--- title: About the sshd_config Resource platform: linux --- # sshd_config Use the `sshd_config` Chef InSpec audit resource to test configuration data for the OpenSSH daemon located at `/etc/ssh/sshd_config` on Linux and Unix platforms. sshd---the OpenSSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
## Availability ### Installation This resource is distributed along with Chef InSpec itself. You can use it automatically. ### Version This resource first became available in v1.0.0 of InSpec. ## Syntax An `sshd_config` resource block declares the client OpenSSH configuration data to be tested: describe sshd_config('path') do its('name') { should include('foo') } end where * `name` is a configuration setting in `sshd_config` * `('path')` is the non-default `/path/to/sshd_config` * `{ should include('foo') }` tests the value of `name` as read from `sshd_config` versus the value declared in the test
## Examples The following examples show how to use this Chef InSpec audit resource. ### Test which variables may be sent to the server describe sshd_config do its('AcceptEnv') { should include('CI_ENABLE_COVERAGE') } end ### Test for IPv6-only addresses describe sshd_config do its('AddressFamily') { should cmp 'inet6' } end ### Test the Protocol setting describe sshd_config do its('Protocol') { should cmp 2 } end ### Test for approved, strong ciphers describe sshd_config do its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') } end ### Test SSH protocols describe sshd_config do its('Port') { should cmp 22 } its('UsePAM') { should eq 'yes' } its('ListenAddress') { should eq nil } its('HostKey') { should eq [ '/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', ] } end
## Matchers For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). ### name The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test: its('name') { should cmp 'foo' } or: its('name') {should include('bar') }