sshd_config - SSH Configuration File for Server
The OpenSSH server (or daemon) is configured with a configuration file, sshd_config. Correct configuration of the sshd_config file is very important to the security as well as to the usability of the host server.
The sshd_config file is an ASCII text file in which the different configuration options of the SSH server are set with keyword/argument pairs. Arguments that contain spaces are to be enclosed in double quotes ("). In the sshd_config file the keywords are case-insensitive while arguments are case-sensitive.
Each line that starts with '#' is interpreted as a comment.
By default the sshd process reads its configuration from /etc/ssh/sshd_config. A different file can also be indicated with the option -f on the command line.
The following is a list of some of the most commonly used configuration options:
AcceptEnv: Specifies which environment variables sent by the client will be copied into the session's user environment.
AddressFamily: Specifies which IP address family sshd should use. Valid arguments are: inet (IPv4 only), inet6 (IPv6 only).
AllowAgentForwarding: Specifies whether ssh-agent forwarding is permitted. The default is
AllowStreamLocalForwarding: Specifies whether forwarding of Unix domain sockets is permitted. The default is
AllowTcpForwarding: Specifies whether TCP forwarding is permitted. The default is
AllowUsers: Specifies that login is allowed only for those user names that match a pattern listed with this keyword. By default, login is allowed for all user names.
AuthenticationMethods: Specifies the authentication methods that must all be successfully completed in order to grant access to a user.
AuthorizedKeysFile: Specifies the file containing the public keys that can be used for user authentication. For more information, see Configuring Authorized Keys for OpenSSH.
ChallengeResponseAuthentication: Specifies whether challenge-response authentication is allowed. The default is
ChrootDirectory: Specifies the pathname of a directory to chroot (change root directory) to after authentication.
Ciphers: Specifies the ciphers allowed. The ciphers supported in OpenSSH 7.3 are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, arcfour, arcfour128, arcfour256, blowfish-cbc, cast128-cbc, chacha20-poly1305@openssh.com.
Compression: Specifies whether compression is allowed (yes), denied (no) or delayed until the user has authenticated successfully (delayed, the default).
DenyUsers: Specifies that login is denied for those user names that match a pattern listed with this keyword. By default, login is allowed for all user names.
ForceCommand: Forces the execution of the command specified by this keyword, ignoring any command supplied by the client and ~/.ssh/rc if present.
GatewayPorts: Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The default is
GSSAPIAuthentication: Specifies whether user authentication based on GSSAPI is allowed. The default is
HostbasedAuthentication: Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication (i.e. using the public key of the client machine to authenticate a user to the remote server, providing a non-interactive form of authentication) is allowed. The default is
HostbasedUsesNameFromPacketOnly: Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the /etc/hosts.equiv files during host-based authentication.
HostKey: Specifies a file containing a private host key used by SSH. It is possible to have multiple host key files. The default is /etc/ssh/ssh_host_rsa_key for SSH protocol version 2.
HostKeyAlgorithms: Specifies the host key algorithms offered by the server. The defaults (OpenSSH 7.3) are: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ssh-dss-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, ssh-rsa, ssh-dss.
IgnoreRhosts: Specifies that .rhosts and .shosts files will not be used in HostbasedAuthentication.
KbdInteractiveAuthentication: Specifies whether keyboard-interactive authentication is allowed. By default, the value of ChallengeResponseAuthentication is used.
KexAlgorithms: Specifies the available key exchange algorithms. The KEX algorithms supported in OpenSSH 7.3 are: curve25519-sha256@libssh.org, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521.
ListenAddress: Specifies the local addresses sshd should listen on. The following forms are allowed:
LoginGraceTime: The time after which the server disconnects if the user has not successfully logged in.
LogLevel: Specifies the level of verbosity for logging messages from sshd.
MACs: Specifies the available message authentication code algorithms that are used for protecting data integrity. The MACs supported in OpenSSH 7.3 are: hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, umac-64@openssh.com, umac-128@openssh.com, hmac-md5-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com.
In the algorithm names, -etm means encrypt-then-mac, i.e. the message authentication code is calculated over the ciphertext, after encryption. It is recommended to use these algorithms because they are considered safer.
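As an added example, not code from the original page or from the OpenSSH project, the following Python script parses a constructed sshd_config fragment according to the file rules described above (keyword/argument pairs, double-quoted arguments with spaces, '#' comment lines, case-insensitive keywords) and then reports legacy entries in the Ciphers, MACs and KexAlgorithms lists, preferring the -etm MAC variants recommended above. The sample configuration, the lists of "weak" name fragments and the function names are assumptions of this example; the rule that the first occurrence of a keyword wins comes from the sshd_config(5) manual page rather than from this page.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration for this example; it is not taken from any real host.
SAMPLE_CONFIG = """\
# Constructed sshd_config fragment
Port 22
addressfamily inet
AllowTcpForwarding no
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,arcfour
MACs hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-md5-96
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
Banner "/etc/ssh/my banner.txt"
AcceptEnv LANG LC_*
"""

# Name fragments this example treats as legacy (an assumption of the example, not a list
# from the page): CBC modes, RC4/arcfour, 3DES, Blowfish and CAST for ciphers; MD5,
# RIPEMD-160, SHA-1 and 96-bit truncated tags for MACs; SHA-1 based DH groups for KEX.
WEAK_CIPHER_MARKS = ("-cbc", "arcfour", "3des", "blowfish", "cast128")
WEAK_MAC_MARKS = ("hmac-md5", "ripemd160", "hmac-sha1", "-96")
WEAK_KEX_MARKS = ("group1-sha1", "group14-sha1", "group-exchange-sha1")

Options = Dict[str, List[List[str]]]


def parse_sshd_config(text: str) -> Options:
    """Parse sshd_config text into {keyword: [args, args, ...]}.

    Keywords are case-insensitive and are normalised to lower case; arguments keep their
    case. Empty lines and lines starting with '#' are comments. shlex handles the
    double-quoted arguments that contain spaces. Every occurrence of a keyword is kept,
    in file order, because some keywords (HostKey, ListenAddress) may legitimately repeat.
    """
    options: Options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if not parts:
            continue
        keyword, args = parts[0].lower(), parts[1:]
        options.setdefault(keyword, []).append(args)
    return options


def first_value(options: Options, keyword: str) -> Optional[List[str]]:
    """Return the arguments of the first occurrence of keyword, or None if it is absent.

    sshd_config(5) states that, unless noted otherwise, the first obtained value is used,
    so a hardening line appended at the end of the file is silently overridden by an
    earlier one. That is why the first occurrence, not the last, is audited here.
    """
    occurrences = options.get(keyword.lower())
    return occurrences[0] if occurrences else None


def algorithm_list(options: Options, keyword: str) -> List[str]:
    """Split a comma-separated algorithm argument such as 'aes256-ctr,aes128-ctr'."""
    args = first_value(options, keyword) or []
    return [name for arg in args for name in arg.split(",") if name]


def audit_algorithms(options: Options) -> List[Tuple[str, str]]:
    """Return (keyword, algorithm) pairs for legacy names in Ciphers, MACs and KexAlgorithms.

    A MAC is also reported when its name lacks '-etm@', since the page recommends the
    encrypt-then-MAC variants; a SHA-1 based MAC is reported even in its -etm form.
    """
    findings: List[Tuple[str, str]] = []
    for cipher in algorithm_list(options, "Ciphers"):
        if any(mark in cipher for mark in WEAK_CIPHER_MARKS):
            findings.append(("Ciphers", cipher))
    for mac in algorithm_list(options, "MACs"):
        if "-etm@" not in mac or any(mark in mac for mark in WEAK_MAC_MARKS):
            findings.append(("MACs", mac))
    for kex in algorithm_list(options, "KexAlgorithms"):
        if any(mark in kex for mark in WEAK_KEX_MARKS):
            findings.append(("KexAlgorithms", kex))
    return findings


if __name__ == "__main__":
    parsed = parse_sshd_config(SAMPLE_CONFIG)
    print("AddressFamily:", first_value(parsed, "AddressFamily"))
    for keyword, name in audit_algorithms(parsed):
        print(f"legacy algorithm in {keyword}: {name}")
```

Run against the embedded sample, the audit reports aes128-cbc and arcfour under Ciphers, hmac-sha1 and hmac-md5-96 under MACs, and diffie-hellman-group1-sha1 under KexAlgorithms. The first-occurrence rule matters in practice: a second Ciphers line later in the file does not take effect, so a reviewer should check the whole file rather than only its tail.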