Learning SSH: SSHD Config File Options and Parameters
in the previous (fourth) installment of this series of posts on Learning SSH we address the options specified in OpenSSH configuration file that are handled on the side of the SSH client, that is, the file "SSHConfig" (ssh_config).
For this reason, today we will continue in this penultimate and fifth delivery, with the options specified in the OpenSSH configuration file that are handled on the side of the ssh-server, that is, the file "SSHD Config" (sshd_config).
Learning SSH: SSH Config File Options and Parameters
And, before starting today's topic, about the manageable content of the file OpenSSH "SSHD Config" (sshd_config), we will leave some links of related posts:
SSHD Config File Options and Parameters (sshd_config)
What is the SSHD Config (sshd_config) file for OpenSSH?
As we expressed in the previous tutorial, OpenSSH has 2 configuration files. one called ssh_config for the configuration of SSH client side and another call sshd_config for side configuration ssh-server. Both, located in the following path or directory: /etc/ssh.
Therefore, this is usually more important or relevant, since it allows us to secure SSH connections that we are going to allow in our Servers. Which is usually part of something known as Server Hardening.
For this reason, today we will show what many of the options and parameters within said file are for, in our last and sixth installment of this series offer more practical and real recommendations how to make such adjustments or changes through such options and parameters.
List of existing options and parameters
as in the file "SSH Config" (ssh_config), the "SSHD Config" file (sshd_config) has many options and parameters, but one of the best known, used or important
AllowUsers / Denussers
This option or parameter is usually not included by default in said file, but inserted in it, generally at the end of it, it offers the possibility of indicate who or who (users) can log in to the server via SSH connection.
Therefore, this option or parameter is used accompanied by a list of username patterns, separated by spaces. So that, if specified, the login, then the same will only be allowed for usernames that match one of the patterns.
Note that by default, login is allowed for all users on any host. However, if the pattern is set up like this "USER@HOST", so USER and HOST they are verified separately, which restricts logins to particular users from particular hosts.
Y for HOST, addresses in the format of IP address/CIDR mask. Finally, AllowUsers can be replaced by Denussers to deny the same user patterns.
ListenAddress
Allows you to specify the local IP addresses (local network interfaces of the server machine) on which the sshd program should listen. And for this, the following forms of configuration can be used:
- ListenAddress hostname | IPv4/IPv6 address [domain ]
- ListenAddress hostname : port [domain ]
- ListenAddress IPv4/IPv6 address : port [domain ]
- ListenAddress [hostname | IPv4/IPv6 address] : port [domain]
LoginGraceTime
Allows you to specify a time (of grace), after which, the server disconnects, if the user who is attempting to make an SSH connection is unsuccessful. If the value is zero (0), it is set that there is no time limit, while Default is set to 120 seconds.
LogLevel
Allows you to specify the verbosity level for sshd log messages. and heManageable values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. While, andThe default value is INFO.
MaxAuthTries
Specifies the maximum number of authentication attempts allowed per connection. By default, its value is set to 6.
MaxSessions
Allows you to specify the maximum number of open Shell sessions per network connection established, either by logins or by subsystem used, for example via sftp. Eset its value to 1 will cause session multiplexing to be disabled, while setting it to 0 will block all types of connections and sessions. By default, its value is set to 10.
MaxStartups
Allows you to specify the maximum number of simultaneous unauthenticated connections to the SSH daemon, i.e. the number of SSH connections that can be opened per IP/Host. Its default value is usually 10, 30, or 100, which is often considered high, so a lower value is recommended.
Password Authentication
Specifies whether password authentication will be required. By default, its value is set to "Yes".
AllowEmptyPasswords
Specifies whether the server will approve (authorize) logging in to user accounts with empty password strings. By default, its value is set to "No".
PermitRootLogin
Allows you to specify whether the server will approve (authorize) starting login sessions on root user accounts. Although, dBy default, its value is set to "prohibit-password", ideally set to "No", which fully sets that a root user is not allowed to start an SSH session.
Port (The Harbour District)
Allows you to specify the port number through which the sshd program will be listening for all SSH connection requests. By default, its value is set to "22".
StrictModes
Specifies whether the SSH program should verify the file modes and ownership of the user's home directory and files before accepting the login. By default, its value is set to "Yes".
SyslogFacility
Allows the installation code to be provided that is used when logging messages from the SSH program. By default, its value is set to "Authorization" (AUTH).
Note: Depending on the Sysadmin and the security requirements of each technological platform, many other options can be very useful or necessary. As we will see in our next and last post in this series, where we will focus on good practices (advice and recommendations) on SSH, to apply using everything shown so far.
More information
And in this fourth installment, to expand this information and study each and every one of the options and parameters available within the configuration file "SSHD Config" (sshd_config)We recommend exploring the following links: SSH configuration file for OpenSSH Server y Official OpenSSH Manuals, in English. And just as in the previous three installments, explore the following official content and trustworthy online about SSH and OpenSSH:
- Debian Wiki
- Debian Administrator's Manual: Remote Login / SSH
- Debian Security Manual: Chapter 5. Securing Services
Summary
In short, with this new installment on "Learning SSH" we are almost finishing the explanatory content on everything related to OpenSSH, by offering essential knowledge about configuration files "SSHD Config" (sshd_config) y "SSH Config" (ssh_config). Therefore, we hope that it is being useful to many, both personally and professionally.
If you liked this post, be sure to comment on it and share it with others. And remember, visit our «homepage» to explore more news, as well as join our official channel of Telegram from DesdeLinux, West group for more information on today's topic.