SSH Tectia  

Default sshd2_config Configuration File

The default sshd2_config configuration file is shown below. For more information on the configuration options, see the appendix on sshd2_config.

## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
##
## sshd2_config
##
## SSH Tectia Server 5.5 for IBM z/OS - SSHD2 Server Configuration File
##

## General

#       HostKeyFile                     hostkey
#       PublicHostKeyFile               hostkey.pub
#       HostCertificateFile             hostkey.crt # Comment out the pubkey
                                                    # if cert is specified

## Server key in SAF

#       HostKeyEkProvider               "zos-saf"
#       HostKeyEkInitString             "KEYS(ID(SSHD2) RING(HOSTKEY) 
                                         LABEL('Host key label'))"
#       HostKey.Cert.Required           yes
#
#       RandomSeedFile                  random_seed
#       BannerMessageFile               /etc/ssh2/ssh_banner_message
#       BannerMessageFile               /etc/issue.net
#
#       VerboseMode                     no # For debugging only. See man page.
#       QuietMode                       no
#       SyslogFacility                  AUTH
#       SyslogFacility                  LOCAL7
#       SftpSyslogFacility              LOCAL7
#       SftpSmfType                     none
#       SftpSmfType                     TYPE119

## Communication with ssh-certd

#       CertdListenerPath               /tmp/ssh-certd-listener

## Network

# Port is not commented out, as it is needed by the example startup
# scripts. Well, the default will not likely change.
        Port                            22
#       PidFile                         default
#       PidFile                         /var/run/sshd2_22.pid
#       ListenAddress                   any
#       ListenerRetryInterval           0
#       ListenerRetryInterval           60
#       ResolveClientHostName           yes
#       RequireReverseMapping           no
#       MaxBroadcastsPerSecond          0
#       MaxBroadcastsPerSecond          1
#       NoDelay                         no
#       KeepAlive                       yes
#       MaxConnections                  50
#       MaxConnections                  0
# 0 == number of connections not limited

## Crypto

#       Ciphers                         AnyCipher
#       Ciphers                         AnyStdCipher
# Following includes "none" 'cipher':
#       Ciphers                         AnyStd
#
#       MACs                            AnyMAC
#       MACs                            AnyStdMAC
# Following includes "none" 'mac':
#       MACs                            AnyStd
#
#       RekeyIntervalSeconds            3600

# In order to maximize crypto hardware utilization,
# on z/OS we'll accept only 3des-cbc and hmac-sha1 by default
        Ciphers                         3des-cbc
        MACs                            hmac-sha1

## Crypto Hardware 

# UseCryptoHardware specifies whether hardware support is wanted for certain
# algorithms. The support levels are
#   no          do not use crypto hardware
#   yes         use crypto hardware if available
#   must        use crypto hardware, do not fall back to software 
# 
# The level may be given alone as a default for all algorithms or 
# together with an algorithm. The algorithm names that may 
# be used are:
#   rng         random number generator
#   sha1        SHA1 digest algorithm
#   3des        Triple DES
#   dh          Diffie-Hellman
#   rsa         RSA
#
# UseCryptoHardware is a comma-delimited list of algorithm:support level
# pairs. It may start with a sole support level
#
# E.g. Must have support for 3des and sha1, all other should use software
#       UseCryptoHardware               no,3des:must,sha1:must
#
#       UseCryptoHardware               yes
#
# To enable FIPS certification, use
#       Ciphers                         3des-cbc,aes128-cbc
#       MACs                            hmac-sha1
#       UseCryptoHardware               must
#
        UseCryptoHardware               yes,aes:no

## User

#       PrintMotd                       yes
#       CheckMail                       yes
#       StrictModes                     no
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
#                   minute, 's' for seconds)
#       IdleTimeOut                     1h
# without specifier, the default number is in seconds
#       IdleTimeOut                     3600
#
#       UserConfigDirectory             "%D/.ssh2"
#       UserConfigDirectory             "/etc/ssh2/auth/%U"
#       AuthorizationFile               authorization
#
# Authorized keys file directive can be used in enabling public-key
# authentication against legacy authorized_keys file that contains
# several keys in single file.
#       AuthorizedKeysFile              "authorized_keys"
#       AuthorizedKeysFile              "%D/.ssh/authorized_keys"
#
# This variable is set here, because by default it is empty, and so no
# variables can be set. Because of that, we set a few common ones here.
        SettableEnvironmentVars         LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|
                                        NUMERIC|TIME),PATH,TERM,TZ,SSH.*

## Tunneling

#       AllowTcpForwarding              yes
#       AllowTcpForwardingForUsers      sjl, ra-user@remote\.example
#       DenyTcpForwardingForUsers       2[[:digit:]]*4,peelo
#       AllowTcpForwardingForGroups     privileged_tcp_forwarders
#       DenyTcpForwardingForGroups      coming_from_outside
#
#       AllowLocalForwarding            no
        AllowLocalForwarding            yes

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
#      ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.example.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group ID (GID) 10:
#
#      ForwardACL allow local s.*%10 proxy\.example\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
#      ForwardACL deny remote .* .*


## Authentication

## publickey and password allowed by default
#       AllowedAuthentications          publickey,password
#       AllowedAuthentications          hostbased,publickey,password
#       AllowedAuthentications          hostbased,publickey,keyboard-interactive
#       RequiredAuthentications         publickey,password
#       LoginGraceTime                  600
#       AuthInteractiveFailureTimeout   2
#
#       HostbasedAuthForceClientHostnameDNSMatch no
#       UserKnownHosts                  yes
#
#       AuthPublicKey.MaxSize           0
#       AuthPublicKey.MinSize           0
#       AllowAgentForwarding            yes

#       AuthKbdInt.NumOptional          0
#       AuthKbdInt.Optional             password,plugin
#       AuthKbdInt.Required             password
#       AuthKbdInt.Retries              3
#
#       PermitEmptyPasswords            yes
#       PasswordGuesses                 3
#
## publickey authentication with certificates in SAF
# Users logging in with name "-" need SAF certificate
#       IdentityDispatchUsers                  -          
#
# All users logging in need SAF certificate
#       IdentityDispatchUsers                  .*         
#
#       AuthPublicKey.Cert.ValidationMethods   saf
#
# Certificate is also validated in ssh-certd
#       AuthPublicKey.Cert.ValidationMethods   saf,tectia
#
# Client must send user certificate
#       AuthPublicKey.Cert.Required            yes        
#
#       AuthorizationEkProvider         "zos-saf:KEYS(ID(%U) RING(%U))"
#       AuthorizationEkProvider         "zos-saf:[USERNAME=%U UID=%IU GID=%IG]"
#       AuthorizationEkInitStringMapper /home/SSHD2/mapper.sh
#       AuthorizationEkInitStringMapperTimeout 0   # 0 = Timeout disabled
#
## hostbased authentication with certificates in SAF
#       AuthHostbased.Cert.ValidationMethods   saf
#
# Certificate is also validated in ssh-certd
#       AuthHostbased.Cert.ValidationMethods   saf,tectia 
#
# Client must send host certificate
#       AuthHostbased.Cert.Required  yes        
#       KnownhostsEkProvider        "zos-saf:KEYS(ID(SSHD2) RING(KNOWNHOSTS))"

# Ignoring certain restrictions during user login: password expiration
# on z/OS.
# Setting this to "yes" will make an authentication during which an expired
# password was changed count as a successful authentication.

#       IgnoreLoginRestrictions.PasswordExpiration no

# To enable authentication time password changing (instead of the old
# forced command style), uncomment the following line: 

#       AuthPassword.ChangePlugin       ssh-passwd-plugin

# (this will also be used by the "password" submethod in
#  keyboard-interactive).

## Host restrictions

#       AllowHosts              localhost, example\.com, friendly\.example
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
##     AllowHosts               t..l.\..*
##
## The following matches any numerical IP address (yes, it is cumbersome)
##
##     AllowHosts               ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with the special prefix "\i" in a pattern.
## This means that the pattern is only used to match IP addresses.
##
## Using the above example:
##
##     AllowHosts               \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
##     AllowHosts               \m127.0/8
## and
##     AllowHosts               \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
#       DenyHosts                       evil\.example, aol\.example
#       AllowSHosts                     trusted\.host\.example
#       DenySHosts                      not\.quite\.trusted\.example
#       IgnoreRhosts                    no
#       IgnoreRootRHosts                no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions
# User and group names must be in uppercase.

#       AllowUsers                      SJ.*,S[[:digit:]]*,S(JL|AMZA)
#       DenyUsers                       SKUUPPA,WAREZDUDE,31373
#       DenyUsers                       DON@example\.org
#       AllowGroups                     STAFF,USERS
#       DenyGroups                      GUEST,ANONYMOUS
#       PermitRootLogin                 yes
#       PermitRootLogin                 nopwd

## Chrooted environment
# User and group names must be in uppercase.

#       ChRootUsers                     ANONYMOUS,FTP,GUEST
#       ChRootGroups                    SFTP,GUEST

## Subsystem definitions

# Subsystems do not have defaults, so this is needed here (uncommented).
#       subsystem-sftp                  sftp-server
        subsystem-sftp                  /usr/lpp/ssh2/libexec/sft-server-g3
# Also internal SFTP subsystem can be used.
#       subsystem-sftp                  internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host-specific files
# are read before the user-specific files.
# User and group names must be in uppercase.

# Following matches (from) any host:
#
#      HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
#      HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character
# username or username is SJL and belong to group WHEEL or WHEEL[0-9]:
#
#      UserSpecificConfig (..|SJL)%WHEEL[[:digit:]]?@ssh\.com 
#                          /etc/ssh2/subconfig/user.example
#
# Following matches to the user ANONYMOUS from any host:
#
#      UserSpecificConfig ANONYMOUS@.* /etc/ssh2/subconfig/anonymous.example
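
The file above is a configuration listing rather than a program, but the comments describe a format (one keyword and value per line, "#" comments, "##" metaconfig header, the last value of a repeated keyword prevails, "\," as a literal comma, UseCryptoHardware as an optional bare support level followed by algorithm:level pairs) and several settings the comments themselves flag as sensitive: Ciphers or MACs set to AnyStd admit the "none" algorithm, and PermitRootLogin and PermitEmptyPasswords widen who may log in. The following Python script is an added example, not SSH Tectia code or part of the original page: it parses a file in that format and reports such settings. The sample configuration embedded in it is constructed, with a few settings deliberately loosened so the audit has something to report; keyword case-insensitivity and the absence of line continuation are assumptions.

```python
"""Parse an sshd2_config-style file and flag risky settings.

Added example, not SSH Tectia code.  Assumed format, taken from the page:
one "Keyword value" pair per line, '#' starts a comment, '##' lines are the
metaconfig header, and when a keyword repeats the last value prevails.
Keywords are compared case-insensitively; continuation lines are not handled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the default file with a few
# settings deliberately loosened so the audit has something to report.
SAMPLE_CONFIG = """\
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
        Port                            22
#       Ciphers                         AnyStdCipher
        Ciphers                         AnyStd
        MACs                            hmac-sha1
        UseCryptoHardware               no,3des:must,sha1:must
        PermitRootLogin                 yes
        PermitEmptyPasswords            yes
        VerboseMode                     no # For debugging only
        subsystem-sftp                  /usr/lpp/ssh2/libexec/sft-server-g3
"""

_TRAILING_COMMENT = re.compile(r"\s+#.*$")


def parse_sshd2_config(text: str) -> Dict[str, str]:
    """Return {keyword (lower-cased): value} for the active lines of a config."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank, comment or metaconfig
        line = _TRAILING_COMMENT.sub("", line)        # drop a trailing '# remark'
        parts = re.split(r"\s+", line, maxsplit=1)
        keyword, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings[keyword.lower()] = value             # last occurrence wins
    return settings


def split_list(value: str) -> List[str]:
    """Split a comma-separated value; a comma escaped as '\\,' is literal."""
    parts = re.split(r"(?<!\\),", value)
    return [p.strip().replace("\\,", ",") for p in parts if p.strip()]


def parse_crypto_hardware(value: str) -> Dict[str, str]:
    """Parse UseCryptoHardware: optional bare level, then algorithm:level pairs."""
    levels: Dict[str, str] = {}
    for item in split_list(value):
        algorithm, sep, level = item.partition(":")
        if sep:
            levels[algorithm] = level
        else:
            levels["default"] = algorithm             # a sole support level
    return levels


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (keyword, reason) pairs for explicit settings a reviewer would question."""
    findings: List[Tuple[str, str]] = []
    for keyword in ("ciphers", "macs"):
        items = split_list(settings.get(keyword, ""))
        if "AnyStd" in items or "none" in items:
            findings.append((keyword, "AnyStd also admits the 'none' algorithm"))
    if "3des-cbc" in split_list(settings.get("ciphers", "")):
        findings.append(("ciphers", "3des-cbc is a deprecated 64-bit block cipher"))
    if settings.get("permitrootlogin", "").lower() == "yes":
        findings.append(("permitrootlogin", "root logins are permitted"))
    if settings.get("permitemptypasswords", "").lower() == "yes":
        findings.append(("permitemptypasswords", "accounts with empty passwords can log in"))
    return findings


if __name__ == "__main__":
    for keyword, reason in audit(parse_sshd2_config(SAMPLE_CONFIG)):
        print(f"{keyword}: {reason}")
```

The audit only reports values that are explicitly set; commented-out lines in the default file document defaults, so a complete review would also consult the sshd2_config appendix for what an unset keyword means.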

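The "Host restrictions" comments above define how AllowHosts and DenyHosts patterns are read: egrep-syntax regular expressions, "\." for a literal dot, "\," for a literal comma inside a list, the "\i" prefix to match only IP addresses, and the "\m" prefix for a subnet mask such as "\m127.0/8". The script below is an added example, not SSH Tectia code, that implements those rules so that a proposed AllowHosts/DenyHosts pair can be tested offline against sample clients, using the page's own patterns. Assumptions not stated on the page: a regex must match the whole string, a plain pattern is tried against the resolved host name and then the IP address, and when AllowHosts is set a client must match it before DenyHosts is consulted. Python's re module stands in for egrep, so POSIX bracket classes such as [[:digit:]] are translated first; the client addresses in the test are constructed.

```python
"""Evaluate AllowHosts/DenyHosts-style patterns against a connecting client.

Added example, not SSH Tectia code.  Implements the pattern rules described
in the default sshd2_config comments: egrep regular expressions, '\\,' for a
literal comma in a list, the '\\i' prefix (regex applies to the IP address
only) and the '\\m' prefix (subnet mask, short forms like 127.0/8 allowed).
Assumptions: a regex must match the whole string; a plain pattern is tried
against the host name and then the IP; AllowHosts, if set, is checked first.
"""
import ipaddress
import re
from typing import List, Optional

# POSIX bracket classes egrep accepts, rewritten for Python's re module.
_POSIX_CLASSES = {
    "[:digit:]": "0-9",
    "[:alpha:]": "a-zA-Z",
    "[:alnum:]": "a-zA-Z0-9",
    "[:upper:]": "A-Z",
    "[:lower:]": "a-z",
}


def split_patterns(value: str) -> List[str]:
    """Split a pattern list on unescaped commas; '\\,' becomes a literal comma."""
    parts = re.split(r"(?<!\\),", value)
    return [p.strip().replace("\\,", ",") for p in parts if p.strip()]


def egrep_to_python(pattern: str) -> str:
    """Rewrite the POSIX bracket classes in an egrep pattern into re syntax."""
    for posix, python in _POSIX_CLASSES.items():
        pattern = pattern.replace(posix, python)
    return pattern


def subnet_from_mask_pattern(spec: str) -> ipaddress.IPv4Network:
    """Turn '127.0/8' or '192.168.0.0/16' into a network; short forms are padded."""
    address, _, bits = spec.partition("/")
    octets = address.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{bits or '32'}", strict=False)


def host_pattern_matches(pattern: str, hostname: Optional[str], ip: str) -> bool:
    """Apply one pattern to a client identified by an optional host name and its IP."""
    if pattern.startswith("\\m"):                     # subnet mask prefix
        return ipaddress.IPv4Address(ip) in subnet_from_mask_pattern(pattern[2:])
    if pattern.startswith("\\i"):                     # IP-only regex prefix
        return re.fullmatch(egrep_to_python(pattern[2:]), ip) is not None
    regex = egrep_to_python(pattern)
    candidates = [ip] if hostname is None else [hostname, ip]
    return any(re.fullmatch(regex, c) is not None for c in candidates)


def host_allowed(ip: str, hostname: Optional[str],
                 allow_hosts: str = "", deny_hosts: str = "") -> bool:
    """Decide admission from an AllowHosts/DenyHosts pair (assumed precedence)."""
    allow = split_patterns(allow_hosts)
    deny = split_patterns(deny_hosts)
    if allow and not any(host_pattern_matches(p, hostname, ip) for p in allow):
        return False                                  # not on the allow list
    return not any(host_pattern_matches(p, hostname, ip) for p in deny)


if __name__ == "__main__":
    # Constructed clients checked against the patterns from the default file.
    allow = r"localhost, example\.com, friendly\.example"
    deny = r"evil\.example, aol\.example"
    for ip, name in [("127.0.0.1", "localhost"), ("198.51.100.3", "evil.example")]:
        print(f"{name} ({ip}): {'allowed' if host_allowed(ip, name, allow, deny) else 'denied'}")
```

Because a plain pattern is compared with the resolved name, the decision depends on ResolveClientHostName and RequireReverseMapping; "\i" and "\m" patterns avoid that dependency by looking only at the address.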

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.