Files Used by the Server
The server uses system-wide files (in /etc/ssh2) for all connections. Files in user-specific directories (~/.ssh2 by default) apply to connections from individual client users.
System-wide server files
The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.
The default private key of the public/private key pair used to identify the server to clients. This file should be readable and writable only by root. This file must be limited to user-only read and write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.
The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.
Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.
User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5).
If this file is present, it sets environment variable settings to use for all Secure Shell client connections to this server. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment. If the same environment variable is configured in this global file and also in a user-specific environment file (~/.ssh2/environment), the user-specific value overrides the global value. The pound sign (#) marks comment lines. The syntax is:
Limits login to root. If this file exists, only root is allowed to login. The text of nologin is displayed to anyone else who attempts to log in.
Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.
The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display.
A user-created file listing one or more RADIUS authentication servers. The file name suggested above is not required. After you create this file, use the RadiusFile keyword to specify your file name. For each RADIUS server, you need to enter the name, port, and shared secret. Recommended permissions = 600. The syntax is:
User-specific server files
The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.
The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. This file must be limited to user-only write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.
The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:
Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory (~/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.
Use this optional keyword to specify options that apply to the preceding key. All options for a given key must be configured on a single line. White space is allowed. Options must be configured on the line immediately following the line containing the key. The format is:
Options option_keyword="arg", [option_keyword="arg"],...
Three Options keywords are supported: command, allow-from, and deny-from
The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.
options command="sh myscript"
The key is allowed only for connections from the specified IP address. For example, the following configuration allows the specified key to be used only for connections from IP addresses starting with "150." and "10.10.".
The key is not allowed for connections from the specified IP address.
Notes: To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).
If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.
If this file is present, it sets environment variables to set for this user at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment, and also override settings configured in the global file (/etc/ssh2/environment). The pound sign (#) marks comment lines. The syntax is: