OpenSSH Hardening Generator

Generate a production-ready, hardened sshd_config with security explanations for every directive

Security profile

Operating System

OpenSSH Version

Authentication & access

Listen Port

AllowUsers (space-separated, blank = all)

AllowGroups (space-separated, blank = all)

MaxAuthTries

Disable root login (PermitRootLogin no)

Disable password authentication (key-only)

Enable keyboard-interactive for MFA (PAM-based)

Disable all forwarding (TCP, X11, agent, tunnel)

Show login warning banner (/etc/ssh/banner)

Add SFTP-only group (chroot jailed)

Excellent hardening

All critical security directives are configured properly.

Generated `sshd_config`

Pre-flight checklist — test before restarting sshd

Validate syntax: sudo sshd -t — must print no errors

Keep your current SSH session open while testing

Open a second terminal and test: ssh -v your-server

If using AllowUsers/AllowGroups, verify your user is listed

If disabling password auth, ensure your public key is in ~/.ssh/authorized_keys

Restart: sudo systemctl restart sshd (keep old session open!)

Only close old session after new connection succeeds

See how OnePAM automates this

Never expose SSH ports again — OnePAM's Zero Trust platform handles identity-based authentication, session recording, and hardening with zero server-side configuration.

Start Free Trial

OpenSSH Hardening Generator

Security profile

Modern

Intermediate

Legacy-compatible

Authentication & access

Excellent hardening

Generated `sshd_config`

Pre-flight checklist — test before restarting sshd

See how OnePAM automates this

OpenSSH Hardening Generator

Security profile

Modern

Intermediate

Legacy-compatible

Authentication & access

Excellent hardening

Generated sshd_config

Pre-flight checklist — test before restarting sshd

See how OnePAM automates this

Generated `sshd_config`