The default sshd2_config configuration file is shown below. For descriptions of the configuration options, see sshd2_config.
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
##
## sshd2_config
##
## SSH Tectia Server 6.2 for IBM z/OS - SSHD2 Server Configuration File
##
## Layout note: this is the shipped default file. Lines starting with '#'
## are comments; most of them show an option together with its built-in
## default value, so uncommenting a line without changing it is a no-op.
## The few uncommented lines (Port, SettableEnvironmentVars,
## AllowLocalForwarding, subsystem-sftp) are the only active settings.

## General

# Server Authentication: server keys in files
# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# HostCertificateFile hostkey.crt   # Comment out the pubkey
#                                   # if cert is specified

# Server Authentication: server key and certificate in SAF
# HostKeyEkProvider "zos-saf"
# HostKeyEkInitString "KEYS(ID(SSHD2) RING(HOSTKEY) LABEL('Host \
#                      key label'))"
# HostKey.Cert.Required yes
#
# RandomSeedFile random_seed
# BannerMessageFile /opt/tectia/etc/ssh_banner_message
# BannerMessageFile /etc/issue.net
#
# VerboseMode no # For debugging only. See man page.
# QuietMode no
# SyslogFacility AUTH
# SyslogFacility LOCAL7
# SftpSyslogFacility DAEMON
# SftpSmfType none
# SftpSmfType TYPE119

## Communication with ssh-certd
# CertdListenerPath /opt/tectia/var/run/ssh-certd-listener

## Network
# Port is not commented out, as it is needed by the example startup
# scripts. Well, the default will not likely change.
Port 22
# PidFile default
# PidFile /opt/tectia/var/run/sshd2_22.pid
# PidFile /opt/tectia/var/run/sshd2.pid
# ListenAddress any
# ListenerRetryInterval 0
# ListenerRetryInterval 60
# ResolveClientHostName yes
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0 # 0 == number of connections not limited
# NOTE(review): 0 removes the connection cap entirely, which makes
# connection exhaustion of the listener easier; keep a finite limit on
# listeners reachable from untrusted networks.

## Crypto
# Ciphers aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
# Specifies the accepted encryption algorithms for connection security. It is
# a list of cipher names or one of the names Any, AnyCipher, AnyStd or AnyStdCipher.
# Any and AnyCipher include all the ciphers supported by Tectia.
# AnyStd and AnyStdCipher include ciphers listed in the SSH standards.
# Any and AnyStd also include "none", which means no encryption.
#
# MACs hmac-sha1,hmac-sha1-96,hmac-sha256-2@ssh.com,\
#      hmac-sha224@ssh.com,hmac-sha256@ssh.com, \
#      hmac-sha384@ssh.com,hmac-sha512@ssh.com
# Specifies the accepted Message Authentication Codes for connection security. It is
# a list of MAC names or one of the names Any, AnyMAC, AnyStd or AnyStdMAC.
# Any and AnyMAC include all the MACs supported by Tectia.
# AnyStd and AnyStdMAC include the MACs listed in the SSH standards.
# Any and AnyStd also include "none", which means no message authentication.
#
# KEXs diffie-hellman-group14-sha1, \
#      diffie-hellman-group1-sha1, \
#      diffie-hellman-group14-sha256@ssh.com
# A list of key exchange names or Any, AnyKEX, AnyStd or AnyStdKEX.
#
# HostKeyAlgorithms ssh-dss,ssh-rsa,ssh-dss-sha256@ssh.com, \
#      ssh-rsa-sha256@ssh.com,x509v3-sign-dss, \
#      x509v3-sign-rsa, \
#      x509v3-sign-dss-sha256@ssh.com, \
#      x509v3-sign-rsa-sha256@ssh.com
# A list of host key algorithm names or Any, AnyKEX, AnyStd or AnyStdKEX.
# NOTE(review): the line above repeats the KEX wildcard names
# (AnyKEX/AnyStdKEX); the host key algorithm wildcards are presumably
# named differently -- confirm against the sshd2_config reference before
# relying on them.
#
# RekeyIntervalSeconds 3600
#
# NOTE(review): the algorithm lists above are the commented-out defaults
# of this release. hmac-sha1/hmac-sha1-96, diffie-hellman-group1-sha1 and
# ssh-dss are considered weak by current guidance, and CBC-mode ciphers
# have known weaknesses in SSH framing. A hardened deployment should set
# Ciphers, MACs, KEXs and HostKeyAlgorithms explicitly rather than rely on
# Any/AnyStd, which (as documented above) also admit "none".

## Crypto Hardware
# UseCryptoHardware yes
# Specifies whether hardware support is wanted for certain
# algorithms. The support levels are
#   no    do not use crypto hardware
#   yes   use crypto hardware if available
#   must  use crypto hardware, fail if not available
#
# The level may be given alone as a default for all algorithms or
# together with an algorithm. The algorithm names that may
# be used are:
#   rng   random number generator
#   sha   SHA1 and SHA2 digest algorithms (sha1 is equivalent)
#   aes   AES algorithms
#   3des  Triple DES
#
# UseCryptoHardware is a comma-delimited list of algorithm:support level
# pairs. It may start with a sole support level
#
# E.g.
# To use all available hardware support and fail if support for 3DES
# or SHA is not available, specify "yes,aes:must,sha:must"
# NOTE(review): the sentence names 3DES but the example pins aes:must --
# one of the two is a typo; check the man page before copying this value.
#
# On most IBM mainframe systems the following algorithms have hardware support:
# the ciphers "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" and the MACs
# "hmac-sha1,hmac-sha224@ssh.com,hmac-sha256@ssh.com,hmac-sha256-2@ssh.com,
# hmac-sha384@ssh.com,hmac-sha512@ssh.com". The support is provided by
# the CPACF facility and ICSF.
#

## User
# PrintMotd yes
# CheckMail yes
# StrictModes no
# NOTE(review): StrictModes is off in this default. In sshd
# implementations generally it controls ownership/permission checks on
# per-user files such as the authorization or authorized_keys file --
# confirm the Tectia semantics, and prefer "yes" where users can loosen
# the modes of their own files.
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
# minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
#
# UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/opt/tectia/etc/auth/%U"
# AuthorizationFile authorization
#
# Authorized keys file directive can be used in enabling public-key
# authentication against legacy authorized_keys file that contains
# several keys in single file.
# AuthorizedKeysFile "authorized_keys"
# AuthorizedKeysFile "%D/.ssh/authorized_keys"
#
# This variable is set here, because by default it is empty, and so no
# variables can be set. Because of that, we set a few common ones here.
# NOTE(review): this is an egrep pattern list; SSH.* admits any client
# variable starting with "SSH", so review what clients may set before
# widening it.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY| \
   NUMERIC|TIME),PATH,TERM,TZ,SSH.*

## Conversion on terminal session
# ShellTransferCodeset ISO8859-1
# ShellTransferLineDelimiter UNIX
# ShellAccountCodeset IBM-1047
# ShellAccountLineDelimiter MVS
# ShellTranslateTable ""
# ShellConvert yes

## Tunneling
# AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, ra-user@remote\.example
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
#
# AllowLocalForwarding no
AllowLocalForwarding yes
# NOTE(review): local forwarding is enabled here and TCP forwarding is on
# by default. On a server that is not meant to act as a tunnel endpoint,
# restrict it with the *ForUsers/*ForGroups options above or with
# ForwardACL rules as shown below.
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.example.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group ID (GID) 10:
#
# ForwardACL allow local s.*%10 proxy\.example\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*

## Authentication
## publickey and password allowed by default
# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-interactive
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
#
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
# AuthPublicKey.Algorithms AnyStdPublicKeyAlgorithm
#
# AllowAgentForwarding yes
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional password,plugin
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
#
# PermitEmptyPasswords no
# PasswordGuesses 3
#
## publickey authentication with certificates in SAF
# Users logging in with name "-" need SAF certificate
# IdentityDispatchUsers -
#
# All users logging in need SAF certificate
# IdentityDispatchUsers .*
#
# AuthPublicKey.Cert.ValidationMethods saf
#
# Certificate is also validated in ssh-certd
# AuthPublicKey.Cert.ValidationMethods saf,tectia
#
# Client must send user certificate
# AuthPublicKey.Cert.Required yes
#
# AuthorizationEkProvider "zos-saf:KEYS(ID(%U) RING(%U))"
# AuthorizationEkProvider "zos-saf:[USERNAME=%U UID=%IU GID=%IG]"
# AuthorizationEkInitStringMapper /home/SSHD2/mapper.sh
# NOTE(review): judging by the name, this points at an external script
# the server runs during authentication; anyone able to modify it can
# influence the outcome, so restrict write access to the server owner.
# AuthorizationEkInitStringMapperTimeout 0 # 0 = Timeout disabled
#
## hostbased authentication with certificates in SAF
# AuthHostbased.Cert.ValidationMethods saf
#
# Certificate is also validated in ssh-certd
# AuthHostbased.Cert.ValidationMethods saf,tectia
#
# Client must send host certificate
# AuthHostbased.Cert.Required yes
# KnownhostsEkProvider "zos-saf:KEYS(ID(SSHD2) RING(KNOWNHOSTS))"
#
# Ignoring certain restrictions during user login: password expiration
# on AIX, HP-UX in trusted mode and Windows.
# IgnoreLoginRestrictions.PasswordExpiration no
# To enable authentication time password changing (instead of the old
# forced command style), uncomment the following line:
# AuthPassword.ChangePlugin ssh-passwd-plugin
# (this will also be used by the "password" submethod in
# keyboard-interactive).

## Host restrictions
# AllowHosts localhost, example\.com, friendly\.example
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
## AllowHosts t..l.\..*
##
## The following matches any numerical IP address (yes, it is cumbersome)
##
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with the special prefix "\i" in a pattern.
## This means that the pattern is only used to match IP addresses.
##
## Using the above example:
##
## AllowHosts \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
## AllowHosts \m127.0/8
## and
## AllowHosts \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
# DenyHosts evil\.example, aol\.example
# AllowSHosts trusted\.host\.example
# DenySHosts not\.quite\.trusted\.example
# IgnoreRhosts no
# IgnoreRootRHosts no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions
# User and group names must be in uppercase.
# AllowUsers SJ.*,S[[:digit:]]*,S(JL|AMZA)
# DenyUsers SKUUPPA,WAREZDUDE,31373
# DenyUsers DON@example\.org
# AllowGroups STAFF,USERS
# DenyGroups GUEST,ANONYMOUS
# PermitRootLogin yes
# PermitRootLogin nopwd
# NOTE(review): root login is permitted by default here. "nopwd"
# (presumably: no password authentication for root -- confirm) or an
# explicit AllowUsers/AllowGroups list is the usual hardening.

## Chrooted environment
# User and group names must be in uppercase.
# ChRootUsers ANONYMOUS,FTP,GUEST
# ChRootGroups SFTP,GUEST

## Subsystem definitions
# Subsystems do not have defaults, so this is needed here (uncommented).
# subsystem-sftp sftp-server
subsystem-sftp /opt/tectia/libexec/sft-server-g3
# Also internal SFTP subsystem can be used.
# subsystem-sftp internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host-specific files
# are read before the user-specific files.
# User and group names must be in uppercase.
# Following matches (from) any host:
#
# HostSpecificConfig .* /opt/tectia/etc/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /opt/tectia/etc/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character
# username or username is SJL and belong to group WHEEL or WHEEL[0-9]:
#
# UserSpecificConfig (..|SJL)%WHEEL[[:digit:]]?@ssh\.com /opt/tectia/etc/ \
#      subconfig/user.example
#
# Following matches to the user ANONYMOUS from any host:
#
# UserSpecificConfig ANONYMOUS@.* /opt/tectia/etc/subconfig/anonymous.example