[Contents] [Index]

About This Document >>     Installing SSH Tectia Server for IBM z/OS >>     Using SSH Tectia Server for IBM z/OS >>     Configuring the Server >>     Configuring the Client >>     Authentication >>     Troubleshooting SSH Tectia Server for IBM z/OS >>     Examples of Use >>     Man Pages >>         scp2         sftp2         ssh-add2         ssh-agent2         ssh-dummy-shell         ssh-keygen2         ssh-probe2         ssh-sft-stage         ssh2         ssh2_config         sshd-check-conf         sshd2         sshd2_config         sshd2_subconfig         sshregex     Log Messages >>

ssh2_config

SSH2_CONFIG(5) SSH2 SSH2_CONFIG(5) NAME ssh2_config - configuration file format for ssh2 on z/OS CONFIGURATION FILES ssh2 obtains all configuration data from the following sources (in this order): the system's global configuration file (typically /etc/ssh2/ssh2_config), the user's config- uration file ($HOME/.ssh2/ssh2_config), and the command- line options. For each parameter, the last obtained value will be effective. A configuration file can begin with "metaconfiguration" information, that is, information configuring the configu- ration language itself. If the configuration file starts with a line matching the following egrep-style regex #.*VERSION[ \t\f]+[0-9]+.[0-9]+ it is interpreted as the version of the configuration style. If this kind of line is not found, the version is considered to be "1.0". The version string can be followed by one or more metacon- figuration parameters. The lines have to start with '#', and they have to match the following egrep style regex: #[# \t]+[A-Z0-9]+[ \t]+.* The parsing of metaconfiguration directives stops with the first non-recognized line. Version 1.1 and later recognize the following parameter: REGEX-SYNTAX This denotes the regex syntax used to parse the configuration file in question. The regex syntax is used in parsing the labels, lists, and so on, and when matching something with the regex patterns specified in the configuration file. The value can be egrep, ssh, zsh_fileglob or tradi- tional (the arguments are not case-sensitive). zsh_fileglob and traditional are synonymous. The configuration file has the following format: 'expression' denotes the start of a per-host con- figuration block, where 'expression' is an arbi- trary string which distinguishes this block from others. 'expression' can contain wildcards. The 'expression' will be compared with the hostname obtained from the command line, and if it matches, the block will be evaluated. Evaluation stops at the next 'expression:' statement. If more than one match is found, all will be evaluated and the last obtained values for parameters will be effective. Note that 'expression' does not have to be a real hostname, as long as the 'expression' block con- tains a Host configuration parameter where the real hostname to connect to is defined. Empty lines and lines starting with '#' are ignored as comments. Otherwise a line is of the format 'keyword argu- ments'. Note that it is possible to enclose argu- ments in quotes, and use the standard C convention. The possible keywords and their meanings are as follows (note that the configuration files are case-sensitive but the keywords are not case-sensi- tive): AllowedAuthentications This keyword specifies the authentication methods that are allowed. This is a comma-separated list currently consisting of the following words: keyboard-interactive, password, publickey, and hostbased. Each specifies an authentication method. The default is "publickey,keyboard-interactive,pass- word". The authentication methods are tried in the order in which they are specified in this configu- ration parameter. This means that the least inter- active methods should be placed first in this list, for example "hostbased,publickey,keyboard-interac- tive" (because public-key authentication can be automated by the user with ssh-agent). AuthenticationSuccessMsg Specifies whether to print "Authentication success- ful." after authentication has completed success- fully. This is mainly to prevent malicious servers from getting information from the user by display- ing additional password or passphrase prompts. The argument must be yes or no. The default is yes. BatchMode If set to yes, ssh2 disables password/passhphrase querying. This is useful in scripts and other batch jobs where there is no user to supply the password. If the StrictHostKeyChecking parameter is set to ask, ssh2 assumes a no answer to queries (this is because ssh does not even try to get user input when invoked with BatchMode yes). The argu- ment must be yes or no. The default is no. Ciphers Specifies the ciphers to use for encrypting the session. The supported ciphers are aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, twofish-cbc, twofish128-cbc, twofish192-cbc, twofish256-cbc, arcfour, rijndael- cbc@ssh.com, des-cbc@ssh.com, and cast128-12-cbc@ssh.com. Multiple ciphers can be specified as a comma-sepa- rated list. Special values for this option are Any, AnyStd, none, AnyCipher, and AnyStdCipher. Any allows all ciphers including none; AnyStd allows only those mentioned in the IETF-SecSh draft plus none; none forbids any use of encryption; Any- Cipher and AnyStdCipher are analogous to the first two cases but exclude none. AnyStdCipher is the default. ClearAllForwardings Specifies whether to clear all remote and local forwarded ports defined so far. The argument must be yes or no. Note that scp always automatically clears all forwarded ports. Compression Specifies whether to use compression. The argument must be yes or no. DebugLogFile Writes debug messages to a specified file. (Remem- ber to enable debugging.) DefaultDomain This option is only useful if set in the global configuration file. This is used by ssh2 and ssh- signer2 to find out the system name, if only the base part of the system name is available by normal means (those used by, for example, hostname(1)). This is appended to the found system name, if the returned system name does not contain a dot ('.'). DisableVersionFallback Selects whether to disable fallback compatibility code for earlier, or otherwise incompatible ver- sions of software. Do not disable this unless you know what you are doing. The argument must be yes or no. The default is no. DontReadStdin Redirects input from /dev/null, that is, do not read stdin. The argument must be yes or no. The default is no. EscapeChar Sets the escape character (default: ~). The escape character can also be set on the command line. The argument should be a single character, '^' followed by a letter, or none to disable the escape charac- ter entirely (making the connection transparent for binary data). ForcePTTYAllocation Allocates a tty even if a command is given. The argument must be yes or no. The default is no. ForwardAgent Specifies whether the connection to the authentica- tion agent (if any) will be forwarded to the remote machine. The argument must be yes or no. The default is yes. ForwardX11 Specifies whether X11 connections will be automati- cally redirected over the secure channel and DIS- PLAY will be set. The argument must be yes or no. The default is yes. GatewayPorts Specifies that also remote hosts may connect to locally forwarded ports. The argument must be yes GoBackground Requests ssh2 to go to the background after authen- tication is done and the forwardings have been established. This is useful if ssh2 is going to ask for passwords or passphrases but the user wants it in the background. The argument must be yes, no or oneshot. With oneshot, ssh2 behaves the same way as with -fo command-line arguments. The default is no. Host The real hostname to log in to. With 'expression' above, this can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications). IdentityFile The name of the user's identification file. KeepAlive Specifies whether the system should send keepalive messages to the other side. If they are sent, a broken connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporar- ily, and some people find this annoying. The default is yes (to send keepalives), and the client will notice if the network goes down or the remote host dies. This is important when using scripts, and many users want it. To disable keepalives, the value should be set to no in both the server and the client configuration files. LocalForward The argument format is port:host:hostport. See -L in ssh2(1) for more detailed information on forward definitions. MACs Specifies the MAC (Message Authentication Code) algorithm to use for data integrity verification. The supported algorithms are hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha256@ssh.com, and hmac-sha256-96@ssh.com. Multiple MACs can be specified as a comma-separated list. Special values for this option are Any, AnyStd, none, AnyMac, and AnyStdMac. Any allows all MACs including none; AnyStd allows only those mentioned in the IETF-SecSh draft and none; none forbids any use of MACs; AnyMac and AnyStdMac are analogous to the first two cases but exclude none. AnyStdMac is the default. NoDelay If yes, enables socket option TCP_NODELAY. The argument must be yes or no. The default is no. PasswordPrompt Sets the password prompt that the user sees when connecting to a host. Variables %U and %H can be used to give the user's login name and host, respectively. PidFile Specifies the file where the process ID of the client is written. The default is none. Port Specifies the port number to connect to on the remote host. The default is 22. ProxyServer With this option, the client can connect using SOCKS or HTTP proxy. With SOCKS, you can specify whether to use SOCKS5 with the option UseSocks5. Overrides the value of the SSH_SOCKS_SERVER environment variable. The format of the variable is socks://user- name@socks_server:port/network/netmask,network/net- mask ... (with SOCKS proxy) or http://user- name@socks_server:port/network/netmask,network/net- mask ... (with HTTP proxy). For instance, by setting ProxyServer to socks://mylo- gin@socks.ssh.com:1080/203.123.0.0/16,198.74.23.0/24, host socks.ssh.com and port 1080 are used as your SOCKS server for connections outside of networks 203.123.0.0 (16-bit domain) and 198.74.23.0 (8-bit domain). Those networks are connected directly. If this option is set, it should almost always con- tain the local loopback network (127.0.0.0/8) as a network that is connected directly. This option and the option SocksServer behave iden- tically. Specifying both will cause the later defi- nition to override the first.

QuietMode All warnings and diagnostic messages are sup- pressed. Only fatal errors are displayed. The argument must be yes or no. The default is no. RandomSeedFile The name of the user's random-seed file. RekeyIntervalSeconds The number of seconds after which the key exchange is done again. The default is 3600 seconds (1 hour). Value '0' turns rekey requests off. This does not prevent the server from requesting rekeys. Other servers may not have rekey capabilities implemented correctly, and your connection may be cut off if you are connecting to a server other than sshd2. (The server may also crash, but this is not the fault of ssh2.) RemoteForward The argument format is port:host:hostport. See -R in ssh2(1) for more detailed information on forward definitions. SetRemoteEnv Specifies an environment variable to set in the server before executing a shell or command. The value should be of form VAR=val. val can be empty. You can specify multiple variables by using multi- ple options. Setting the variable may fail on the server end, e.g. because of policy decisions (see SettableEnvi- ronmentVars in sshd2_config(5)). Note: This fea- ture is not implemented in sshd2 versions 3.0.x and earlier. Ssh1AgentCompatibility Specifies whether to forward also an SSH1 agent connection. Legal values for this option are none, traditional, and ssh2. With value none (default), the SSH1 agent connection is not forwarded at all. With value traditional, SSH1 agent connection is forwarded transparently like in SSH1. Value tradi- tional can always be used but it constitutes a security risk, because the agent does not get the information about the forwarding path. Value ssh2 makes SSH1 agent forwarding similar to SSH2 agent forwarding and with this mode, the agent gets the information about the agent forwarding path. Note that value ssh2 can only be used if you use ssh- agent2 in the SSH1 compatibility mode. Ssh1Compatibility Specifies whether to use SSH1 compatibility. With this option, ssh1 is executed when the server sup- ports only the SSH1 protocols. The argument must be yes or no. Ssh1InternalEmulation Specifies whether to use SSH1 internal emulation code. With this option, ssh2 can also communicate with ssh1 servers, without using an external ssh1 program. The argument must be yes or no. Ssh1MaskPasswordLength Specifies whether to send SSH_MSG_IGNORE packets to mask the password length (otherwise, it is very easy to get, as the SSH1 protocol does not encrypt the length fields of packets). The argument must be yes or no. The default is yes. Ssh1Path Specifies the path to the ssh1 client, which is executed if the server supports only SSH 1.x proto- cols. The arguments for ssh2 are passed to the ssh1 client. SocksServer Equal to ProxyServer. StrictHostKeyChecking If this flag is set to yes, ssh2 will never auto- matically add host keys to the $HOME/.ssh2/hostkeys directory, and refuses to connect to hosts whose key has changed. This provides maximum protection against man-in-the-middle attacks. However, it can be somewhat annoying if you frequently connect to new hosts. The argument must be yes, no, or ask. The default is ask, which means that new hosts will automati- cally be added to the known host files after you have acknowledged this. If a host key has changed, you will be asked whether you want to accept the new host key as the only valid one. If you set this to no, the new host will be automatically added to $HOME/.ssh2/hostkeys. yes forces the user to add all new hosts manually. The host keys of known hosts will be verified automatically in any case. StrictModes Specifies whether ssh2 should check file modes of credentials during public key authentication. Specifically, this checks the user's .ssh2 direc- tory and private keys for invalid permissions. .ssh2 must only be writable and the private keys must only be readable and writable by the user. The permission check of the user's .ssh2 directory can be further controlled by using the Strict- Modes.UserDirMaskBits configuration option. The argument must be yes or no. The default is no. StrictModes.UserDirMaskBits Specifies the permission mask for the user's .ssh2 directory if StrictModes configuration option is used. The bits set this with option are not allowed to be set in the actual permissions. This means that with StrictModes and this option set to "077", the user's (only for the user). Default is "022". TrustX11Applications Specifies whether the Xserver should treat X11 client applications as trusted (with forwarding X11). Treating X11 applications as untrusted enables avoiding the problem in which logging into a compromised host allows applications on that host to "sniff" any input operations (e.g. key strokes, mouse movements, drag and drop and clipboard data transfers etc.) via the forwarded X11 connection, unless the security policy for this X server allows these operations for untrusted clients. You should only need this option if the X client program you are running needs exceptional privileges for the Xserver. Note that SSH1-internal emulation mode does not support the SECURITY extension. The argu- ment must be yes or no. The default is no. UseCryptoHardware Specifies how cryptographic hardware is utilized. Currently this option has an effect only on IBM z/OS platforms. The value for this option is a comma-separated list of algorithm:support_level pairs. The list may start with a sole support level specifier. Valid values for support level are yes, no, and must. yes means that cryptographic hardware is used for this algorithm if available and software cryptography is used if hardware cryptography is not available. no means that software cryptography is used for this algorithm. must means that only cryptographic hardware is used for the algorithm. Valid values for the algorithm part of this option are 3des, aes, sha1, and rng. 3des and aes mean the Triple DES and AES symmetric ciphers used for encrypting the session. sha1 means the SHA-1 algorithm used for MAC (Message Authenti- cation Code). rng means random number generator. The hardware is used to generate entropy for the random seed at start up and for reseeding the ran- dom number generator algorithm periodically during execution. Example: use hardware for 3des and sha1, all others should use software: UseCryptoHardware no,3des:must,sha1:must This could be coupled with allowing only the 3des cipher and sha1 MAC with Ciphers and MACs options. Another example: use crypto hardware for all ciphers except AES: UseCryptoHardware yes,aes:no User Specifies who the user will log in as. This can be useful if you have a different username in differ- ent machines. This saves the trouble of having to remember to specify the username on the command line. UseSocks5 Use SOCKS5 instead of SOCKS4 when connecting to a remote host. Note that you have to set SocksServer to a meaningful value. The argument must be yes or no. The default is no (i.e. use SOCKS4). VerboseMode Causes ssh2 to print debugging messages about its progress. This is helpful when debugging connec- tion, authentication, and configuration problems. The argument must be yes or no. The default is no. XauthPath Specifies where to find the "xauth" program. This option is mostly useful if you are using binaries and your X11 programs are installed in a location unknown to ssh2. The default is set by the config- ure script. AUTHORS SSH Communications Security Corp. For more information, see http://www.ssh.com. SEE ALSO ssh2(1)