How to configure ssh


What is the current recommended way to configure sshd on ubuntu core? We have some settings that we need sshd to apply on startup and potentially change during runtime.

Is there anything on your backlog to set configuration through snapd system options perhaps?



The only options currently are to disable sshd completely or to set the port:

Thanks @ogra I am aware of these settings, but they are not what I want.

Let’s say you had to do some ssh configuration beyond these 2 settings, how would you do it? Is there a best practice? Or will snapcraft in future introduce a way to be able to configure ssh?



You could perhaps try to create an sshd snap (not sure there are sufficient interfaces to get this working though, you got to try) and completely disable the one on the system …

and alternatively you could open a PR to snapd to support actual options to be added to the system for setting sshd configs, but that will likely be a long winded process to get it past the architects …

Hi @rubilavp,

Could please explain what/why do you need to configure sshd, and perhaps even an small example of what you have in mind?

The end goal is to enable ssh certificates but any custom config would be ideal

Currently we think we need to use system-files and process-control to add extra config file to /etc/ssh/ssh_config.d.

even if the content was similar to

Include /snap/my-config-snap/current/ssh/sshd_config.d/*.conf

and then reload the ssh daemon on any file change

If configs need to change during runtime, then yes this might be the only way to go.

Hi, have the same issue after Need to configure the ciphers (and possibly other security settings) and then reload sshd on Core 16 and 20 devices. Manual configuration via root user is possible, but doesn’t scale to 1000s of devices. Not all devices have a gadget snap we control, so can’t use that to add the file to the writable partition.

Did anyone find a solution or manage to roll their own sshd snap?

Looks to me like this has been handled in the core(18|20|22) snaps already…

(Though not sure when exactly it will make it to the stable channel, probably not before Christmas)

Well we are still waiting on newer core version for the Dell Gateway 3002 for the past two months. As this is an exposed network service I want to be able to control it myself and adhere to security requirements and SLAs.

1 Like