Lab 4: Using sed To Do SSH Config Hardening

Harden SSH configuration using precise sed substitutions against a test sshd_config file. You will disable root login, disable password authentication, and change the SSH port using CLI-only edits.

Scenario

Your task is to harden SSH settings using the sed command. You have a sample SSH daemon configuration at /tmp/sshd_config, and you must apply three changes: set PermitRootLogin to no, set PasswordAuthentication to no, and change the SSH Port to 2222.

Operator context

This lab reflects a standard production workflow: assess the current state, apply targeted configuration changes, and verify the results. In a live environment, you would also validate the syntax and restart sshd, but the focus here is safe and controlled text manipulation.

Objective

  • View an SSH daemon configuration file with cat.
  • Use anchored sed substitutions to change specific directives.
  • Confirm the resulting configuration values are correct.

Concepts

  • Treat configuration changes like change control: read current state, write a minimal change, then re-check.
  • Anchoring with ^ reduces collateral edits by matching only directive lines that start with the setting name.
  • SSH hardening is layered: authentication method, privileged access, and exposed surface area (port) are adjusted together.
  • In-place edits are fast; verification is what makes them safe.

Walkthrough

Step 1: View the current SSH daemon configuration.
Command
cat /tmp/sshd_config

Confirm the current directive values before modifying anything. This prevents you from hardening the wrong file or guessing the current state.

# SSH Daemon Configuration
PermitRootLogin yes
PasswordAuthentication yes
Port 22

Step 2: Disable root login by setting PermitRootLogin to no.
Command
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /tmp/sshd_config

The match is anchored with ^ so only the directive line starting with PermitRootLogin is changed.

Step 3: Disable password authentication by setting PasswordAuthentication to no.
Command
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /tmp/sshd_config

This performs a targeted substitution for the PasswordAuthentication directive only.

Step 4: Change the SSH port to 2222.
Command
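sed -i 's/^Port 22$/Port 2222/' /tmp/sshd_config

This updates the Port directive line from 22 to 2222 without touching other lines. The trailing $ makes the match exact: a value such as Port 2200 is left alone, and running the command a second time does not turn Port 2222 into Port 222222.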

PermitRootLogin no
PasswordAuthentication no
Port 2222

Common breakpoints

No change after running sed

The file may not match the expected values (for example, the directives are commented out, already set to no, or use extra whitespace). Inspect with grep -nE '^(PermitRootLogin|PasswordAuthentication|Port)\b' /tmp/sshd_config and adjust the match pattern.

Directive appears multiple times

In real sshd_config files, duplicates can exist, and the last match usually wins. Your substitution might change only one line while another later line overrides it. Use grep -n to find duplicates and resolve them.

Permission denied

If this were a real /etc/ssh/sshd_config edit, you would need elevated privileges. Practice the same workflow with sudo when appropriate.

Lockout risk in production

Disabling password auth and changing the port can lock you out if keys or firewall rules are not in place. Always keep an active session open and validate connectivity before you disconnect.
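
The first two breakpoints above (values that do not match the expected text, and repeated directives) can be handled in one pass that also verifies its own result. The following is an added example, not part of the original lab: set_directive and harden_sample are hypothetical helper names, and the sample file is constructed. It assumes canonical keyword case, no Match blocks, and keys and values free of sed metacharacters.

```shell
#!/bin/sh
# Added example, not part of the lab. set_directive and harden_sample are
# hypothetical helpers. Assumptions: keywords use their canonical case, KEY and
# VALUE contain no sed metacharacters, and the file has no Match blocks.

# set_directive FILE KEY VALUE: leave exactly one active "KEY VALUE" line.
set_directive() {
    file=$1 key=$2 value=$3
    active="^[[:space:]]*${key}[[:space:]]"
    tmp=$(mktemp) || return 1

    # Rewrite every active line for KEY (any indentation, any old value), then
    # drop all but the first so no second line can disagree. Comments stay.
    sed -E "s/^[[:space:]]*${key}[[:space:]]+.*/${key} ${value}/" "$file" |
        awk -v want="${key} ${value}" '$0 == want && seen++ { next } { print }' > "$tmp"

    # Directive absent or only present as a comment: state it explicitly.
    grep -Eq "$active" "$tmp" || printf '%s %s\n' "$key" "$value" >> "$tmp"

    # Verify the candidate before touching the original file.
    if [ "$(grep -Ec "$active" "$tmp")" -eq 1 ] && grep -Fxq "${key} ${value}" "$tmp"; then
        cat "$tmp" > "$file"    # keeps the original owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample with a commented directive, indentation and a duplicate.
harden_sample() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# SSH Daemon Configuration' '#PermitRootLogin yes' \
        '  PasswordAuthentication   yes' 'Port 22' 'PasswordAuthentication yes' > "$cfg"
    set_directive "$cfg" PermitRootLogin no &&
        set_directive "$cfg" PasswordAuthentication no &&
        set_directive "$cfg" Port 2222 &&
        printf '%s\n' "$cfg"
}

cfg_path=$(harden_sample) && cat "$cfg_path"
```

Because the original file is only overwritten after the candidate passes the check, a failed run leaves the configuration exactly as it was.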

Cleanup checklist

This lab modifies a temporary test file. Cleanup is resetting the file so you can repeat the workflow.

Optional
# Reset /tmp/sshd_config back to the starting values for another repetition
sed -i 's/^PermitRootLogin no/PermitRootLogin yes/' /tmp/sshd_config
sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /tmp/sshd_config
sed -i 's/^Port 2222$/Port 22/' /tmp/sshd_config

# Verify
cat /tmp/sshd_config

Success signal

You can make narrow, audit-friendly configuration changes using anchored matches, then validate results immediately.

Reference

  • cat <file>: Prints file contents to standard output.
  • sed -i 's/pattern/replacement/' <file>: Replaces the first match of pattern on each line and writes changes back to the file.
    • -i: Edit the file in place.
    • ^: Anchor the match to the start of the line.
    • s/old/new/: Substitution operator.
  • /tmp/sshd_config: Temporary test configuration file used in this lab.
  • PermitRootLogin: Controls whether the root user can log in over SSH.
  • PasswordAuthentication: Controls whether SSH allows password-based logins.
  • Port: Specifies the TCP port where sshd listens for incoming connections.