SSH, the Secure Shell protocol, is used to log in to a remote machine and run commands on it. All traffic is encrypted and authenticated, which is what makes SSH a safe replacement for cleartext Telnet. OpenSSH is the most widely used implementation of the protocol; it provides both the client (ssh) and the server daemon (sshd).
What Will We Cover?
In this guide, we will explore the different aspects of the OpenSSH server configuration file. Let’s get started now.
OpenSSH Configuration Files
OpenSSH ships with configuration files for the client and for the server:
1. Client-side files: ssh_config is the system-wide client configuration, located at /etc/ssh/ssh_config. The user-specific file is config, located at $HOME/.ssh/config.
The ssh client takes its settings from the command line and from these two files. For each parameter the first value found is used, and the search order is: command-line options, then the user's ~/.ssh/config, then the system-wide /etc/ssh/ssh_config. The user file therefore overrides the system-wide one; /etc/ssh/ssh_config can supply defaults but cannot enforce them.
2. sshd_config: the server-side file, located at /etc/ssh/sshd_config. The OpenSSH daemon reads it when it starts and again when it receives a SIGHUP (which is what a service reload sends).
Exploring the sshd Configuration File
The sshd_config file consists of one keyword and its argument(s) per line, and every directive can be customized. Here is an example layout of the file (it comes from an older OpenSSH release and still contains SSH protocol 1 directives):
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
ListenAddress 0.0.0.0
ListenAddress ::
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail no
Any line that begins with “#” is a comment. Note that several directives in this file (ServerKeyBits, KeyRegenerationInterval, RhostsAuthentication, RhostsRSAAuthentication, RSAAuthentication, CheckMail) belong to SSH protocol version 1, which OpenSSH has removed; a current sshd logs them as deprecated and ignores them, and KeepAlive is only an obsolete alias for TCPKeepAlive. Let’s explore some of the remaining parameters:
1. The Port directive specifies the TCP port on which sshd listens for connections. The default is 22, the standard port; the file above does not set it, so the default applies. More than one Port directive may be given, in which case sshd listens on all of them.
2. The ListenAddress directive specifies the local address to listen on, optionally with a port (host:port, [host]:port or host port). The default is to listen on all addresses bound to the server. Note the ordering rule: any Port directives must precede a ListenAddress that does not carry its own port, because such an address is bound only to the ports that have been seen so far.
3. The HostKey directive gives the full path of a private host key file. In the file above it is /etc/ssh/ssh_host_key, the protocol 1 key; a current server lists one HostKey per key type, by default /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key and /etc/ssh/ssh_host_ed25519_key. These keys are the server’s identity and must stay readable by root only.
4. The PermitRootLogin directive controls whether root may log in over SSH. It accepts yes, prohibit-password (no password or keyboard-interactive logins for root, public keys still allowed), forced-commands-only and no; the built-in default is prohibit-password. Set it to no, or at least prohibit-password, and have administrators log in under their own accounts. Restricting client addresses with hosts.allow and hosts.deny is not a substitute: OpenSSH dropped TCP Wrappers support in release 6.7, and a firewall rule limits who can reach the daemon, not what a successful root login can do.
5. The X11Forwarding directive permits X Window System forwarding when set to yes. Leave it at no unless users need it: through a forwarded connection, anyone who can bypass file permissions on the server can reach the client’s X display.
6. The SyslogFacility directive specifies the syslog facility that sshd logs to. Keep the default, AUTH.
7. The LogLevel directive sets how much sshd logs: QUIET, FATAL, ERROR, INFO (the default), VERBOSE, DEBUG1, DEBUG2 or DEBUG3. VERBOSE is worth enabling on servers you audit, because it records the fingerprint of the key used for each login; the DEBUG levels expose user activity and belong in troubleshooting sessions only.
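The parsing rules above are easier to trust when you can watch them applied. The following script is an added example, not code from the original article: it reads a constructed sshd_config the way sshd does (case-insensitive keywords, first occurrence wins, nothing after the first Match line is global), prints the effective value of a directive, checks that every Port precedes any ListenAddress lacking its own port, and lists the SSH protocol 1 directives that a current sshd would warn about and ignore. It goes a little beyond the text by also honouring the Match-block boundary. The sample file contents and its TMPDIR path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: read an sshd_config the way
# sshd reads it. Keywords are case-insensitive, the first occurrence of a
# directive wins, and lines after the first "Match" are conditional, so only
# the lines before it count as global settings.

# Constructed sample configuration for the demonstration: it repeats a directive
# with two spellings, keeps SSH1-era leftovers, and puts Port after an
# unqualified ListenAddress. The path is an assumption (TMPDIR or /tmp).
SAMPLE_CONFIG=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$SAMPLE_CONFIG" <<'EOF'
# sample sshd_config, constructed for this example
ListenAddress 0.0.0.0
ListenAddress ::
Port 222
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication yes
KeepAlive yes
Match User backup
    PasswordAuthentication no
EOF

# sshd_effective FILE KEYWORD: print the global value sshd uses for KEYWORD
# (first argument only; the later "PermitRootLogin no" above is ignored).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }              # comments and blank lines
        tolower($1) == "match" { exit }              # end of the global section
        tolower($1) == key     { print $2; exit }    # first occurrence wins
    ' "$1"
}

# ports_precede_listenaddress FILE: succeed when every Port directive comes
# before any ListenAddress that carries no port of its own, as sshd requires
# (such an address is bound only to the ports seen so far).
ports_precede_listenaddress() {
    awk '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == "listenaddress" {
            a = $2; qualified = 0
            if (NF >= 3)                      qualified = 1   # "addr port"
            else if (a ~ /^\[.*\]:[0-9]+$/)   qualified = 1   # "[ipv6]:port"
            else if (gsub(/:/, ":", a) == 1)  qualified = 1   # "ipv4:port" or "host:port"
            if (!qualified) unqualified_seen = 1              # e.g. 0.0.0.0 or ::
        }
        tolower($1) == "port" && unqualified_seen { bad = 1; exit }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# deprecated_directives FILE: list the SSH protocol 1 directives that a current
# sshd logs as deprecated and ignores. KeepAlive is not listed: it is still
# accepted as an alias for TCPKeepAlive.
deprecated_directives() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) ~ /^(serverkeybits|keyregenerationinterval|rhostsauthentication|rhostsrsaauthentication|rsaauthentication|checkmail|protocol)$/ { print $1 }
    ' "$1"
}

# audit_sshd_config FILE: one finding per line for the settings discussed in
# the text; prints nothing when none apply.
audit_sshd_config() {
    f=$1
    case "$(sshd_effective "$f" PermitRootLogin)" in
        yes) echo "PermitRootLogin yes: root may log in directly, even with a password" ;;
    esac
    case "$(sshd_effective "$f" PasswordAuthentication)" in
        yes|"") echo "PasswordAuthentication is on (the default when unset): prefer keys once they are deployed" ;;
    esac
    case "$(sshd_effective "$f" X11Forwarding)" in
        yes) echo "X11Forwarding yes: the client's X display is exposed to the server" ;;
    esac
    ports_precede_listenaddress "$f" || echo "Port appears after a ListenAddress without a port; move the Port lines up"
    deprecated_directives "$f" | while read -r d; do
        echo "$d: SSH1-era directive, ignored by current sshd"
    done
}

echo "effective PermitRootLogin: $(sshd_effective "$SAMPLE_CONFIG" PermitRootLogin)"
audit_sshd_config "$SAMPLE_CONFIG"
```

Run against the sample, the effective PermitRootLogin is yes (the lower-case first line wins over the later no), the Port line is flagged for appearing after the two unqualified ListenAddress lines, and ServerKeyBits is reported as a dead directive. Point the functions at /etc/ssh/sshd_config to audit a real server; values with several arguments are reported by their first argument only.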
Changing the sshd Port
By default, sshd listens on TCP port 22. When trying out a new configuration, run the test instance on a different port so that the production daemon on port 22 keeps serving the whole time; if the new settings turn out to be broken, you are not locked out of the machine.
It is also good practice to check the syntax of a new sshd_config before using it, whatever port the daemon will run on. The check is sshd’s test mode: sshd -t, with -f pointing at the file when it is not /etc/ssh/sshd_config. Test mode parses the configuration, loads the host keys and exits.
Only root should be able to read and write this file (root-owned, mode 0600). Because test mode also reads the private host keys in /etc/ssh, it has to be run as root.
If the command prints nothing and exits with status 0, the file is valid; otherwise it reports the offending line and exits non-zero. The related extended test mode, sshd -T, prints the effective configuration after parsing, including defaults, which is the quickest way to confirm what the daemon will actually use.
Modifying the Default Configuration File and Port
In some cases, we want to run a new instance of sshd on a different port, for example because port 22 is already in use, or because changing the port of the production daemon is too risky. In such situations, we can create an alternative configuration file for the second instance.
Let’s create a copy of sshd_config as sshd_config_new and adjust the server parameters in it. The new file is passed to the daemon with -f, and -p selects the port: sshd -f /etc/ssh/sshd_config_new -p 100. Two details matter here: sshd must be started by its absolute path (for example /usr/sbin/sshd), because it re-executes itself for each connection, and a port given with -p overrides any Port directives in the file.
The new daemon now listens on port 100. Any port value that is not already in use will do; a second instance should also get its own PidFile so that it does not overwrite the production daemon’s.
Now, let’s check that the new port works. Using the ssh client, connect with the -p option: ssh -p 100 user@server. The -p option selects the port on the remote server. When testing on the server itself, use the loopback address: ssh -p 100 user@127.0.0.1.
Troubleshooting OpenSSH Configuration
Sometimes the server does not behave as expected. In that case, start sshd with the -d flag: the daemon runs in the foreground, does not fork, handles a single connection and prints debug output. The output is verbose, and up to three -d flags (-ddd) raise the debugging level further. Run it against the new configuration file and port, sshd -d -f /etc/ssh/sshd_config_new -p 100, then connect from a client and read along.
In debug mode the log goes to stderr instead of the syslog AUTH facility. Two related flags are useful to know: -e sends the log to stderr without the rest of debug mode, and -D keeps the daemon in the foreground while it still logs to syslog.
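The whole procedure, put together as a script. This is an added example rather than code from the article: the alternative file is derived from the production one with Port and PidFile pinned at the top (so they precede every ListenAddress and stay outside any Match block), checked for root-only permissions and with sshd -t, started as a second instance, connected to with ssh -p, and run under -ddd when troubleshooting. The daemon path /usr/sbin/sshd, the file name /etc/ssh/sshd_config_new, port 100 and the account admin are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: the workflow from the text
# as shell functions. Assumed names: /usr/sbin/sshd as the daemon path,
# /etc/ssh/sshd_config_new as the alternative file, port 100, and "admin" as
# the test account. Everything except make_alt_config and config_is_private
# must run as root, because sshd has to read the private host keys.

SSHD=/usr/sbin/sshd   # absolute path: sshd re-executes itself and refuses a relative one

# make_alt_config SRC DEST PORT: derive DEST from SRC. Existing Port and PidFile
# lines are dropped and replaced at the very top, so they precede every
# ListenAddress and stay outside any Match block; the private pid file keeps
# the test instance from overwriting the production daemon's.
make_alt_config() {
    src=$1; dest=$2; port=$3
    {
        printf 'Port %s\nPidFile /run/sshd_test_%s.pid\n' "$port" "$port"
        grep -viE '^[[:space:]]*(Port|PidFile)([[:space:]]|$)' "$src" || :   # grep exits 1 if nothing remains
    } > "$dest"
    chmod 600 "$dest"   # root-only, as the text requires (chown root when not already root's)
}

# config_is_private FILE: succeed when FILE grants no permission to group or
# other. The ls-based check is portable; on the server, also require root
# ownership (find FILE ! -user root must print nothing).
config_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_config FILE: refuse a file readable by others, then run sshd in test
# mode. sshd -t parses FILE and loads the host keys; it prints nothing and
# exits 0 when the file is valid. sshd -T -f FILE would dump the effective settings.
check_config() {
    config_is_private "$1" || { echo "refusing: $1 is readable or writable by others" >&2; return 1; }
    "$SSHD" -t -f "$1"
}

# start_test_instance FILE PORT: launch a second sshd. -p on the command line
# overrides any Port directive in FILE, and -D keeps the daemon attached so
# the pid we print can be used to stop it (kill "$pid") when testing is done.
start_test_instance() {
    "$SSHD" -D -f "$1" -p "$2" &
    echo $!
}

# connect USER HOST PORT: confirm the new instance answers. -p selects the
# remote port; $SSH_CONNECTION is expanded on the server and shows the port hit.
connect() {
    ssh -p "$3" -o ConnectTimeout=5 "$1@$2" 'echo "connected: $SSH_CONNECTION"'
}

# debug_test_instance FILE PORT: troubleshoot in the foreground. -d handles a
# single connection and logs to stderr instead of syslog; three -d flags give
# the most detail. -e alone would redirect logs to stderr without debug mode.
debug_test_instance() {
    "$SSHD" -ddd -f "$1" -p "$2"
}

# Typical session (as root on the server):
#   make_alt_config /etc/ssh/sshd_config /etc/ssh/sshd_config_new 100
#   check_config /etc/ssh/sshd_config_new
#   pid=$(start_test_instance /etc/ssh/sshd_config_new 100)
#   connect admin 127.0.0.1 100      # or, from another host: ssh -p 100 admin@<server>
#   kill "$pid"
#   debug_test_instance /etc/ssh/sshd_config_new 100   # when the connection fails
```

Because check_config refuses a file that is readable by group or other before it ever invokes sshd, a configuration copied with a permissive umask is caught at the same time as a syntax error would be; and since -p is given on the command line, the Port written into the file only takes effect once the file is later handed to the daemon without -p (for example by a service manager).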
Conclusion
The OpenSSH daemon, sshd, is a crucial part of most administration infrastructures, and it deserves careful management. In this article, we looked at the OpenSSH server configuration file sshd_config, its most security-relevant directives, and how to test a changed configuration on a separate port before it goes live.