NAME

sshd2_config - Server configuration file used by sshd.

SYNOPSIS

/etc/ssh2/sshd2_config - Default server configuration file.

DESCRIPTION

Reflection for Secure IT server configuration files contain configuration settings for the sshd server. The default global configuration file is /etc/ssh2/sshd2_config. You can specify an alternate file using the -f option on the sshd command line. You can also create and use optional subconfiguration files for specific client hosts or users.

A sample configuration file is installed to /etc/ssh2/sshd2_config. This file includes commented lines that show all available settings and their default values. A duplicate copy of this file is installed to /etc/ssh2/sshd2_config.example.

Changes you make to the main server configuration file affect new connections immediately; you do not need to restart the server. Existing connections remain active using their original settings; subsequent connections use the new settings.

Note: Changes to Port, ListenAddress and FipsMode require a restart.

The server processes settings cumulatively in the following order. If a setting is configured in more than one place, the last value processed overrides any previous value of the same setting.

  1. The global configuration file, or an alternate file specified on the sshd command line using -f.

  2. Any host-specific subconfiguration file(s) that you have created and identified using the HostSpecificConfig keyword.

  3. Any user-specific subconfiguration file(s) that you have created and identified using the UserSpecificConfig keyword.

  4. Command line options used with sshd.

FILE FORMAT

All server configuration files (the default global file, any alternate file specified on the sshd command line, and optional user-specific and host-specific files) consist of keywords followed by values. Any line starting with a pound sign (#) is a comment. Any empty line is ignored.

Keyword syntax

Every keyword requires a value. The value can be separated from the keyword by spaces, or optional spaces and exactly one "=". Enclose the value in quotation marks (single or double) if it includes spaces. For example:

key value

key=value

key="value with spaces"

key=value1, value2

Keywords are not case sensitive.

REGULAR EXPRESSIONS

Regular expressions are evaluated using POSIX-Extended syntax. For details about regular expression rules, see:

http://www.opengroup.org/onlinepubs/7990989775/xbd/re.html

Specific information about configuring expressions for users, groups, and hosts follows.

Configuring User Access

The following keywords configure user access: AllowUsers, DenyUsers, AllowTcpForwardingForUsers, DenyTcpForwardingForUsers, ForwardACL, ChrootSftpUsers, UserSpecificConfig. You can specify user names alone, or use the following syntax to include group and/or host information:

user[%group][@host]

Where user is a regular expression for a user (numerical UIDs are not supported), group is a regular expression for a group (numerical GIDs are not supported), and host is a regular expression for a host (which can be a domain name, IP address, or subnet mask). For example, the following denies access to all members of the interns group at myhost.com:

DenyUsers=.*%interns@myhost.com

Configuring Group Access

The following keywords configure group access: AllowGroups, DenyGroups, AllowTcpForwardingForGroups, DenyTcpForwardingForGroups, and ChrootSftpGroups. These keywords support any valid regular expression. Numerical GIDs are not supported. For example:

DenyGroups=interns

Configuring Client Host Access

The following keywords configure settings for client host computers: AllowHosts, DenyHosts, HostSpecificConfig. You can specify hosts using either IP addresses or domain names. The server first tries to match using the IP address of the client. If that fails, it tries to match using a domain name.

Note: When ResolveClientHostName is `yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.

To force matching to a specific IP address, start the host expression using a backslash followed by i (\i). For example:

DenyHosts = \i123.45.78.9

To match a range of IP addresses using a CIDR (Classless Inter-Domain Routing) subnet, start the host expression using a backslash followed by m (\m). For example:

DenyHosts = \m123.123.0.0/16

Note: If you use either \i or \m, regular expressions are not supported within the IP address.
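The matching rules described above (user[%group][@host], the IP-first-then-name order, and the \i and \m host forms), written out as an added example in Python. This is not Reflection for Secure IT code and the server's own matcher is authoritative; it assumes Python's re module as a stand-in for the server's POSIX-Extended engine and that the group part is tested against every group the connecting user belongs to. The addresses and names it uses are constructed.

```python
import ipaddress
import re

# Added example, not Reflection for Secure IT code: evaluates the
# user[%group][@host] form and the \i / \m host forms described on the page.
# Assumption: Python's re module stands in for the server's POSIX-Extended
# engine; the two agree for the anchored patterns used here, but the server's
# engine is authoritative.


def _full_match(pattern, value):
    """Anchor the expression so `myhost` cannot match `myhost.com.evil.example`."""
    return re.fullmatch(pattern, value) is not None


def host_matches(expr, client_ip, client_name=None):
    """Apply one host expression the way the page describes:
    \\i compares one literal IP address, \\m tests CIDR membership, and any
    other expression is a regular expression tried against the client IP
    first and then against the resolved name (None when unresolved)."""
    if expr.startswith("\\i"):
        # no regular expression is allowed after \i, so compare as an address
        return ipaddress.ip_address(client_ip) == ipaddress.ip_address(expr[2:])
    if expr.startswith("\\m"):
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(expr[2:], strict=False)
    if _full_match(expr, client_ip):
        return True
    # A name-based expression can only match when the name was resolved
    # (ResolveClientHostName); an unresolved client never matches by name.
    return client_name is not None and _full_match(expr, client_name)


def split_user_expr(expr):
    """Split user[%group][@host] into (user_re, group_re, host_re); absent parts are None."""
    host = group = None
    if "@" in expr:
        expr, host = expr.split("@", 1)
    if "%" in expr:
        expr, group = expr.split("%", 1)
    return expr, group, host


def user_expr_matches(expr, user, groups, client_ip, client_name=None):
    """True when every part present in the expression matches the connecting user.
    Assumption: the group part is tested against all groups the user belongs to."""
    user_re, group_re, host_re = split_user_expr(expr)
    if not _full_match(user_re, user):
        return False
    if group_re is not None and not any(_full_match(group_re, g) for g in groups):
        return False
    if host_re is not None and not host_matches(host_re, client_ip, client_name):
        return False
    return True


if __name__ == "__main__":
    # The page's own example: deny every member of interns at myhost.com.
    print(user_expr_matches(r".*%interns@myhost.com", "alice", ["users", "interns"],
                            "198.51.100.7", "myhost.com"))
    print(host_matches(r"\m123.123.0.0/16", "123.123.200.1"))
```

Two things the example makes visible: the host part is a regular expression, so the unescaped dot in the page's myhost.com also matches myhostXcom (write myhost\.com for the literal name), and a name-based expression never matches a client whose address did not resolve, which is why a DenyHosts entry written as a domain name needs RequireReverseMapping to be effective.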

ACCESS CONTROL KEYWORDS

The following keywords are available for controlling access to users, groups, and/or client host computers:

AllowUsers, DenyUsers, AllowGroups, DenyGroups, AllowHosts, DenyHosts, AllowTcpForwardingForUsers, DenyTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwardingForGroups, ForwardACL

You can specify users, groups, or hosts for any of these keywords by using a single instance of the keyword with a comma-separated list of values, or by including multiple instances of the keyword, in which case the final assigned value is cumulative over all instances.

Note: When you use regular expressions that require a comma (for example, [1,2]) in any of the access-control keywords, you must escape the comma with a backslash (for example, [1\,2]).
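A reader for the keyword syntax in FILE FORMAT that also applies the rules from ACCESS CONTROL KEYWORDS (values of the access-control keywords accumulate over every instance, and a backslash-escaped comma is a literal comma) and the processing order from DESCRIPTION (global file, then host-specific, then user-specific, with the last value processed winning for ordinary keywords). This is an added Python example, not Reflection for Secure IT code; the configuration text in it is constructed, and it assumes that a user-specific file may restate AllowedAuthentications and AllowTcpForwarding (the installed user.example is the list of keywords actually supported there).

```python
import re

# Added example, not Reflection for Secure IT code: parses the keyword syntax
# from FILE FORMAT and applies the accumulation, comma-escape and file-order
# rules from the page. The configuration text below is constructed.

# keyword, then optional spaces and exactly one "=" (or at least one space), then the value
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.]*)\s*(?:=\s*|\s+)(.*)$")

# keywords whose comma-separated values accumulate over every instance
CUMULATIVE = {k.lower() for k in (
    "AllowUsers", "DenyUsers", "AllowGroups", "DenyGroups", "AllowHosts", "DenyHosts",
    "AllowTcpForwardingForUsers", "DenyTcpForwardingForUsers",
    "AllowTcpForwardingForGroups", "DenyTcpForwardingForGroups")}
# keywords that take one space-separated rule per line, one rule per instance
ONE_RULE_PER_LINE = {"forwardacl", "hostspecificconfig", "userspecificconfig"}


def split_list(value):
    """Split a comma-separated value; a backslash-escaped comma stays inside its item."""
    items, cur, i = [], [], 0
    while i < len(value):
        if value.startswith("\\,", i):
            cur.append(",")
            i += 2
            continue
        if value[i] == ",":
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(value[i])
        i += 1
    items.append("".join(cur).strip())
    return [item for item in items if item]


def parse_config(text, settings=None):
    """Parse one configuration file into settings. Keywords are lower-cased
    because the server treats them case-insensitively."""
    settings = {} if settings is None else settings
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comment or empty line
        m = _LINE.match(line)
        if m is None or not m.group(2).strip():
            raise ValueError("line %d: keyword without value: %r" % (lineno, raw))
        key, value = m.group(1).lower(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]            # quoted value containing spaces
        if key in CUMULATIVE:
            settings.setdefault(key, []).extend(split_list(value))
        elif key in ONE_RULE_PER_LINE:
            settings.setdefault(key, []).append(value)
        else:
            settings[key] = value          # last value processed overrides
    return settings


def effective_settings(global_text, host_texts=(), user_texts=()):
    """Process files in the server's order: global, host-specific, user-specific."""
    settings = parse_config(global_text)
    for text in list(host_texts) + list(user_texts):
        parse_config(text, settings)
    return settings


GLOBAL = r"""
# constructed sample, not the installed /etc/ssh2/sshd2_config
Port 22
AllowedAuthentications = publickey, keyboard-interactive
Ciphers=aes256-ctr,aes128-ctr
BannerMessageFile = "/etc/ssh2/banner with spaces.txt"
DenyUsers = .*%interns@myhost\.com
denyusers guest[1\,2], svc-.*
ForwardACL deny local .* .*%25
"""

# Assumption: a user-specific file may restate these two keywords.
USER_SPECIFIC = r"""
AllowedAuthentications publickey
AllowTcpForwarding = no
"""

if __name__ == "__main__":
    for key, value in sorted(effective_settings(GLOBAL, user_texts=[USER_SPECIFIC]).items()):
        print(key, "=", value)
```

The output shows the two behaviours worth remembering when auditing a server: the three DenyUsers values from two differently-cased instances end up in one list, while the user-specific AllowedAuthentications silently replaces the global one, so an allow list in a subconfiguration file can widen as well as narrow what the global file set.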

SUBCONFIGURATION FILES

You can create and use optional subconfiguration files to configure settings that you want to apply to a subset of users or client hosts. Subconfiguration files are read by the process forked for each new connection. These files are read at runtime; any changes you make affect all subsequent connections.

User subconfiguration files

Use the UserSpecificConfig keyword to configure user-specific subconfiguration files. The syntax for this keyword is:

UserSpecificConfig user_expression subconfig_file

If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file. An example file is installed to:

/etc/ssh2/subconfig/user.example

The user.example file includes a list of keywords that are supported in user-specific subconfiguration files.

Security Note: If you configure a user-specific RequiredAuthentications list that differs from the global allowed or required list, an attacker can compare the authentication methods the server offers for different account names and use the difference to confirm that a given account exists on this system.

Host subconfiguration files

Use the HostSpecificConfig keyword to configure settings to apply to a subset of client hosts. The syntax for this keyword is:

HostSpecificConfig host_expression subconfig_file

If the host expression matches the client host, the server uses the specified subconfiguration file. An example file is installed to:

/etc/ssh2/subconfig/host.example

The host.example file includes a list of keywords that are supported in host-specific subconfiguration files.

KEYWORDS

AccountManagement

Configures the account management system that sshd uses to validate a user account. Account management services determine if an account is active, and whether or not a password is still valid. The allowed values are `password', `pam', `aix', and `none'. The default is `pam,password', which requires the user account to pass validation by both systems.

pam - Use PAM for account management. PAM account management applies to all sessions, regardless of the authentication method (or methods) used. If an account is locked, the connection is refused.

password - Use the password database to validate the account.

aix - For use on AIX systems. If a user authenticates successfully using public key authentication, the server ignores password accounting restrictions such as the requirement to update an expired password. If the account is locked using the AIX account_locked flag, the user will not be allowed to log in even if public key authentication is successful. Note: On non-AIX systems, this value is equivalent to `none'.

none - Use no account validation. Use this only for troubleshooting.

AddressFamily

This setting is used by the server when it creates a listening, session, or forwarding TCP socket. The allowed values are `any' (allow the system to decide which address family to use), `inet' (accept only IPv4), and `inet6' (accept only IPv6). The default is `inet'. Note: The current value of ListenAddress may also affect whether or not the server accepts connections using IPv4 or IPv6 addresses.

AllowAgentForwarding

Specifies whether agent forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AllowedAuthentications

Specifies which authentication methods the server supports. The client and server agree on one or more authentication methods during the initial connection process, based on both client and server configuration. (Use RequiredAuthentications to require one or more authentication methods. RequiredAuthentications overrides AllowedAuthentications.)

The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'. The default is `gssapi-with-mic, publickey, keyboard-interactive, password'.

AllowedPasswordAuthentications

This keyword is no longer supported. If you used it in previous versions, you need to manually migrate your setting. Refer to the following keywords: AllowedAuthentications, RequiredAuthentications, and AuthKbdInt.Required.

AllowGroups

Use this keyword to allow login only for users who are members of a specified group. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

AllowHosts

Use this keyword to allow login only for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not configured, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'. When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).

AllowSftpCommands

Controls what kinds of operations users can perform using sftp and scp commands from Reflection for Secure IT clients. This keyword supports a comma-separated list of one or more of the following: `all', `none', `browse', `download', `upload', `delete', `rename'. The upload option enables users to modify files, create files, create directories, or modify file attributes on the server. The download option enables users to read file contents. The default is `all'.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. The SessionRestricted keyword also affects access to file transfers. The default value for SessionRestricted is `shell, exec, subsystem'. For Reflection for Secure IT clients, the `subsystem' session type is required for both sftp and scp transfers. For OpenSSH-style clients `subsystem' is required for sftp transfers; `exec' is required for scp transfers.

AllowTCPForwarding

Use this keyword to allow or deny port forwarding for all client users. The allowed values are `yes' and `no'. The default is `yes'. This keyword controls both local (client to server) and remote (server to client) forwarding. Use ForwardACL for more fine-grained control.

AllowTCPForwardingForGroups

Use this keyword to allow port forwarding only for users who are members of a specified group. Regular expressions are supported.

AllowTCPForwardingForUsers

Use this keyword to allow port forwarding only for specified users. Regular expressions are supported.

AllowUsers

Use this keyword to allow login only for specified users. Regular expressions are supported. For details, see Configuring User Access.

AllowX11Forwarding

Specifies whether X11 forwarding is allowed. The allowed values are `yes' and `no'. The default is `yes'.

AuditLog

Specifies whether or not an audit log is created. When `sftp' is specified, a comma-delimited log file containing a detailed record of file transfer activity is created in the location specified by AuditLog.Directory. The first line of the audit log file, shown here, identifies the logged content: UserID, ClientIP, Action, ServerFilename, StartTime, EndTime, ServerFileModificationTime, ServerFileSize, BytesTransferred, Result, Reason, ServerFileHash. The default is `none'.

AuditLog.Directory

The output location for audit logs. A new log is created each day using this name format: sshd2-audit-YYYYMMDD.log, where YYYYMMDD indicates the date. When AuditLog = sftp, this file is created the first time a client user transfers a file, or when you restart the server. The default is /etc/ssh2/logs.

Note: If users have been limited to a home directory for sftp protocol connections (using ChrootSftpUsers or ChrootSftpGroups), the audit log directory must be located in the home directory. Because of this limitation, audit logging only works for chrooted users if they share the same home directory.

AuditLog.Sftp.WithHash

Specifies whether or not sftp log entries include a file hash. The hash value can be used to identify multiple records identifying transfer of the same file. Each time an unchanged file is transferred, the hash value in the log is identical. If a file is changed, the hash value is different. The allowed values are `yes' and `no'. The default is `yes'.
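Reading the sftp audit log described under AuditLog and using the ServerFileHash column the way AuditLog.Sftp.WithHash suggests, as an added Python example that is not Reflection for Secure IT code. The header row is the one the page lists; the log rows, the timestamp format, the Action and Result vocabulary and the hash values are constructed assumptions for this example.

```python
import csv
import io
from collections import defaultdict

# Added example, not Reflection for Secure IT code. The header below is the
# one the AuditLog keyword documents; everything else in the sample
# (timestamps, Action/Result words, hashes, names, addresses) is constructed.
SAMPLE_LOG = """\
UserID,ClientIP,Action,ServerFilename,StartTime,EndTime,ServerFileModificationTime,ServerFileSize,BytesTransferred,Result,Reason,ServerFileHash
alice,198.51.100.7,download,/srv/data/payroll.csv,2024-05-01T09:00:01Z,2024-05-01T09:00:02Z,2024-04-30T17:12:00Z,40960,40960,success,,a1b2c3d4
bob,203.0.113.9,download,/home/bob/pay-backup.csv,2024-05-01T09:15:40Z,2024-05-01T09:15:41Z,2024-04-30T17:12:00Z,40960,40960,success,,a1b2c3d4
carol,203.0.113.20,upload,/srv/incoming/build.tar,2024-05-01T10:02:00Z,2024-05-01T10:02:09Z,2024-05-01T10:02:09Z,1048576,524288,failure,connection closed,
alice,198.51.100.7,download,/srv/data/notes.txt,2024-05-01T11:30:00Z,2024-05-01T11:30:00Z,2024-03-02T08:00:00Z,2048,2048,success,,e5f6a7b8
"""


def parse_audit_log(text):
    """Return one dict per transfer, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def transfers_by_hash(records):
    """Group records by ServerFileHash. An unchanged file produces the same
    hash on every transfer, so this links copies regardless of file name.
    Records without a hash (WithHash = no, or a failed transfer) are skipped."""
    groups = defaultdict(list)
    for r in records:
        if r["ServerFileHash"]:
            groups[r["ServerFileHash"]].append(r)
    return groups


def content_shared_across_users(records):
    """Hashes transferred by more than one user: the same content moving
    under a different name, which a search by file name would not catch."""
    return {h: sorted({r["UserID"] for r in rs})
            for h, rs in transfers_by_hash(records).items()
            if len({r["UserID"] for r in rs}) > 1}


def incomplete_transfers(records):
    """Transfers that did not succeed or moved fewer bytes than the file size."""
    return [r for r in records
            if r["Result"].lower() != "success"
            or int(r["BytesTransferred"]) < int(r["ServerFileSize"])]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print(content_shared_across_users(recs))
    for r in incomplete_transfers(recs):
        print(r["UserID"], r["Action"], r["ServerFilename"], r["Reason"])
```

With WithHash left at its default of `yes', the hash is the only column that survives a rename between the download and the re-upload, which is what makes the cross-user check above possible; turn it off and the log can still show who moved which path, but not that two paths held the same bytes.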

AuthFailureErrorMessages

The allowed values are `yes' and `no'. The default is `no'. When set to `no', no information about authentication failures is sent to the client. This complies with SSH convention. To enable this setting, you must also enable AuthImmediateDisconnect. When both AuthFailureErrorMessages and AuthImmediateDisconnect are set to `yes' the client user receives information about the reason for the failure. Note: Messages sent to the client report failures that occur regardless of which authentication method is used. For example, information is sent to the client if the user account is disabled or unknown on the server host, or if a user is on the denied user list. No information is provided about failures that are specific to the authentication method used (such as an incorrect password, missing public key, or invalid certificate).

Caution: Enabling this setting increases your security risk by providing clients with information about valid account names.

AuthImmediateDisconnect

The allowed values are `yes' and `no'. The default is `no'. When this setting is `no', the server responds identically to all failed authentication attempts. This complies with SSH convention. When this setting is `yes', users with blocked accounts are disconnected as soon as possible, which means they might not see any authentication prompts. If a user is denied access because of Reflection for Secure IT server settings (for example AllowUsers or DenyUsers), the disconnection always happens immediately. If a user is denied access because of operating system configuration, the timing of the disconnection is affected by the AccountManagement setting. When AccountManagement=pam, denied users see PAM authentication prompts before being disconnected. This is because PAM authentication happens before PAM account management. If you prefer to have users be disconnected without seeing PAM authentication prompts, set AccountManagement=pam,password (the default). In most cases, enabling password account management provides the server with enough information about the user account to reject the connection before PAM authentication starts.

Caution: Enabling this setting increases your security risk by providing clients with information about valid account names.

AuthKbdInt.Required

Specifies which authentication method to use for keyboard-interactive authentication. The specified authentication method must succeed for the user to be successfully authenticated. The allowed values are `pam', `password', and `radius'. The default is `pam', which specifies that PAM modules are used for authentication and password management. When `password' is specified, the user response is handled as a standard login password. When `radius' is specified, one or more RADIUS authentication servers are used for authentication.

AuthKbdInt.Retries

Sets the maximum number of attempts allowed for keyboard interactive authentication. The default is 3.

AuthKbdInt.Verbose

Specifies whether the server uses verbose keyboard interactive prompts. The allowed values are `yes' and `no'. The default is `no'.

AuthorizationFile

Specifies the name of the file used for configuring user keys for public key authentication. For public key authentication to succeed, a key presented by a client user for authentication must be correctly identified in this file. For file syntax, see the FILES section.

The file is assumed to be relative to ~/.ssh2 (or whatever location is set for UserConfigDirectory) unless you specify an absolute path. The following macros are recognized: %U = user log-in name, %D = user's home directory, %IU = UID for user, %IG = GID for user. The default file is %D/.ssh2/authorization.

AuthPublicKey.MaxSize

Sets the largest public key size allowed for user authentication. The default is 32768, and values larger than this are not allowed. The range of accepted values is 512-32768. Using zero (0) is equivalent to using the default.

AuthPublicKey.MinSize

Sets the smallest public key size allowed for user authentication. The default is 512, and values smaller than this are not allowed. Using zero (0) is equivalent to using the default.

AuthPublicKey.Retries

Specifies the maximum number of attempts the server accepts for public key authentication. Once this number is reached, further attempts to authenticate using a public key are rejected, but the connection is not broken. This allows the client to attempt authentication using the next allowed method. The default is 100.

BannerMessageFile

Identifies a file that contains text for a banner message. The server sends this text to the client before the client authenticates. Note: Some clients do not support banner display. If you configure a banner, you should ensure that your Secure Shell client supports this feature. The default is /etc/ssh2/ssh_banner_message.

ChrootSftpGroups

Specifies groups whose users are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against group names, not GIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. The SessionRestricted keyword also affects access to file transfers. The default value for SessionRestricted is `shell, exec, subsystem'. For Reflection for Secure IT clients, the `subsystem' session type is required for both sftp and scp transfers. For OpenSSH-style clients `subsystem' is required for sftp transfers; `exec' is required for scp transfers.

When ChrootSftpUsers or ChrootSftpGroups is enabled, connected users see additional subdirectories (etc on all platforms and dev on AIX) added to their home directory. These directories cannot be moved or deleted. The etc directory contains two required files. The rsit.conf file identifies the installation location of files required by Reflection for Secure IT. The localtime file is needed so that processes such as logging can get the current time. The system localtime file is in a location that cannot be accessed by a chrooted user. Users running on AIX also require /dev/null, which is needed for correct logging to syslog.

ChrootSftpUsers

Specifies users who are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against user names, not UIDs.

Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. The SessionRestricted keyword also affects access to file transfers. The default value for SessionRestricted is `shell, exec, subsystem'. For Reflection for Secure IT clients, the `subsystem' session type is required for both sftp and scp transfers. For OpenSSH-style clients `subsystem' is required for sftp transfers; `exec' is required for scp transfers.

When ChrootSftpUsers or ChrootSftpGroups is enabled, connected users see additional subdirectories (etc on all platforms and dev on AIX) added to their home directory. These directories cannot be moved or deleted. The etc directory contains two required files. The rsit.conf file identifies the installation location of files required by Reflection for Secure IT. The localtime file is needed so that processes such as logging can get the current time. The system localtime file is in a location that cannot be accessed by a chrooted user. Users running on AIX also require /dev/null, which is needed for correct logging to syslog.

Ciphers

Specifies one or more (comma separated) encryption algorithms the server supports. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. Allowed values are `aes128-ctr', `aes128-cbc', `aes192-ctr', `aes192-cbc', `aes256-ctr', `aes256-cbc', `blowfish-cbc', `arcfour', `arcfour128', `arcfour256', `cast128-cbc', and `3des-cbc'.

You can also set this value to `none'. When `none' is the agreed-on cipher, data is not encrypted. This provides no confidentiality protection and is not recommended.

The following values are provided for convenience: `aes' (all supported aes ciphers), `blowfish' (equivalent to `blowfish-cbc'), `cast' (equivalent to `cast128-cbc'), `3des' (equivalent to `3des-cbc'), `Any' or `AnyStd' (all available ciphers plus `none'), and `AnyCipher' or `AnyStdCipher' (all available ciphers). The default is AnyStdCipher. Because the default enables every cipher in the list above, including `arcfour' and the CBC modes, set an explicit list of the ciphers you intend to allow on a hardened server.

ClientAliveCountMax

The client alive mechanism enables the server to determine when the client has become inactive. ClientAliveCountMax sets the maximum number of client alive messages the server sends through the encrypted channel to request a response from the client. If this number is reached with no response from the client, the server ends the session and disconnects the client. Specify the message interval using ClientAliveInterval. The default is 3.

Note: These settings affect the SSH connection and messages are sent through the SSH tunnel.

ClientAliveInterval

Sets the interval, in seconds, for sending client alive messages to the client. If the client is unresponsive for this interval, the server sends a message through the encrypted channel to request a response from the client. Use ClientAliveCountMax to specify how many messages the server sends without response before it ends the session and disconnects the client. The default is 0 (disabled).

Compat.RSA.HashScheme

This keyword is no longer used. Prior to version 7.2 SP1, you needed to set this keyword to `yes' to enable verification of digital signatures using the MD5 hash. The server now always attempts verification using both SHA-1 and MD5, and allows authentication if either hash matches. This is equivalent to setting Compat.RSA.HashScheme to `yes' in earlier versions. If Compat.RSA.HashScheme is present in a configuration file and set to `no', the server now ignores this setting.

Compression

Specifies the level of compression. You can specify compression values 0-9. Increasing the value increases the amount of compression. Using higher values results in the use of less network bandwidth, but at the cost of more CPU cycles. Level 6 is equivalent to `yes'. Level 0 is equivalent to `no'. The default is `yes' (6).

DenyGroups

Use this keyword to deny login for specified user groups. Regular expressions are supported. For details, see Configuring Group Access. If this keyword is not configured, all groups are allowed to log in.

DenyHosts

Use this keyword to deny login for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not used, all client hosts are allowed.

Notes:

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'. You should also set RequireReverseMapping to `yes' to prevent access from hosts whose domain name could not be resolved. When ResolveClientHostName is `yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is `yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.

To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).

DenyTCPForwardingForGroups

Use this keyword to deny port forwarding for specified user groups. Regular expressions are supported. For details, see Configuring Group Access.

DenyTCPForwardingForUsers

Use this keyword to deny port forwarding for specified users. Regular expressions are supported. For details, see Configuring User Access.

DenyUsers

Use this keyword to deny login for specified users. Regular expressions are supported. For details, see Configuring User Access. If this keyword is not configured, all users are allowed to log in.

FipsMode

Specifies whether all connections will be made using security protocols and algorithms that meet FIPS 140-2 standards. The allowed values are `yes' and `no'. The default is `no'.

ForceSftpFilePermissions

Sets specified file permissions on all files uploaded to the server using sftp or scp and overrides all other permission setting actions. Use a three-digit permission mode value. For example, if you set ForceSftpFilePermissions to 600, all uploaded files are set to 600 (-rw-------). In addition, if a user attempts to change the permissions on an existing file, that file is also set to 600, regardless of the permission value requested by the client user. This setting does not affect directory permissions.

When ForceSftpFilePermissions is configured:

All uploaded files are set to the specified value regardless of whether or not a file is newly created or overwrites an existing file.

The system UMASK setting is ignored.

Any chmod command executed by an sftp user ignores the user-specified value and changes the file's permissions to the value set by ForceSftpFilePermissions.

The -p option is ignored if it is used on the sftp or scp command line.

ForwardACL

Use this keyword for detailed control over client access to port forwarding. Regular expressions are supported. The syntax is:

ForwardACL allow|deny local|remote user_ex forward_ex [origin_ex]

user_ex is a regular expression that determines which users are allowed or denied access to port forwarding. For details, see Configuring User Access.

forward_ex is a regular expression in the form host%port. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the target host and port. If you are configuring remote forwarding control, the host is the server computer and the port is the port that the server is forwarding to the client.

origin_ex is a regular expression that identifies an IP address. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the client machine making the forward request. If you are configuring remote forwarding control, it specifies the computer that is connecting to the forwarded port on the server.

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The allowed values are `yes' and `no'. The default is `no'.

HostCertificateFile

Specifies an X.509 certificate to be used for server authentication. Specify the associated private key using HostKeyFile.

HostKeyFile

Specifies the filename and location of the private key used to authenticate the server. The default is /etc/ssh2/hostkey.

HostSpecificConfig

Specifies a host-specific subconfiguration file. The syntax is:

HostSpecificConfig host_expression subconfig_file

If the host expression matches the client host, the server uses the specified subconfiguration file.

If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

HPNDisabled

Specifies whether Reflection for Secure IT uses HPN dynamic TCP window features to enhance performance. When HPNDisabled = `no' (the default), Reflection for Secure IT adjusts the TCP window and TCP receive buffers to optimize performance. When HPNDisabled is `yes', the receive buffer is set to 64 KB.

IdleTimeout

Specifies how long a connection can remain inactive before the server terminates the connection. To set the time in seconds use an s or nothing after the number. You can also specify a time in minutes (m), hours (h), days (d), or weeks (w). Use zero (0) to set no limit. The default is 0.

IgnoreRlogin

This keyword applies only to AIX systems. It specifies whether the 'rlogin' attribute in /etc/security/user should be ignored or applied. The allowed values are `yes' and `no'. The default is `no', which means that the server honors the current 'rlogin' value.

Notes:

The 'login' attribute in /etc/security/user has no effect on remote logins made using the Secure Shell client. This is true regardless of the value of IgnoreRlogin.

On AIX systems IgnoreRlogin is ignored if AccountManagement is set to `none'.

KeepAlive

Specifies whether the system should send TCP keep alive messages to the other side. The server uses the system-wide value for how often the message is sent. The allowed values are `yes' and `no'. The default is `yes'. Note: ClientAliveCountMax and ClientAliveInterval affect the SSH connection and messages are sent through the SSH tunnel. The KeepAlive setting affects the TCP connection, and is more vulnerable to spoofing because TCP messages are not sent in the secure tunnel.

KEXs

Specifies which key exchange algorithms the server supports. Supported values are `diffie-hellman-group-exchange-sha256', `diffie-hellman-group-exchange-sha1', `diffie-hellman-group14-sha1', and `diffie-hellman-group1-sha1'. Multiple algorithms can be specified as a comma-separated list. The default value is `diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'. Because the default includes `diffie-hellman-group1-sha1', which uses a 1024-bit group, list only the exchanges you intend to allow on a hardened server.

LibGssKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libgssapi_krb5.so.

LibKrb5

Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libkrb5.so.

Note: The server requires a library named libkrb5.so (or .sl on HP-UX PARISC). If a library of this name is not present, you need to create a symbolic link named libkrb5.so pointing to the actual library.

LibWrap

This keyword provides dynamic support for TCP Wrappers. To enable TCP Wrapper support, specify the fully qualified path to the libwrap shared library (for example, LibWrap=/usr/lib/libwrap.so). The libwrap file must be a shared library and not a static one. By default, this keyword is empty and the TCP Wrappers feature is disabled.

Note: Before using this keyword, you should confirm that the specified file is a valid libwrap library. This is important to ensure that only allowed users can connect. If the specified file doesn't exist, the sshd server won't start. However, if the file exists, sshd starts, but does not confirm that the file is a valid library. For each connection, the sshd process tries to load the specified file, and, if the file is not a valid library, the server logs an error message and allows the user to connect.

ListenAddress

Specifies the address of the interface to which the sshd server socket is bound. You can specify values using either IPv4 or IPv6 format, or use `any' (the default). The value `any' configures the server to listen to any available IPv4 or IPv6 address (equivalent to `[::],0.0.0.0'). If you specify only IPv4 addresses, the client must connect using an IPv4 address. If you specify only IPv6 addresses, most operating systems will still allow IPv4 clients to connect; this is controlled by the operating system, not the Secure Shell server. You can optionally include a port in the address by adding a colon or space followed by the port number. This port value overrides the Port keyword setting. If you are specifying an IPv6 address, you need to surround the address with square brackets. For example:

IPv4 syntax: ListenAddress=209.85.171.99:6666

IPv6 syntax: ListenAddress=[::D155:AB63]:6666

ListenAddress interacts with the AddressFamily setting. When AddressFamily=inet, the ListenAddress value `any' is equivalent to `0.0.0.0'. When AddressFamily=inet6, the ListenAddress value `any' is equivalent to `[::]'. If AddressFamily is set to either 'inet' or 'inet6' and ListenAddress specifies an address of a different family, sshd will fail to start because of a configuration file error. If you specify a host name for ListenAddress rather than an IP address, the AddressFamily restrictions require that the host name be associated with an address of the appropriate family; and the server will bind to that address.

Note: Values set with this keyword are cumulative; you can set multiple values by configuring this keyword multiple times in one or more configuration files.

LogCertificateSubject

Specifies whether the Serial Number and Subject of certificates used for authentication are logged to the system log. Messages are logged for both successful and failed attempts. The allowed values are `yes' and `no'. The default is `yes'.

LoginGraceTime

Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit. The default is 120.

LogLevel

Sets the verbosity level used for sshd messages logged to syslog. Allowed values are `fatal', `error', `quiet', `info', `verbose', `debug1' (`debug' and 1 are equivalent), `debug2' (2 is equivalent), `debug3' (3 is equivalent), and `trace' (`debug99' and 99 are equivalent). The syslog level associated with these values is CRIT for fatal, ERROR for error and quiet, INFO for info and verbose, and DEBUG for debug1, debug2, debug3, and trace. The default is `error'.

Note: Setting logging to `trace' can increase your security risk. At this level, information leakage is a concern, as unencrypted protocol information may be written out. Also, the volume of information written may fill up disk space rapidly, potentially causing the host or Reflection for Secure IT to stop responding.

LogPublicKeyFingerPrint

Specifies whether public key fingerprints used for authentication are logged to the system log. Messages are logged for both successful and failed attempts. The allowed values are `yes' and `no'. The default is `yes'.

MACs

Specifies, in order of preference, which MACs (hashed message authentication codes) the server allows for verifying data integrity. Allowed values are `hmac-sha256', `hmac-sha1', `hmac-sha1-96', `hmac-md5', `hmac-md5-96', `hmac-sha512', and `hmac-ripemd160'. Use `AnyMac' to support all of these. Use `AnyStdMac' to specify `hmac-sha256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha512'. Specifying hmac-sha256 also enables hmac-sha2-256. Specifying hmac-sha512 also enables hmac-sha2-512. Multiple MACs can also be specified as a comma-separated list. Additional options are `none', `any' (equivalent to AnyMac plus `none'), and `AnyStd' (equivalent to `AnyStdMac' plus `none'). When `none' is the agreed-on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include `none' are not recommended. The default is `AnyStdMac'.
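As an added illustration (not from this man page or the product's sample file), the two algorithm-negotiation keywords KEXs and MACs written first with the permissive MACs value the text warns about and then with a restricted list built only from values documented above. The narrower KEXs line is an added hardening choice, not a page recommendation; it assumes your clients offer SHA-256 group exchange, otherwise key exchange fails:

```text
# Permissive: `any' includes `none', so a client can negotiate no integrity check
MACs any
KEXs diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# Restricted: SHA-2 MACs only (also enables hmac-sha2-256/hmac-sha2-512), and
# SHA-256 group exchange only. Verify client support before deploying the KEXs line.
MACs hmac-sha256,hmac-sha512
KEXs diffie-hellman-group-exchange-sha256
```

Because later values override earlier ones, place these lines after any other MACs or KEXs line in the global file and in any subconfiguration file that is processed afterwards.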

MaxConnections

Sets the maximum number of client connections allowed. Use zero (0) to set no limit. The default is 50.

MaxSessions

Specifies the maximum number of multiplexed sessions supported over a single TCP connection. (Multiplexing can be enabled on Reflection for Secure IT clients using the ConnectionReuse keyword.) The range of values is 0-10. The default is 10. Setting this value to 1 disables connection reuse. Setting this keyword to 0 disables all connections.

MaxStartups

Specifies the maximum number of concurrent unauthenticated connection attempts allowed. After this limit is reached, additional connections are dropped until authentication succeeds or the LoginGraceTime limit is reached for a connection attempt. The default is 10.

PamServiceName

Specifies the name of the PAM (Pluggable Authentication Modules) service used for authentication and sessions. The default is `ssh'.

PamServiceNameForInternalProcesses

Specifies the name of an optional PAM service to be used for internal processes. You can use the specified service to provide additional account and session management. For example:

PamServiceNameForInternalProcesses ssh-shell

In this case, all users still go through the service specified by PamServiceName ("ssh" by default). Shell and exec users will also go through the "ssh-shell" service.

Note: The specified PAM service will always support PAM account and session management and may support authentication management on particular platforms (Linux and AIX, but not Solaris). Because authentication management may or may not be used depending on the platform, it should always be set to pam_permit.so so that access to the system can be configured using account and session management.

PamServiceNameForSubsystems

Specifies the name of an optional PAM service to be used for subsystems. You can use the specified service to provide additional account and session management. The syntax is:

PamServiceNameForSubsystems subsystem PAMservicename

For example, you could use the following to provide additional account and session management for SFTP connections:

PamServiceNameForSubsystems sftp ssh-sftp

In this case, all users still go through the service specified by PamServiceName ("ssh" by default). SFTP users will also go through the "ssh-sftp" service.

Note: The specified PAM service will always support PAM account and session management and may support authentication management on particular platforms (Linux and AIX, but not Solaris). Because authentication management may or may not be used depending on the platform, it should always be set to pam_permit.so so that access to the system can be configured using account and session management.
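The following is an added example, not configuration shipped with the product, showing how the PamServiceNameForInternalProcesses and PamServiceNameForSubsystems settings above pair with a PAM service definition that follows the note's pam_permit.so requirement. The PAM file path (/etc/pam.d/ssh-shell) and the module choices (pam_unix.so, pam_time.so) are assumptions for a Linux-style PAM layout; the ssh-sftp service would follow the same pattern:

```text
# sshd2_config: every user passes the `ssh' service; shell/exec users and
# sftp users additionally pass a second service
PamServiceName ssh
PamServiceNameForInternalProcesses ssh-shell
PamServiceNameForSubsystems sftp ssh-sftp

# /etc/pam.d/ssh-shell (assumed path and modules)
# auth is pam_permit.so as the note requires, so this service never decides
# authentication; access policy lives in the account and session lines
auth     required   pam_permit.so
account  required   pam_unix.so
account  required   pam_time.so
session  required   pam_unix.so
```

Because authentication is already decided by the PamServiceName service, any account module you add here (pam_time.so is just one example) can refuse the session without weakening the authentication step.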

PasswordGuesses

Sets the maximum number of attempts the user is allowed for password authentication. The default is 3.

PermitEmptyPasswords

Specifies whether the server allows password authentication by users with empty (null) passwords. The allowed values are `yes' and `no'. The default is `yes'.

PermitRootLogin

Specifies whether client users with root privileges can log in. The allowed values are `yes', `no', and `without-password'. If you specify `without-password', a user can log in with root privileges only if `public key' or `GSSAPI' authentication methods are used to authenticate the user. The default is `yes', which allows root login for all authentication methods.

PidFile

Specifies the file that contains the process ID of the sshd daemon. Use a fully qualified path. If the file name contains the string %s, the string will be replaced by the server port number.

PkidAddress

Specifies the host and port used to connect to PKI Services Manager. Use the format host:port. The default is localhost:18081. If you specify a host and omit the port, the default PKI Services Manager port (18081) is used.

PkidPublicKey

Specifies the name and location of the public key used to confirm the identity of Reflection PKI Services Manager. The default is /opt/attachmate/pkid/config/pki_key.pub.

Port

Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections.

PrintLastLog

Specifies whether the Reflection for Secure IT server displays the date and time of the last user login when a user logs in interactively. The allowed values are `yes' and `no'. The default is `yes'.

PrintMotd

Specifies whether the server prints the message-of-the-day text from the file /etc/motd when a user logs into a terminal session. (This setting does not override the display of /etc/issue.) The allowed values are `yes' and `no'. The default is `yes'.

ProtocolVersionString

Specifies the software version portion of the string that the server sends to clients during the initial connection protocol. (The first part of the string is always "SSH-2.0-", which indicates the SSH version supported by the server. This is required by the protocol RFC and cannot be edited.) Use double quotation marks if the string includes spaces. When ProtocolVersionString is an empty string (the default), the software version portion of the string is generated automatically, and includes the server's version and build number. This number will be updated automatically when you upgrade your server software.

Note: Many clients use the protocol string to identify the server type and enable compatible features. Changing the default value may cause public key authentication to fail, and may also affect the functionality of other features that vary between servers.

QuietMode

This keyword is deprecated. Use LogLevel.

RadiusFile

Specifies the name of the file used for configuring RADIUS authentication. The file is assumed to be relative to /etc/ssh2 unless you specify an absolute path. For file syntax, see /etc/ssh2/radius_config in the FILES section. There is no default value; the keyword may be left unset.

RekeyIntervalSeconds

Specifies the interval (in seconds) after which the server initiates a new key exchange. Setting this value too low can make communication between the client and server impossible. To avoid this problem, it is recommended that you avoid specifying an interval of less than 200 seconds. Use 0 (zero) to turn off rekey requests initiated by the server. Using 0 does not prevent the client from requesting a rekey. The default is 3600.

RequiredAuthentications

Use this keyword to require one or more client authentication methods. All specified authentication methods must succeed before a user is considered authenticated. The supported authentication methods are `gssapi-keyex', `gssapi-with-mic', `publickey', `keyboard-interactive', and `password'.

Note: RequiredAuthentications overrides AllowedAuthentications.

RequireReverseMapping

Specifies whether DNS lookup must succeed when checking whether connections from client hosts are allowed. To enable this feature you also need to set ResolveClientHostName to `yes'. The allowed values are `yes' and `no'. The default is `no'.

ResolveClientHostname

Specifies whether the server attempts to resolve the client IP address to a domain name. Setting this to `yes' may slow down the connection time, but is required if you configure any keywords to match host names based on domain name, rather than IP address. (See AllowHosts, DenyHosts, UserSpecificConfig, and HostSpecificConfig.) Setting this keyword to `yes' also means that DNS names appear in the log rather than IP addresses. The allowed values are `yes' and `no'. The default is `yes'.

Note: When ResolveClientHostname is `yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.

SessionRestricted

Specifies what session types the server allows. The possible values are `shell' (which allows terminal shell sessions), `exec' (which allows the client to execute commands on the server), and `subsystem' (which is required to support sftp and scp transfers from Reflection for Secure IT clients). The default is `shell, exec, subsystem'.

Note: For OpenSSH-style clients, `subsystem' is required for sftp transfers; `exec' is required for scp transfers.

SettableEnvironmentVars

Specifies which environment variables can be configured by the client. This value limits the scope of the SetRemoteEnv keyword on the client and of the user-specific environment file (~/.ssh2/environment). (Note: This setting does not affect variables configured in /etc/environment, /etc/ssh2/environment or other server files, which can be controlled only by root.) The arguments must be uppercase. This keyword is enabled in the default configuration file and set to the following value: `LANG, LC_ALL, LC_COLLATE, LC_CTYPE, LC_MONETARY, LC_NUMERIC, LC_TIME, PATH, TERM, TZ, UMASK'

SftpLogCategory

Determines which categories of sftp server messages are sent to the facility specified by SftpSysLogFacility. Use a comma-separated list. The default is `loginlogout,directorylistings,downloads,modifications,uploads', which configures logging of all categories. You can specify any of those options, plus `all', or `none'.

SftpSysLogFacility

Specifies the facility code used for logging messages from the sftp-server subsystem. This value is empty by default. When this value is empty and LogLevel is not empty, logging goes to the AUTH facility. When SftpSysLogFacility and LogLevel are both empty, the server does no logging to syslog. When this value is `none', Reflection for Secure IT disables logging to syslog (regardless of the LogLevel setting). Other valid values are platform-dependent. See syslog(3). Setting this to "auth" puts the log messages in the same facility as the default for sshd.

SftpVersion

Specifies the maximum SFTP protocol version supported by the server. Valid values are 3 and 4 (the default). If the client only supports an older version than what is specified in this setting, the version specified by the client is used.

Note: This keyword only affects connections when Subsystem-sftp is configured to use the default internal sftp-server (Subsystem-sftp internal://sftp-server). If you have configured an external sftp-server, use -v 3 or -v 4 to specify an SFTP version. For example, subsystem-sftp /usr/libexec/sftp-server -v 3.

SmartFileTransfer

Specifies whether the server performs checks for file equality before transferring data. When this keyword is `yes' (the default), the server supports smart file copy (which enables skipping transfer of identical files) and checkpoint resume (which enables interrupted file transfers to resume at the point of interruption). When this keyword is `no', Reflection for Secure IT always transfers the entire content of every file. Note: Smart file copy can be disabled on the client using SmartFileCopy. Checkpoint resume can be disabled on the client using CheckpointResume.

StrictModes

Specifies the directory permissions required for public key authentication. The allowed values are `yes' and `no'. The default is `yes'. When set to `yes', the user's directory (~/.ssh2) and all parent directories must be writable and executable only by the user (mode 744 is accepted). Recommended permissions for the user directory = 700. If these conditions aren't met, public key authentication fails. When set to `no', these file permissions are not enforced and sensitive files and information could be compromised.

Note: Additional file permission requirements are enforced for each user's authorization file (~/.ssh2/authorization) regardless of the current StrictModes setting. This file must be configured to prevent group and public write access (600 is recommended, 644 is accepted). If the authorization file is not sufficiently restricted, public key authentication will always fail.
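To check a user's directory before public key authentication is attempted, here is an added audit script (written for this page; it is not part of the product). It applies the two rules above exactly as stated, the StrictModes rule (no group/other write or execute, so 744 passes and 755 fails) to the user directory and every parent, and the authorization-file rule (no group/other write, so 644 passes) regardless of StrictModes. The function and file names are assumptions; the modes in the usage example are constructed:

```python
import os
import stat

# Bits StrictModes=yes forbids for group and other on ~/.ssh2 and every parent
# directory: write and execute (the page accepts mode 744, so group/other read is fine).
DIR_FORBIDDEN = stat.S_IWGRP | stat.S_IXGRP | stat.S_IWOTH | stat.S_IXOTH  # 0o033

# Bits that must be clear on ~/.ssh2/authorization regardless of StrictModes:
# group and other write (600 recommended, 644 accepted).
FILE_FORBIDDEN = stat.S_IWGRP | stat.S_IWOTH  # 0o022


def strict_dir_ok(mode):
    """True when a directory mode satisfies the StrictModes=yes rule."""
    return (stat.S_IMODE(mode) & DIR_FORBIDDEN) == 0


def authorization_file_ok(mode):
    """True when the authorization file mode blocks group/other write."""
    return (stat.S_IMODE(mode) & FILE_FORBIDDEN) == 0


def audit_modes(dir_modes, auth_mode):
    """Apply both rules to already-collected modes.

    dir_modes: {path: mode} for the user directory and each parent.
    auth_mode: mode of the authorization file, or None if it is missing.
    Returns a list of problem strings; an empty list means no permission
    problem would make public key authentication fail.
    """
    problems = []
    for path, mode in dir_modes.items():
        if not strict_dir_ok(mode):
            problems.append("%s: mode %04o is writable or executable by group/other"
                            % (path, stat.S_IMODE(mode)))
    if auth_mode is None:
        problems.append("authorization file missing; required for public key authentication")
    elif not authorization_file_ok(auth_mode):
        problems.append("authorization file: mode %04o allows group/other write"
                        % stat.S_IMODE(auth_mode))
    return problems


def parent_chain(path):
    """Yield path and each parent up to the filesystem root."""
    path = os.path.abspath(path)
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:
            return
        path = parent


def collect_modes(user_dir, authorization_name="authorization"):
    """Read the modes audit_modes() needs from the live filesystem."""
    dir_modes = {d: os.stat(d).st_mode for d in parent_chain(user_dir)}
    auth = os.path.join(user_dir, authorization_name)
    auth_mode = os.stat(auth).st_mode if os.path.exists(auth) else None
    return dir_modes, auth_mode


if __name__ == "__main__":
    import sys
    # Usage: audit_ssh2_dir.py [user_dir]; defaults to ~/.ssh2 (constructed example path)
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh2")
    for problem in audit_modes(*collect_modes(target)) or ["no permission problems found"]:
        print(problem)
```

Run it as the user (or as root with an explicit path) before enabling public key authentication for an account; each reported line names the directory or file to fix with chmod. Because the parent-directory rule is applied literally, a shared parent such as a 755 home-directory root is reported as well, which is exactly the condition the text says causes public key authentication to fail.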

Subsystem

Specifies a subsystem to export to the client. The argument specifies the command to execute when the client requests the subsystem. The separator character following the keyword can be a dash, an equals sign, or a space.

To support sftp and scp transfers, the sftp-server subsystem must be specified. The default configuration shown below executes the sftp service internally in the child process.

Subsystem-sftp internal://sftp-server

SyslogFacility

Specifies the facility code used for logging messages from the server. The default is `AUTH'. When this value is `none', Reflection for Secure IT disables logging to syslog. Other valid values are platform-dependent. See syslog(3).

Note: Setting this value to `none' is not recommended because it means you have no audit log of connection attempts or user logins. In the event of a denial-of-service attack, an audit log can help identify a set of IP addresses connecting excessively. An audit log can also provide important evidence if a user falsely claims to not have accessed your system (non-repudiation).

Note: The debugging level you specify for writing to this log can have security ramifications. For more information see LogLevel.

TrustAnchor

This keyword is no longer supported. Use Reflection PKI Services Manager to configure trust anchors.

UseLogin

Specifies whether login(1) is used for interactive login sessions. The allowed values are `yes' and `no'. The default is `no'.

Notes:

login(1) is never used for remote command execution.

Enabling this setting disables X11Forwarding because login(1) does not know how to handle xauth(1) cookies.

Using login(1) disables privilege separation. By default, sshd creates a new process that has the privilege of the authenticated user after a successful authentication. This is done to prevent privilege escalation by containing any corruption within the unprivileged processes. Enabling UseLogin disables this functionality.

UsePAM

This setting provides an alternate way to configure the server to use PAM. The allowed values are `yes' and `no'. If UsePam is not configured, the server uses the current values of AuthKbdInt.Required, AccountManagement, and UsePamSessions. Setting this keyword to `yes' is equivalent to setting AuthKbdInt.Required=pam, AccountManagement=pam, and UsePamSessions=yes. Setting this keyword to `no' is equivalent to setting AuthKbdInt.Required=password, AccountManagement=password, and UsePamSessions=no.

Note: If you modify UsePAM, be sure that none of the related keywords are set after UsePAM in the configuration file. If AuthKbdInt.Required, AccountManagement, or UsePamSessions is set to a conflicting value after UsePAM, that value overrides the value configured by UsePAM because the last value read by the server is the one it uses.

UsePAMAcctMgmt

This keyword is deprecated. Setting it to `yes' is equivalent to setting AccountManagement=pam.

UsePamSessions

Specifies whether or not PAM is used for session management. The allowed values are `yes' and `no'. The default is `yes'.

UserConfigDirectory

Specifies the directory used for user-specific information. This directory contains the authentication file (required for key authentication) and other user-specific files listed in the FILES section. The following macros are recognized: %U = user log-in name, %D = user's home directory, %IU = UID for user, %IG = GID for user. The default is `%D/.ssh2'.

UserSpecificConfig

Specifies a user-specific configuration file. The syntax is:

UserSpecificConfig user_expression subconfig_file

If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file.

Note: If you configure the host portion of this expression to match based on host domain name (rather than IP address), you must also set ResolveClientHostName to `yes'.

VerboseMode

This keyword is deprecated. Use LogLevel.

X11DisplayOffset

Sets the first display number available for X11 forwarding by the server. The default is 10.

X11UseLocalHost

Specifies whether the server should bind X11 forwarding to the loopback address or to the wildcard address. The allowed values are `yes' and `no'. The default is `yes'.

XAuthPath

Specifies the location of the xauth(1) program. The default (for example /usr/X11R6/bin/xauth) is system-dependent.

FILES

The server uses system-wide files (in /etc/ssh2) for all connections. Files in user-specific directories (~/.ssh2 by default) apply to connections from individual client users.

System-wide server files

/etc/ssh2/sshd2_config

The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.

/etc/ssh2/hostkey

The default private key of the public/private key pair used to identify the server to clients. This file must be readable and writable only by root (user-only read and write access). If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.

/etc/ssh2/hostkey.pub

The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.

/etc/ssh2/subconfig

Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.

/etc/ssh2/subconfig/<subconfig_file>

User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5).

/etc/ssh2/environment

If this file is present, it sets environment variable settings to use for all Secure Shell client connections to this server. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment. If the same environment variable is configured in this global file and also in a user-specific environment file (~/.ssh2/environment), the user-specific value overrides the global value. The pound sign (#) marks comment lines. The syntax is:

environment_variable=value

/etc/nologin

Limits login to root. If this file exists, only root is allowed to log in. The text of nologin is displayed to anyone else who attempts to log in.

<piddir>/sshd2_22.pid

Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.

/etc/motd

The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display.

/etc/ssh2/radius_config

A user-created file listing one or more RADIUS authentication servers. The file name suggested above is not required. After you create this file, use the RadiusFile keyword to specify your file name. For each RADIUS server, you need to enter the name, port, and shared secret. Recommended permissions = 600. The syntax is:

server1:port1:shared_secret1

server2:port2:shared_secret2

User-specific server files

~/.ssh2

The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.

~/.ssh2/authorization

The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. This file must be limited to user-only write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.

The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:

key

Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory (~/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.

key mykey.pub

key id_rsa_2048_a.pub

options

Use this optional keyword to specify options that apply to the preceding key. All options for a given key must be configured on a single line. White space is allowed. Options must be configured on the line immediately following the line containing the key. The format is:

Options option_keyword="arg", [option_keyword="arg"],...

Three Options keywords are supported: command, allow-from, and deny-from.

command command

The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.

key mykey.pub

options command="sh myscript"

allow-from IP-address

The key is allowed only for connections from the specified IP address. For example, the following configuration allows the specified key to be used only for connections from IP addresses starting with "150." and "10.10.".

Key /home/joe/.ssh/mykey.pub

options allow-from="150\..*,10\.10\..*"

deny-from IP-address

The key is not allowed for connections from the specified IP address.

Notes: To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).
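The following is an added example (written for this page, not the server's own implementation) of a parser for the authorization file format described under key and options above, together with an evaluator for allow-from and deny-from against a client address. Two details are assumptions, since the text does not state them: each comma-separated pattern is treated as a regular expression that must match the whole address (re.fullmatch), and a deny-from match refuses the key before allow-from is consulted. The sample file is constructed; its backup.pub entry deliberately denies only the IPv4 loopback so that the gap described in the note above is visible:

```python
import re

# option_keyword="arg", [option_keyword="arg"],...  (names are case-insensitive)
OPTION_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def parse_options(text):
    """Turn the body of an options line into {option_name: value}."""
    return {name.lower(): value for name, value in OPTION_RE.findall(text)}


def parse_authorization(text):
    """Parse authorization file text into a list of (key_file, options) pairs.

    Keywords are case-insensitive, '#' starts a comment, and an options line
    applies to the key on the immediately preceding line.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "key":
            if not rest:
                raise ValueError("key line without a file name")
            entries.append((rest, {}))
        elif keyword == "options":
            if not entries:
                raise ValueError("options line without a preceding key line")
            entries[-1][1].update(parse_options(rest))
        else:
            raise ValueError("unknown keyword: %s" % keyword)
    return entries


def _matches_any(pattern_list, address):
    """allow-from/deny-from values are comma-separated regular expressions.
    Assumption: each pattern must match the whole address (re.fullmatch)."""
    return any(re.fullmatch(p.strip(), address)
               for p in pattern_list.split(",") if p.strip())


def key_permitted(options, client_address):
    """Assumption: a deny-from match refuses the key; otherwise an allow-from
    list, if present, must match. Keys without either option are unrestricted."""
    deny = options.get("deny-from")
    if deny and _matches_any(deny, client_address):
        return False
    allow = options.get("allow-from")
    if allow and not _matches_any(allow, client_address):
        return False
    return True


def usable_keys(entries, client_address):
    """Key files the server would still consider for a client at client_address."""
    return [key for key, opts in entries if key_permitted(opts, client_address)]


# Constructed sample ~/.ssh2/authorization (not from the page). The deny-from on
# backup.pub lists only the IPv4 loopback, the gap the note above warns about.
SAMPLE_AUTHORIZATION = r"""
# constructed sample authorization file
key mykey.pub
options allow-from="150\..*,10\.10\..*"
Key backup.pub
options command="sh myscript", deny-from="127\.0\.0\.1"
key anywhere.pub
"""

if __name__ == "__main__":
    entries = parse_authorization(SAMPLE_AUTHORIZATION)
    for address in ("150.1.2.3", "192.168.1.5", "127.0.0.1", "::1"):
        print(address, "->", usable_keys(entries, address))
```

Evaluating the sample for "::1" still returns backup.pub: the deny-from pattern matches only "127.0.0.1", so an IPv6 loopback connection is not blocked. That is the reason the note requires both the IPv4 and IPv6 forms in any deny list.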

~/.hushlogin

If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.

~/.ssh2/environment

If this file is present, it sets environment variables for this user at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment, and also override settings configured in the global file (/etc/ssh2/environment). The pound sign (#) marks comment lines. The syntax is:

environment_variable=value

COPYRIGHT

Copyright (C) 2014 Attachmate Corporation

SEE ALSO

ssh(1), ssh2_config(5), ssh-keygen(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), sshd2_config(5), ssh-certview(1), ssh-certtool(1), pkid(8), pki_config(5), pki_mapfile(5), pki-val(1)

Additional Reflection for Secure IT documentation is available online from the Attachmate documentation web page:

http://support.attachmate.com/manuals/

And from the technical note library:

http://support.attachmate.com/techdocs/