NAME

sshd2_config - Server configuration file used by sshd.

SYNOPSIS

/etc/ssh2/sshd2_config - Default server configuration file.

DESCRIPTION

Reflection for Secure IT server configuration files contain configuration settings for the sshd server. The default global configuration file is /etc/ssh2/sshd2_config. You can specify an alternate file using the -f option on the sshd command line. You can also create and use optional subconfiguration files for specific client hosts or users.

A sample configuration file is installed to /etc/ssh2/sshd2_config. This file includes commented lines that show all available settings and their default values. A duplicate copy of this file is installed to /etc/ssh2/sshd2_config.example.

Changes you make to the main server configuration file affect new connections immediately; you do not need to restart the server. Existing connections remain active using their original settings; subsequent connections use the new settings.

Note: Changes to Port, ListenAddress, and MaxStartups require a restart.

The server processes settings cumulatively in the following order. If a setting is configured in more than one place, the last value processed overrides any previous value of the same setting.

  1. The global configuration file, or an alternate file specified on the sshd command line using -f.
  2. Any host-specific subconfiguration file(s) that you have created and identified using the HostSpecificConfig keyword.
  3. Any user-specific subconfiguration file(s) that you have created and identified using the UserSpecificConfig keyword.
  4. Command line options used with sshd.

FILE FORMAT

All server configuration files (the default global file, any alternate file specified on the sshd command line, and optional user-specific and host-specific files) consist of keywords followed by values. Any line starting with a pound sign (#) is a comment. Any empty line is ignored.

Keyword syntax

Every keyword requires a value. The value can be separated from the keyword by spaces, or optional spaces and exactly one "=". Enclose the value in quotation marks (single or double) if it includes spaces. For example:

key value

key=value

key="value with spaces"

key=value1, value2

Keywords are not case sensitive.
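As an added example (not part of the Reflection for Secure IT product or this man page), the following Python reads configuration lines using the rules above (keyword then spaces or one "=", single or double quotes around values with spaces, comma-separated lists, "#" comments, case-insensitive keywords) and then applies the processing order from DESCRIPTION: layers are merged in sequence and the last value processed wins. It assumes, as stated in ACCESS CONTROL KEYWORDS, that the access-control keywords accumulate over repeated instances, and additionally assumes that this accumulation carries across layers; the sample file contents are constructed here.

```python
import re

# Keywords whose values accumulate over repeated instances (ACCESS CONTROL KEYWORDS);
# every other keyword takes the last value processed.
CUMULATIVE_KEYWORDS = {k.lower() for k in (
    "AllowUsers", "DenyUsers", "AllowGroups", "DenyGroups", "AllowHosts", "DenyHosts",
    "AllowTcpForwardingForUsers", "DenyTcpForwardingForUsers",
    "AllowTcpForwardingForGroups", "DenyTcpForwardingForGroups", "ForwardACL",
)}

# keyword, then either exactly one "=" (optionally surrounded by spaces) or plain spaces, then a value
_LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.-]+)\s*(?:=\s*|\s+)(?P<value>\S.*)$")

# Constructed samples: a global file and a host-specific subconfiguration file.
SAMPLE_GLOBAL = """\
# constructed sample global file (not the shipped sshd2_config)
Port 2222
PermitRootLogin = no
BannerMessageFile="/etc/ssh2/banner with spaces"
AllowUsers  alice, bob
AllowUsers  carol
Ciphers=aes256-cbc, aes128-cbc
"""
SAMPLE_HOST = """\
# constructed host-specific subconfiguration
PermitRootLogin yes
AllowUsers dave
"""


def split_values(value):
    """Split a value on commas, honouring backslash-escaped commas such as [1\\,2]."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]                      # strip matching single or double quotes
    parts, buf, i = [], [], 0
    while i < len(value):
        if value.startswith("\\,", i):           # escaped comma stays inside the value
            buf.append(",")
            i += 2
        elif value[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(value[i])
            i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_line(line):
    """Return (lowercase keyword, [values]), or None for a blank or comment line."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _LINE_RE.match(stripped)
    if m is None:
        raise ValueError(f"every keyword requires a value: {line!r}")
    return m.group("key").lower(), split_values(m.group("value"))


def parse_config(text):
    """Parse one configuration file into {keyword: [values]}."""
    cfg = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, values = parsed
        if key in CUMULATIVE_KEYWORDS:
            cfg.setdefault(key, []).extend(values)
        else:
            cfg[key] = values
    return cfg


def merge_layers(layers):
    """Apply parsed layers in processing order (global, host-specific, user-specific,
    command line). Assumption: access-control keywords accumulate across layers too;
    everything else is last-value-wins."""
    merged = {}
    for layer in layers:
        for key, values in layer.items():
            if key in CUMULATIVE_KEYWORDS:
                merged.setdefault(key, []).extend(values)
            else:
                merged[key] = list(values)
    return merged


def effective_config(global_text, host_text="", user_text=""):
    """Convenience wrapper: parse each layer and merge them in order."""
    return merge_layers([parse_config(t) for t in (global_text, host_text, user_text)])
```

Running `effective_config(SAMPLE_GLOBAL, SAMPLE_HOST)` shows the two behaviours side by side: PermitRootLogin ends up as the host layer's `yes`, while AllowUsers holds all four names.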

REGULAR EXPRESSIONS

Regular expressions are evaluated using POSIX-Extended syntax. For details about regular expression rules, see:

http://www.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap09.html

Specific information about configuring expressions for users, groups, and hosts follows.

Configuring User Access

The following keywords configure user access: AllowUsers, DenyUsers, AllowTcpForwardingForUsers, DenyTcpForwardingForUsers, ForwardACL, ChrootSftpUsers, UserSpecificConfig. You can specify user names alone, or use the following syntax to include group and/or host information:

user[%group][@host]

Where user is a regular expression for a user (numerical UIDs are not supported), group is a regular expression for a group (numerical GIDs are not supported), and host is a regular expression for a host (which can be a domain name, IP address, or subnet mask). For example, the following denies access to all members of the interns group at myhost.com:

DenyUsers=.*%interns@myhost.com

Configuring Group Access

The following keywords configure group access: AllowGroups, DenyGroups, AllowTcpForwardingForGroups, DenyTcpForwardingForGroups, ChrootSftpGroups. These keywords support any valid regular expression. Numerical GIDs are not supported. For example:

DenyGroups=interns

Configuring Client Host Access

The following keywords configure settings for client host computers: AllowHosts, DenyHosts, HostSpecificConfig. You can specify hosts using either IP addresses or domain names. The server first tries to match using the IP address of the client. If that fails, it tries to match using a domain name.

Note: When ResolveClientHostname is `yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.

To force matching to a specific IP address, start the host expression using a backslash followed by i (\i). For example:

DenyHosts = \i123.45.78.9

To match a range of IP addresses using a CIDR (Classless Inter-Domain Routing) subnet, start the host expression using a backslash followed by m (\m). For example:

DenyHosts = \m123.123.0.0/16

Note: If you use either \i or \m, regular expressions are not supported within the IP address.

ACCESS CONTROL KEYWORDS

The following keywords are available for controlling access to users, groups, and/or client host computers:

AllowUsers, DenyUsers, AllowGroups, DenyGroups, AllowHosts, DenyHosts, AllowTcpForwardingForUsers, DenyTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwardingForGroups, ForwardACL

You can specify users, groups, or hosts for any of these keywords by using a single instance of the keyword with a comma-separated list of values, or by including multiple instances of the keyword, in which case the final assigned value is cumulative over all instances.

Note: When you use regular expressions that require a comma (for example, [1,2]) in any of the access-control keywords, you must escape the comma with a backslash (for example, [1\,2]).
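The matching rules from Configuring User Access, Configuring Group Access and Configuring Client Host Access, implemented as an added Python example (this is not code from the Reflection for Secure IT server): a host expression is taken literally after \i, as a CIDR subnet after \m, and otherwise as a regular expression tried against the client IP address first and the resolved host name second; a user expression is split into its user[%group][@host] parts. `login_allowed` then applies the Allow*/Deny* lists. Assumptions: Python's `re` stands in for the server's POSIX-Extended engine, patterns must match the whole string, the `@` and `%` separators do not appear inside the regexes themselves, and a matching Deny entry takes precedence over Allow entries (the page states the per-keyword behaviour but not the order in which the keywords are combined). The sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample: the result of parsing DenyUsers and AllowHosts lines (lowercase keywords).
SAMPLE_ACL = {
    "denyusers": [".*%interns@myhost.com"],
    "allowhosts": ["\\m10.0.0.0/8"],
}


def _matches(pattern, text):
    """Whole-string regular-expression match (assumption: Python re in place of POSIX-Extended)."""
    return re.fullmatch(pattern, text) is not None


def match_host(expr, client_ip, client_name=None):
    """Match one host expression: \\i = literal IP address, \\m = CIDR subnet, otherwise a regex
    tried against the IP address first and then against the resolved host name (if any)."""
    if expr.startswith("\\i"):
        return ipaddress.ip_address(client_ip) == ipaddress.ip_address(expr[2:])
    if expr.startswith("\\m"):
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(expr[2:], strict=False)
    if _matches(expr, client_ip):
        return True
    return client_name is not None and _matches(expr, client_name)


def match_group(expr, groups):
    """True if any of the user's group names matches the group regex."""
    return any(_matches(expr, g) for g in groups)


def match_user(expr, user, groups, client_ip, client_name=None):
    """Match a user[%group][@host] expression; the group and host parts are optional."""
    user_expr, _, host_expr = expr.partition("@")
    user_expr, _, group_expr = user_expr.partition("%")
    if not _matches(user_expr, user):
        return False
    if group_expr and not match_group(group_expr, groups):
        return False
    if host_expr and not match_host(host_expr, client_ip, client_name):
        return False
    return True


def login_allowed(cfg, user, groups, client_ip, client_name=None):
    """Combine the six login access-control lists. An unconfigured Allow* keyword allows everyone;
    a configured one must match; any matching Deny* entry refuses the login (assumed precedence)."""
    if any(match_user(e, user, groups, client_ip, client_name) for e in cfg.get("denyusers", [])):
        return False
    if any(match_group(e, groups) for e in cfg.get("denygroups", [])):
        return False
    if any(match_host(e, client_ip, client_name) for e in cfg.get("denyhosts", [])):
        return False
    allow_users = cfg.get("allowusers")
    if allow_users and not any(match_user(e, user, groups, client_ip, client_name) for e in allow_users):
        return False
    allow_groups = cfg.get("allowgroups")
    if allow_groups and not any(match_group(e, groups) for e in allow_groups):
        return False
    allow_hosts = cfg.get("allowhosts")
    if allow_hosts and not any(match_host(e, client_ip, client_name) for e in allow_hosts):
        return False
    return True
```

The same `match_user` and `match_host` logic is what selects a subconfiguration file for the UserSpecificConfig and HostSpecificConfig keywords. Note that when `client_name` is None (ResolveClientHostname set to `no'), a name-based expression such as the page's `.*%interns@myhost.com` can never match, which is why the notes under AllowHosts and DenyHosts insist on ResolveClientHostname being `yes' for domain-name expressions.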

SUBCONFIGURATION FILES

You can create and use optional subconfiguration files to configure settings that you want to apply to a subset of users or client hosts. Subconfiguration files are read by the process forked for each new connection. These files are read at runtime; any changes you make affect all subsequent connections.

User subconfiguration files

Use the UserSpecificConfig keyword to configure user-specific subconfiguration files. The syntax for this keyword is:

UserSpecificConfig user_expression subconfig_file

If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file. An example file is installed to:

/etc/ssh2/subconfig/user.example

The user.example file includes a list of keywords that are supported in user-specific subconfiguration files.

Security Note: If you configure a user-specific list for RequiredAuthentications that differs from the global allowed or required list, a malicious user can compare the authentication negotiations the server performs for different account names. A difference in the list of authentication methods offered reveals that an account is valid on this system and is configured differently from other accounts.

Host subconfiguration files

Use the HostSpecificConfig keyword to configure settings to apply to a subset of client hosts. The syntax for this keyword is:

HostSpecificConfig host_expression subconfig_file

If the host expression matches the client host, the server uses the specified subconfiguration file. An example file is installed to:

/etc/ssh2/subconfig/host.example

The host.example file includes a list of keywords that are supported in host-specific subconfiguration files.

KEYWORDS

AccountManagement

Configures the account management system that sshd uses to validate a user account. Account management services determine if an account is active, and whether or not a password is still valid. The allowed values are `password', `pam', and `none'. The default is `password'.

pam - Use PAM for account management. PAM account management applies to all sessions, regardless of the authentication method (or methods) used. If an account is locked, the connection is refused.

password - Use the password database to validate the account.

none - Use no account validation. Use this only for troubleshooting.

AllowAgentForwarding

Specifies whether agent forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AllowedAuthentications

Specifies which authentication methods the server supports. The client and server agree on one or more authentication methods during the initial connection process, based on both client and server configuration. (Use RequiredAuthentications to require one or more authentication methods. RequiredAuthentications overrides AllowedAuthentications.)

The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'. The default is `gssapi-with-mic, publickey, keyboard-interactive, password'.

AllowGroups

Use this keyword to allow login only for users who are members of a specified group. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

AllowHosts

Use this keyword to allow login only for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not configured, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

AllowTCPForwarding

Use this keyword to allow or deny port forwarding to all client users. The allowed values are `yes' and `no'. The default is `yes'. This keyword controls both local (client to server) and remote (server to client) forwarding. Use ForwardACL for more fine-grained control.

AllowTCPForwardingForGroups

Use this keyword to allow port forwarding only for users who are members of a specified group. Regular expressions are supported.

AllowTCPForwardingForUsers

Use this keyword to allow port forwarding only for specified users. Regular expressions are supported.

AllowUsers

Use this keyword to allow login only for specified users. Regular expressions are supported. For details, see Configuring User Access.

AllowX11Forwarding

Specifies whether X11 forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AuthKbdInt.Required

Specifies which authentication method to use for keyboard-interactive authentication. The specified authentication method must succeed for the user to be successfully authenticated. The allowed values are `pam' and `password'. The default is `password', which handles the user response as a standard login password. When `pam' is specified, PAM modules are used for authentication, password management, and session management.

AuthKbdInt.Retries

Sets the maximum number of attempts allowed for keyboard interactive authentication. The default is 3.

AuthKbdInt.Verbose

Specifies whether the server uses verbose keyboard interactive prompts. The allowed values are `yes' and `no'. The default is `no'.

AuthorizationFile

Specifies the name of the file used for configuring user keys for public key authentication. The file is assumed to be relative to $HOME/.ssh2 (or whatever location is set for UserConfigDirectory) unless you specify an absolute path. For public key authentication to succeed, a key presented by a client user for authentication must be correctly identified in this file. For file syntax, see the FILES section below.

The default file is $HOME/.ssh2/authorization.

AuthPublicKey.MaxSize

Sets the largest public key size allowed for user authentication. The default is 32768, and values larger than this are not allowed. The range of accepted values is 512-32769. Using zero (0) is equivalent to using the default.

AuthPublicKey.MinSize

Sets the smallest public key size allowed for user authentication. The default is 512, and values smaller than this are not allowed. Using zero (0) is equivalent to using the default.

AuthPublicKey.Retries

Specifies the maximum number of attempts the server accepts for public key authentication. Once this number is reached, further attempts to authenticate using a public key are rejected, but the connection is not broken. This allows the client to attempt authentication using the next allowed method. The default is 100.

BannerMessageFile

Identifies a file that contains text for a banner message. The server sends this text to the client before the client authenticates. Note: Some clients do not support banner display. If you configure a banner, you should ensure that your Secure Shell client supports this feature. The default is /etc/ssh2/ssh_banner_message.

ChrootSftpGroups

Specifies groups whose users are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against group names, not GIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. Terminal sessions and OpenSSH scp connections will not work for a client user who matches a specified expression. (Reflection for Secure IT scp connections use the sftp subsystem. OpenSSH scp connections do not use this subsystem.)

ChrootSftpUsers

Specifies users who are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against user names, not UIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. Terminal sessions and OpenSSH scp connections will not work for a client user who matches a specified expression. (Reflection for Secure IT scp connections use the sftp subsystem. OpenSSH scp connections do not use this subsystem.)

Ciphers

Specifies one or more (comma separated) encryption algorithms the server supports. The client and server agree on a cipher during the key exchange portion of the connection process. The client presents a list of supported ciphers in order of preference. The cipher used for a given session is the first item in this list that is also supported by the server. Allowed values are `aes128-cbc', `blowfish-cbc', `arcfour', `arcfour128', `arcfour256', `aes192-cbc', `aes256-cbc', `cast128-cbc', and `3des-cbc'.

You can also set this value to `none'. When `none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.

The following values are provided for convenience: `aes' (which combines `aes128-cbc', `aes192-cbc', and `aes256-cbc'), `blowfish' (equivalent to `blowfish-cbc'), `cast' (equivalent to `cast128-cbc'), `3des' (equivalent to `3des-cbc'), `Any' or `AnyStd' (all available ciphers plus `none'), and `AnyCipher' or `AnyStdCipher' (all available ciphers). The default is anystdcipher.

ClientAliveCountMax

The client alive mechanism enables the server to determine when the client has become inactive. ClientAliveCountMax sets the maximum number of client alive messages the server sends through the encrypted channel to request a response from the client. If this number is reached with no response from the client, the server ends the session and disconnects the client. Specify the message interval using ClientAliveInterval. The default is 3.

Note: These settings affect the SSH connection and messages are sent through the SSH tunnel.

ClientAliveInterval

Sets the interval, in seconds, for sending client alive messages to the client. If the client is unresponsive for this interval, the server sends a message through the encrypted channel to request a response from the client. Use ClientAliveCountMax to specify how many messages the server sends without response before it ends the session and disconnects the client. The default is 0 (disabled).

Compression

Specifies whether compression is enabled. Compression is desirable on modem lines and other slow connections, but will slow down response rates on fast networks. Compression also adds extra randomness to the packet, making it harder for a malicious person to decrypt the packet. The allowed values are `yes' and `no'. The default is `yes'.

DenyGroups

Use this keyword to deny login for specified user groups. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

DenyHosts

Use this keyword to deny login for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not used, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'. You should also set RequireReverseMapping to `yes' to prevent access from hosts whose domain name could not be resolved.

When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

DenyTCPForwardingForGroups

Use this keyword to deny port forwarding for specified user groups. Regular expressions are supported. For details, see Configuring Group Access.

DenyTCPForwardingForUsers

Use this keyword to deny port forwarding for specified users. Regular expressions are supported. For details, see Configuring User Access.

DenyUsers

Use this keyword to deny login for specified users. Regular expressions are supported. For details, see Configuring User Access. If this keyword is not configured, all users are allowed to log in.

ForwardACL

Use this keyword for detailed control over client access to port forwarding. Regular expressions are supported. The syntax is:

ForwardACL allow|deny local|remote user_ex forward_ex [origin_ex]

user_ex is a regular expression that determines which users are allowed or denied access to port forwarding. For details, see Configuring User Access.

forward_ex is a regular expression in the form host%port. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the target host and port. If you are configuring remote forwarding control, the host is the server computer and the port is the port that server is forwarding to the client.

origin_ex is a regular expression that identifies an IP address. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the client machine making the forward request. If you are configuring remote forwarding control, it specifies the computer that is connecting to the forwarded port on the server.

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The allowed values are `yes' and `no'. The default is `no'.

HostKeyFile

Specifies the file name and location of the private key used to authenticate the server. The default is /etc/ssh2/hostkey.

HostSpecificConfig

Specifies a host-specific subconfiguration file. The syntax is:

HostSpecificConfig host_expression subconfig_file

If the host expression matches the client host, the server uses the specified subconfiguration file.

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

IdleTimeout

Specifies how long a connection can remain inactive before the server terminates the connection. To set the time in seconds, append s to the number or give the number alone. You can also specify a time in minutes (m), hours (h), days (d), or weeks (w). Use zero (0) to set no limit. The default is 0.

KeepAlive

Specifies whether the system should send TCP keep alive messages to the other side. The server uses the system-wide value for how often the message is sent. The allowed values are `yes' and `no'. The default is `yes'. Note: ClientAliveCountMax and ClientAliveInterval affect the SSH connection and messages are sent through the SSH tunnel. The KeepAlive setting affects the TCP connection, and is more vulnerable to spoofing because TCP messages are not sent in the secure tunnel.

LibGssKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libgssapi_krb5.so.

LibKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libkrb5.so.

Note: The server requires a library named libkrb5.so (or .sl on HP-UX PARISC). If a library of this name is not present, you need to create a symbolic link named libkrb5.so pointing to the actual library.

ListenAddress

Specifies the IP address of the interface to which the sshd server socket is bound. You can specify an IP address or use `any' (the default). The value `any' is equivalent to 0.0.0.0, and configures the server to listen to any available IP address. You can specify an IP address plus port by using a space or colon between the IP address and port. For example:

ListenAddress=123.45.67.89:1234

LoginGraceTime

Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit. The default is 120.

LogLevel

Sets the verbosity level used for sshd messages logged to syslog. Allowed values are `fatal', `error', `quiet', `info', `verbose', `debug1' (equivalent to `debug'), `debug2', `debug3', and `trace' (equivalent to `debug99'). The default is `error'.

MACs

Specifies which MACs (hashed message authentication codes) the server allows for verifying data integrity. Allowed values are `hmac-sha1', `hmac-sha1-96', `hmac-md5', `hmac-md5-96', and `hmac-ripemd160'. Use `AnyMac' to support all of these. Use `AnyStdMac' to support `hmac-sha1', `hmac-sha1-96', `hmac-md5', and `hmac-md5-96'. Additional options are `none', `any' (equivalent to `AnyMac' plus `none'), and `AnyStd' (equivalent to `AnyStdMac' plus `none'). Multiple MACs can also be specified as a comma-separated list. When `none' is the agreed-on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include `none' are not recommended. The default is `AnyStdMac'.

MaxConnections

Sets the maximum number of client connections allowed. Use zero (0) to set no limit. The default is 50.

PamServiceName

Specifies the name of the PAM (Pluggable Authentication Modules) service used for authentication and sessions. The default is `ssh'.

PasswordGuesses

Sets the maximum number of attempts the user is allowed for password authentication. The default is 3.

PermitEmptyPasswords

Specifies whether the server allows password authentication by users with empty (null) passwords. The allowed values are `yes' and `no'. The default is `yes'.

PermitRootLogin

Specifies whether client users with root privileges can log in. The allowed values are `yes' and `no'. The default is `yes'.

PidFile

Specifies the file that contains the process ID of the sshd daemon. Use a fully qualified path. If the file name contains the string %s, the string will be replaced by the server port number.

Port

Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections.

QuietMode

This keyword is deprecated. Use LogLevel.

RekeyIntervalSeconds

Specifies the interval (in seconds) after which the server initiates a new key exchange. Setting this value too low can make communication between the client and server impossible. To avoid this problem, it is recommended that you avoid specifying an interval of less than 200 seconds. Use 0 (zero) to turn off rekey requests initiated by the server. Using 0 does not prevent the client from requesting a rekey. The default is 3600.

RequiredAuthentications

Use this keyword to require one or more client authentication methods. All specified authentication methods must succeed before a user is considered authenticated. The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'.

Note: RequiredAuthentications overrides AllowedAuthentications.

RequireReverseMapping

Specifies whether DNS lookup must succeed when checking whether connections from client hosts are allowed. To enable this feature you also need to set ResolveClientHostName to `yes'. The allowed values are `yes' and `no'. The default is `no'.

ResolveClientHostname

Specifies whether the server attempts to resolve the client IP address to a domain name. Setting this to `yes' may slow down the connection time, but is required if you configure any keywords to match host names based on domain name, rather than IP address. (See AllowHosts, DenyHosts, UserSpecificConfig, and HostSpecificConfig.) Setting this keyword to `yes' also means that DNS names appear in the log rather than IP addresses. The allowed values are `yes' and `no'. The default is `yes'.

Note: When ResolveClientHostname is `yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.

SessionRestricted

Specifies what session types the server allows. The possible values are `shell' (which allows terminal shell sessions), `exec' (which allows the client to execute commands on the server), and `subsystem' (which is required to support sftp and scp transfers). The default is `shell, exec, subsystem'.

SettableEnvironmentVars

Specifies which environment variables can be set by the ssh client or by the user's $HOME/.ssh2/environment file. This keyword is enabled in the default configuration file and set to the following value:

'LANG,LC_ALL,LC_COLLATE,LC_CTYPE,LC_MONETARY,LC_NUMERIC,LC_TIME,PATH,TERM,TZ'

SftpSysLogFacility

Specifies the facility code used for logging messages from the sftp-server subsystem. This value is empty by default, which means no logging. Valid values are platform-dependent. See syslog(3).

StrictModes

Specifies how the server checks file modes and ownership during public key authentication. When set to `yes', the user's .ssh2 directory must not be writable by group or other (no less protected than mode 744), and the authorization file and key files must be no less protected than mode 644. The directory and files must be owned by root or by the current user. If these conditions aren't met, public key authentication fails. The allowed values are `yes' and `no'. The default is `yes'.
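To see what StrictModes enforces, here is an added Python checker (not part of the server, and not the server's own check) that applies the rules above to a user's configuration directory: the directory must grant no permission bit beyond 744, each listed file no bit beyond 644, and every path must be owned by root or by the user. `self_test` builds two constructed fixtures under a temporary directory, one compliant and one with group-writable entries, so the result can be inspected offline. Assumed names: `check_strict_modes`, `mode_ok`, `self_test`.

```python
import os
import stat
import tempfile

DIR_MAX = 0o744    # StrictModes: the .ssh2 directory must be no less protected than 744
FILE_MAX = 0o644   # StrictModes: authorization file and key files no less protected than 644


def mode_ok(mode, maximum):
    """True if no permission bit is set beyond those the reference mode grants."""
    return (stat.S_IMODE(mode) & ~maximum & 0o7777) == 0


def check_strict_modes(config_dir, files=("authorization",), allowed_uids=(0,)):
    """Return a list of problems; an empty list means the StrictModes checks pass.
    files are names relative to config_dir (absolute paths are used as given)."""
    problems = []

    def check(path, maximum, what):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{what} missing: {path}")
            return
        if not mode_ok(st.st_mode, maximum):
            problems.append(f"{what} {path} mode {stat.S_IMODE(st.st_mode):04o} "
                            f"is less protected than {maximum:04o}")
        if st.st_uid not in allowed_uids:
            problems.append(f"{what} {path} owned by uid {st.st_uid}, "
                            f"expected one of {sorted(allowed_uids)}")

    check(config_dir, DIR_MAX, "config directory")
    for name in files:
        path = name if os.path.isabs(name) else os.path.join(config_dir, name)
        check(path, FILE_MAX, "file")
    return problems


def self_test():
    """Constructed fixtures: a compliant tree (700/600) and a group-writable tree (775/664).
    Returns (problems_for_good_tree, problems_for_bad_tree)."""
    allowed = (0, os.getuid())           # root or the current user, as StrictModes requires
    results = []
    with tempfile.TemporaryDirectory() as root:
        for dir_mode, file_mode in ((0o700, 0o600), (0o775, 0o664)):
            d = os.path.join(root, f"ssh2_{dir_mode:o}")
            os.mkdir(d)
            for name, content in (("authorization", "key mykey.pub\n"),
                                  ("mykey.pub", "constructed placeholder, not a real key\n")):
                with open(os.path.join(d, name), "w") as fh:
                    fh.write(content)
                os.chmod(os.path.join(d, name), file_mode)
            os.chmod(d, dir_mode)
            results.append(check_strict_modes(d, ("authorization", "mykey.pub"), allowed))
    return results[0], results[1]
```

A group-writable directory or file is the classic way public key authentication silently stops working under StrictModes, and the messages this returns name the offending path and mode, which is what an administrator needs when a user reports that their key is "not accepted" with no further detail.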

Subsystem

Specifies a subsystem to export to the client. The argument specifies the command to execute when the client requests the subsystem. The separator character following the keyword can be a dash, an equals sign, or a space.

To support sftp and scp transfers, the sftp-server subsystem must be specified. The default configuration shown below executes the sftp service internally in the child process.

Subsystem-sftp internal://sftp-server

SyslogFacility

Specifies the facility code used for logging messages from the server. The default is `AUTH'. Valid values are platform-dependent. See syslog(3).

UsePAM

This keyword is deprecated. Setting it to `yes' is equivalent to setting AuthKbdInt.Required=pam and AccountManagement=pam.

UsePAMAcctMgt

This keyword is deprecated. Setting it to `yes' is equivalent to setting AccountManagement=pam.

UsePrivilegeSeparation

Specifies whether the server separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, a new process is created that has the privileges of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The allowed values are `yes' and `no'. The default is `yes'.

UserConfigDirectory

Specifies the directory used for user-specific information. This directory contains the authorization file (required for public key authentication) and other user-specific files listed in the FILES section below. The following macros are recognized: %U = user log-in name, %D = user's home directory, %IU = UID for user, %IG = GID for user. The default is `%D/.ssh2'.

UserSpecificConfig

Specifies a user-specific configuration file. The syntax is:

UserSpecificConfig user_expression subconfig_file

If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file.

Note: If you configure the host portion of this expression to match based on host domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

VerboseMode

This keyword is deprecated. Use LogLevel.

X11DisplayOffset

Sets the first display number available for X11 forwarding by the server. The default is 10.

X11UseLocalHost

Specifies whether the server should bind X11 forwarding to the loopback address or to the wildcard address. The allowed values are `yes' and `no'. The default is `yes'.

XAuthPath

Specifies the location of the xauth(1) program. The default (for example /usr/X11R6/bin/xauth) is system-dependent.

FILES

The server uses system-wide files (in /etc/ssh2) for all connections. Files in user-specific directories ($HOME/.ssh2 by default) apply to connections from individual client users.

System-wide server files

/etc/ssh2/sshd2_config

The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.

/etc/ssh2/hostkey

The default private key of the public/private key pair used to identify the server to clients. This file should be readable and writable only by root. Recommended permissions = 600.

/etc/ssh2/hostkey.pub

The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.

/etc/ssh2/subconfig

Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.

/etc/ssh2/subconfig/<subconfig_file>

User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5). Recommended permissions = 600.

/etc/nologin

Limits login to root. If this file exists, only root is allowed to log in. The text of nologin is displayed to anyone else who attempts to log in.

User-specific server files

$HOME/.ssh2

The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.

$HOME/.ssh2/authorization

The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. Recommended permissions = 600.

The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:

key

Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory ($HOME/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.

key mykey.pub

key id_rsa_2048_a.pub

options

Use this optional keyword to specify options that apply to the preceding key. Options must be configured on the line immediately following the line containing the key. The format is:

Options option_keyword="arg"

One option keyword is supported:

command command

The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.

key mykey.pub

options command="sh myscript"
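An added Python parser for the authorization file format just described (this is not the server's own implementation): it accepts case-insensitive `key` and `options` keywords and `#` comment lines, resolves relative key file names against the user configuration directory, and attaches an `options` line to the key on the line immediately before it. Assumptions: an `options` line that does not directly follow a `key` line is treated as an error (the page says it must be on the following line, so blank and comment lines in between are rejected here as well), and any option keyword other than `command` is rejected because the page lists only that one. The sample file is constructed.

```python
import os
import re

# option_keyword="arg", possibly several per line
_OPTION_RE = re.compile(r'(\w+)="([^"]*)"')
SUPPORTED_OPTIONS = {"command"}

# Constructed sample authorization file.
SAMPLE_AUTHORIZATION = """\
# constructed sample, not a real user's file
key mykey.pub
options command="sh myscript"
key id_rsa_2048_a.pub
key /etc/ssh2/shared/deploy.pub
"""


def parse_authorization(text, config_dir="/home/user/.ssh2"):
    """Return a list of {"key": <path>, "options": {...}} entries in file order."""
    entries = []
    last_was_key = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            last_was_key = False               # a comment/blank line breaks key/options adjacency
            continue
        keyword, _, arg = line.partition(" ")
        keyword, arg = keyword.lower(), arg.strip()
        if keyword == "key":
            if not arg:
                raise ValueError(f"line {lineno}: 'key' requires a file name")
            path = arg if os.path.isabs(arg) else os.path.join(config_dir, arg)
            entries.append({"key": path, "options": {}})
            last_was_key = True
        elif keyword == "options":
            if not last_was_key:
                raise ValueError(f"line {lineno}: 'options' must immediately follow a 'key' line")
            opts = dict(_OPTION_RE.findall(arg))
            if not opts or opts.keys() - SUPPORTED_OPTIONS:
                raise ValueError(f"line {lineno}: unsupported or malformed options: {arg!r}")
            entries[-1]["options"] = opts
            last_was_key = False
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return entries


def forced_command(entry):
    """The command the server would run (then close the connection) for this key, or None."""
    return entry["options"].get("command")


def is_valid_authorization(text):
    """True if the text parses under the rules above."""
    try:
        parse_authorization(text)
        return True
    except ValueError:
        return False
```

Pairing a key with `options command=...` is the page's mechanism for limiting what an automation key can do; a reviewer auditing authorization files can run this over each user's file and list the keys that have no forced command attached.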

$HOME/.hushlogin

If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.

$HOME/.ssh2/environment

If this file is present, it sets environment variables at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 600. The pound sign (#) marks comment lines. The syntax is:

environment_variable=value

/etc/motd

The message-of-the-day file. The text of this file is displayed when a user logs in.

<piddir>/sshd2_22.pid

Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.

SEE ALSO

ssh(1), ssh2_config(5), ssh-keygen(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), sshd2_config(5)

Additional Reflection for Secure IT documentation is available online from the Attachmate documentation web page:

http://support.attachmate.com/manuals/

And from the technical note library:

http://support.attachmate.com/techdocs/