sshd_config (SSH Server Configuration)
sshd_config is the configuration file for the SSH server daemon (sshd). It is located at /etc/ssh/sshd_config and controls settings such as the listening port, authentication methods, and which users are allowed to log in. The default configuration has security weaknesses, so it is strongly recommended to harden it by setting PasswordAuthentication no (disable password authentication), PermitRootLogin no (disallow direct root login), and changing the Port value. After making changes, restart sshd to apply them.
Syntax
```
# -----------------------------------------------
# Key settings in /etc/ssh/sshd_config
# -----------------------------------------------
# Port
#   → Specifies the port number the SSH server listens on.
#   → Default is 22. Changing it can significantly reduce
#     automated attacks from port scanners.
#   Example: Port 22
#   Example: Port 2222
# AddressFamily
#   → Specifies whether to accept IPv4, IPv6, or both.
#   → any (both) / inet (IPv4 only) / inet6 (IPv6 only)
#   Example: AddressFamily any
# ListenAddress
#   → Specifies the network interface the server listens on.
#   → 0.0.0.0 listens on all IPv4 interfaces.
#   Example: ListenAddress 0.0.0.0
# PermitRootLogin
#   → Controls whether the root user can log in directly via SSH.
#   → Setting this to no significantly improves security.
#   → prohibit-password allows root login with public key authentication only.
#   Example: PermitRootLogin no
#   Example: PermitRootLogin prohibit-password
# PasswordAuthentication
#   → Specifies whether password authentication is allowed.
#   → It is strongly recommended to set this to no and use public key authentication only.
#   Example: PasswordAuthentication no
# PubkeyAuthentication
#   → Specifies whether public key authentication is allowed.
#   → Defaults to yes. Before disabling PasswordAuthentication,
#     make sure your public key is already set up.
#   Example: PubkeyAuthentication yes
# AuthorizedKeysFile
#   → Specifies the path to the file that stores authorized public keys.
#   → %h expands to the user's home directory.
#   Example: AuthorizedKeysFile .ssh/authorized_keys
# PermitEmptyPasswords
#   → Specifies whether login with an empty password is allowed.
#   → Always set this to no.
#   Example: PermitEmptyPasswords no
# MaxAuthTries
#   → Specifies the maximum number of authentication attempts per connection.
#   → The connection is dropped when the limit is exceeded. A value of 3–6 is typical.
#   Example: MaxAuthTries 3
# MaxSessions
#   → Specifies the maximum number of multiplexed sessions per connection.
#   Example: MaxSessions 10
# AllowUsers
#   → Specifies space-separated usernames that are allowed to log in via SSH.
#   → Users not listed here will be denied access.
#   Example: AllowUsers webmaster deploy sysadmin
# AllowGroups
#   → Specifies space-separated group names that are allowed to log in via SSH.
#   Example: AllowGroups sshusers
# DenyUsers / DenyGroups
#   → Specifies users or groups that are denied SSH login.
#   Example: DenyUsers nobody
# LoginGraceTime
#   → Specifies the time limit for completing authentication (in seconds or minutes).
#   → Default is 120 seconds. Reducing this value improves resistance to brute-force attacks.
#   Example: LoginGraceTime 30
# ClientAliveInterval / ClientAliveCountMax
#   → Specifies the interval for sending keepalive packets to the client
#     and the number of unanswered packets before the session is disconnected.
#   → Used to automatically disconnect idle sessions.
#   Example: ClientAliveInterval 300
#   Example: ClientAliveCountMax 3
# X11Forwarding
#   → Specifies whether to allow forwarding of GUI applications over SSH.
#   → Set to no if you do not need this feature.
#   Example: X11Forwarding no
# UseDNS
#   → Specifies whether to perform reverse DNS lookup for connecting clients.
#   → Setting this to no can improve login speed.
#   Example: UseDNS no
# Banner
#   → Specifies the path to a file whose contents are displayed before login.
#   Example: Banner /etc/issue.net
# Subsystem
#   → Defines subsystems such as SFTP.
#   Example: Subsystem sftp /usr/lib/openssh/sftp-server
```
Directives
| Directive | Description |
|---|---|
| Port | Specifies the port number the SSH server listens on. Default is 22. Changing it reduces automated scan-based attacks. |
| AddressFamily | Specifies which address family to listen on. Choose from any (both IPv4 and IPv6), inet (IPv4 only), or inet6 (IPv6 only). |
| ListenAddress | Specifies the IP address of the network interface to listen on. Defaults to all interfaces. |
| PermitRootLogin | Controls whether root can log in directly via SSH. Setting this to no is the most secure option. prohibit-password allows root login via public key authentication only. |
| PasswordAuthentication | Specifies whether password authentication is allowed. It is strongly recommended to set this to no and rely on public key authentication only. |
| PubkeyAuthentication | Specifies whether public key authentication is allowed. Defaults to yes. Make sure your public key is registered before disabling password authentication. |
| AuthorizedKeysFile | Specifies the path to the file that stores authorized public keys. Defaults to ~/.ssh/authorized_keys. |
| PermitEmptyPasswords | Specifies whether login with an empty password is allowed. Always set this to no. |
| MaxAuthTries | Specifies the maximum number of authentication attempts per connection. The connection is dropped when the limit is exceeded. A value of 3–6 is recommended. |
| MaxSessions | Specifies the maximum number of multiplexed sessions per connection. Default is 10. |
| AllowUsers | Lists space-separated usernames that are allowed to log in via SSH. Users not listed here will be denied access. |
| AllowGroups | Specifies space-separated group names that are allowed to log in via SSH. Can be used in combination with AllowUsers. |
| DenyUsers | Specifies usernames that are denied SSH login. Takes precedence over AllowUsers. |
| LoginGraceTime | Specifies the time limit for completing authentication. Default is 120 seconds. Reducing it improves resistance to brute-force attacks. |
| ClientAliveInterval | Specifies the interval in seconds between keepalive packets sent to the client. Set to 0 to disable. |
| ClientAliveCountMax | Specifies the number of unanswered keepalive packets before the session is disconnected. |
| X11Forwarding | Specifies whether SSH X11 forwarding (for GUI applications) is allowed. Set to no if you do not need this feature. |
| UseDNS | Specifies whether to perform reverse DNS lookup for connecting clients. Setting this to no can speed up login. |
| Banner | Specifies the path to a file whose contents are displayed before login. Useful for showing unauthorized access warnings. |
| Subsystem | Defines subsystems such as SFTP. Usually does not need to be changed. |
Examples
/etc/ssh/sshd_config (security-hardened configuration)
```
# -----------------------------------------------
# Change the port number (from the default 22 to reduce automated scanning)
# -----------------------------------------------
Port 2222

# -----------------------------------------------
# Listen on IPv4 only
# -----------------------------------------------
AddressFamily inet

# -----------------------------------------------
# Disallow direct root login
# -----------------------------------------------
PermitRootLogin no

# -----------------------------------------------
# Disable password authentication and allow public key authentication only
# (make sure to add your public key to ~/.ssh/authorized_keys beforehand)
# -----------------------------------------------
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# -----------------------------------------------
# Disallow login with an empty password
# -----------------------------------------------
PermitEmptyPasswords no

# -----------------------------------------------
# Limit authentication attempts (brute-force protection)
# -----------------------------------------------
MaxAuthTries 3
LoginGraceTime 30

# -----------------------------------------------
# Explicitly specify which users are allowed to log in
# -----------------------------------------------
AllowUsers webmaster deploy sysadmin

# -----------------------------------------------
# Automatically disconnect idle sessions
# Send a keepalive every 300 seconds (5 minutes); disconnect after 3 no-replies
# -----------------------------------------------
ClientAliveInterval 300
ClientAliveCountMax 3

# -----------------------------------------------
# Disable unused features
# -----------------------------------------------
X11Forwarding no
UseDNS no

# -----------------------------------------------
# Keep the SFTP subsystem enabled
# -----------------------------------------------
Subsystem sftp /usr/lib/openssh/sftp-server
```
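As an added example (not part of the original page), the following POSIX shell script audits an sshd_config against the directives in the table and the hardened configuration above. It reads the file the way sshd does (directive names are case-insensitive and the first occurrence wins), skips Match blocks so only the global section is judged, and assumes OpenSSH's defaults for directives that are absent; the sample config at the bottom is constructed for the demonstration.

```shell
# Added example: audit an sshd_config for the hardening directives covered on this page.
# Mirrors two sshd parsing rules: directive names are case-insensitive and the FIRST
# occurrence wins. Match blocks are skipped (simplification: only the global section).

# Print the effective value of directive $2 in file $1, or default $3 if absent.
sshd_effective() {
    _val=$(awk -v key="$2" '
        tolower($1) == "match" { exit }                 # global section ends here
        NF == 0 || /^[ \t]*#/ { next }                  # blank lines and comments
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1")
    printf '%s\n' "${_val:-$3}"
}

# Report OK/WEAK for directive $2 in file $1 against expected value $3 (default $4).
check_directive() {
    _have=$(sshd_effective "$1" "$2" "$4" | tr 'A-Z' 'a-z')
    if [ "$_have" = "$3" ]; then
        printf 'OK    %-22s %s\n' "$2" "$_have"
    else
        printf 'WEAK  %-22s %s (want %s)\n' "$2" "$_have" "$3"
    fi
}

# Run the checks from the hardened example, one report line per directive.
# Defaults are OpenSSH's; confirm the ones your build uses with `sshd -T`.
audit_sshd_config() {
    check_directive "$1" PermitRootLogin        no  prohibit-password
    check_directive "$1" PasswordAuthentication no  yes
    check_directive "$1" PermitEmptyPasswords   no  no
    check_directive "$1" PubkeyAuthentication   yes yes
    check_directive "$1" X11Forwarding          no  no
    check_directive "$1" MaxAuthTries           3   6
    _port=$(sshd_effective "$1" Port 22)
    if [ "$_port" != 22 ]; then printf 'OK    %-22s %s\n' Port "$_port"
    else printf 'WEAK  %-22s %s (still the default)\n' Port "$_port"; fi
}

# Constructed sample config (not a real host's file) exercising the parsing rules.
CFG=$(mktemp); trap 'rm -f "$CFG"' EXIT
cat >"$CFG" <<'EOF'
# typical drift: the later "no" does NOT override the earlier "yes"
PasswordAuthentication yes
permitrootlogin no
PasswordAuthentication no
MaxAuthTries 3
Match User deploy
    X11Forwarding yes
EOF
audit_sshd_config "$CFG"   # expect WEAK for PasswordAuthentication and Port
```

On a live host, point the script at /etc/ssh/sshd_config (and any Include files) rather than the sample; sshd -T remains the authoritative view of the running configuration.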
Run the following command:
```
$ sudo sshd -t
```
(No output means no errors. Use this to check the configuration file syntax.)
```
$ sudo systemctl restart sshd
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2026-03-25 10:00:00 JST; 3s ago
   Main PID: 12345 (sshd)
      Tasks: 1 (limit: 4659)
     Memory: 3.2M
        CPU: 18ms
     CGroup: /system.slice/ssh.service
             └─12345 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
```
Verify the configuration and restart sshd (RHEL / AlmaLinux)
```
# -----------------------------------------------
# Check the configuration file syntax (the -t option)
# Always run a syntax check before restarting after making changes.
# A syntax error will prevent sshd from starting, locking you out of SSH.
# -----------------------------------------------
sudo sshd -t

# -----------------------------------------------
# Restart sshd to apply the configuration
# Use sshd.service on RHEL-based systems, ssh.service on Ubuntu-based systems.
# -----------------------------------------------
sudo systemctl restart sshd

# -----------------------------------------------
# Verify that sshd is running and confirm the listening port
# -----------------------------------------------
sudo ss -tlnp | grep sshd
```
Run the following command:
```
$ sudo ss -tlnp | grep sshd
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=12345,fd=3))
```
Verify that only users listed in AllowUsers can connect via SSH
```
# -----------------------------------------------
# Attempt to connect as a user not in AllowUsers (user1)
# to confirm the connection is denied.
# -----------------------------------------------
# Attempt to connect as user1 (assuming the port has been changed to 2222)
ssh -p 2222 user1@192.168.1.100
```
Output:
```
user1@192.168.1.100: Permission denied (publickey).
```
(The connection is denied because user1 is not in AllowUsers.)
Overview
sshd_config is the most important configuration file for controlling the security and behavior of the SSH server. The three key settings to understand are PermitRootLogin no (disallow direct root login), PasswordAuthentication no (disable password authentication), and AllowUsers (explicitly specify which users can log in). Before disabling password authentication, make sure you have generated a key pair and added the public key to ~/.ssh/authorized_keys. For how to create a key pair, see the ssh-keygen page. After making changes, always run sshd -t to check the syntax before running systemctl restart sshd to apply them. If you restart sshd with a syntax error in the configuration, SSH access will be completely lost, so be careful. For user management, see also the useradd / userdel and passwd / shadow pages.