SSH (Secure Shell) is the protocol used for remote login. SSH provides an encrypted, authenticated channel for accessing a remote machine: you can log in to a machine on the network and execute commands on it as if you were sitting at it. SSH has replaced telnet and other insecure remote shell protocols. With telnet, all data, including passwords, was sent in plain text; with SSH, only encrypted data is transferred over the network. This article covers some general options for configuring the SSH server.
The configuration file for the SSH daemon is "/etc/ssh/sshd_config". Like most configuration files, it is writable only by root. It contains keyword-argument pairs that control the behavior of the SSH daemon. An example of such a pair is "Port 2222" (explained later).
Here are some of the important options for SSH server.
Disable Direct Root Login
The PermitRootLogin keyword decides whether root is allowed to log in over SSH. The root user is allowed by default, so the default value is "yes". To disable root login, use 'PermitRootLogin no'.
Another value available for this keyword is "without-password", which still permits root to log in but disables password authentication for root.
With the ListenAddress keyword, you can specify the address on which your SSH server listens for connections. The default is to listen on all addresses available on your system, but you can restrict it to specific addresses.
The keyword "Port" specifies the port on which SSH connections are accepted. The default port for the SSH service is 22, but you can specify your own. For example:
Port 2222
The PasswordAuthentication option specifies whether authentication with passwords is allowed. The default is "yes".
PermitEmptyPasswords specifies whether users can log in to accounts with empty passwords. For this option to have any effect, PasswordAuthentication must be set to yes. The default is "no".
When a user logs in to a Linux system interactively, a message is printed after a successful login. This message comes from the "Message of the Day" file, "/etc/motd". PrintMotd specifies whether SSH should print "/etc/motd". The default is "yes".
Along with /etc/motd, the details (such as date and time) of the user's last login are also printed. The PrintLastLog option controls whether this message is printed. The default is "yes".
The list of users allowed to log in over SSH is given by the AllowUsers keyword. The usernames are separated by white space:
AllowUsers bob alice
By default, all users are allowed.
Users who may not log in through SSH are listed with DenyUsers.
If a username appears in both AllowUsers and DenyUsers, the order in which the two are read matters: DenyUsers is read before AllowUsers, so the user is denied.
To limit the maximum number of login attempts per connection, MaxAuthTries is used:
MaxAuthTries 3
This sets the maximum number of authentication attempts to 3. The default value is 6.
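The following script is an added example (not part of the original article) that ties the options above together: a small POSIX sh audit that reads an sshd_config file, reports the effective value of a keyword (first occurrence wins, as sshd does outside Match blocks), flags the weak settings discussed here (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, MaxAuthTries), and evaluates the DenyUsers-before-AllowUsers rule for a given user name. The config file it reads is constructed inline for the demonstration; the function names and the threshold of 3 for MaxAuthTries are this example's own choices. Match blocks and wildcard patterns in AllowUsers/DenyUsers are not handled.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the options discussed in the article.
# Everything below (sample config, function names, thresholds) is constructed
# for illustration and is not taken from any real system.

# sshd_get FILE KEYWORD DEFAULT
# Print the effective value of KEYWORD: keywords are matched case-insensitively,
# the first occurrence wins, and reading stops at the first Match block
# (a simplification: Match blocks are ignored here).
sshd_get() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        tolower($1) == "match"            { exit }   # stop at conditional blocks
        /^[[:space:]]*#/ || NF == 0       { next }   # skip comments and blank lines
        tolower($1) == tolower(k) {
            if (NF >= 2) { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print }
            exit                                     # first occurrence wins
        }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# ssh_user_allowed USER "ALLOWUSERS" "DENYUSERS"
# Mirrors the order described in the article: DenyUsers is consulted first,
# then AllowUsers. An empty AllowUsers means everyone not denied is allowed.
# Prints "allow" or "deny". Exact names only; patterns like user@host are not handled.
ssh_user_allowed() {
    user=$1; allow=$2; deny=$3
    for u in $deny; do
        [ "$u" = "$user" ] && { echo deny; return 0; }
    done
    [ -z "$allow" ] && { echo allow; return 0; }
    for u in $allow; do
        [ "$u" = "$user" ] && { echo allow; return 0; }
    done
    echo deny
}

# audit_sshd FILE
# Print one line per finding; the return value is the number of findings.
audit_sshd() {
    file=$1; n=0
    check() {   # check KEYWORD DEFAULT EXPECTED MESSAGE
        actual=$(sshd_get "$file" "$1" "$2")
        [ "$actual" = "$3" ] || { echo "$1 is '$actual': $4"; n=$((n + 1)); }
    }
    check PermitRootLogin       yes no "disable direct root login"
    check PasswordAuthentication yes no "prefer key-based authentication"
    check PermitEmptyPasswords  no  no "never accept empty passwords"
    tries=$(sshd_get "$file" MaxAuthTries 6)
    [ "$tries" -le 3 ] || { echo "MaxAuthTries is $tries: lower it (this example uses 3)"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample sshd_config: deliberately leaves several defaults in place
# so the audit has something to report.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config for the audit
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
PrintMotd no
AllowUsers bob alice
DenyUsers alice mallory
MaxAuthTries 6
Match User bob
    PasswordAuthentication no
EOF

# Stand-alone run: show the effective port and the allow/deny decisions,
# then list the findings.
echo "Port: $(sshd_get "$SAMPLE_CFG" Port 22)"
for u in bob alice carol; do
    echo "$u: $(ssh_user_allowed "$u" "$(sshd_get "$SAMPLE_CFG" AllowUsers '')" "$(sshd_get "$SAMPLE_CFG" DenyUsers '')")"
done
audit_sshd "$SAMPLE_CFG"; echo "findings: $?"
```

Run it as an ordinary shell script; point sshd_get and audit_sshd at /etc/ssh/sshd_config to check a real file. Because alice appears in both lists, the DenyUsers-first ordering denies her even though she is also in AllowUsers, and carol is denied simply because AllowUsers is set and does not name her.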