# sshd

**sshd** is the OpenSSH implementation of an SSH server.

Debian: `openssh-server`

# Configuration

Done through `/etc/ssh/sshd_config` or drop-ins at `/etc/ssh/sshd_config.d/`. Debian's stock `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, so drop-in file names must end in `.conf` and their contents are read before the rest of the main file. For most keywords sshd keeps the first value it reads: a drop-in therefore overrides the main file, and among drop-ins the one that sorts first wins.

Test your config with `sshd -t`. `sshd -T` prints the effective configuration after all includes and defaults have been applied, which is the quickest way to confirm which value actually won.

# Restrict allowed users

Use `AllowUsers user1 user2` to restrict SSH access to certain users. This works as an allowlist: once `AllowUsers` is set, any user not matching one of the patterns is refused. Match groups with `AllowGroups group1`. sshd evaluates `DenyUsers`, `AllowUsers`, `DenyGroups` and `AllowGroups` in that order.

# Enforce publickey auth

Add this to your sshd_config or a drop-in config file in `/etc/ssh/sshd_config.d/`:

```
PasswordAuthentication no
AuthenticationMethods publickey
```

`AuthenticationMethods` lists the methods a client must complete. With only `publickey` listed, sshd refuses password and keyboard-interactive logins even if those methods are still enabled elsewhere in the config. Verify a key-based login from a second session before closing the one you are editing from.

# 2FA authentication with TOTP

This adds a second factor to your SSH login on top of keypair auth.

First, install `libpam-google-authenticator`, which provides TOTP support for PAM. Edit `/etc/ssh/sshd_config` (or a drop-in) and add/modify the following lines:

```
UsePAM yes
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
```

`ChallengeResponseAuthentication` has been a deprecated alias for `KbdInteractiveAuthentication` since OpenSSH 8.7; setting both is harmless and keeps the config working on older servers. The comma in `AuthenticationMethods` means both methods are required, in that order: the key is checked first, then PAM prompts for the code.

## Debian

In your `/etc/pam.d/sshd`, comment out `@include common-auth` and add a line below it:

```
auth required pam_google_authenticator.so
```

This disables regular password auth inside PAM (keypair auth is already required) and enables TOTP authentication. Each user has to run `google-authenticator` once to create `~/.google_authenticator`; `pam_google_authenticator` rejects users without that file unless you append `nullok` to the module line. Keep an existing session open until you have verified that a fresh login works.

See also https://wiki.archlinux.org/title/OpenSSH#Authentication_providers

# Rate limiting

You can rate limit IPs with failed authentication attempts using the `PerSourcePenalties` option. It requires OpenSSH 9.8 or newer; older versions reject the keyword and `sshd -t` fails. Example config:

```
PerSourcePenalties crash:90 authfail:5 noauth:1 grace-exceeded:20 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive
```

These values are the documented defaults, so this line only makes them explicit. Each failed authentication adds 5 seconds of penalty for the source address, a connection that disconnects without attempting authentication adds 1 second, a connection that exceeds `LoginGraceTime` adds 20 seconds, and a connection that crashes sshd adds 90 seconds. Penalties below 15 seconds are not enforced, accumulated penalties are capped at 600 seconds, and while a penalty is active sshd refuses new connections from that address. Addresses that must never be penalized (monitoring, jump hosts) can be listed in `PerSourcePenaltyExemptList`.

See https://man.openbsd.org/sshd_config.5#PerSourcePenalties for the full config.
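The Configuration, publickey and TOTP sections above describe one procedure: write a drop-in, patch PAM on Debian, and validate with `sshd -t` without locking yourself out. The script below is an added example and not code from the original page or from OpenSSH; it ties those steps together. The group name `ssh-users`, the drop-in name `40-hardening.conf` and the `ROOT` path prefix (which lets the functions be exercised against a scratch directory instead of the live system) are assumptions. It deliberately leaves `PerSourcePenalties` out of the drop-in, because on OpenSSH older than 9.8 that keyword would make `sshd -t` reject the whole file.

```sh
#!/bin/sh
# Added example, not part of the original page. Installs a hardening drop-in
# for sshd (publickey + TOTP, group allowlist), patches Debian's PAM stack,
# validates with `sshd -t`, and rolls back if sshd rejects the config.
# ROOT is a hypothetical path prefix for testing; on a real host it is empty.
set -eu

# Keywords the drop-in sets. sshd keeps the first value it reads, so a
# drop-in that sorts before ours and sets one of these silently wins.
KEYWORDS="AllowGroups PasswordAuthentication KbdInteractiveAuthentication AuthenticationMethods"

# Render the drop-in for a login group (the name "ssh-users" is an assumption).
render_dropin() {
  group=${1:-ssh-users}
  cat <<EOF
# Installed by harden-sshd.sh. First value wins: keep this file's name
# sorting before any drop-in you do not want to override it.
AllowGroups $group
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
# ChallengeResponseAuthentication is a deprecated alias for
# KbdInteractiveAuthentication since OpenSSH 8.7; both set keeps old servers working.
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
EOF
}

# Return 1 (after a warning) if a drop-in sorting before ours sets a keyword
# we rely on. $1 = drop-in directory, $2 = path of our drop-in.
check_shadowing() {
  dir=$1; ours=$(basename "$2"); rc=0
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    [ "$(expr "$name" \< "$ours")" = 1 ] || continue
    for kw in $KEYWORDS; do
      if grep -Eiq "^[[:space:]]*$kw[[:space:]]" "$f"; then
        echo "warning: $f sets $kw and sorts before $ours; its value wins" >&2
        rc=1
      fi
    done
  done
  return $rc
}

# Debian only: stop PAM from asking for the account password and require a
# TOTP code instead. $1 = path to pam.d/sshd. Idempotent.
patch_pam_sshd() {
  pam=$1
  if grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam"; then
    return 0
  fi
  tmp=$(mktemp)
  awk '/^@include common-auth$/ { print "#" $0
                                  print "auth required pam_google_authenticator.so"
                                  next }
       { print }' "$pam" > "$tmp"
  if ! grep -q 'pam_google_authenticator' "$tmp"; then
    rm -f "$tmp"
    echo "error: no '@include common-auth' line in $pam; not a Debian PAM stack?" >&2
    return 1
  fi
  cat "$tmp" > "$pam"   # keeps the original file's owner and mode
  rm -f "$tmp"
}

# Write the drop-in, run `sshd -t` against the live config tree, and roll
# back if sshd rejects it. $1 = ROOT prefix ("" on a real host), $2 = group.
install_dropin() {
  root=${1:-}; group=${2:-ssh-users}
  dir="$root/etc/ssh/sshd_config.d"
  target="$dir/40-hardening.conf"
  mkdir -p "$dir"
  check_shadowing "$dir" "$target" || true   # warn only
  [ -f "$target" ] && cp -p "$target" "$target.bak"
  render_dropin "$group" > "$target.tmp"
  chmod 0644 "$target.tmp"
  mv "$target.tmp" "$target"   # .tmp and .bak never match *.conf, so they are inert
  if [ -z "$root" ] && command -v sshd >/dev/null 2>&1; then
    if ! sshd -t; then
      echo "sshd -t rejected the new configuration; rolling back" >&2
      rm -f "$target"
      [ -f "$target.bak" ] && mv "$target.bak" "$target"
      return 1
    fi
  fi
  rm -f "$target.bak"
}

# Usage on a Debian host, as root: sh harden-sshd.sh apply ssh-users
case "${1:-}" in
  apply)
    install_dropin "" "${2:-ssh-users}"
    patch_pam_sshd /etc/pam.d/sshd
    echo "done; keep this session open and test a fresh login before logging out"
    ;;
esac
```

The rollback only covers what `sshd -t` can detect (unknown keywords, bad values). It cannot tell you that the group in `AllowGroups` does not contain your own account or that your key is missing from `authorized_keys`, which is why the script ends by telling you to test a new login while the current session is still open.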