41

How I can verify the configuration of sshd?

For example, I want to make sure that these settings are set and applied:

AllowUsers user1 user2 
PasswordAuthentication no
PermitRootLogin no

Is the only way manually verifying the contents of the file sshd_config, or can I probe sshd to make sure?

Josip Rodin
  • 1,695
  • 13
  • 18
JuanPablo
  • 913
  • 3
  • 10
  • 21
  • 2
    What do you mean by verify? Are you asking how to be sure that a config change you made is valid? Are you asking if there is some tool like [lint](http://goo.gl/SveU) that will check for a valid config? – Zoredache May 18 '12 at 18:59
  • 3
    I don't think the question is unclear : there is just actualy no way to check what value is for a config option. If you see ```#UseLogin no``` in you ssd_config file, it means UseLogin is yes or UseLogin is no ? You have so to refer to the manual to find the default value, which can have been changed during the compilation. So far from an useless question... – Xorax Apr 15 '16 at 20:02

5 Answers5

46

There is an extended test mode, invoked with the command line option -T, which does this. For example:

% sudo sshd -T | egrep -i 'allowusers|passwordauth|permitroot'
permitrootlogin yes
passwordauthentication yes

The option has existed in Portable OpenSSH since 2008, cf. commit e7140f2. This was released with 5.1p1, made in July 2008, cf. release notes for 5.1, so it exists in pretty much all OpenSSH server installations supported today.

Josip Rodin
  • 1,695
  • 13
  • 18
  • 3
    Note however that this will show default settings + settings from the `/etc/ssh/sshd_config` file. The settings from the file might not actually be active yet, until `sshd` has reloaded them with something like `/etc/init.d/ssh reload` or the equivalent on your system. – mivk Oct 30 '16 at 18:01
  • 3
    @mivk good point, but that is pretty much par for the course, because it's typical that we use these kinds of commands exactly after making changes, but before actually applying them, because we want to verify what's going to happen. For example, `apache2ctl -S` behaves the same way. – Josip Rodin Oct 30 '16 at 18:24
  • 3
    You need to use `sshd -T -C user=user1` to show the effective config for user1, and repeat for `user2`, and repeat for something different too, e.g. `user=nobody` to test your configuration because of the `Match` rules. – artfulrobot Mar 13 '23 at 11:00
9

sshd's configuration is typically found in the following file: /etc/ssh/sshd_config.

To query the runtime configuration, you can use extended test mode sshd -T which also allows you to test client matching of settings.

chloesoe
  • 335
  • 2
  • 17
gparent
  • 3,601
  • 2
  • 24
  • 28
  • 1
    I don't think this answers the question he is asking, but his question isn't entirely clear. – Zoredache May 18 '12 at 18:59
  • 1
    Looks like he's asking how to verify the configuration. As far as I'm aware, there is no way to query sshd's configuration at runtime. Thus, the configuration can only be found in the file I mentioned. – gparent May 18 '12 at 19:18
  • Like you said, the question makes no sense so I figured maybe the OP didn't know where the file was or its exact name. – gparent May 18 '12 at 19:18
  • If you're going to downvote me for absolutely no valid reason after 4 years, use your common sense and check the question history, then suggest an edit. – gparent May 02 '16 at 18:26
  • @gparent the original question was somewhat vague, and had a typo in the config file path, so you should have used the edit function to fix that string in the question instead; and either way, the answer for the verification question is now shown above – Josip Rodin May 31 '16 at 14:59
  • The original question having a typo in the configuration is precisely why my answer is the way it is. It correctly answers the original question by providing the correct path. Four years later, someone edited the question and made it different (and sufficiently clear to be answered). Instead of downvoting outdated correct answers, people should pay attention and submit improvements that highlight and fix what is now wrong with them. Following your comment, I've edited my answer. – gparent May 31 '16 at 17:01
  • I thought it was clear enough, but I agree with you insofar as it is apparent that back then only 2 out of 4 people who responded figured out that intent. – Josip Rodin Jun 01 '16 at 08:47
4

While this won't dump all your server definitions, you can try connecting to the server with a verbose debug flag: ssh -v user@server. That will give you a lot of information that will reflect the options enabled in sshd configuration.

For example, take a look on the output of this connection with the -v switch (key signatures, domain and IP addresses purposely disguised):

OpenSSH_6.0p1, OpenSSL 0.9.8w 23 Apr 2012
debug1: Reading configuration data /home/claudio/.ssh/config
debug1: /home/claudio/.ssh/config line 13: Applying options for serv01
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to somedomain.com [185.113.29.221] port 22.
debug1: Connection established.
debug1: identity file /home/claudio/.ssh/id_dsa type 2
debug1: identity file /home/claudio/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
debug1: match: OpenSSH_5.9 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 3a:0d:b8:18:ca:67:4c:54:0f:c8:b2:1e:48:53:69:28
debug1: Host '[somedomain.com]:22' is known and matches the ECDSA host key.
debug1: Found key in /home/claudio/.ssh/known_hosts:7
Warning: Permanently added the ECDSA host key for IP address '[185.113.29.221]:22' to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/claudio/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
Authenticated to somedomain.com ([185.113.29.221]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

From that you can see the allowed authentication methods are: publickey,password,keyboard-interactive. You can also see that roaming is not allowed by this server, and that user claudio could connect using his public key.

You can increase the level of information output specifying more "v" letters, but then you may get way more low level information than you probably want.

Claudio
  • 159
  • 6
4

The problem with looking at the /etc/ssh/sshd_config file as suggested by other answers is that it does not necessarily contain the whole configuration. This file contains the values of any configuration variables you want to set to over-ride the defaults, and as shipped contains as comments the defaults that are built in to sshd.

If a custom configuration file is installed in place of the shipped version, you lose sight of the defaults that are compiled in to sshd, and if it is a custom build, the defaults may not match the comments in the sshd_config that are visible.

Additionally, it is perfectly possible to run sshd with an alternate config file with the -f option, so the one stored in /etc/ssh/sshd_config may not reflect the current settings.

This makes the question quite valid, and as far as I know, unable to be answered with any certainty.

Peter Gathercole
  • 49
  • 2
  • All of that is true, but it doesn't apply to the 99% of servers that will run sshd installed from a package that has the default configuration compiled in. – Andrew Schulman Oct 03 '14 at 13:44
  • Your answer is useful, but the question is indeed possible to be answered with certainty, has been for quite a while now, please see my answer below. – Josip Rodin Apr 29 '16 at 14:14
3

there is no known way of querying the config of a running sshd instance, i think, if you are referring the openssh server. depending on what you want to do, you could use the -t flag to test a configuration file to make sure that it is valid before restarting the server, so that you don't get kicked out, esp. if you do not have any out-of-band access to the server.

johnshen64
  • 5,865
  • 24
  • 17