How to Restart SSHD on AIX: Complete Guide (6.1, 7.1, 7.2, 7.3)
Restarting the SSH daemon (sshd) on IBM AIX is a common administrative task, whether you're applying configuration changes, troubleshooting connection issues, or performing routine maintenance. Unlike Linux systems that use systemctl or service commands, AIX uses the System Resource Controller (SRC) to manage services. This guide covers every method to restart SSH on AIX, version-specific notes for AIX 6.1 through 7.3, how to restart without dropping active sessions, and thorough troubleshooting steps.
Quick Reference: AIX SSH Restart Commands
For those who just need the commands:
# Method 1: Stop and start (recommended for a full restart)
stopsrc -s sshd && startsrc -s sshd
# Method 2: Refresh (reload config without full restart - keeps active sessions)
refresh -s sshd
# Check status at any time
lssrc -s sshd
AIX Version-Specific Notes
AIX 6.1
AIX 6.1 ships with OpenSSH and registers it with SRC by default. The standard stopsrc/startsrc workflow applies. On some minimal installations the sshd subsystem may not be registered — see the "SSH Service Not Found" troubleshooting section below.
# Verify the SSH package is installed
lslpp -l openssh.base.server
# Register sshd with SRC if needed (AIX 6.1)
mkssys -p /usr/sbin/sshd \
-s sshd \
-u 0 \
-a "-D -f /etc/ssh/sshd_config" \
-e /dev/console \
-i /dev/console \
-o /dev/console \
-R -Q -S \
-f 9 \
-n 15 \
-E 20 \
-G ssh \
-d \
-w 20
AIX 7.1
AIX 7.1 introduced improvements to the SRC and the default sshd is compiled with stronger cipher support. The restart procedure is identical to 6.1. Confirm the sshd binary path before registering:
# Confirm sshd binary location on AIX 7.1
ls -l /usr/sbin/sshd
# Full restart
stopsrc -s sshd && startsrc -s sshd
AIX 7.2
AIX 7.2 includes OpenSSH 7.x and supports newer key exchange algorithms. You can validate the configuration file before restarting (see the section below). The refresh -s sshd command is fully supported.
# Validate config before restart (AIX 7.2)
/usr/sbin/sshd -t
# Restart
stopsrc -s sshd && startsrc -s sshd
AIX 7.3
AIX 7.3 is the current release and ships with OpenSSH 9.x. It fully supports all methods described in this guide. Note that AIX 7.3 may enforce stricter default cipher policies; always validate the config after editing sshd_config.
# Check OpenSSH version on AIX 7.3
ssh -V
# Test configuration validity
/usr/sbin/sshd -t && echo "Config OK"
# Full restart
stopsrc -s sshd && startsrc -s sshd
Check SSH Status: lssrc -s sshd
Before and after any restart, check the service status with lssrc:
lssrc -s sshd
Sample output when running:
Subsystem Group PID Status
sshd ssh 12345678 active
Sample output when stopped:
Subsystem Group PID Status
sshd ssh inoperative
To see detailed subsystem information:
lssrc -S -s sshd
Method 1: Using stopsrc and startsrc (Recommended)
The System Resource Controller (SRC) is AIX's native service management system. This is the most reliable method for a full SSH restart.
Step 1: Check Current SSH Status
lssrc -s sshd
Step 2: Stop the SSH Service
stopsrc -s sshd
Verify it stopped:
lssrc -s sshd
# Status should show "inoperative"
Step 3: Start the SSH Service
startsrc -s sshd
Verify it is running:
lssrc -s sshd
# Status should show "active" with a new PID
Combined One-Liner
stopsrc -s sshd && startsrc -s sshd
Using a semicolon runs the second command even if the first fails (useful in scripts):
stopsrc -s sshd; startsrc -s sshd
Method 2: Using refresh -s sshd (Reload Without Full Restart)
The refresh command signals the running sshd to reload its configuration file without terminating existing connections. Use this when you cannot afford to drop active sessions.
refresh -s sshd
What refresh does:
- Sends a SIGHUP signal to sshd via the SRC framework
- The daemon re-reads
/etc/ssh/sshd_config - All active SSH sessions remain connected
- New connections use the updated configuration immediately
When to use refresh instead of a full restart:
- After editing
sshd_configon a live server with active users - When you only need to rotate host keys without downtime
- During scheduled maintenance windows where disconnecting users is not acceptable
Method 3: Using kill -HUP (Direct Signal)
If you need to reload the SSH configuration without using the SRC framework:
Step 1: Find the SSHD Process ID
lssrc -s sshd
Or using ps:
ps -ef | grep sshd | grep -v grep
Step 2: Send HUP Signal
kill -HUP <sshd_pid>
For example:
kill -HUP 12345678
This method is equivalent to refresh -s sshd but bypasses the SRC. Prefer refresh -s sshd on AIX so that the SRC tracks the daemon state correctly.
How to Restart SSH Without Dropping Active Sessions
The safest way to apply configuration changes without disconnecting users is refresh -s sshd:
# 1. Edit your configuration
vi /etc/ssh/sshd_config
# 2. Test the new configuration for syntax errors BEFORE applying
/usr/sbin/sshd -t
# No output means the config is valid
# 3. Reload the configuration without dropping connections
refresh -s sshd
# 4. Confirm the daemon is still running
lssrc -s sshd
Active sessions are not affected. New connections immediately use the updated settings.
Important: A reload via refresh does not restart child processes handling existing connections. If you change settings such as MaxSessions or AllowUsers, those changes only apply to new connections. Settings that affect authentication or ciphers take effect for new connections as well, while the handshake for existing sessions is already complete.
Check SSH Config Validity Before Restart
Always validate your sshd_config before restarting to avoid being locked out of the server:
/usr/sbin/sshd -t
- Exit code 0: configuration is valid.
- Non-zero exit / error output: fix the reported issue before restarting.
Extended test with verbose output:
/usr/sbin/sshd -T 2>&1 | head -40
This prints the full effective configuration, which is useful to confirm that your edits were parsed correctly.
View SSH Logs in AIX
Using errpt (AIX Error Log)
AIX uses the Error Notification facility. To view SSH-related entries:
# View all recent error log entries
errpt -a | head -100
# Filter for SSH entries
errpt -a | grep -i ssh
# Show entries from the last 24 hours
errpt -a -s $(perl -e 'use POSIX; print strftime("%m%d%H%M%y", localtime(time-86400));')
Using the syslog / sshd.log File
Depending on your AIX syslog configuration, SSH messages may go to /var/log/sshd.log or the system syslog:
# Check sshd log (if configured)
tail -100 /var/log/sshd.log
# Check syslog for SSH messages
grep -i sshd /var/adm/syslog/syslog.log | tail -50
# Or /var/log/syslog on newer AIX releases
tail -f /var/log/syslog | grep sshd
Increase SSH Log Verbosity
To capture more detail for troubleshooting, set LogLevel in /etc/ssh/sshd_config:
SyslogFacility AUTH
LogLevel VERBOSE
Then reload:
refresh -s sshd
Troubleshooting SSH on AIX
Problem: SSH Service Not Found
If you get the 0513-085 The sshd Subsystem is not on file error:
lssrc -s sshd
# 0513-085 The sshd Subsystem is not on file.
The SSH subsystem is not registered with SRC. Register it:
mkssys -p /usr/sbin/sshd \
-s sshd \
-u 0 \
-a "-D -f /etc/ssh/sshd_config" \
-e /dev/console \
-i /dev/console \
-o /dev/console \
-R -Q -S \
-f 9 \
-n 15 \
-E 20 \
-G ssh \
-d \
-w 20
# Verify registration
lssrc -S -s sshd
# Start the service
startsrc -s sshd
Problem: SSH Fails to Restart — Check /var/log/syslog
When startsrc -s sshd fails or sshd exits immediately, always check the system log first:
# Check syslog
tail -50 /var/log/syslog | grep -i sshd
# Check the AIX error log
errpt -a | head -80
# Attempt a manual start in debug mode to see errors immediately
/usr/sbin/sshd -d -f /etc/ssh/sshd_config
Common reasons sshd fails to restart:
| Symptom in logs | Likely cause | Fix |
|---|---|---|
Missing privilege separation directory: /var/empty |
/var/empty was deleted |
mkdir -p /var/empty && chmod 711 /var/empty |
Bad configuration option |
Syntax error in sshd_config | Run /usr/sbin/sshd -t and fix the reported line |
Could not load host key |
Host key file missing or wrong permissions | Run ssh-keygen -A to regenerate host keys |
Address already in use |
Another process is using port 22 | netstat -an \| grep 22 to identify the process |
Permissions too open |
sshd_config or host key has wrong permissions | chmod 600 /etc/ssh/ssh_host_*_key |
Problem: SSH Won't Start After Configuration Change
# Test configuration file without starting the daemon
/usr/sbin/sshd -t
Fix any errors reported, then restart.
Problem: Cannot Connect After Restart
- Check if sshd is listening on port 22:
netstat -an | grep 22
- Check the SSH log for rejected connections:
tail -100 /var/log/sshd.log
errpt -a | head -60
- Verify firewall rules:
lsfilt
- Test from the server itself:
ssh -v localhost
Problem: SSH Connections Timeout
Add or adjust the following in /etc/ssh/sshd_config:
ClientAliveInterval 60
ClientAliveCountMax 3
TCPKeepAlive yes
Then reload:
refresh -s sshd
Creating the SSH Service in AIX
If your AIX system does not have sshd registered as a service:
Step 1: Register SSHD with SRC
mkssys -p /usr/sbin/sshd \
-s sshd \
-u 0 \
-a "-D -f /etc/ssh/sshd_config" \
-e /dev/console \
-i /dev/console \
-o /dev/console \
-R -Q -S \
-f 9 \
-n 15 \
-E 20 \
-G ssh \
-d \
-w 20
Step 2: Verify Registration
lssrc -S -s sshd
Or check the ODM directly:
odmget -q subsysname=sshd SRCsubsys
Step 3: Start the Service
startsrc -s sshd
Configuring SSH to Start at Boot
Create /etc/rc.d/rc2.d/S70sshd:
#!/bin/ksh
#######################################################
# name: S70sshd
# purpose: Start or stop SSH daemon at boot/shutdown
#######################################################
case "$1" in
start)
echo "Starting SSH daemon..."
startsrc -s sshd
;;
stop)
echo "Stopping SSH daemon..."
stopsrc -s sshd
;;
restart)
echo "Restarting SSH daemon..."
stopsrc -s sshd
sleep 2
startsrc -s sshd
;;
status)
lssrc -s sshd
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac
Set permissions:
chmod 755 /etc/rc.d/rc2.d/S70sshd
SSH Configuration File Locations on AIX
| File | Purpose |
|---|---|
/etc/ssh/sshd_config |
Server configuration |
/etc/ssh/ssh_config |
Client configuration |
/etc/ssh/ssh_host_* |
Host keys |
~/.ssh/authorized_keys |
User authorized keys |
Common sshd_config Settings for AIX
# Allow root login (set to 'no' for security)
PermitRootLogin yes
# Authentication methods
PubkeyAuthentication yes
PasswordAuthentication yes
# Logging
SyslogFacility AUTH
LogLevel INFO
# Connection settings
MaxAuthTries 3
MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 3
After modifying, validate and restart:
/usr/sbin/sshd -t && stopsrc -s sshd && startsrc -s sshd
Related AIX Guides
- AIX SSH Configuration: Complete Guide - Full SSH setup, key authentication, and hardening
- SCP and SFTP on AIX - Secure file transfer on AIX
- SSH Tunneling on AIX - Port forwarding and tunnel setup
- How to Extract a zip File in AIX - Related AIX file operations
- DB2STOP FORCE: How to Force Stop DB2 - Another common AIX administration task
Summary
| Goal | Command |
|---|---|
| Full SSH restart | stopsrc -s sshd && startsrc -s sshd |
| Reload config (keep sessions) | refresh -s sshd |
| Check service status | lssrc -s sshd |
| Validate config before restart | /usr/sbin/sshd -t |
| View SSH error log | errpt -a \| grep -i ssh |
| View syslog for SSH | tail -f /var/log/syslog \| grep sshd |
Restarting SSH on AIX is straightforward once you understand the System Resource Controller. Use stopsrc -s sshd && startsrc -s sshd for a full restart, or refresh -s sshd when you need to apply configuration changes without disconnecting active users. Always validate your sshd_config with /usr/sbin/sshd -t before restarting, and consult errpt -a and /var/log/syslog if the daemon fails to start.