Loading...

VONDS ©

Lab 4: Using sed To Do SSH Config Hardening

Lab Index

Harden SSH configuration using precise sed substitutions against a test sshd_config file. You will disable root login, disable password authentication, and change the SSH port using CLI-only edits.

security services core

Scenario

Your task is to harden SSH settings using the sed command. You have a sample SSH daemon configuration at /tmp/sshd_config , and you must apply three changes: PermitRootLogin to no , PasswordAuthentication to no , and the SSH Port to 2222 .

Operator context

This lab reflects a standard production workflow: assess the current state, apply targeted configuration changes, and verify the results. In a live environment, you would also validate the syntax and restart sshd, but the focus here is on safe and controlled text manipulation.

Objective

  • View an SSH daemon configuration file with cat .
  • Use anchored sed substitutions to change specific directives.
  • Confirm the resulting configuration values are correct.

What You’ll Practice

  • Reading configuration state from /tmp/sshd_config .
  • Using sed -i for in-place edits.
  • Anchoring patterns with ^ to avoid accidental matches.
  • Editing SSH hardening directives without opening an editor.

Walkthrough

Step 1 : View the current SSH daemon configuration.
Command 
cat /tmp/sshd_config

Confirm the current directive values before modifying anything. This prevents you from “hardening” the wrong file or guessing the current state. 

# SSH Daemon Configuration
PermitRootLogin yes
PasswordAuthentication yes
Port 22
Step 2 : Disable root login by setting PermitRootLogin to no .
Command 
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /tmp/sshd_config

The pattern is anchored with ^ so only the directive line starting with PermitRootLogin is changed.

Step 3 : Disable password authentication by setting PasswordAuthentication to no .
Command 
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /tmp/sshd_config

This performs a targeted substitution for the PasswordAuthentication directive only.

Step 4 : Change the SSH port to 2222 .
Command 
sed -i 's/^Port 22/Port 2222/' /tmp/sshd_config

This updates the Port directive line from 22 to 2222 without touching other lines. 

PermitRootLogin no
PasswordAuthentication no
Port 2222

Reference

  • cat <file> : Prints file contents to standard output.
  • sed -i 's/pattern/replacement/' <file> : Replaces the first match of pattern on each line and writes changes back to the file.
    • -i : Edit the file in-place (modify the file directly).
    • ^ : Anchors the match to the start of the line.
    • s/old/new/ : Substitution operator (replace old with new ).
  • /tmp/sshd_config : A temporary test configuration file used in this lab.
  • PermitRootLogin : Controls whether the root user can log in over SSH.
  • PasswordAuthentication : Controls whether SSH allows password-based logins.
  • Port : Specifies the TCP port where sshd listens for incoming connections.