The most direct way to verify your SSH server configuration is to examine the configuration file itself:
# Check the main configuration file
sudo cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"
# Verify specific settings
sudo grep -E "AllowUsers|PasswordAuthentication|PermitRootLogin" /etc/ssh/sshd_config
OpenSSH provides a test mode that validates your configuration without restarting the service:
# Test configuration syntax
sudo sshd -t
# Check what settings would be applied (including defaults)
sudo sshd -T | grep -E "allowusers|passwordauthentication|permitrootlogin"
To see what settings are actually in effect (including defaults):
# Method 1: Using -T flag
sudo sshd -T | sort
# Method 2: Check running parameters
ps aux | grep sshd
For regular checks, consider creating a verification script:
#!/bin/bash
CONFIG_FILE="/etc/ssh/sshd_config"
REQUIRED_SETTINGS=(
"AllowUsers user1 user2"
"PasswordAuthentication no"
"PermitRootLogin no"
)
validate_config() {
local setting
for setting in "${REQUIRED_SETTINGS[@]}"; do
if ! grep -q "^${setting}" "${CONFIG_FILE}"; then
echo "Missing or incorrect setting: ${setting}"
return 1
fi
done
return 0
}
if validate_config; then
echo "SSHD configuration validated successfully"
exit 0
else
echo "SSHD configuration validation failed"
exit 1
fi
You can test how the server responds to connection attempts:
# Test connection as allowed user
ssh -v user1@localhost
# Test rejected connection (should fail)
ssh root@localhost
After verifying changes, apply them without full service restart:
sudo systemctl reload sshd
# OR on older systems
sudo service ssh reload
The most straightforward way to verify your SSH daemon configuration is by examining the sshd_config file. On most Linux systems, this file is located at /etc/ssh/sshd_config.
You can use grep to check specific settings:
grep -E "AllowUsers|PasswordAuthentication|PermitRootLogin" /etc/ssh/sshd_config
For a more comprehensive check, you might want to:
sudo cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"
SSHd provides a test mode that checks the configuration file syntax without applying changes:
sudo sshd -t
If there are no syntax errors, this command will return nothing. Any configuration errors will be displayed.
Sometimes the running SSH daemon might have different settings than the configuration file. To check the currently active configuration:
sudo sshd -T
This will output all the currently active configuration parameters. You can then grep for specific settings:
sudo sshd -T | grep -E "allowusers|passwordauthentication|permitrootlogin"
Note that parameter names in the output are lowercase, unlike in the configuration file.
For regular checks or compliance auditing, you might want to create a simple script:
#!/bin/bash
CONFIG_FILE="/etc/ssh/sshd_config"
REQUIRED_SETTINGS=(
"AllowUsers user1 user2"
"PasswordAuthentication no"
"PermitRootLogin no"
)
for setting in "${REQUIRED_SETTINGS[@]}"; do
if ! grep -q "^${setting}" "${CONFIG_FILE}"; then
echo "Configuration mismatch: ${setting}"
exit 1
fi
done
echo "All SSHd configurations verified successfully"
exit 0
You can also verify some settings by attempting to connect with different parameters:
# Test PasswordAuthentication
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
# Test Root login
ssh root@host
These should fail if your configuration is correct.
If you're using configuration management tools like Ansible, you can create verification tasks:
- name: Verify SSHd configuration
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^{{ item.regex }}"
line: "{{ item.line }}"
loop:
- { regex: '^AllowUsers', line: 'AllowUsers user1 user2' }
- { regex: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
- { regex: '^PermitRootLogin', line: 'PermitRootLogin no' }