Recommended /etc/sshd_config parameters for OpenSSH

There are a few settings at /etc/ssh/sshd_config we can set to improve security, performance and user experience. Many of this information comes from SSH The Secure Shell, 2nd Edition from O’Reilly

1. Using SSH-2 Protocol and disable SSH-1 protocol altogether

Protocol 2

2. Ensure that the HostKey and PidFile are located on a machine’s local disk and not over the NFS mount. The default setting should be in the machine local file like those below

HostKey /etc/ssh/ssh_host_key
PidFile /var/run/

3. File and directory permissions

The StrictModes value requires users to protect their SSH-related files and directories or else they will not authenticate.The default values is yes

StrictModes yes

4. Enable KeepAlive messages

Keepalive messages are enabled so that the connections to clients that have crashed or unreachable will terminate rather than be an orphaned process which require manual intervention by sysadmin to eliminate it.

Port 22 
TcpKeepAlive yes

5. Disable Reverse DNS lookup

UseDNS no

6. Select a shorter grace login time

The default grace login is 2 minute which you might want to change. The value here is 30 seconds

LoginGraceTime 30

7. Authentication

The default setting are fine unless you wish to use Public-Key Authentication and wish to disabled Kerberos, Interactive and GSSAPIAuthentication

PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
RSAAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
IgnoreRhosts yes

8. Access Control

If you wish to allow only selected users or groups to use ssh, you would like to use

AllowGroups users
AllowUsers me_only
DenyGroups black_list
DenyUsers hacker_id

For more information, see How do I permit specific users SSH access?
9. Securing TCP port forwarding and X forwarding

AllowTcpForwarding yes
X11Forwarding yes

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.