[Contents] [Index]

About This Document >>     Installing SSH Tectia Server for IBM z/OS >>     Getting Started with SSH Tectia Server for IBM z/OS >>     Configuring the Server >>         Server Configuration Files >>         Subconfigurations >>         Ciphers and MACs >>         Configuring Root Logins         Restricting User Logins         Subsystems         Auditing >>         Securing the Server >>         Default sshd2_config Configuration File         Default ssh_certd_config Configuration File     Configuring the Client >>     Authentication >>     Transferring Files >>     Tunneling >>     Troubleshooting SSH Tectia Server for IBM z/OS >>     Advanced Information >>     Man Pages >>     Log Messages >>

Default sshd2_config Configuration File

The default sshd2_config configuration file is shown below. For more information on the configuration options, see Appendix sshd2_config

## SSH CONFIGURATION FILE FORMAT VERSION 1.1 ## REGEX-SYNTAX egrep ## end of metaconfig ## (leave above lines intact!) ## ## sshd2_config ## ## SSH Tectia Server 5.4 for IBM z/OS - SSHD2 Server Configuration File ## ## General # HostKeyFile hostkey # PublicHostKeyFile hostkey.pub # HostCertificateFile hostkey.crt # Comment out the pubkey # if cert is specified ## Server key in SAF # HostKeyEkProvider "zos-saf" # HostKeyEkInitString "KEYS(ID(SSHD2) RING(HOSTKEY))" # HostKey.Cert.Required yes # Server will send certificate # # RandomSeedFile random_seed # BannerMessageFile /etc/ssh2/ssh_banner_message # BannerMessageFile /etc/issue.net # # VerboseMode no # QuietMode no # SyslogFacility AUTH # SyslogFacility LOCAL7 # SftpSyslogFacility LOCAL7 # SftpSmfType none # SftpSmfType TYPE119 ## Communication with ssh-certd # CertdListenerPath /tmp/ssh-certd-listener ## Network # Port is not commented out, as it is needed by the example startup # scripts. Well, the default will not likely change. Port 22 # PidFile default # PidFile /var/run/sshd2_22.pid # ListenAddress any # ListenerRetryInterval 0 # ListenerRetryInterval 60 # ResolveClientHostName yes # RequireReverseMapping no # MaxBroadcastsPerSecond 0 # MaxBroadcastsPerSecond 1 # NoDelay no # KeepAlive yes # MaxConnections 50 # MaxConnections 0 # 0 == number of connections not limited ## Crypto # Ciphers AnyCipher # Ciphers AnyStdCipher # Following includes "none" 'cipher': # Ciphers AnyStd # # MACs AnyMAC # MACs AnyStdMAC # Following includes "none" 'mac': # MACs AnyStd # # RekeyIntervalSeconds 3600 # In order to maximize crypto hardware utilization, # on z/OS we'll accept only 3des-cbc and hmac-sha1 by default Ciphers 3des-cbc MACs hmac-sha1 ## Crypto Hardware # UseCryptoHardware specifies whether hardware support is wanted for certain # algorithms. The support levels are # no do not use crypto hardware # yes use crypto hardware if available # must use crypto hardware, do not fall back to software # # The level may be given alone as a default for all algorithms or # together with an algorithm. The algorithm names that may # be used are: # rng random number generator # sha1 SHA1 digest algorithm # 3des Triple DES # dh Diffie-Hellman # rsa RSA # # UseCryptoHardware is a comma-delimited list of algorithm:support level # pairs. It may start with a sole support level # # E.g. Must have support for 3des and sha1, all other should use software # UseCryptoHardware no,3des:must,sha1:must # # UseCryptoHardware yes # # To enable FIPS certification, use # Ciphers 3des-cbc,aes128-cbc # MACs hmac-sha1 # UseCryptoHardware must # UseCryptoHardware yes,aes:no ## User # PrintMotd yes # CheckMail yes # StrictModes no # Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for # minute, 's' for seconds) # IdleTimeOut 1h # without specifier, the default number is in seconds # IdleTimeOut 3600 # # UserConfigDirectory "%D/.ssh2" # UserConfigDirectory "/etc/ssh2/auth/%U" # AuthorizationFile authorization # # Authorized keys file directive can be used in enabling public-key # authentication against legacy authorized_keys file that contains # several keys in single file. # AuthorizedKeysFile "authorized_keys" # AuthorizedKeysFile "%D/.ssh/authorized_keys" # # This variable is set here, because by default it is empty, and so no # variables can be set. Because of that, we set a few common ones here. SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY| NUMERIC|TIME),PATH,TERM,TZ,SSH.* ## Tunneling # AllowTcpForwarding yes # AllowTcpForwardingForUsers sjl, ra-user@remote\.example # DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo # AllowTcpForwardingForGroups privileged_tcp_forwarders # DenyTcpForwardingForGroups coming_from_outside # # AllowLocalForwarding no AllowLocalForwarding yes # Local port forwardings to host 10.1.0.25 ports 143 and 25 are # allowed for all users in group users. # Note that forwardings using the name of this host will be allowed (if # it can be resolved from the DNS). # # ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25) # # Local port forwardings requested exactly to host proxy.example.com # port 8080 are allowed for users that have 's' as first character # and belong to the group with group ID (GID) 10: # # ForwardACL allow local s.*%10 proxy\.example\.com%8080 # # Remote port forwarding is denied for all users to all hosts: # ForwardACL deny remote .* .* ## Authentication ## publickey and password allowed by default # AllowedAuthentications publickey,password # AllowedAuthentications hostbased,publickey,password # AllowedAuthentications hostbased,publickey,keyboard-interactive # RequiredAuthentications publickey,password # LoginGraceTime 600 # AuthInteractiveFailureTimeout 2 # # HostbasedAuthForceClientHostnameDNSMatch no # UserKnownHosts yes # # AuthPublicKey.MaxSize 0 # AuthPublicKey.MinSize 0 # AllowAgentForwarding yes # AuthKbdInt.NumOptional 0 # AuthKbdInt.Optional password,plugin # AuthKbdInt.Required password # AuthKbdInt.Retries 3 # # PermitEmptyPasswords yes # PasswordGuesses 3 # ## publickey authentication with certificates in SAF # Users logging in with name "-" need SAF certificate # IdentityDispatchUsers - # # All users logging in need SAF certificate # IdentityDispatchUsers .* # # AuthPublicKey.Cert.ValidationMethods saf # # Certificate is also validated in ssh-certd # AuthPublicKey.Cert.ValidationMethods saf,tectia # # Client must send user certificate # AuthPublicKey.Cert.Required yes # # AuthorizationEkProvider "zos-saf:KEYS(ID(%U) RING(%U))" # AuthorizationEkProvider "zos-saf:[USERNAME=%U UID=%IU GID=%IG]" # AuthorizationEkInitStringMapper /home/SSHD2/mapper.sh # AuthorizationEkInitStringMapperTimeout 0 # 0 = Timeout disabled # ## hostbased authentication with certificates in SAF # AuthHostbased.Cert.ValidationMethods saf # # Certificate is also validated in ssh-certd # AuthHostbased.Cert.ValidationMethods saf,tectia # # Client must send host certificate # AuthHostbased.Cert.Required yes # KnownhostsEkProvider "zos-saf:KEYS(ID(SSHD2) RING(KNOWNHOSTS))" # Ignoring certain restrictions during user login: password expiration # on z/OS. # Setting this to "yes" will make an authentication during which an expired # password was changed count as a successful authentication. # IgnoreLoginRestrictions.PasswordExpiration no # To enable authentication time password changing (instead of the old # forced command style), uncomment the following line: # AuthPassword.ChangePlugin ssh-passwd-plugin # (this will also be used by the "password" submethod in # keyboard-interactive). ## Host restrictions # AllowHosts localhost, example\.com, friendly\.example # ## Next one matches with, for example, taulu.foobar.com, tuoli.com, but ## not tuoli1.com. Note that you have to input string "\." when you want it ## to match only a literal dot. You also have to escape "," when you ## want to use it in the pattern, because otherwise it is considered a list ## separator. ## ## AllowHosts t..l.\..* ## ## The following matches any numerical IP address (yes, it is cumbersome) ## ## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3} ## ## Same thing is achieved with the special prefix "\i" in a pattern. ## This means that the pattern is only used to match IP addresses. ## ## Using the above example: ## ## AllowHosts \i.* ## ## You can probably see the difference between the two. ## ## Also, you can use subnet masks, by using prefix "\m" ## ## AllowHosts \m127.0/8 ## and ## AllowHosts \m127.0.0.0/24 ## ## would match localhost ("127.0.0.1"). ## # DenyHosts evil\.example, aol\.example # AllowSHosts trusted\.host\.example # DenySHosts not\.quite\.trusted\.example # IgnoreRhosts no # IgnoreRootRHosts no # (the above, if not set, is defaulted to the value of IgnoreRHosts) ## User restrictions # User and group names must be in uppercase. # AllowUsers SJ.*,S[[:digit:]]*,S(JL|AMZA) # DenyUsers SKUUPPA,WAREZDUDE,31373 # DenyUsers DON@example\.org # AllowGroups STAFF,USERS # DenyGroups GUEST,ANONYMOUS # PermitRootLogin yes # PermitRootLogin nopwd ## Chrooted environment # User and group names must be in uppercase. # ChRootUsers ANONYMOUS,FTP,GUEST # ChRootGroups SFTP,GUEST ## Subsystem definitions # Subsystems do not have defaults, so this is needed here (uncommented). # subsystem-sftp sftp-server subsystem-sftp /usr/lpp/ssh2/libexec/sft-server-g3 # Also internal SFTP subsystem can be used. # subsystem-sftp internal://sftp-server ## Subconfiguration # There are no default subconfiguration files. When specified the last # obtained keyword value will prevail. Note that the host-specific files # are read before the user-specific files. # User and group names must be in uppercase. # Following matches (from) any host: # # HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example # # Following matches to subnet mask: # # HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example # # Following matches to users from ssh.com that have two character # username or username is SJL and belong to group WHEEL or WHEEL[0-9]: # # UserSpecificConfig (..|SJL)%WHEEL[[:digit:]]?@ssh\.com # /etc/ssh2/subconfig/user.example # # Following matches to the user ANONYMOUS from any host: # # UserSpecificConfig ANONYMOUS@.* /etc/ssh2/subconfig/anonymous.example