OpenSSH Hardening Generator

Generate a production-ready, hardened sshd_config with security explanations for every directive

Security profile

Operating System

OpenSSH Version

Authentication & access

Listen Port

AllowUsers (space-separated, blank = all)

AllowGroups (space-separated, blank = all)

MaxAuthTries

Disable root login (PermitRootLogin no)

Disable password authentication (key-only)

Enable keyboard-interactive for MFA (PAM-based)

Disable all forwarding (TCP, X11, agent, tunnel)

Show login warning banner (/etc/ssh/banner)

Add SFTP-only group (chroot jailed)

Excellent hardening

All critical security directives are configured properly.

Generated `sshd_config`

Pre-flight checklist — test before restarting sshd

Validate syntax: sudo sshd -t — must print no errors

Keep your current SSH session open while testing

Open a second terminal and test: ssh -v your-server

If using AllowUsers/AllowGroups, verify your user is listed

If disabling password auth, ensure your public key is in ~/.ssh/authorized_keys

Restart: sudo systemctl restart sshd (keep old session open!)

Only close old session after new connection succeeds

Never expose SSH ports again

With OnePAM, your servers don't need inbound SSH ports at all. Access flows through OnePAM's Zero Trust platform with identity-based authentication and session recording.

Start Free Trial

OpenSSH Hardening Generator

Security profile

Modern

Intermediate

Legacy-compatible

Authentication & access

Excellent hardening

Generated `sshd_config`

Pre-flight checklist — test before restarting sshd

Never expose SSH ports again

OpenSSH Hardening Generator

Security profile

Modern

Intermediate

Legacy-compatible

Authentication & access

Excellent hardening

Generated sshd_config

Pre-flight checklist — test before restarting sshd

Never expose SSH ports again

Generated `sshd_config`