Skip to content 
A well thought out SSH configuration combines strong authentication, clear server rules, and convenient client workflows to create a secure, fast everyday environment for developers. I'll show you how I combine keys, sshd_config, MFA, monitoring, and convenience features to keep remote access secure and deployments running smoothly.
Key points
The following key aspects combine safety and comfort and form the central theme of this guide.
- key Instead of passwords and sensible agent use
- sshd_config Targeted hardening and activation of protocols
- MFA and IP blocking as a second layer of protection
- Client configuration for short commands and multiple keys
- tunneling, SFTP/SCP, and CI/CD integration
SSH keys instead of passwords: quick changeover with impact
I consistently replace passwords with key pairs, because it effectively defends against brute force attempts and dictionary attacks. The private key remains on my device, the public key is stored on the server in authorized_keys, and the login cryptographically proves ownership without transmitting the secret. For new pairs, I use ssh-keygen and rely on Ed25519 or sufficiently strong RSA lengths to ensure adequate key strength. I protect the private key with a passphrase and load it into an SSH agent so that I don't have to type it in every time I connect. This allows interactive logins, automations, and CI jobs to run securely and without unnecessary friction.
Hardening SSH servers: the crucial parameters in sshd_config
I put the sshd_config so that unnecessary vulnerabilities disappear and strong procedures are enforced. I deactivate PasswordAuthentication and PermitRootLogin, assign a clear access list via AllowUsers, and move the port to reduce trivial scans. I explicitly set modern cipher and MAC suites so that clients do not negotiate weaker algorithms. In addition, I limit authentication attempts and login time windows and keep sessions under control with ClientAlive parameters. For more in-depth information Linux hardening tips I supplement firewall rules, rate limiting, and clean packet maintenance.
MFA and additional protective layers
For administrative access, I add a second factor in addition, so that a compromised key alone is not sufficient. TOTP via a smartphone or security token supplements the proof of ownership and blocks unauthorized attempts. In OpenSSH, I combine publickey with keyboard-interactive, control this via the PAM module, and document the login neatly. In addition, I rely on Fail2ban or similar tools that count failed attempts and automatically block addresses for a period of time. This allows me to reduce the risk of successful attacks without slowing down my legitimate processes.
Logging and monitoring with a sense of proportion
I raise the LogLevel Set to VERBOSE so that login events are recorded with context and audits receive reliable traces. I forward the logs centrally to Syslog, Log Server, or SIEM so that I can recognize patterns and not just see individual cases. Alerts are triggered in the event of multiple failed attempts, unusual regions, or deviating times so that I can act promptly. Teams with multiple SSH users in particular benefit from clear logging because responsibilities and actions remain traceable. This keeps the environment transparent and allows me to respond more quickly to real incidents.
Convenience on the client: Make good use of ~/.ssh/config
I store recurring connection data in the SSH configuration fixed so that I can work with short host aliases and avoid errors caused by long commands. I assign user, port, host name, and identity file per alias so that staging or production can be accessed with a single word. I maintain separate keys for separate projects and integrate them via the appropriate host line. The agent loads the keys after the first passphrase entry, and the config automatically decides which key belongs where. This saves time, reduces errors, and allows me to stay focused in the console.
Port forwarding and tunneling in everyday life
With LocalForward, With RemoteForward and dynamic SOCKS tunnels, I can securely access internal services without opening ports publicly. This allows me to access databases, dashboards, or internal APIs in an encrypted, testable, and temporary manner. For debugging, a short tunnel is often sufficient for me, instead of building an additional VPN structure. I pay attention to clear time windows and log when tunnels touch productive systems. This way, I keep the attack surface small and still enable myself to perform quick analyses.
File transfer, Git, and CI/CD via SSH
For artifacts, logs, and backups, I use SFTP Interactive and SCP in scripts when speed is of the essence. In CI/CD pipelines, the runner connects to target systems via SSH, pulls repositories, implements migrations, and triggers rollouts. Tools such as Ansible or Fabric use SSH to execute commands remotely and securely and to synchronize files. For bot keys, I set restricted rights, limit commands, and block pseudo-TTY so that access is only suitable for the intended purpose. This guide provides me with a practical overview of the interlocking mechanisms. SSH, Git, and CI/CD, which I use as a checklist.
Fine-grained rights with authorized_keys
I check what a key I can do this directly in authorized_keys using options such as command=, from=, no-port-forwarding, no-agent-forwarding, or no-pty. This allows me to link automations to a predefined start command, restrict source IP spaces, or prohibit tunnels when they are not needed. This minimizes the consequences of key compromise because the key cannot be used freely interactively. I strictly separate project-related keys so that I can remove them specifically during offboarding. This approach creates clarity and reduces lateral movement in the event of an incident.
SSH and hosting selection: what I look for
When it comes to hosting offers, I first check the SSH access, support for multiple keys per project, and the availability of important CLI tools. Staging environments, cron, Git integration, and tunneled database access facilitate reliable workflows. For long-term projects, I need daily backups, scaling, and clear logging to ensure successful audits. An up-to-date overview of Providers with SSH access helps me compare suitable platforms and avoid blind spots. This ensures that I have an environment that doesn't get in the way of my working style.
Host keys, trust building, and known_hosts
Protection begins with remote stationI consistently check and pin host keys. With StrictHostKeyChecking=ask/yes, I prevent silent man-in-the-middle risks. UpdateHostKeys helps with automatically updating new host keys without flying blind. For teams, I maintain central known host files (GlobalKnownHostsFile) and let the personal UserKnownHostsFile act as a supplement. DNS-supported SSHFP entries can make checking easier, but I only use VerifyHostKeyDNS if I trust DNSSEC. It is also important to me to actively rotate and delete old or compromised host keys so that I am not stuck with historical trust data forever. I use HashKnownHosts to anonymize server names in known_hosts and thus reduce metadata.
SSH certificates and central CAs
Where many systems and accounts come together, I like to rely on SSH certificates. Instead of distributing each public key individually, an internal CA signs user or host keys with a short lifetime. I store TrustedUserCAKeys on servers; this ensures that sshd only accepts keys that have been freshly signed and fulfill the roles/principals stored in the certificate. For the host side, I use HostCertificate/HostKey so that clients only accept hosts that are certified by the internal CA. This reduces administrative overhead, simplifies offboarding (certificates expire), and prevents key sprawl. Short validity periods (hours to a few days) force natural rotation without burdening users.
Agent forwarding, jump hosts, and bastion concepts
ForwardAgent stays with me by default, because a compromised hop could abuse the agent. Instead, I use ProxyJump via a bastion host and also set strict policies there. If agent forwarding is unavoidable, I restrict it using authorized_keys options (e.g., restrict, no-port-forwarding) and keep the bastion hardened and well monitored. In addition, I use from= for IP scopes so that a key only works from known networks. For bastions, I also set clear AllowUsers/AllowGroups rules, separate admin and deploy paths, and only allow the necessary port forwarding (permitopen=) per key. This keeps the access path short, traceable, and tightly restricted.
Multiplexing and performance in everyday life
For fast workflows, plays Multiplexing plays a major role. With ControlMaster=auto and ControlPersist=5m, I open one control socket per host and save myself new handshakes for each command. This noticeably speeds up SCP/SFTP, deployments, and ad hoc admin. I use compression depending on the link: it offers advantages over slow or high-latency connections, and I save CPU overhead in local networks. I balance ServerAliveInterval (client side) and ClientAliveInterval (server side) so that connections remain stable without getting stuck. For KEX, I choose modern methods (e.g., curve25519), set a reasonable RekeyLimit (e.g., data or time), and thus ensure stability for long transfers and port forwards. Since scp often uses the SFTP protocol today, I primarily optimize SFTP parameters and tool chains.
Life cycle management for keys
A good key is only as good as its Life cycle. I assign clear names and comments (project, owner, contact), record the key origin in the documentation, and plan rotations (e.g., semi-annually or at project milestones). I choose long, user-friendly passphrases, and the agent takes care of the repetition for me. For particularly sensitive access, I use FIDO2/hardware keys (e.g., [email protected]), which are phishing-resistant and make the private component non-exportable. If a device is lost, I revoke access by removing it from authorized_keys or by revoking certificates. Strict separation per project and environment enables targeted offboarding without side effects. Last but not least, I make sure file permissions are clean: ~/.ssh with 700, private keys 600, authorized_keys 600 – and owners set correctly.
SFTP-only, chroot, and match blocks
For service or partner access, I often choose a SFTP onlyprofile. In sshd_config, I activate internal-sftp as a subsystem and use Match User/Group to enforce a ChrootDirectory, ForceCommand internal-sftp, and disable port forwarding, agent forwarding, and pseudo-TTY. This gives these accounts exactly the data exchange they need—and nothing more. Match blocks are also helpful for deploy users: I assign them narrowly defined rights, specify a dedicated path, and prevent interactive shells. This allows functional requirements to be met without opening a full-access shell.
Secure CI/CD and non-interactive access cleanly
In pipelines, I use Deployment keys per environment and project, never personal keys. I restrict them via authorized_keys (from= for runner IP ranges, command= for wrapper scripts, no-pty and no-agent-forwarding), pin host keys in the pipeline (known_hosts as part of the repo/secrets), and leave StrictHostKeyChecking set to secure. I manage secrets in the CI system, not in the code. Short-lived certificates or time-limited keys further reduce the attack surface. I also separate read and write access: pull/fetch, artifact upload, and server deployment each get their own identities. This keeps the blast radius small if a token leaks.
Operation, monitoring, and emergency path
In operation, they include Routines In addition: I keep OpenSSH up to date, check logrotate, set reasonable retention periods, and test alarm chains. A short banner points out the terms of use and deters curious tests. I document how I reconnect when keys are blocked (break-glass procedure with MFA) without establishing backdoors. For compliance, I separate admin and application accounts, use sudo policies with logging, and regularly check whether AllowUsers/Groups, firewall, and Fail2ban rules still match the current inventory. I don't forget IPv6: I set ListenAddress explicitly so that only desired interfaces listen. Scheduled reviews (e.g., quarterly) ensure that configurations do not become outdated and that new team members are integrated smoothly.
Practical table: useful sshd_config settings
The following overview helps me to identify key Parameters Quickly check and ensure consistency.
| Setting | Recommended value | Effect |
|---|---|---|
| Password Authentication | no | Disables password logins and prevents trivial brute force attacks. |
| PermitRootLogin | no | Prohibit direct root logins; administrators should use sudo via normal accounts. |
| AllowUsers | deploy adminuser … | Whitelisting restricts access to defined accounts. |
| Port | e.g., 2222 | Reduces trivial scans, but does not replace hardening. |
| Ciphers | e.g., aes256-ctr, aes192-ctr, aes128-ctr | Enforces modern ciphers and blocks outdated methods. |
| MACs | hmac-sha2-256, hmac-sha2-512 | Ensures up-to-date integrity checks. |
| MaxAuthTries | 3–4 | Limited noticeable failed attempts per connection. |
| LoginGraceTime | 30–60 | Close semi-open logins faster. |
| ClientAliveInterval | 30–60 | Keeps sessions active in a controlled manner, disconnects inactive ones early on. |
| LogLevel | VERBOSE | Logs key fingerprints and authentication details. |
Practical workflow: balancing security and convenience
I start with Keys, I harden the server, activate logs, and add MFA where necessary. On the client, I create clean aliases, separate keys per project, and use tunnels in a targeted manner. For automation, I assign dedicated, restricted keys so that each machine only does its job. When hosting, I check SSH capabilities early on to ensure that the platform supports my workflow. This creates a setup that mitigates attacks and makes my workday faster at the same time.
