Files Used by the Client


User-specific configuration file. The format is the same as the system-wide configuration file. Recommended permissions = 644.


System-wide configuration file. This file is installed when you install Reflection for Secure IT. The installed file shows default values as commented out lines. Edit this file to change system-wide settings. For information about keywords and supported values, see ssh2_config(5). Recommended permissions = 644.


This directory contains the public keys of hosts trusted by the current user. By default, keys are added automatically to this location when the user answers `yes' in response to an unknown host prompt. (This behavior can be changed using the StrictHostKeyChecking keyword in the configuration file.) Starting with version 7.0, host keys use the following file name format:


Where port is the port used for the ssh connection, host is the host name, and IP is the host IP address. (Earlier versions used, and this format is still supported.)

Note: By default the keys added to this directory have group and public read access (644). To improve security, set permissions on these files to make them readable only by the owner (600).


System-wide known hosts. Hosts with keys in this list are trusted for all users of the computer. No keys are installed to this location automatically. To add a system-wide trusted host, create this directory and put a copy of the host public key in it. Use the file name format described above for $HOME/.ssh2/hostkeys/key_*.pub.


An identification file is required if you use public keys or certificates for user authentication. (This is the default file name and location. You can redefine the name and/or location of the identification file on the ssh command line using -i or in the configuration file using the IdentificationFile keyword.) The identification file contains a list of one or more private keys held by a client user. Any listed key can be used by the client for user authentication. If more than one key is listed, the client tries the first key in the list, then continues trying the other keys in order. If no path information is provided, the client looks for listed keys in $HOME/.ssh2/. This file should have user-only write access (permissions = 600 or 644).

For standard keys use the following syntax to add keys to the list:

IdKey <keyname>

For example:

IdKey id_dsa_2048_a

For keys associated with n X.509 certificate use the following syntax.

CertKey <keyname>

The associated certificate must be in the same directory as the specified key and use the same base name with a .crt file extension.

Note: For public key authentication, you also need to configure the server. For certificate authentication, you need to install and configure Reflection PKI Services Manager and also configure the server.

Note: When ChrootSftpUsers or ChrootSftpGroups is enabled, connected users see additional subdirectories (etc on all platforms and dev on AIX) added to their home directory. These directories cannot be moved or deleted. The etc directory contains two required files. The rsit.conf file identifies the installation location of files required by Reflection for Secure IT. The localtime file is needed so that processes such as logging can get the current time. The system localtime file is in a location that cannot be accessed by a chrooted user. Users running on AIX also require /dev/null, which is needed for correct logging to syslog.

Related Topics

Client Configuration Files

File and Directory Permissions