SSH

sshd2_subconfig

SSHD2_SUBCONFIG(5)             SSH2            SSHD2_SUBCONFIG(5)


NAME
       sshd2_subconfig - advanced configuration of sshd2 on z/OS


DESCRIPTION
       You  can  also  specify configuration options in so-called
       subconfiguration files, which have the same  basic  format
       as the main configuration file. The process forked to han-
       dle the user's connection reads these files. They are read
       at  run-time, so if they are modified, it is not necessary
       to restart the server process.

       If parsing of the subconfiguration files fails,  the  con-
       nection is terminated (for the host-specific subconfigura-
       tion) or access denied (for the user-specific  subconfigu-
       ration) by the server.

       Most  of  the  configuration options that work in the main
       file work also in these, but some do not, where it  either
       does  not  make sense to set them (e.g.  ListenAddress and
       Port, which only affect the daemon  process  listening  to
       the port, and would not affect that behavior in any way in
       a subconfiguration file) or it would  be  confusing  (e.g.
       AllowUsers    in   user-specific   subconfiguration,   and
       AllowHosts in host-specific subconfiguration.).

       The value for {Host,User}SpecificConfig keywords is a pat-
       tern-filename  pair, separated by a whitespace. With User-
       SpecificConfig,    the    pattern     is     of     format
       "user[%group][@host]",  where  the pattern user is matched
       with the user name and UID,  group  is  matched  with  the
       user's  primary  and any secondary groups, both group name
       and GID, and host is matched  as  described  under  option
       AllowHosts.    With  HostSpecificConfig,  the  pattern  is
       "host" (as in UserSpecificConfig).

       Unlike sshd2_config, the subconfiguration files  may  have
       configuration  blocks,  or  stanzas, in them.  The sub-
       configuration heading is interpreted identically  to  what
       is described above, i.e. with UserSpecificConfig   the
       pattern is  of the format "user[%group][@host]", and  with
       HostSpecificConfig the format is "host".

       The subconfiguration files  are  divided  into  two  cate-
       gories:  user-specific  and  host-specific.  User-specific
       subconfiguration files are read when the client has stated
       the  username  it is trying to log in with. At this point,
       the server will obtain additional  information  about  the
       user:  does  the  user  exist, what is the user's UID, and
       what groups does the user belong to.  With  this  informa-
       tion,  the server can read the user-specific configuration
       files specified by UserSpecificConfig in  the  main  sshd2
       configuration file.

       The  other  category is host-specific configuration files,
       which are configured with the HostSpecificConfig variable.
       These  files  are  read  immediately  after the daemon has
       forked a new process to handle the connection.  Thus  most
       configuration options can be set in these.

       Note that it is possible to mix these configuration files.
       This is not recommended, because any  global  settings  in
       these  files  would be set multiple times (which would not
       do any harm  per  se,  but  might  lead  to  behavior  not
       intended by the administrator).

       Subconfigurations  are  really  flexible,  and  because of
       that, dangerous if the logic of the files is not carefully
       planned.  You can specify different authentication methods
       for different users, different banner messages for  people
       from certain hosts, and set log messages of certain groups
       to go to different files. There are a lot of possibilities
       here.


OPTIONS
       Configuration  variables that work everywhere, i.e. in the
       main file, the user-specific, and the  host-specific  con-
       figuration files:


              AllowShosts
              AllowTcpForwarding
              AllowedAuthentications
              AuthHostBased.Cert.Required
              AuthHostbased.Cert.ValidationMethods
              AuthInteractiveFailureTimeout
              AuthKbdInt.NumOptional
              AuthKbdInt.Optional
              AuthKbdInt.Plugin
              AuthKbdInt.Required
              AuthKbdInt.Retries
              AuthPublicKey.Cert.Required
              AuthPublicKey.Cert.ValidationMethods
              AuthorizationEkInitStringMapper
              AuthorizationEkInitStringMapperTimeout
              AuthorizationEkProvider
              AuthorizationFile
              AuthPublicKey.MaxSize
              AuthPublicKey.MinSize
              CheckMail
              DenyShosts
              ForwardAgent
              HostbasedAuthForceClientHostnameDNSMatch
              IdleTimeout
              IgnoreRhosts
              IgnoreRootRhosts
              KnownHostsEkProvider
              PasswdPath
              PasswordGuesses
              PermitEmptyPasswords
              PrintMOTD
              QuietMode
              RekeyIntervalSeconds
              RequiredAuthentications
              SettableEnvironmentVars
              SftpSysLogFacility
              ShellConvert
              ShellAccountCodeset
              ShellTransferCodeset
              ShellTranslateTable
              StrictModes
              SysLogFacility
              UserConfigDirectory
              UserKnownHosts
              VerboseMode


       Variables  that  work  in  the host-specific configuration
       file and the main file:


              AllowGroups
              AllowTcpForwardingForGroups
              AllowTcpForwardingForUsers
              AllowUsers
              BannerMessageFile
              ChrootGroups
              ChrootUsers
              Ciphers
              DenyGroups
              DenyTcpForwardingForGroups
              DenyTcpForwardingForUsers
              DenyUsers
              DisableVersionFallback
              ExternalAuthorizationProgram
              ForwardACL
              IdentityDispatchUsers
              KEXs
              LoginGraceTime
              MACs
              PermitRootLogin


AUTHORS
       SSH Communications Security Corporation

       For more information, see http://www.ssh.com.


SEE ALSO
       sshd2_config(5), sshd2(8), sshd-check-conf(5), sshregex(1)