OpenSSH Server Admin Cheat Sheet

SSH•Permalink

sshd administration, config validation, systemd control, logging, hardening, authorized keys, and certificates.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

## sshd Basics

Test sshd configuration

↗#

sshd -t

# Validate sshd_config syntax before restart.

Print effective sshd config

↗#

sshd -T

# Dump effective server configuration values.

Test config for specific user/addr

↗#

sshd -T -C user=deploy,host=server.example.com,addr=203.0.113.10

# Evaluate Match blocks for a chosen user and source address.

Restart sshd with systemd

↗#

sudo systemctl restart sshd

# Restart the SSH daemon on systemd-based Linux hosts.

Show sshd status

↗#

sudo systemctl status sshd

# Inspect the daemon status on systemd-based hosts.

View sshd logs

↗#

sudo journalctl -u sshd -f

# Follow SSH daemon logs via journald.

Run sshd in debug foreground mode

↗#

sudo /usr/sbin/sshd -D -d -p 2222

# Start a test daemon without detaching, useful for troubleshooting.

## sshd_config Patterns

Disable password authentication

↗#

PasswordAuthentication no

# Require key-based authentication on the server.

Allow only specific users

↗#

AllowUsers deploy ops

# Restrict which user accounts may log in.

Allow only specific groups

↗#

AllowGroups sshusers admins

# Restrict logins to group members.

Enable public key auth explicitly

↗#

PubkeyAuthentication yes

# Ensure public key authentication is on.

Customize AuthorizedKeysFile

↗#

AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# Point to one or more authorized_keys paths.

Disable keyboard-interactive auth

↗#

KbdInteractiveAuthentication no

# Turn off interactive password-style auth methods.

Configure client alive probes

↗#

ClientAliveInterval 60
ClientAliveCountMax 3

# Drop dead sessions after missed keepalive responses.

Match block by group

↗#

Match Group sftpusers
  ChrootDirectory /srv/sftp/%u
  ForceCommand internal-sftp
  X11Forwarding no
  AllowTcpForwarding no

# Apply options only to members of a specific group.

## Server Keys and Certificates

Generate a host Ed25519 key

↗#

sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

# Create an Ed25519 host key for sshd.

Generate a user CA key

↗#

ssh-keygen -t ed25519 -f ~/.ssh/ca_user -C 'user CA'

# Create a key pair for signing user certificates.

Sign a user public key

↗#

ssh-keygen -s ~/.ssh/ca_user -I alice@example.com -n alice -V +52w ~/.ssh/id_ed25519.pub

# Create a short-lived user certificate from a CA.

Trust a user CA in sshd_config

↗#

TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys.pub

# Allow user certificates signed by a trusted CA.

Trust a host CA in known_hosts

↗#

@cert-authority *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...

# Trust host certificates signed by a CA.

More in SSH

SSH Tunnels and Forwarding Cheat Sheet

Local, remote, and dynamic SSH forwarding with practical database, web, and bastion tunnel recipes.

SCP and SFTP Cheat Sheet

SSH-based file transfer with scp and sftp, including recursive copies, jump hosts, interactive commands, and batch mode.

SSH Keys and Agent Cheat Sheet

SSH key generation, authorized_keys management, ssh-keyscan, host keys, ssh-agent, ssh-add, and certificate basics.

SSH Config Cheat Sheet

Client-side SSH configuration examples for aliases, defaults, patterns, includes, ProxyJump, multiplexing, and effective config inspection.

SSH Cheat Sheet

Comprehensive SSH client commands for login, remote execution, auth, multiplexing, jump hosts, and practical options.

Recommended next

No recommendations yet.

Browse all sheets →