Viewing the live SSH server configuration shows which addresses the daemon listens on, which authentication methods are enabled, and which access restrictions will apply to new sessions. That makes it easier to confirm why a host still accepts password logins, refuses root access, or listens on an unexpected port.
The OpenSSH server reads directives from /etc/ssh/sshd_config and may load additional files through the Include directive. On current OpenSSH builds, sshd -G prints the parsed server configuration after defaults and included files are applied, while sshd -T -C shows the final result for a specific connection pattern when Match blocks are involved.
Use sudo on typical Linux servers because the live configuration tree and host keys are root-owned. Keep sshd -G for the baseline server view, and switch to sshd -T -C when access rules change by user, source address, or another Match condition.
$ whoami
user
$ sudo less /etc/ssh/sshd_config
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
##### snipped #####
Include /etc/ssh/sshd_config.d/*.conf
The main file sets the baseline policy, while files under /etc/ssh/sshd_config.d can add or override directives.
$ sudo sshd -G
port 22
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam yes
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
##### snipped #####
sshd -G is the quickest way to inspect the baseline settings that sshd will use for new connections.
$ sudo sshd -G | grep '^permitrootlogin '
permitrootlogin without-password
Replace permitrootlogin with another directive such as passwordauthentication, listenaddress, or pubkeyauthentication to inspect that value directly.
$ sudo sshd -T -C user=deploy,addr=192.0.2.50
port 22
addressfamily any
##### snipped #####
pubkeyauthentication yes
passwordauthentication yes
permittty no
sshd -T -C resolves Match directives for the supplied connection details and also performs the extra validation from sshd -t.
Add host=, laddr=, or lport= when the server uses those conditions in a Match block.