A tool for manipulating an sshd_config file.

Requires golang 1.11+. Build with:

    make build
Usage:

    Usage: sshd-config <command> [<key>] [<value>] [--filename=<filename>]
           sshd-config -h | --help
           sshd-config --version

    Options:
      -h --help              Show this screen.
      --version              Show version.
      --filename=<filename>  The sshd_config file to modify [default: /etc/ssh/sshd_config]

    Commands:
      add    Add a value to a key
      get    Get a key's values
      lint   Lint a config against best practices
      set    Set a value on a key
      unset  Unset all instances of a key
Linting runs against the following rules:

- AcceptEnv
- HostKey
- ListenAddress
- Port

- AuthenticationMethods: publickey
- HostbasedAuthentication: no
- IgnoreRhosts: yes
- PasswordAuthentication: no
- PermitEmptyPasswords: no
- PermitRootLogin: no
- Protocol: 2
- PubkeyAuthentication: yes
- StrictModes: yes
- UsePrivilegeSeparation: yes

- HostKey: /etc/ssh/ssh_host_ed25519_key, /etc/ssh/ssh_host_rsa_key
- KexAlgorithms: [email protected], diffie-hellman-group-exchange-sha256
- Ciphers: [email protected], [email protected], [email protected], aes256-ctr, aes192-ctr, aes128-ctr
- MACs: [email protected], [email protected], [email protected], hmac-sha2-512, hmac-sha2-256, [email protected]

- AuthorizedKeysCommand
- AuthorizedKeysCommandRunAs

- AddressFamily: any, inet, inet6
- Compression: yes, no, delayed
- GatewayPorts: yes, no, clientspecified
- LogLevel: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
- PermitRootLogin: yes, no, forced-commands-only, without-password
- PermitTunnel: yes, no, ethernet, point-to-point
- Protocol: 1, 2, "1,2", "2,1"
- SyslogFacility: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
- Ciphers: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, cast128-cbc

- ClientAliveCountMax
- ClientAliveInterval
- KeyRegenerationInterval
- LoginGraceTime
- MaxAuthTries
- MaxSessions
- MaxStartups
- Port
- ServerKeyBits
- X11DisplayOffset

yes or no:

- AllowAgentForwarding
- AllowTcpForwarding
- ChallengeResponseAuthentication
- GSSAPICleanupCredentials
- GSSAPIKeyExchange
- GSSAPIStrictAcceptorCheck
- HostbasedAuthentication
- HostbasedUsesNameFromPacketOnly
- IgnoreRhosts
- IgnoreUserKnownHosts
- KerberosAuthentication
- KerberosGetAFSToken
- KerberosOrLocalPasswd
- KerberosTicketCleanup
- KerberosUseKuserok
- PasswordAuthentication
- PermitEmptyPasswords
- PermitUserEnvironment
- PrintLastLog
- PrintMotd
- PubkeyAuthentication
- RhostsRSAAuthentication
- RSAAuthentication
- ShowPatchLevel
- StrictModes
- TCPKeepAlive
- UseDNS
- UseLogin
- UsePAM
- UsePrivilegeSeparation
- X11Forwarding
- X11UseLocalhost
Any violation of the above rules results in the error being printed to stderr and a non-zero exit code.
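As an added example (not the tool's own code), the following Go linter checks an sshd_config against a subset of the rules above: fixed required values, keys limited to an allowed set (including the yes/no keys), and numeric keys. The `Lint` function, its rule tables and the sample input are constructed for this example; it also reports a required key that is absent, which the rule list itself does not spell out.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Rule tables for a subset of the README's lint rules (constructed example, not the tool's own code). Keys are lower-cased because sshd matches option names case-insensitively.
var required = map[string]string{ // key must carry exactly this value
	"permitrootlogin": "no", "passwordauthentication": "no",
	"permitemptypasswords": "no", "protocol": "2", "strictmodes": "yes",
}
var allowed = map[string]map[string]bool{ // key may only take one of these values
	"addressfamily": {"any": true, "inet": true, "inet6": true},
	"permittunnel":  {"yes": true, "no": true, "ethernet": true, "point-to-point": true},
	"x11forwarding": {"yes": true, "no": true}, "usedns": {"yes": true, "no": true},
}
var numeric = map[string]bool{"maxauthtries": true, "port": true, "logingracetime": true}
// Lint parses sshd_config text and returns one message per rule violation.
func Lint(cfg string) (out []string) {
	seen := map[string]bool{}
	for n, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' {
			continue
		}
		// sshd accepts "Key value" and "Key=value"; split on either. The padding makes a key with no value yield val == "" instead of an index panic.
		f := append(strings.FieldsFunc(line, func(r rune) bool { return r == ' ' || r == '\t' || r == '=' }), "", "")
		key, val := strings.ToLower(f[0]), f[1]
		seen[key] = true
		if want, ok := required[key]; ok && val != want {
			out = append(out, fmt.Sprintf("line %d: %s must be %s, got %q", n+1, f[0], want, val))
		}
		if vals, ok := allowed[key]; ok && !vals[val] {
			out = append(out, fmt.Sprintf("line %d: %s: %q is not an allowed value", n+1, f[0], val))
		}
		if _, err := strconv.Atoi(val); numeric[key] && err != nil {
			out = append(out, fmt.Sprintf("line %d: %s must be numeric, got %q", n+1, f[0], val))
		}
	}
	// An absent required key silently takes sshd's compiled-in default, so flag it too.
	for key, want := range required {
		if !seen[key] {
			out = append(out, fmt.Sprintf("%s is not set (must be %s)", key, want))
		}
	}
	return out
}
```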