NAME

sshd2_config - Server configuration file used by sshd.

SYNOPSIS

/etc/ssh2/sshd2_config - Default server configuration file.

DESCRIPTION

Reflection for Secure IT server configuration files contain configuration settings for the sshd server. The default global configuration file is /etc/ssh2/sshd2_config. You can specify an alternate file using the -f option on the sshd command line. You can also create and use optional subconfiguration files for specific client hosts or users.

A sample configuration file is installed to /etc/ssh2/sshd2_config. This file includes commented lines that show all available settings and their default values. A duplicate copy of this file is installed to /etc/ssh2/sshd2_config.example.

Changes you make to the main server configuration file affect new connections immediately; you do not need to restart the server. Existing connections remain active using their original settings; subsequent connections use the new settings.

Note: Changes to Port, ListenAddress, and FipsMode require a restart.

The server processes settings cumulatively in the following order. If a setting is configured in more than one place, the last value processed overrides any previous value of the same setting.

  1. The global configuration file, or an alternate file specified on the sshd command line using -f.

  2. Any host-specific subconfiguration file(s) that you have created and identified using the HostSpecificConfig keyword.

  3. Any user-specific subconfiguration file(s) that you have created and identified using the UserSpecificConfig keyword.

  4. Command line options used with sshd.

FILE FORMAT

All server configuration files (the default global file, any alternate file specified on the sshd command line, and optional user-specific and host-specific files) consist of keywords followed by values. Any line starting with a pound sign (#) is a comment. Any empty line is ignored.

Keyword syntax

Every keyword requires a value. The value can be separated from the keyword by spaces, or optional spaces and exactly one "=". Enclose the value in quotation marks (single or double) if it includes spaces. For example:

key value

key=value

key="value with spaces"

key=value1, value2

Keywords are not case sensitive.

REGULAR EXPRESSIONS

Regular expressions are evaluated using POSIX-Extended syntax. For details about regular expression rules, see:

http://www.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap09.html

Specific information about configuring expressions for users, groups, and hosts follows.

Configuring User Access

The following keywords configure user access: AllowUsers, DenyUsers, AllowTcpForwardingForUsers, DenyTcpForwardingForUsers, ForwardACL, ChrootSftpUsers, UserSpecificConfig. You can specify user names alone, or use the following syntax to include group and/or host information:

user[%group][@host]

Where user is a regular expression for a user (numerical UIDs are not supported), group is a regular expression for a group (numerical GIDs are not supported), and host is a regular expression for a host (which can be a domain name, IP address, or subnet mask). For example, the following denies access to all members of the interns group at myhost.com:

DenyUsers=.*%interns@myhost.com

Configuring Group Access

The following keywords configure group access: AllowGroups, DenyGroups, AllowTcpForwardingForGroups, DenyTcpForwardingForGroups, ChrootSftpGroups. These keywords support any valid regular expression. Numerical GIDs are not supported. For example:

DenyGroups=interns

Configuring Client Host Access

The following keywords configure settings for client host computers: AllowHosts, DenyHosts, HostSpecificConfig. You can specify hosts using either IP addresses or domain names. The server first tries to match using the IP address of the client. If that fails, it tries to match using a domain name.

Note: When ResolveClientHostname is `yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.

To force matching to a specific IP address, start the host expression using a backslash followed by i (\i). For example:

DenyHosts = \i123.45.78.9

To match a range of IP addresses using a CIDR (Classless Inter-Domain Routing) subnet, start the host expression using a backslash followed by m (\m). For example:

DenyHosts = \m123.123.0.0/16

Note: If you use either \i or \m, regular expressions are not supported within the IP address.
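The following Python script is an added illustration of how the user[%group][@host] syntax and the \i and \m host forms described above are evaluated; it is not code from Reflection for Secure IT. It assumes that an expression must match the whole value (anchored matching) and uses Python's re module in place of POSIX-Extended syntax, which agrees for the patterns shown on this page. The Client record and all sample values are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Client:
    # Facts the server knows about a connection attempt (constructed for this example).
    user: str
    groups: list = field(default_factory=list)
    ip: str = ""
    hostname: str = ""   # empty when ResolveClientHostname is `no' or the lookup failed


def _full(pattern: str, value: str) -> bool:
    # Assumption: an expression must match the whole value. Python's re module stands
    # in for POSIX-Extended syntax; the two agree for the patterns shown on this page.
    return re.fullmatch(pattern, value) is not None


def host_matches(host_ex: str, client: Client) -> bool:
    """Evaluate one host expression against the client.

    \\i<addr>   exact address match, no regular expression
    \\m<cidr>   CIDR subnet match, no regular expression
    <regex>     tried against the IP address first, then against the resolved name
    """
    if host_ex.startswith("\\i"):
        return bool(client.ip) and ipaddress.ip_address(client.ip) == ipaddress.ip_address(host_ex[2:])
    if host_ex.startswith("\\m"):
        net = ipaddress.ip_network(host_ex[2:], strict=False)
        return bool(client.ip) and ipaddress.ip_address(client.ip) in net
    if client.ip and _full(host_ex, client.ip):
        return True
    # Only a resolved name can match a domain-name expression, which is why the
    # page requires ResolveClientHostname when host names are used.
    return bool(client.hostname) and _full(host_ex, client.hostname)


def user_expr_matches(expr: str, client: Client) -> bool:
    """Evaluate a user[%group][@host] expression (AllowUsers, DenyUsers, ...).

    Simplifying assumption: the first '@' separates the host part and the first '%'
    separates the group part, so neither character appears inside the user regex.
    """
    rest, _, host_ex = expr.partition("@")
    user_ex, _, group_ex = rest.partition("%")
    if not _full(user_ex, client.user):
        return False
    if group_ex and not any(_full(group_ex, g) for g in client.groups):
        return False
    if host_ex and not host_matches(host_ex, client):
        return False
    return True


def any_match(expressions, client: Client) -> bool:
    """True if any expression in an access-control list matches the client."""
    return any(user_expr_matches(e, client) for e in expressions)
```

With the page's own example, any_match([".*%interns@myhost.com"], client) is true for a member of interns connecting from a host that resolves to myhost.com and false for the same user in another group, and host_matches(r"\m123.123.0.0/16", client) is true for any address in that /16 without any regular expression being consulted.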

ACCESS CONTROL KEYWORDS

The following keywords are available for controlling access to users, groups, and/or client host computers:

AllowUsers, DenyUsers, AllowGroups, DenyGroups, AllowHosts, DenyHosts, AllowTcpForwardingForUsers, DenyTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwardingForGroups, ForwardACL

You can specify users, groups, or hosts for any of these keywords by using a single instance of the keyword with a comma-separated list of values, or by including multiple instances of the keyword, in which case the final assigned value is cumulative over all instances.

Note: When you use regular expressions that require a comma (for example, [1,2]) in any of the access-control keywords, you must escape the comma with a backslash (for example, [1\,2]).
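The following Python script is an added example, not part of Reflection for Secure IT, that implements the file format rules from FILE FORMAT (keyword/value separation, quoting, comments, case-insensitive keywords), the cumulative handling of the access control keywords listed above, the backslash-escaped comma, and the global / host-specific / user-specific processing order from DESCRIPTION. The configuration text it parses is constructed for the example; the keyword names are those documented on this page.

```python
import re

# Keywords whose values accumulate across repeated instances (ACCESS CONTROL KEYWORDS).
CUMULATIVE = {k.lower() for k in (
    "AllowUsers", "DenyUsers", "AllowGroups", "DenyGroups", "AllowHosts", "DenyHosts",
    "AllowTcpForwardingForUsers", "DenyTcpForwardingForUsers",
    "AllowTcpForwardingForGroups", "DenyTcpForwardingForGroups", "ForwardACL",
)}

_LIST_SPLIT = re.compile(r"(?<!\\),")   # a comma not preceded by a backslash


def split_list(value: str) -> list:
    """Split a comma-separated value, treating `\\,' as a literal comma."""
    return [item.strip().replace("\\,", ",") for item in _LIST_SPLIT.split(value) if item.strip()]


def parse_line(line: str):
    """Return (keyword, value) for one configuration line, or None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # keyword, then spaces and/or exactly one "=", then the value
    m = re.match(r"([^\s=]+)\s*=?\s*(.*)$", line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    keyword, rest = m.group(1).lower(), m.group(2).strip()
    if rest[:1] in ("'", '"'):
        # quoted value (single or double quotes), used when the value contains spaces
        end = rest.find(rest[0], 1)
        if end == -1:
            raise ValueError(f"unterminated quote: {line!r}")
        rest = rest[1:end]
    if not rest:
        raise ValueError(f"keyword {keyword!r} requires a value")
    return keyword, rest


def parse_config(text: str, settings=None) -> dict:
    """Parse configuration text into `settings', applying the override/accumulate rules in order."""
    settings = {} if settings is None else settings
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        keyword, value = parsed
        if keyword in CUMULATIVE:
            settings.setdefault(keyword, []).extend(split_list(value))
        else:
            settings[keyword] = value          # last value processed wins
    return settings


def effective_settings(global_text: str, host_text: str = "", user_text: str = "") -> dict:
    """Process the global file, then the host-specific file, then the user-specific file."""
    settings = {}
    for text in (global_text, host_text, user_text):
        parse_config(text, settings)
    return settings
```

Feeding the parser a global file and a user-specific file shows both rules at once: a second Port line replaces the first, while DenyUsers entries from both files end up in one list, and an entry written as [1\,2] reaches the list intact instead of being split into two expressions.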

SUBCONFIGURATION FILES

You can create and use optional subconfiguration files to configure settings that you want to apply to a subset of users or client hosts. Subconfiguration files are read by the process forked for each new connection. These files are read at runtime; any changes you make affect all subsequent connections.

User subconfiguration files

Use the UserSpecificConfig keyword to configure user-specific subconfiguration files. The syntax for this keyword is:

UserSpecificConfig user_expression subconfig_file

If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file. An example file is installed to:

/etc/ssh2/subconfig/user.example

The user.example file includes a list of keywords that are supported in user-specific subconfiguration files.

Security Note: If you configure a user-specific list for RequiredAuthentications that is different from the global allowed or required list, a malicious user attempting to authenticate can compare the client/server authentication negotiations of various accounts and use differences in the list of allowed authentications to determine that an account is valid on this system and differs from other accounts on the system.

Host subconfiguration files

Use the HostSpecificConfig keyword to configure settings to apply to a subset of client hosts. The syntax for this keyword is:

HostSpecificConfig host_expression subconfig_file

If the host expression matches the client host, the server uses the specified subconfiguration file. An example file is installed to:

/etc/ssh2/subconfig/host.example

The host.example file includes a list of keywords that are supported in host-specific subconfiguration files.

KEYWORDS

AccountManagement

Configures the account management system that sshd uses to validate a user account. Account management services determine if an account is active, and whether or not a password is still valid. The allowed values are `password', `pam', and `none'. The default is `pam'.

pam - Use PAM for account management. PAM account management applies to all sessions, regardless of the authentication method (or methods) used. If an account is locked, the connection is refused.

password - Use the password database to validate the account.

none - Use no account validation. Use this only for troubleshooting.

AddressFamily

This setting is used by the server when it creates a listening, session, or forwarding TCP socket. The allowed values are `any' (allow the system to decide which address family to use), `inet' (accept only IPv4), and `inet6' (accept only IPv6). The default is `inet'. Note: The current value of ListenAddress may also affect whether or not the server accepts connections using IPv4 or IPv6 addresses.

AllowAgentForwarding

Specifies whether agent forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AllowedAuthentications

Specifies which authentication methods the server supports. The client and server agree on one or more authentication methods during the initial connection process, based on both client and server configuration. (Use RequiredAuthentications to require one or more authentication methods. RequiredAuthentications overrides AllowedAuthentications.)

The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'. The default is `gssapi-with-mic, publickey, keyboard-interactive, password'.

AllowedPasswordAuthentications

This keyword is no longer supported. If you used it in previous versions, you need to manually migrate your setting. Refer to the following keywords: AllowedAuthentications, RequiredAuthentications, and AuthKbdInt.Required.

AllowGroups

Use this keyword to allow login only for users who are members of a specified group. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

AllowHosts

Use this keyword to allow login only for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not configured, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

AllowSftpCommands

Controls what kinds of operations users can perform using sftp and scp. This keyword supports a comma-separated list of one or more of the following: `all', `none', `browse', `download', `upload', `delete', `rename'. The upload option enables users to modify files, create files, create directories, or modify file attributes on the server. The download option enables users to read file contents. The default is `all'.

AllowTCPForwarding

Use this keyword to allow or deny port forwarding to all client users. The allowed values are `yes' and `no'. The default is `yes'. This keyword controls both local (client to server) and remote (server to client) forwarding. Use ForwardACL for more fine-grained control.

AllowTCPForwardingForGroups

Use this keyword to allow port forwarding only for users who are members of a specified group. Regular expressions are supported.

AllowTCPForwardingForUsers

Use this keyword to allow port forwarding only for specified users. Regular expressions are supported.

AllowUsers

Use this keyword to allow login only for specified users. Regular expressions are supported. For details, see Configuring User Access.

AllowX11Forwarding

Specifies whether X11 forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AuthFailureErrorMessages

When set to `no', no information about authentication failures is sent to the client. This complies with SSH convention. When set to `yes', the client receives information about the reason for the failure. Warning: This increases your security risk by providing this information to potential attackers. The allowed values are `yes' and `no'. The default is `no'.

AuthImmediateDisconnect

When set to `no', the server responds identically to all failed authentication attempts. This complies with SSH convention. When set to `yes', blocked accounts disconnect immediately. Warning: This increases your security risk by providing clients with information about valid account names. The allowed values are `yes' and `no'. The default is `no'.

AuthKbdInt.Required

Specifies which authentication method to use for keyboard-interactive authentication. The specified authentication method must succeed for the user to be successfully authenticated. The allowed values are `pam', `password', and `radius'. The default is `password', which handles the user response as a standard login password. When `pam' is specified, PAM modules are used for authentication and password management. When `radius' is specified, one or more RADIUS authentication servers are used for authentication.

AuthKbdInt.Retries

Sets the maximum number of attempts allowed for keyboard interactive authentication. The default is 3.

AuthKbdInt.Verbose

Specifies whether the server uses verbose keyboard interactive prompts. The allowed values are `yes' and `no'. The default is `no'.

AuthorizationFile

Specifies the name of the file used for configuring user keys for public key authentication. The file is assumed to be relative to $HOME/.ssh2 (or whatever location is set for UserConfigDirectory) unless you specify an absolute path. For public key authentication to succeed, a key presented by a client user for authentication must be correctly identified in this file. For file syntax, see the FILES section.

The default file is $HOME/.ssh2/authorization.

AuthPublicKey.MaxSize

Sets the largest public key size allowed for user authentication. The default is 32768, and values larger than this are not allowed. The range of accepted values is 512-32769. Using zero (0) is equivalent to using the default.

AuthPublicKey.MinSize

Sets the smallest public key size allowed for user authentication. The default is 512, and values smaller than this are not allowed. Using zero (0) is equivalent to using the default.

AuthPublicKey.Retries

Specifies the maximum number of attempts the server accepts for public key authentication. Once this number is reached, further attempts to authenticate using a public key are rejected, but the connection is not broken. This allows the client to attempt authentication using the next allowed method. The default is 100.

BannerMessageFile

Identifies a file that contains text for a banner message. The server sends this text to the client before the client authenticates. Note: Some clients do not support banner display. If you configure a banner, you should ensure that your Secure Shell client supports this feature. The default is /etc/ssh2/ssh_banner_message.

ChrootSftpGroups

Specifies groups whose users are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against group names, not GIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. Terminal sessions and OpenSSH scp connections will not work for a client user who matches a specified expression. (Reflection for Secure IT scp connections use the sftp subsystem. OpenSSH scp connections do not use this subsystem.)

ChrootSftpUsers

Specifies users who are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against user names, not UIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. Terminal sessions and OpenSSH scp connections will not work for a client user who matches a specified expression. (Reflection for Secure IT scp connections use the sftp subsystem. OpenSSH scp connections do not use this subsystem.)

Ciphers

Specifies one or more (comma separated) encryption algorithms the server supports. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. Allowed values are `aes128-ctr', `aes128-cbc', `aes192-ctr', `aes192-cbc', `aes256-ctr', `aes256-cbc', `blowfish-cbc', `arcfour', `arcfour128', `arcfour256', `cast128-cbc', and `3des-cbc'.

You can also set this value to `none'. When `none' is the agreed-on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.

The following values are provided for convenience: `aes' (all supported aes ciphers), `blowfish' (equivalent to `blowfish-cbc'), `cast' (equivalent to `cast128-cbc'), `3des' (equivalent to `3des-cbc'), `Any' or `AnyStd' (all available ciphers plus `none'), and `AnyCipher' or `AnyStdCipher' (all available ciphers). The default is AnyStdCipher.

ClientAliveCountMax

The client alive mechanism enables the server to determine when the client has become inactive. ClientAliveCountMax sets the maximum number of client alive messages the server sends through the encrypted channel to request a response from the client. If this number is reached with no response from the client, the server ends the session and disconnects the client. Specify the message interval using ClientAliveInterval. The default is 3.

Note: These settings affect the SSH connection and messages are sent through the SSH tunnel.

ClientAliveInterval

Sets the interval, in seconds, for sending client alive messages to the client. If the client is unresponsive for this interval, the server sends a message through the encrypted channel to request a response from the client. Use ClientAliveCountMax to specify how many messages the server sends without response before it ends the session and disconnects the client. The default is 0 (disabled).

Compat.RSA.HashScheme

Specifies whether the MD5 hash algorithm is supported for verifying the digital signature for RSA keys used in public key or X.509 certificate authentication. The allowed values are `yes' and `no'. When this keyword is set to `no' (the default), only signatures with SHA-1 hashes are accepted. When it is set to `yes' signatures with either SHA-1 or MD5 hashes are accepted.

Compression

Specifies whether compression is enabled. Compression is desirable on modem lines and other slow connections, but will slow down response rates on fast networks. Compression also adds extra randomness to the packet, making it harder for a malicious person to decrypt the packet. The allowed values are `yes' and `no'. The default is `yes'.

DenyGroups

Use this keyword to deny login for specified user groups. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

DenyHosts

Use this keyword to deny login for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not used, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'. You should also set RequireReverseMapping to `yes' to prevent access from hosts whose domain name could not be resolved.

When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

DenyTCPForwardingForGroups

Use this keyword to deny port forwarding for specified user groups. Regular expressions are supported. For details, see Configuring Group Access.

DenyTCPForwardingForUsers

Use this keyword to deny port forwarding for specified users. Regular expressions are supported. For details, see Configuring User Access.

DenyUsers

Use this keyword to deny login for specified users. Regular expressions are supported. For details, see Configuring User Access. If this keyword is not configured, all users are allowed to log in.

FipsMode

Specifies whether all connections will be made using security protocols and algorithms that meet FIPS 140-2 standards. The allowed values are `yes' and `no'. The default is `no'.

ForwardACL

Use this keyword for detailed control over client access to port forwarding. Regular expressions are supported. The syntax is:

ForwardACL allow|deny local|remote user_ex forward_ex [origin_ex]

user_ex is a regular expression that determines which users are allowed or denied access to port forwarding. For details, see Configuring User Access.

forward_ex is a regular expression in the form host%port. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the target host and port. If you are configuring remote forwarding control, the host is the server computer and the port is the port that server is forwarding to the client.

origin_ex is a regular expression that identifies an IP address. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the client machine making the forward request. If you are configuring remote forwarding control, it specifies the computer that is connecting to the forwarded port on the server.
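The following Python script is an added example of parsing ForwardACL lines and evaluating them against a forwarding request; it is not code from Reflection for Secure IT. Two points are assumptions made for the example rather than statements of this page: rules are checked in the order written and the first matching rule decides, with the AllowTcpForwarding value applying when no rule matches; and user_ex is matched as a plain anchored regular expression on the user name, without the %group and @host forms. forward_ex is matched against the string host%port and origin_ex against the origin IP address, as described above. All rules and requests are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ForwardRequest:
    direction: str   # "local" or "remote"
    user: str
    host: str        # local: the target host; remote: the server computer
    port: int        # local: the target port; remote: the port the server forwards to the client
    origin: str      # local: IP of the client making the request; remote: IP of the peer connecting to the port


@dataclass
class ForwardRule:
    action: str      # "allow" or "deny"
    direction: str   # "local" or "remote"
    user_ex: str
    forward_ex: str  # regular expression in the form host%port
    origin_ex: str = ".*"   # optional; default constructed for this example matches any origin

    @classmethod
    def parse(cls, line: str) -> "ForwardRule":
        """Parse `ForwardACL allow|deny local|remote user_ex forward_ex [origin_ex]'."""
        parts = line.split()
        if parts and parts[0].lower() == "forwardacl":
            parts = parts[1:]
        if len(parts) not in (4, 5):
            raise ValueError(f"ForwardACL needs 4 or 5 fields: {line!r}")
        action, direction = parts[0].lower(), parts[1].lower()
        if action not in ("allow", "deny") or direction not in ("local", "remote"):
            raise ValueError(f"bad action or direction in {line!r}")
        return cls(action, direction, *parts[2:])

    def matches(self, req: ForwardRequest) -> bool:
        def full(pattern, value):
            # Assumption: expressions must match the whole value.
            return re.fullmatch(pattern, value) is not None

        return (self.direction == req.direction
                and full(self.user_ex, req.user)
                and full(self.forward_ex, f"{req.host}%{req.port}")
                and full(self.origin_ex, req.origin))


def forwarding_decision(rules, req: ForwardRequest, allow_tcp_forwarding: bool = True) -> str:
    """Assumption for this example: first matching rule wins; with no match the
    global AllowTcpForwarding setting applies."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return "allow" if allow_tcp_forwarding else "deny"
```

A deny-by-default policy is then three lines: one allow rule naming the users, hosts and ports that are permitted, followed by a deny rule for everything else in each direction. The test below checks that a user outside the allowed set, or a port outside the allowed list, is refused even though AllowTcpForwarding is still `yes'.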

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The allowed values are `yes' and `no'. The default is `no'.

HostCertificateFile

Specifies an X.509 certificate to be used for server authentication. Specify the associated private key using HostKeyFile.

HostKeyFile

Specifies the filename and location of the private key used to authenticate the server. The default is /etc/ssh2/hostkey.

HostSpecificConfig

Specifies a host-specific subconfiguration file. The syntax is:

HostSpecificConfig host_expression subconfig_file

If the host expression matches the client host, the server uses the specified subconfiguration file.

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

IdleTimeout

Specifies how long a connection can remain inactive before the server terminates the connection. To set the time in seconds use an s or nothing after the number. You can also specify a time in minutes (m), hours (h), days (d), or weeks (w). Use zero (0) to set no limit. The default is 0.

IgnoreRlogin

Specifies whether the `rlogin' attribute in /etc/security/user should be ignored or applied. The allowed values are `yes' and `no'. The default is `no'. This keyword applies only to AIX systems.

KeepAlive

Specifies whether the system should send TCP keep alive messages to the other side. The server uses the system-wide value for how often the message is sent. The allowed values are `yes' and `no'. The default is `yes'. Note: ClientAliveCountMax and ClientAliveInterval affect the SSH connection and messages are sent through the SSH tunnel. The KeepAlive setting affects the TCP connection, and is more vulnerable to spoofing because TCP messages are not sent in the secure tunnel.

KEXs

Specifies which key exchange algorithms the server supports. Supported values are `diffie-hellman-group1-sha1' and `diffie-hellman-group14-sha1'. Multiple algorithms can be specified as a comma-separated list. The default value is `diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'.

LibGssKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libgssapi_krb5.so.

LibKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libkrb5.so.

Note: The server requires a library named libkrb5.so (or .sl on HP-UX PARISC). If a library of this name is not present, you need to create a symbolic link named libkrb5.so pointing to the actual library.

LibWrap

This keyword provides dynamic support for TCP Wrappers. To enable TCP Wrapper support, specify the fully qualified path to the libwrap shared library (for example, LibWrap=/usr/lib/libwrap.so). The libwrap file must be a shared library and not a static one. By default, this keyword is empty and the TCP Wrappers feature is disabled.

Note: Before using this keyword, you should confirm that the specified file is a valid libwrap library. This is important to ensure that only allowed users can connect. If the specified file doesn't exist, the sshd server won't start. However, if the file exists, sshd starts, but does not confirm that the file is a valid library. For each connection, the sshd process tries to load the specified file, and, if the file is not a valid library, the server logs an error message and allows the user to connect.

ListenAddress

Specifies the address of the interface to which the sshd server socket is bound. You can specify one or more comma-separated values using either IPv4 or IPv6 format, or use `any' (the default). The value `any' configures the server to listen to any available IPv4 or IPv6 address (equivalent to `[::],0.0.0.0'). If you specify only IPv4 addresses, the client must connect using an IPv4 address. If you specify only IPv6 format, most operating systems will still allow IPv4 clients to connect; this is controlled by the operating system, not the Secure Shell server. You can optionally include a port in the address by adding a colon or space followed by the port number. This port value overrides the Port keyword setting. If you are specifying an IPv6 address, you need to surround the address with square brackets. For example:

IPv4 syntax: ListenAddress=209.85.171.99:6666

IPv6 syntax: ListenAddress=[::D155:AB63]:6666

ListenAddress interacts with the AddressFamily setting. When AddressFamily=inet, the ListenAddress value `any' is equivalent to `0.0.0.0'. When AddressFamily=inet6, the ListenAddress value `any' is equivalent to `[::]'. If AddressFamily is set to either `inet' or `inet6' and ListenAddress specifies an address of a different family, sshd will fail to start because of a configuration file error. If you specify a host name for ListenAddress rather than an IP address, the AddressFamily restrictions require that the host name be associated with an address of the appropriate family; and the server will bind to that address.
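The following Python script is an added example, not code from Reflection for Secure IT, that parses ListenAddress values in the IPv4 and bracketed IPv6 forms shown above (with the optional colon- or space-separated port overriding the Port keyword) and expands them under each AddressFamily value, rejecting an address of the wrong family the way sshd rejects it at start-up. It handles IP literals only; host names, which the page also allows, are left out by assumption. All sample values are constructed.

```python
import ipaddress
import re


def parse_listen_address(entry: str, port: int = 22):
    """Parse one ListenAddress entry into (address, port).

    IPv4: 209.85.171.99:6666 or 209.85.171.99 6666; IPv6 must be bracketed: [::1]:6666.
    A port in the entry overrides the Port keyword value passed in as `port'.
    Assumption for this example: IP literals only, not host names.
    """
    entry = entry.strip()
    if entry.lower() == "any":
        return ("any", port)
    if entry.startswith("["):
        end = entry.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 bracket in {entry!r}")
        addr, rest = entry[1:end], entry[end + 1:]
    else:
        if entry.count(":") > 1:
            raise ValueError(f"IPv6 address must be enclosed in square brackets: {entry!r}")
        parts = re.split(r"[:\s]+", entry, maxsplit=1)
        addr, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    rest = rest.lstrip(": ")
    if rest:
        if not rest.isdigit() or not 1 <= int(rest) <= 65535:
            raise ValueError(f"bad port in {entry!r}")
        port = int(rest)
    return (str(ipaddress.ip_address(addr)), port)


def bind_addresses(listen_address: str, address_family: str = "any", port: int = 22):
    """Expand a ListenAddress value under an AddressFamily setting into the sockets
    sshd would bind: `any' becomes [::] and/or 0.0.0.0, and an address of the
    wrong family is a configuration file error (sshd would refuse to start)."""
    family = address_family.lower()
    if family not in ("any", "inet", "inet6"):
        raise ValueError(f"bad AddressFamily {address_family!r}")
    sockets = []
    for entry in listen_address.split(","):
        addr, p = parse_listen_address(entry, port)
        if addr == "any":
            if family in ("any", "inet6"):
                sockets.append(("::", p))
            if family in ("any", "inet"):
                sockets.append(("0.0.0.0", p))
            continue
        version = ipaddress.ip_address(addr).version
        if (family == "inet" and version != 4) or (family == "inet6" and version != 6):
            raise ValueError(f"configuration file error: {addr} does not match AddressFamily={address_family}")
        sockets.append((addr, p))
    return sockets
```

Running bind_addresses on a candidate value before editing the live file catches the one mismatch the page says is fatal (an IPv6 literal with AddressFamily=inet, or the reverse) without restarting the server, which is worth doing because ListenAddress and Port changes only take effect on restart.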

LogCertificateSubject

Specifies whether the Serial Number and Subject of certificates used for authentication are logged to the system log. Messages are logged for both successful and failed attempts. The allowed values are `yes' and `no'. The default is `yes'.

LoginGraceTime

Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit. The default is 120.

LogLevel

Sets the verbosity level used for sshd messages logged to syslog. Allowed values are `fatal', `error', `quiet', `info', `verbose', `debug1' (`debug' and 1 are equivalent), `debug2' (2 is equivalent), `debug3' (3 is equivalent), and `trace' (`debug99' and 99 are equivalent). The syslog level associated with these values is CRIT for fatal, ERROR for error and quiet, INFO for info and verbose, and DEBUG for debug1, debug2, debug3, and trace. The default is `error'.

LogPublicKeyFingerPrint

Specifies whether public key fingerprints used for authentication are logged to the system log. Messages are logged for both successful and failed attempts. The allowed values are `yes' and `no'. The default is `yes'.

MACs

Specifies which MACs (hashed message authentication codes) the server allows for verifying data integrity. Allowed values are `hmac-sha1', `hmac-sha1-96', `hmac-md5', `hmac-md5-96', `hmac-ripemd160', `hmac-sha256', and `hmac-sha512'. Use `AnyMac' to support all of these. Use `AnyStdMac' to support `hmac-sha1', `hmac-sha1-96', `hmac-md5', and `hmac-md5-96'. Additional options are `none', `any' (equivalent to AnyMac plus `none'), and `AnyStd' (equivalent to `AnyStdMac' plus `none'). Multiple MACs can also be specified as a comma-separated list. When `none' is the agreed-on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include `none' are not recommended. The default is `AnyStdMac'.

MaxConnections

Sets the maximum number of client connections allowed. Use zero (0) to set no limit. The default is 50.

MaxStartups

Specifies the maximum number of concurrent unauthenticated connection attempts allowed. After this limit is reached additional connections are dropped until authentication succeeds or the LoginGraceTime limit is reached for a connection attempt. The default is 10.

PamServiceName

Specifies the name of the PAM (Pluggable Authentication Modules) service used for authentication and sessions. The default is `ssh'.

PasswordGuesses

Sets the maximum number of attempts the user is allowed for password authentication. The default is 3.

PermitEmptyPasswords

Specifies whether the server allows password authentication by users with empty (null) passwords. The allowed values are `yes' and `no'. The default is `yes'.

PermitRootLogin

Specifies whether client users with root privileges can log in. The allowed values are `yes', `no', and `without-password'. If you specify `without-password', a user can log in with root privileges only if `public key' or `GSSAPI' authentication methods are used to authenticate the user. The default is `yes', which allows root login for all authentication methods.

PidFile

Specifies the file that contains the process ID of the sshd daemon. Use a fully qualified path. If the file name contains the string %s, the string will be replaced by the server port number.

PkidAddress

Specifies the port used to connect to PKI Services Manager. The default is localhost:18081.

PkidPublicKey

Specifies the name and location of the public key used to confirm the identity of Reflection PKI Services Manager. The default is /opt/attachmate/pkid/config/pki_key.pub.

Port

Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections.

PrintMotd

Specifies whether the server prints the message-of-the-day text from the file /etc/motd when a user logs into a terminal session. (This setting does not override the display of /etc/issue.) The allowed values are `yes' and `no'. The default is `yes'.

ProtocolVersionString

Specifies the software version portion of the string that the server sends to clients during the initial connection protocol. (The first part of the string is always "SSH-2.0-", which indicates the SSH version supported by the server. This is required by the protocol RFC and cannot be edited.) Use double quotation marks if the string includes spaces. When ProtocolVersionString is an empty string (the default), the software version portion of the string is generated automatically, and includes the server's version and build number. This number will be updated automatically when you upgrade your server software.

Note: Many clients use the protocol string to identify the server type and enable compatible features. Changing the default value may cause public key authentication to fail, and may also affect the functionality of other features that vary between servers.

QuietMode

This keyword is deprecated. Use LogLevel.

RadiusFile

Specifies the name of the file used for configuring RADIUS authentication. The file is assumed to be relative to /etc/ssh2 unless you specify an absolute path. For file syntax, see /etc/ssh2/radius_config in the FILES section. There is no default; this keyword can have no value.

RekeyIntervalSeconds

Specifies the interval (in seconds) after which the server initiates a new key exchange. Setting this value too low can make communication between the client and server impossible. To avoid this problem, it is recommended that you avoid specifying an interval of less than 200 seconds. Use 0 (zero) to turn off rekey requests initiated by the server. Using 0 does not prevent the client from requesting a rekey. The default is 3600.

RequiredAuthentications

Use this keyword to require one or more client authentication methods. All specified authentication methods must succeed before a user is considered authenticated. The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'.

Note: RequiredAuthentications overrides AllowedAuthentications.

RequireReverseMapping

Specifies whether DNS lookup must succeed when checking whether connections from client hosts are allowed. To enable this feature you also need to set ResolveClientHostName to `yes'. The allowed values are `yes' and `no'. The default is `no'.

ResolveClientHostname

Specifies whether the server attempts to resolve the client IP address to a domain name. Setting this to `yes' may slow down the connection time, but is required if you configure any keywords to match host names based on domain name, rather than IP address. (See AllowHosts, DenyHosts, UserSpecificConfig, and HostSpecificConfig.) Setting this keyword to `yes' also means that DNS names appear in the log rather than IP addresses. The allowed values are `yes' and `no'. The default is `yes'.

Note: When ResolveClientHostname is `yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.

SessionRestricted

Specifies what session types the server allows. The possible values are `shell' (which allows terminal shell sessions), `exec' (which allows the client to execute commands on the server), and `subsystem' (which is required to support sftp and scp transfers). The default is `shell, exec, subsystem'.

SettableEnvironmentVars

Specifies which environment variables can be configured for client sessions. This value limits the scope of the SetRemoteEnv keyword on the client, and also of the user-specific environment file ($HOME/.ssh2/environment) and the global environment file (/etc/ssh2/environment) on the server. This keyword is enabled in the default configuration file and set to the following value: 'LANG,LC_ALL,LC_COLLATE,LC_CTYPE,LC_MONETARY,LC_NUMERIC,LC_TIME,PATH,TERM,TZ,UMASK'

SftpLogCategory

Determines which categories of sftp server messages are sent to the facility specified by SftpSysLogFacility. Use a comma-separated list. The default is `loginlogout,directorylistings,downloads,modifications,uploads', which configures logging of all categories. You can specify any of those options, plus `all', or `none'.

SftpSysLogFacility

Specifies the facility code used for logging messages from the sftp-server subsystem. This value is empty by default, which means no logging. Valid values are platform-dependent. See syslog(3). Setting this to "auth" puts the log messages in the same facility as the default for sshd.

StrictModes

Specifies the directory permissions required for public key authentication. The allowed values are `yes' and `no'. The default is `yes'. When set to `yes', the user's directory ($HOME/.ssh2) and all parent directories must be writable and executable only by the user (mode 744 is accepted). Recommended permissions for the user directory = 700. If these conditions aren't met, public key authentication fails.

Note: Additional file permission requirements are enforced for each user's authorization file ($HOME/.ssh2/authorization) regardless of the current StrictModes setting. This file must be configured to prevent group and public write access (600 is recommended, 644 is accepted). If the authorization file is not sufficiently restricted, public key authentication will always fail.
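The following script, added here as an illustration and not part of Reflection for Secure IT, checks one user's key directory the way the StrictModes and authorization file rules above describe: the user directory and every parent must not be writable or executable by group or other (700 recommended, 744 accepted), and the authorization file must not be group- or world-writable (600 recommended, 644 accepted). The `stop_at` parameter is an assumption added so the walk can be bounded for testing; the real server walks all the way to the filesystem root.

```python
import os
import stat
from typing import List, Optional

# Bit masks derived from the StrictModes and authorization file rules.
# Directories: writable/executable only by the owner (700 recommended, 744 accepted).
DIR_FORBIDDEN = stat.S_IWGRP | stat.S_IXGRP | stat.S_IWOTH | stat.S_IXOTH
# Authorization file: no group or public write (600 recommended, 644 accepted).
AUTH_FORBIDDEN = stat.S_IWGRP | stat.S_IWOTH


def dir_mode_ok(mode: int) -> bool:
    """Return True if a directory's permission bits satisfy StrictModes."""
    return (stat.S_IMODE(mode) & DIR_FORBIDDEN) == 0


def auth_file_mode_ok(mode: int) -> bool:
    """Return True if the authorization file is not group- or world-writable."""
    return (stat.S_IMODE(mode) & AUTH_FORBIDDEN) == 0


def parent_chain(path: str, stop_at: Optional[str] = None) -> List[str]:
    """Return `path` and each of its parents up to the filesystem root,
    or up to and including `stop_at` (an assumed helper parameter for testing)."""
    path = os.path.abspath(path)
    stop = os.path.abspath(stop_at) if stop_at else None
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if path == stop or parent == path:
            return chain
        path = parent


def check_user_key_setup(user_dir: str, stop_at: Optional[str] = None,
                         auth_file: str = "authorization") -> List[str]:
    """Report StrictModes and authorization file problems for one user.

    `user_dir` is the directory UserConfigDirectory resolves to ($HOME/.ssh2 by default).
    Returns a list of findings; an empty list means the checks described above pass.
    """
    findings: List[str] = []
    for d in parent_chain(user_dir, stop_at):
        try:
            st = os.stat(d)
        except OSError as exc:
            findings.append(f"{d}: cannot stat ({exc.strerror})")
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{d}: not a directory")
        elif not dir_mode_ok(st.st_mode):
            findings.append(f"{d}: mode {stat.S_IMODE(st.st_mode):04o} is writable or "
                            f"executable by group/other (need 700 or 744)")
    auth_path = os.path.join(user_dir, auth_file)
    try:
        st = os.stat(auth_path)
    except OSError:
        findings.append(f"{auth_path}: missing (required for public key authentication)")
        return findings
    if not auth_file_mode_ok(st.st_mode):
        findings.append(f"{auth_path}: mode {stat.S_IMODE(st.st_mode):04o} allows "
                        f"group/other write (need 600 or 644)")
    return findings


if __name__ == "__main__":
    # Check the invoking user's default directory; prints "ok" when nothing is wrong.
    user_dir = os.path.join(os.path.expanduser("~"), ".ssh2")
    for line in check_user_key_setup(user_dir) or ["ok"]:
        print(line)
```

Run it as the user whose keys are failing; the first finding usually points at a home directory or a parent that was made group-writable, which the server rejects silently apart from the failed authentication.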

Subsystem

Specifies a subsystem to export to the client. The argument specifies the command to execute when the client requests the subsystem. The separator character following the keyword can be a dash, an equals sign, or a space.

To support sftp and scp transfers, the sftp-server subsystem must be specified. The default configuration shown below executes the sftp service internally in the child process.

Subsystem-sftp internal://sftp-server

SyslogFacility

Specifies the facility code used for logging messages from the server. The default is `AUTH'. Valid values are platform-dependent. See syslog(3).

TrustAnchor

This keyword is optional and is relevant only if you use certificates for user authentication. By default, Reflection PKI Services Manager validates certificates presented for authentication using all of the trust anchors you have configured. Use this keyword to limit which of the Reflection PKI Services Manager trust anchors can be used for certificate validation. You can specify either the Subject DN (Distinguished Name) of a certificate available in the PKI Services Manager store, or the file name of a certificate. Note that the specified trust anchors must also be configured for Reflection PKI Services Manager (using the PKI Services Manager TrustAnchor keyword).

UseLogin

Specifies whether login(1) is used for interactive login sessions. The allowed values are `yes' and `no'. The default is `no'.

Notes:

login(1) is never used for remote command execution.

Enabling this setting disables X11Forwarding because login(1) does not know how to handle xauth(1) cookies.

Using login(1) disables privilege separation. By default, sshd creates a new process that has the privilege of the authenticated user after a successful authentication. This is done to prevent privilege escalation by containing any corruption within the unprivileged processes. Enabling UseLogin disables this functionality.

UsePAM

This setting provides an alternate way to configure the server to use PAM. The allowed values are `yes' and `no'. If UsePAM is not configured, the server uses the current values of AuthKbdInt.Required, AccountManagement, and UsePamSessions. Setting this keyword to `yes' is equivalent to setting AuthKbdInt.Required=pam, AccountManagement=pam, and UsePamSessions=yes. Setting this keyword to `no' is equivalent to setting AuthKbdInt.Required=password, AccountManagement=password, and UsePamSessions=no.

UsePAMAcctMgmt

This keyword is deprecated. Setting it to `yes' is equivalent to setting AccountManagement=pam.

UsePamSessions

Specifies whether or not PAM is used for session management. The allowed values are `yes' and `no'. The default is `no'.

UserConfigDirectory

Specifies the directory used for user-specific information. This directory contains the authentication file (required for key authentication) and other user-specific files listed in the FILES section. The following macros are recognized: %U = user log-in name, %D = user's home directory, %IU = UID for user, %IG = GID for user. The default is `%D/.ssh2'.

UserSpecificConfig

Specifies a user-specific configuration file. The syntax is:

UserSpecificConfig user_expression subconfig_file

If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file.

Note: If you configure the host portion of this expression to match based on host domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

VerboseMode

This keyword is deprecated. Use LogLevel.

X11DisplayOffset

Sets the first display number available for X11 forwarding by the server. The default is 10.

X11UseLocalHost

Specifies whether the server should bind X11 forwarding to the loopback address or to the wildcard address. The allowed values are `yes' and `no'. The default is `yes'.

XAuthPath

Specifies the location of the xauth(1) program. The default (for example /usr/X11R6/bin/xauth) is system-dependent.

FILES

The server uses system-wide files (in /etc/ssh2) for all connections. Files in user-specific directories ($HOME/.ssh2 by default) apply to connections from individual client users.

System-wide server files

/etc/ssh2/sshd2_config

The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.

/etc/ssh2/hostkey

The default private key of the public/private key pair used to identify the server to clients. This file must be readable and writable only by root (user-only read and write access). If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.

/etc/ssh2/hostkey.pub

The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.

/etc/ssh2/subconfig

Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.

/etc/ssh2/subconfig/<subconfig_file>

User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5).

/etc/ssh2/environment

If this file is present, it sets environment variable settings to use for all Secure Shell client connections to this server. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment. Settings configured in a user-specific environment file ($HOME/.ssh2/environment) override settings configured in this global file. The pound sign (#) marks comment lines. The syntax is:

environment_variable=value

/etc/nologin

Limits login to root. If this file exists, only root is allowed to log in. The text of nologin is displayed to anyone else who attempts to log in.

<piddir>/sshd2_22.pid

Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.

/etc/motd

The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display.

/etc/ssh2/radius_config

A user-created file listing one or more RADIUS authentication servers. The file name suggested above is not required. After you create this file, use the RadiusFile keyword to specify your file name. For each RADIUS server, you need to enter the name, port, and shared secret. Recommended permissions = 600. The syntax is:

server1:port1:shared_secret1

server2:port2:shared_secret2

User-specific server files

$HOME/.ssh2

The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.

$HOME/.ssh2/authorization

The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. This file must be limited to user-only write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.

The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:

key

Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory ($HOME/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.

key mykey.pub

key id_rsa_2048_a.pub

options

Use this optional keyword to specify options that apply to the preceding key. All options for a given key must be configured on a single line. White space is allowed. Options must be configured on the line immediately following the line containing the key. The format is:

Options option_keyword="arg", [option_keyword="arg"],...

Three Options keywords are supported: command, allow-from, and deny-from.

command command

The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.

key mykey.pub

options command="sh myscript"

allow-from IP-address

The key is allowed only for connections from the specified IP address.

deny-from IP-address

The key is not allowed for connections from the specified IP address.
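The parser below is an added example of the authorization file format just described; it is not code from Reflection for Secure IT. It reads `key` and `options` lines (keywords case-insensitive, `#` comments), enforces that an options line directly follows its key line, resolves relative key names against the user configuration directory, and evaluates `command`, `allow-from` and `deny-from` for a given client address. The sample file is constructed, the `decide` function assumes the server has already matched the presented key to a file by content, and the precedence it applies (deny-from checked before allow-from) is an assumption the page does not state.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample authorization file (not from the page); key names follow the examples above.
SAMPLE_AUTHORIZATION = """\
# keys accepted for this user
key mykey.pub
options command="sh myscript"
key id_rsa_2048_a.pub
options allow-from="192.0.2.10"
Key backup.pub
OPTIONS deny-from="198.51.100.7"
key /etc/ssh2/shared/deploy.pub
"""

# option_keyword="arg", option_keyword="arg", ...
OPTION_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*"([^"]*)"')


@dataclass
class KeyEntry:
    key_file: str
    command: Optional[str] = None
    allow_from: List[str] = field(default_factory=list)
    deny_from: List[str] = field(default_factory=list)


def parse_authorization(text: str) -> List[KeyEntry]:
    """Parse key/options lines. Raises ValueError on an options line that does not
    directly follow a key line (a blank or comment line in between also breaks adjacency,
    which is the strict reading of 'immediately following' assumed here)."""
    entries: List[KeyEntry] = []
    previous_was_key = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            previous_was_key = False
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "key":
            if not rest:
                raise ValueError(f"line {lineno}: key without a file name")
            entries.append(KeyEntry(key_file=rest))
            previous_was_key = True
        elif keyword == "options":
            if not previous_was_key:
                raise ValueError(f"line {lineno}: options must immediately follow a key line")
            entry = entries[-1]
            for name, arg in OPTION_RE.findall(rest):
                name = name.lower()
                if name == "command":
                    entry.command = arg
                elif name == "allow-from":
                    entry.allow_from.append(arg)
                elif name == "deny-from":
                    entry.deny_from.append(arg)
                else:
                    raise ValueError(f"line {lineno}: unsupported option {name!r}")
            previous_was_key = False  # all options for a key sit on one line
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return entries


def resolve_key_path(key_file: str, user_dir: str) -> str:
    """Relative key names live in the user configuration directory ($HOME/.ssh2 by default)."""
    return key_file if os.path.isabs(key_file) else os.path.join(user_dir, key_file)


def decide(entries: List[KeyEntry], matched_key_file: str,
           client_ip: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, forced_command) for the key file the server matched by content.
    Assumed precedence: deny-from first, then allow-from; a key with no options is unrestricted."""
    for entry in entries:
        if entry.key_file != matched_key_file:
            continue
        if client_ip in entry.deny_from:
            return False, None
        if entry.allow_from and client_ip not in entry.allow_from:
            return False, None
        return True, entry.command
    return False, None  # key not listed: public key authentication fails
```

Because an options line that is not adjacent to its key is silently meaningless to the server, the parser treats it as an error rather than ignoring it; that is the case an administrator auditing authorization files most wants to catch.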

$HOME/.hushlogin

If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.

$HOME/.ssh2/environment

If this file is present, it sets environment variables to set for this user at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment, and also override settings configured in the global file (/etc/ssh2/environment). The pound sign (#) marks comment lines. The syntax is:

environment_variable=value
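The function below is an added example (not the server's own code) of the precedence described for /etc/ssh2/environment and $HOME/.ssh2/environment above: system defaults are overridden by the global file, which is overridden by the user file, and both files are limited to the names listed in SettableEnvironmentVars. The two sample files are constructed; the default allowlist is the value quoted under the SettableEnvironmentVars keyword.

```python
from typing import Dict, List, Set, Tuple

# Default value of SettableEnvironmentVars from the keyword description.
DEFAULT_SETTABLE = "LANG,LC_ALL,LC_COLLATE,LC_CTYPE,LC_MONETARY,LC_NUMERIC,LC_TIME,PATH,TERM,TZ,UMASK"

# Constructed sample of /etc/ssh2/environment (not from the page).
GLOBAL_ENV = """\
# global environment for all Secure Shell sessions
LANG=en_US.UTF-8
TZ=UTC
PATH=/usr/local/bin:/usr/bin:/bin
"""

# Constructed sample of $HOME/.ssh2/environment (not from the page).
USER_ENV = """\
TZ=Europe/Berlin
# not in SettableEnvironmentVars, so the server drops it
LD_PRELOAD=/home/alice/lib/libhook.so
"""


def parse_settable(value: str) -> Set[str]:
    """Split the comma-separated SettableEnvironmentVars value into a set of names."""
    return {v.strip() for v in value.split(",") if v.strip()}


def parse_environment_file(text: str) -> Dict[str, str]:
    """Parse environment_variable=value lines; '#' marks comment lines."""
    env: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected NAME=value")
        env[name.strip()] = value
    return env


def effective_environment(system_env: Dict[str, str], global_text: str, user_text: str,
                          settable: str = DEFAULT_SETTABLE) -> Tuple[Dict[str, str], List[str]]:
    """Layer system defaults < global file < user file, keeping only allowed names.
    Returns (resulting environment, list of rejected assignments)."""
    allowed = parse_settable(settable)
    env = dict(system_env)
    rejected: List[str] = []
    for source, text in (("/etc/ssh2/environment", global_text),
                         ("$HOME/.ssh2/environment", user_text)):
        for name, value in parse_environment_file(text).items():
            if name in allowed:
                env[name] = value
            else:
                rejected.append(f"{source}: {name} is not in SettableEnvironmentVars")
    return env, rejected
```

Widening SettableEnvironmentVars widens what every user can inject into their own login environment, so the rejected list is worth logging when you review a proposed change to that keyword.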

SEE ALSO

ssh(1), ssh2_config(5), ssh-keygen(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), sshd2_config(5), ssh-certview(1), ssh-certtool(1), pkid(8), pki_config(5), pki_mapfile(5), pki-val(1)

Additional Reflection for Secure IT documentation is available online from the Attachmate documentation web page:

http://support.attachmate.com/manuals/

And from the technical note library:

http://support.attachmate.com/techdocs/