Always check your sshd_config settings before restarting the ssh daemon!
Having experienced that before with a cloud VM where I was left with no choice but to terminate that instance, I wish to avoid that experience.
Test sshd_config
The sshd command has the -t flag that will check your configuration file for any errors. Here is an example:
$ sudo /usr/sbin/sshd -t
/etc/ssh/sshd_config line 89: unsupported option "yup".
The sshd helpfully tells us the problem is in line 89. When we take a look at line 89:
GatewayPorts yup
the mistake is obvious. Change yup to yes:
GatewayPorts yes
Just to be sure, let's test the configuration again.
$ sudo /usr/sbin/sshd -t
$
Perfect! We can be assured that there isn't any misconfiguration that will prevent sshd from starting.
The example above might not be the best. There are integer values that could be mistaken for Boolean options or vice versa. For example, setting MaxSessions yes instead of MaxSessions 20 will cause sshd to fail to start.
Restart sshd
Restart the SSH daemon:
$ sudo systemctl restart ssh
$
There, the daemon is restarted with changes applied.
Existing SSH Connection
Note that restarting the SSH daemon will not disconnect existing SSH connections. Technically, you can safely change the sshd_config file and restart sshd; if sshd fails to start up, use the existing SSH connection to revert the changes to sshd_config. Why take the risk when you can use the -t flag?
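The test-then-restart routine above can be wrapped so that a rejected file never reaches /etc/ssh/sshd_config. This is an added example, not part of the original post; the function name apply_sshd_config and the SSHD_BIN and RESTART_CMD variables are assumptions, and it expects to run as root with the candidate file edited separately from the live one.

```shell
#!/bin/sh
# Added example: install a candidate sshd_config only if `sshd -t` accepts it.
# Assumptions: run as root; the service is named "ssh" as in the post.
# SSHD_BIN and RESTART_CMD are overridable so the logic can be dry-run.
SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}
RESTART_CMD=${RESTART_CMD:-systemctl restart ssh}

# apply_sshd_config CANDIDATE [LIVE]
# Returns 0 applied, 1 candidate rejected, 2 copy failed, 3 restart failed.
apply_sshd_config() {
    candidate=$1
    live=${2:-/etc/ssh/sshd_config}

    # -t is test mode; -f points sshd at the candidate instead of the live file.
    if ! err=$("$SSHD_BIN" -t -f "$candidate" 2>&1); then
        echo "rejected, live config untouched: $err" >&2
        return 1
    fi

    # Keep a timestamped copy of the known-good file before replacing it.
    backup="$live.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$live" "$backup" || return 2
    cp "$candidate" "$live" || return 2

    if ! $RESTART_CMD; then
        # The restart failed: restore the previous file and try once more.
        echo "restart failed, restoring $backup" >&2
        cp -p "$backup" "$live"
        $RESTART_CMD || echo "restart still failing; repair over the open session" >&2
        return 3
    fi
    echo "applied $candidate; previous config saved as $backup"
}
```

sshd -t only confirms that the file parses and the keys are sane, not that the new settings still let you log in, so keep the existing session open until a fresh login succeeds.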