permitted. The default is yes.

AllowTcpForwarding

Specifies whether TCP forwarding is permitted. The default is yes.

AllowUsers

Specifies that login is allowed only for those user names that match a pattern listed with this keyword. By default, login is allowed for all user names.

AuthenticationMethods

Specifies the authentication methods that must be successfully completed in order to grant access to a user.

AuthorizedKeysFile

Specifies the file containing the public keys that can be used for user authentication. For more information, see Configuring Authorized Keys for OpenSSH.

ChallengeResponseAuthentication

Specifies whether challenge-response authentication is allowed. The default is yes.

ChrootDirectory

Specifies the pathname of a directory to chroot (change root directory) to after authentication.

Ciphers

Specifies the ciphers allowed. The ciphers supported in OpenSSH 7.3 are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, arcfour, arcfour128, arcfour256, blowfish-cbc, cast128-cbc, chacha20-poly1305@openssh.com.

Compression

Specifies whether compression is allowed (yes), denied (no) or delayed until the user has authenticated successfully (delayed - default).

DenyUsers

Specifies that login is denied for those user names that match a pattern listed with this keyword. By default, login is allowed for all user names.

ForceCommand

Forces the execution of the command specified by this keyword, ignoring any command supplied by the client and ~/.ssh/rc if present.

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The default is no.

GSSAPIAuthentication

Specifies whether user authentication based on GSSAPI is allowed. The default is no.

HostbasedAuthentication

Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication (i.e. using the public key of the client machine to authenticate a user to the remote server, providing a non-interactive form of authentication) is allowed. The default is no.

HostbasedUsesNameFromPacketOnly

Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during host-based authentication.

HostKey

Specifies a file containing a private host key used by SSH. It is possible to have multiple host key files. The default is /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for SSH protocol version 2.

HostKeyAlgorithms

Specifies the host key algorithms offered by the server. The defaults (OpenSSH 7.3) are: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ssh-dss-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, ssh-rsa, ssh-dss.

IgnoreRhosts

Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

KbdInteractiveAuthentication

Specifies whether keyboard-interactive authentication is allowed. By default, the value of ChallengeResponseAuthentication is used.

KexAlgorithms

Specifies the available Key Exchange algorithms. The KEX algorithms supported in OpenSSH 7.3 are: curve25519-sha256@libssh.org, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521.

ListenAddress

Specifies the local addresses sshd should listen on. The following forms are allowed:

ListenAddress host|IPv4_addr|IPv6_addr

ListenAddress host|IPv4_addr:port

ListenAddress [host|IPv6_addr]:port
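The three ListenAddress forms above are easy to confuse when the address is IPv6, because a bare IPv6 literal already contains colons. The following function, an added example rather than code from the article or from OpenSSH, splits a ListenAddress argument into its host and port parts according to those three forms and rejects malformed bracket syntax. The sample addresses in the usage section are constructed for the demonstration.

```python
def _port(text):
    """Validate a port number written after the ':' separator."""
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_listen_address(arg):
    """Split a ListenAddress argument into (host, port).

    Forms accepted, following the list in the text:
      host|IPv4_addr|IPv6_addr   -> port is None; sshd then uses Port
      host|IPv4_addr:port
      [host|IPv6_addr]:port
    Because an IPv6 literal contains colons, a port can only be attached
    to it with the bracketed form: "2001:db8::1:22" is parsed as an
    address, not as address plus port 22.
    """
    arg = arg.strip()
    if arg.startswith("["):
        end = arg.find("]")
        if end == -1:
            raise ValueError(f"unterminated '[' in {arg!r}")
        host, rest = arg[1:end], arg[end + 1:]
        if rest == "":
            return host, None           # bracketed address, no port given
        if rest.startswith(":"):
            return host, _port(rest[1:])
        raise ValueError(f"unexpected text after ']' in {arg!r}")
    if arg.count(":") == 1:
        host, _, port = arg.partition(":")   # hostname:port or IPv4:port
        return host, _port(port)
    # zero colons: hostname or IPv4 literal; two or more: bare IPv6 literal
    return arg, None


if __name__ == "__main__":
    # constructed sample arguments
    for sample in ("0.0.0.0", "192.0.2.10:2222", "::1",
                   "[2001:db8::1]:2222", "bastion.example.net:22"):
        print(f"{sample:>24} -> {parse_listen_address(sample)}")
```

When reviewing a hardened sshd_config, run each ListenAddress value through this to confirm that an IPv6 listener really binds the port you intended rather than being read as a longer address.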

LoginGraceTime

The time after which the server disconnects if the user has not successfully logged in.

LogLevel

Specifies the level of verbosity for logging messages from sshd.

MACs

Specifies the available message authentication code algorithms that are used for protecting data integrity. The MACs supported in OpenSSH 7.3 are: hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, umac-64@openssh.com, umac-128@openssh.com, hmac-md5-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com.

In the algorithm names, -etm means encrypt-then-mac, i.e. the message authentication code is calculated after encryption. It is recommended to use these algorithms because they are considered safer.
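The file-format rules given at the top of the article (keyword/argument pairs, double-quoted arguments, case-insensitive keywords, lines starting with '#' as comments) and the recommendation to prefer -etm MACs can be put together into a small audit. The code below is an added example, not code from the article or from OpenSSH: it parses a constructed sshd_config sample, tracks which settings fall under a Match block, and reports every MACs setting that admits an algorithm without the -etm suffix. The configuration text, user names and paths are constructed for the demonstration.

```python
import shlex

# Constructed sample configuration for the demonstration (not a real host).
SAMPLE_SSHD_CONFIG = """\
# Leading-'#' lines are comments; keywords are case-insensitive.
Port 22
listenaddress [2001:db8::10]:22
AllowUsers alice bob@192.0.2.*
Banner "/etc/ssh/login banner.txt"
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com
Match User deploy
    MACs hmac-sha1
    ForceCommand /usr/local/bin/deploy-only
"""


def parse_sshd_config(text):
    """Return a list of (keyword, args, scope) triples in file order.

    keyword is lower-cased (sshd matches keywords case-insensitively);
    args keep their case; double quotes group an argument that contains
    spaces. scope is None for global settings, or the Match criteria
    string for settings that follow a Match line.
    """
    entries = []
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours "..." grouping
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            scope = " ".join(args)          # e.g. 'User deploy'
            continue
        entries.append((keyword, args, scope))
    return entries


def audit_macs(entries):
    """Find MACs settings that allow algorithms without the -etm suffix.

    Returns [(scope, [non-etm names])]. A MACs argument beginning with '+'
    appends the names to sshd's default list, so they are checked as well;
    an argument beginning with '-' only removes names and is skipped.
    Hosts that never set MACs rely on the compiled-in defaults, which this
    audit does not see.
    """
    findings = []
    for keyword, args, scope in entries:
        if keyword != "macs" or not args:
            continue
        spec = args[0]
        if spec.startswith("-"):
            continue
        names = spec.lstrip("+").split(",")
        # "hmac-sha2-256-etm@openssh.com" -> base name "hmac-sha2-256-etm"
        non_etm = [n for n in names if not n.split("@")[0].endswith("-etm")]
        if non_etm:
            findings.append((scope, non_etm))
    return findings


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for keyword, args, scope in cfg:
        print(f"{scope or 'global':>12}: {keyword} {args}")
    for scope, names in audit_macs(cfg):
        print(f"non-etm MACs in {scope or 'global'} scope: {', '.join(names)}")
```

On the sample this reports hmac-sha2-256 in the global scope and hmac-sha1 inside the Match User deploy block; the second finding is the kind a grep for the MACs keyword alone would attribute to the wrong scope.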

Match

PasswordAuthentication

PermitEmptyPasswords

PermitOpen

PermitRootLogin

PermitTTY

PermitTunnel

PermitUserEnvironment

PermitUserRC

Port

PubkeyAuthentication

Subsystem

UseDNS

UsePrivilegeSeparation

X11Forwarding

X11UseLocalhost