OpenSSH Server Admin Cheat Sheet

sshd administration, config validation, systemd control, logging, hardening, authorized keys, and certificates.


sshd Basics

Test, inspect, and manage the OpenSSH server.

Test sshd configuration

Validate sshd_config syntax before restart.

bash
sshd -t

Print effective sshd config

Dump effective server configuration values.

bash
sshd -T

Test config for specific user/addr

Evaluate Match blocks for a chosen user and source address.

bash
sshd -T -C user=deploy,host=server.example.com,addr=203.0.113.10

Restart sshd with systemd

Restart the SSH daemon on systemd-based Linux hosts.

bash
sudo systemctl restart sshd

Show sshd status

Inspect the daemon status on systemd-based hosts.

bash
sudo systemctl status sshd

View sshd logs

Follow SSH daemon logs via journald.

bash
sudo journalctl -u sshd -f

Run sshd in debug foreground mode

Start a test daemon without detaching, useful for troubleshooting.

bash
sudo /usr/sbin/sshd -D -d -p 2222

sshd_config Patterns

Common server hardening and auth settings.

Disable password authentication

Require key-based authentication on the server.

sshdconfig
PasswordAuthentication no

Disable direct root login

Prevent direct root SSH sessions.

sshdconfig
PermitRootLogin no

Allow only specific users

Restrict which user accounts may log in.

sshdconfig
AllowUsers deploy ops

Allow only specific groups

Restrict logins to group members.

sshdconfig
AllowGroups sshusers admins

Enable public key auth explicitly

Ensure public key authentication is on.

sshdconfig
PubkeyAuthentication yes

Customize AuthorizedKeysFile

Point to one or more authorized_keys paths.

sshdconfig
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

Disable keyboard-interactive auth

Turn off interactive password-style auth methods.

sshdconfig
KbdInteractiveAuthentication no

Configure client alive probes

Drop dead sessions after missed keepalive responses.

sshdconfig
ClientAliveInterval 60
ClientAliveCountMax 3

Match block by group

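Apply options only to members of a specific group. Here members of sftpusers are confined to an SFTP-only chroot with X11 and TCP forwarding disabled. sshd requires every component of the ChrootDirectory path to be owned by root and not writable by any other user or group.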

sshdconfig
Match Group sftpusers
  ChrootDirectory /srv/sftp/%u
  ForceCommand internal-sftp
  X11Forwarding no
  AllowTcpForwarding no
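
The directives in this section can be checked against the effective configuration that sshd -T prints. The script below is an added example, not part of the original sheet; the function name audit_sshd_config, the EXPECTED list and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `sshd -T` output (lowercase "keyword value" lines)
# with the directives on this sheet. Assumes an OpenSSH release that reports
# kbdinteractiveauthentication under that name.
EXPECTED='passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes'
EXPECTED="$EXPECTED kbdinteractiveauthentication=no clientaliveinterval=60 clientalivecountmax=3"

# Reads sshd -T style text on stdin; prints one FAIL line per deviation and
# returns 1 if any directive differs or is not reported, else 0.
audit_sshd_config() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            bad = 0
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        {
            key = tolower($1)
            if (!(key in want)) next
            seen[key] = 1
            if ($2 != want[key]) {
                printf "FAIL %s is %s, want %s\n", key, $2, want[key]; bad = 1
            }
        }
        END {
            for (key in want) if (!(key in seen)) {
                printf "FAIL %s not reported\n", key; bad = 1
            }
            exit bad
        }'
}

# Constructed sample outputs, not captured from a real host.
SAMPLE_HARDENED='passwordauthentication no
permitrootlogin no
pubkeyauthentication yes
kbdinteractiveauthentication no
clientaliveinterval 60
clientalivecountmax 3'
SAMPLE_WEAK='passwordauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes
clientaliveinterval 0
clientalivecountmax 3'

# On a live host: sudo sshd -T | audit_sshd_config
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_config || echo "deviations found"
```

To audit what a Match block yields for one connection, pipe the output of sshd -T -C with the user, host and addr values into the same function.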

Server Keys and Certificates

Host keys, CAs, and host certificates.

Generate a host Ed25519 key

Create an Ed25519 host key for sshd.

bash
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

Generate a user CA key

Create a key pair for signing user certificates.

bash
ssh-keygen -t ed25519 -f ~/.ssh/ca_user -C 'user CA'

Sign a user public key

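Sign a user public key with the CA to create a user certificate. -V +52w makes the certificate valid for 52 weeks; pass a shorter interval when the certificate should be short-lived.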

bash
ssh-keygen -s ~/.ssh/ca_user -I alice@example.com -n alice -V +52w ~/.ssh/id_ed25519.pub

Trust a user CA in sshd_config

Allow user certificates signed by a trusted CA.

sshdconfig
TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys.pub

Trust a host CA in known_hosts

Trust host certificates signed by a CA.

text
@cert-authority *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
