I was updating my Ubuntu course from 18.04 to version 20.04 and found an intriguing new line in
Looking at the man page for sshd_config, the SSH daemon, on starting, will now look for configuration settings in
/etc/ssh/sshd_config.d/. The files should have any name ending in
.conf. A possible name would be
Why would I want to create a new, external file, instead of just editing the
sshd_config file as I’ve always done?
From doing a quick search on the Internet regarding securing SSH, it looks like that’s exactly what most people are doing.
This new system introduces an opportunity though.
It follows the format for systemd unit files. I can now put my settings in a file in
/etc/ssh/sshd_config.d/ and they’ll persist even if
/etc/ssh/sshd_config is overwritten as part of an upgrade to the OpenSSH version running on my server.
It will also supersede settings in the
/etc/ssh/sshd_config file. For environments where a lot of people may be managing systems, it’s nice to know that someone tweaking a file in the wrong way will not compromise critical security settings for your SSH service.
So, how does it work?
/etc/ssh/sshd_config.d/ directory, create a new file. I’m naming mine
10-my-sshd-stuff.conf. You’ll have to do this with
sudo vim /etc/ssh/sshd_config.d/10-my-sshd-stuff.conf
Inside that file, enter the keywords and arguments you want to change from default, or ensure are explicitly addressed. Note that keywords are case-insensitive and arguments are case-sensitive.
There are some configuration changes I pretty much always make for any publicly exposed server I’ll put inside the file.
- DebianBanner no
- DisableForwarding yes
- PermitRootLogin no
- IgnoreRhosts yes
- PasswordAuthentication no
- PermitEmptyPasswords no
Caution! Be sure you have key based authentication set up and working before you set
Be sure you understand the implications of the settings before applying them. Most are fairly innocuous, but setting
no will lock you out of a remote system if you restart SSH and log out before testing. You’ll have to get back in through a console, then set up key based authentication.
You can find my tutorial on setting up key based authentication here.
Once you’re sure key based authentication is working, and your configuration file is the way you want it, restart SSH to make the settings take effect. There are a few ways you could accomplish this, but here’s one:
sudo service ssh reload
Reloading should not kill your active setting in case you’re in remotely and want to test with another connection before logging off.
Thats it! Now you can manage all your SSH settings in one file and they won’t be clobbered when OpenSSH is updated.