SSH

ssh-certd

SSH-CERTD(8)                   SSH2                  SSH-CERTD(8)


NAME
       ssh-certd  - Secure Shell Certificate Validator on z/OS


SYNOPSIS
       ssh-certd [-d debug_level_spec] [-f config_file]
       [-o options] [-l listener-path] [-F] [-v] [-V] [-q]


DESCRIPTION
       ssh-certd (Secure Shell Certificate Validator) is a common
       process  for  validating  certificates,  used primarily by
       sshd2 when validating user certificates. Without a  common
       place  for  the  validations,  all the data needed for the
       validation would need to be duplicated  in  every  process
       doing  the  validations.  This  would  be very inefficient
       especially in cases where very large CRLs are to be  used.
       ssh-certd  allows  CRLs  and  CA certificates to be loaded
       only once and then used for all subsequent validations.

       ssh-certd  is  normally  started   at   boot   time   from
       /etc/rc.local or equivalent. It opens a listener socket by
       default   at  /opt/tectia/var/run/ssh-certd-listener.  The
       location  of  the  listener  can   be  changed   with  the
       CertdListenerPath keyword of sshd2_config.

       ssh-certd  can be configured using command-line options or
       a configuration file.  Command-line options override  val-
       ues  specified in the configuration file.  ssh-certd reads
       configuration data  from  /opt/tectia/etc/ssh_certd_config
       (or the file  specified  with -f on the command line).  By
       default, the configuration file contains only the  keyword
       UseSSHD2ConfigFile,  which instructs ssh-certd to read the
       specified sshd2 configuration file in compatibility  mode,
       where  the  configuration  options  of  sshd2 are silently
       ignored, and only the options relating to  certificate  or
       general daemon configuration are read.



OPTIONS
       -d debug_level_spec
              Debug  mode.  The server sends verbose debug output
              to stderr. This option is only intended for  debug-
              ging for the server.  The debugging level is either
              a number, or a comma-separated list of  assignments
              of  the format ModulePattern=debug_level, for exam-
              ple "*=10,sshd2=2".  This should be the first argu-
              ment on the command line.

       -f configuration_file
              Specifies  the name of the configuration file.  The
              default is  /opt/tectia/etc/ssh_certd_config. Note:
              If this   is  specified, the  default configuration
              file is not read at all.

       -o 'option'
              Can be used to give options in the format  used  in
              the configuration files.  This is useful for speci-
              fying options for which there is no  separate  com-
              mand-line  flag.  The option has the same format as
              a line in the configuration  file.   Comment  lines
              are  not  accepted.   Where applicable, egrep regex
              format is used.

       -l listener-path
              Specifies the path where the server will  open  the
              listener socket.

       -F     Disables  daemon mode.  The server does not spawn a
              new process to the background.

       -v     Enables verbose mode.  Displays  verbose  debugging
              messages.   Equal to -d 2.  This option can also be
              specified in the configuration file.

       -V     Displays version string.

       -q     Quiet mode.  Nothing is sent  to  the  system  log.
              Normally  the beginning, authentication, and termi-
              nation of each connection is logged.   This  option
              can also be specified in the configuration file.


CONFIGURATION FILE
       ssh-certd      reads      configuration      data     from
       /opt/tectia/etc/ssh_certd_config (or  the  file  specified 
       with -f on the command line). The file  contains  keyword-
       value pairs, one per line. Lines  starting  with  '#'  and 
       empty lines are interpreted as comments.

       For  the  format  of  ssh_certd_config, see ssh_certd_con-
       fig(5).


FILES
       /opt/tectia/etc/ssh_certd_config
              Contains configuration data  for  ssh-certd.   This
              file  should  be  writable  by root only, but it is
              recommended  (though  not  necessary)  that  it  be
              world-readable.   For  ease of migration from older
              installations, ssh_certd_config contains by default
              the  line  "UseSSHD2ConfigFile sshd2_config", which
              instructs ssh-certd to read the certificate config-
              uration  from  the  sshd2  configuration  file  and
              ignore the options that are not relevant to it.


INSTALLATION
       ssh-certd is normally run as root.


AUTHORS
       SSH Communications Security Corporation

       For more information, see http://www.ssh.com.


SEE ALSO
       ssh_certd_config(5), sshd2(8)