16.4. Configure the /etc/ssh2/sshd2_config file

The configuration file for sshd2 /etc/ssh2/sshd2_config allows you to set options that modify the operation of the daemon. The files contain keyword-value pairs, one per line, with keywords being case insensitive. Here are the more important keywords; a complete listing is available in the man page for sshd2(8).

Edit the sshd2_config file (vi /etc/ssh2/sshs2_config and add or change, if necessary:

         # sshd2_config
         # SSH 2.0 Server Configuration File

         *:Port	                                22
         Ciphers	                        blowfish
         IdentityFile	                        identification
         AuthorizationFile	                authorization
         HostKeyFile                     	hostkey
         PublicHostKeyFile	                hostkey.pub
         RandomSeedFile	                        random_seed
         ForwardAgent	                        no
         ForwardX11	                        no
         PasswordGuesses	                3
         MaxConnections	                        5 
         PermitRootLogin	                no
         AllowedAuthentications	                publickey,password
         RequiredAuthentications	        publickey,password
         VerboseMode	                        no
         PrintMotd	                        yes
         CheckMail	                        yes
         UserConfigDirectory	                "%D/.ssh2"
         SyslogFacility                  	DAEMON
         Ssh1Compatibility               	no
         NoDelay                         	yes
         KeepAlive                       	yes
         UserKnownHosts	                        yes
         DenyHosts	                        *
         QuietMode                       	no

         # subsystem definitions

         subsystem-sftp                  	sftp-server
This tells sshd2_config file to set itself up for this particular configuration setup with:

Port 22

The option Port specifies which port number the ssh2 daemon listens to for ssh incoming connection. The default port is 22.


The option ListenAddress specifies the IP address of the interface network on which the ssh2 daemon server socket is bound. The default is; to improve security you may specify only the required ones to limit possible addresses.

Ciphers blowfish

The option Ciphers specifies what cipher should be used for encrypting sessions. The blowfish uses 64-bit blocks and keys of up to 448 bits.

IdentityFile identification

The option IdentityFile specifies an alternate name for the user's identification file.

AuthorizationFile authorization

The option AuthorizationFile specifies an alternate name for the user's authorization file.

HostKeyFile hostkey

The option HostKeyFile specifies an alternate file containing the private host key. The default is /etc/ssh2/hostkey.

PublicHostKeyFile hostkey.pub

The option PublicHostKeyFile specifies an alternate file containing the public host key. The default is /etc/ssh2/hostkey.pub.

RandomSeedFile random_seed

The option RandomSeedFile specifies an alternate name for the user's random seed file.

ForwardAgent no

The option ForwardAgent specifies which connection authentication agent if any should be forwarded to the remote machine.

ForwardX11 no

The option ForwardX11 is for people that use the Xwindow GUI and want to automatically redirect X11 sessions to the remote machine. Since we set up a server and don't have a GUI installed on it, we can safely turn this option off.

PasswordGuesses 3

The option PasswordGuesses specifies how many tries the user has when using password authentication.

MaxConnections 5

The option MaxConnections specifies what the maximum number of connections that ssh2 daemon will handle simultaneously is.

PermitRootLogin no

The option PermitRootLogin specifies whether root can log in using ssh. Never say, yes to this option.

AllowedAuthentications publickey,password

The option AllowedAuthentications specifies which authentication methods are allowed to be used. With this option the administrator can force users to complete several authentications before they are considered authenticated.

RequiredAuthentications publickey,password

The option RequiredAuthentications related to AllowedAuthentications, specifies which authentication methods the users must complete before continuing. This parameter must be the same as for the AllowedAuthentications option or the server will denies connection every time.

VerboseMode no

The option VerboseMode instructs the ssh2 daemon to print debugging messages about its progress. This option is helpful in debugging connection, authentication, and configuration problems.

PrintMotd yes

The option PrintMotd specifies whether the ssh2 daemon should print the content of the /etc/motd file when a user logs in interactively. The /etc/motd file is also know as the message of the day.

CheckMail yes

The option CheckMail specifies whether the ssh2 daemon should print information about new mail you may have.

UserConfigDirectory "%D/.ssh2"

The option UserConfigDirectory specifies the default location for user-specific configuration data.

SyslogFacility DAEMON

The option SyslogFacility specifies the facility code used when logging messages from the ssh2 daemon. The facility specifies the subsystem that produced the message, in our case DAEMON.

Ssh1Compatibility no

The option Ssh1Compatibility specifies whether or not to use SSH1 compatibility code with SSH2 for ssh1 users.

NoDelay yes

The option NoDelay specifies if the socket option TCP_NODELAY should be enabled. It is recommended that you set this option to yes to improve network performance.

KeepAlive yes

The option KeepAlive specifies whether the system should send keep alive messages to the remote server. If set to yes then the death of the connection or crash of remote machines will be properly noticed.

UserKnownHosts yes

The option UserKnownHosts specifies whether the default user's home directory $HOME/.ssh2/knownhosts/ can be used to get hosts public keys when using hostbased-authentication.


The option AllowHosts specifies and control which hosts can access ssh2 services. Multiple hosts can be specified separated by spaces.

DenyHosts *

The option DenyHosts specifies and controls which hosts cannot access ssh2 services. Multiple hosts can be specified separated by spaces. The default pattern * mean all hosts.

QuietMode no

The option QuietMode specifies whether the system runs in quiet mode. This option must be set to no, because in quiet mode nothing is logged in the system log except for fatal errors. Since we want to have information about user sessions it is preferable to disable this option.