September 16, 2024

Understanding and Configuring the SSHD Config File on Raspberry Pi

Ben

@benjislab

Secure Shell (SSH) is a powerful tool that allows you to remotely access and manage your Raspberry Pi. The SSH daemon (SSHD) on your Raspberry Pi is controlled by a configuration file that dictates how SSH operates. By understanding and tweaking the sshd_config file, you can enhance security, customize SSH behavior, and ensure that remote access to your Raspberry Pi meets your specific needs.

What is the SSHD Config File?

The sshd_config file is the main configuration file for the SSH daemon (sshd) on Linux systems, including Raspberry Pi OS. This file contains various directives that control the behavior of SSH, such as authentication methods, connection settings, and security options.

The sshd_config file is typically located at:

/etc/ssh/sshd_config

Accessing and Editing the SSHD Config File

To modify the sshd_config file, follow these steps:

1. Open a Terminal: You can access the terminal directly on your Raspberry Pi or via SSH if you're connected remotely.

2. Edit the sshd_config File: Use a text editor like nano to open and edit the file:

sudo nano /etc/ssh/sshd_config

3. Make Changes: Modify the necessary configuration options as described in the sections below.

4. Save and Exit: After making your changes, save the file and exit the editor. In nano, you can do this by pressing Ctrl+X, then Y, and hitting Enter.

5. Restart the SSH Service: For your changes to take effect, restart the SSH service:

sudo systemctl restart ssh

Key Configuration Options in sshd_config

Here are some important directives in the sshd_config file that you can configure to enhance security and customize your SSH setup:

1. PermitRootLogin

By default, SSH allows the root user to log in. For security reasons, it's recommended to disable root login.

PermitRootLogin no

Setting this to no ensures that the root user cannot log in via SSH, reducing the risk of unauthorized access.

2. PasswordAuthentication

To further secure your Raspberry Pi, you can disable password authentication and use SSH key-based authentication instead.

PasswordAuthentication no

This directive disables the ability to log in using a password, forcing users to authenticate using SSH keys.

3. Port

By default, SSH listens on port 22. Changing the SSH port to a non-standard port can help reduce the number of automated attacks on your Raspberry Pi.

Port 2222

Replace 2222 with your desired port number. Make sure to choose a port number that is not in use by another service.

4. AllowUsers

You can restrict SSH access to specific users by specifying them in the AllowUsers directive.

AllowUsers pi yourusername

This example allows only the pi user and yourusername to log in via SSH.

5. PubkeyAuthentication

Ensure that public key authentication is enabled to allow SSH key-based login.

PubkeyAuthentication yes

This directive is typically enabled by default, but it's good to double-check if you're using SSH keys for authentication.

6. MaxAuthTries

Limit the number of authentication attempts allowed per connection to protect against brute-force attacks.

MaxAuthTries 3

This setting limits the number of failed authentication attempts to three before the connection is closed.

7. ClientAliveInterval and ClientAliveCountMax

These directives help keep your SSH session alive or automatically disconnect inactive sessions.

• ClientAliveInterval: Sets the timeout interval in seconds. The server sends a message through the encrypted channel if no data has been received within the specified interval.

ClientAliveInterval 60

• ClientAliveCountMax: Specifies the number of client alive messages that can be sent without receiving any messages back from the client. After this limit is reached, the server disconnects the client.

ClientAliveCountMax 3

In this example, the server will disconnect the client if there is no activity for 180 seconds (60 seconds * 3).

8. AllowTcpForwarding and X11Forwarding

• AllowTcpForwarding: Controls whether TCP forwarding is permitted. Disabling it can enhance security, especially on a public-facing server.

AllowTcpForwarding no

• X11Forwarding: Controls whether X11 forwarding is permitted. If you're not using GUI applications over SSH, it's safer to disable this.

X11Forwarding no

Backing Up Your sshd_config File

Before making any changes, it's a good practice to back up the existing sshd_config file. This way, if anything goes wrong, you can easily restore the original settings.

1. Backup the File: Create a backup of the sshd_config file by copying it:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

2. Restore the Backup: If you need to revert to the original settings, restore the backup:

sudo mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config

3. Restart SSH: After restoring the backup, restart the SSH service to apply the original settings:

sudo systemctl restart ssh

Default ## sshd_config File Example

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf  
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY yes
# ForceCommand cvs server

Conclusion

The sshd_config file on your Raspberry Pi is a powerful tool for managing and securing SSH access. By understanding and customizing this file, you can enhance the security of your Raspberry Pi, limit access to authorized users, and tailor the SSH experience to your needs. Whether you're running your Raspberry Pi as a headless server, a remote development environment, or for any other purpose, proper SSH configuration is essential for protecting your system.