Default sshd2_config Configuration File
The default sshd2_config configuration file is shown below. For
descriptions of the configuration options, see sshd2_config(5)
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
##
## sshd2_config
##
## SSH Tectia Server 6.4 for IBM z/OS - SSHD2 Server Configuration File
##
## General
# Server Authentication: server keys in files
# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# HostCertificateFile hostkey.crt # Comment out the pubkey
# if cert is specified
# Server Authentication: server key and certificate in SAF
# HostKeyEkProvider "zos-saf"
# HostKeyEkInitString "KEYS(ID(SSHD2) RING(HOSTKEY) LABEL('Host \
key label'))"
# HostKey.Cert.Required yes
#
# RandomSeedFile random_seed
# BannerMessageFile /opt/tectia/etc/ssh_banner_message
# BannerMessageFile /etc/issue.net
#
# VerboseMode no # For debugging only. See man page.
# QuietMode no
# SyslogFacility AUTH
# SyslogFacility LOCAL7
# SftpSyslogFacility DAEMON
# SftpSmfType none
# SftpSmfType TYPE119
# WTORoutingCodes 1,11
## Communication with ssh-certd
# CertdListenerPath /opt/tectia/var/run/ssh-certd-listener
## Network
# Port 22
# AddressFamily inet
# inet: IPv4 only
# inet6: IPv6 only
# any: Ipv4 and IPv6
#
# PidFile default
# PidFile /opt/tectia/var/run/sshd2_22.pid
# PidFile /opt/tectia/var/run/sshd2.pid
# ListenAddress any
# ListenerRetryInterval 0
# ListenerRetryInterval 60
# ResolveClientHostName yes
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
# KeepAlive yes
## Load Control
# MaxConnections 1000
# LoadControl.Active yes
# LoadControl.DiscardLimit see below
# LoadControl.WhitelistSize 1000
#
# MaxConnections is the limit of the number of concurrent connections. It must be
# greater than 1 when Load Control is active. The value 0 means that the number
# of connections is unlimited and causes Load Control to be disabled.
#
# Set LoadControl.Active to no to disable load control.
#
# LoadControl.DiscardLimit must not be larger than MaxConnections. The default
# value is 90 % of MaxConnections.
#
# LoadControl.WhitelistSize is the number of distinct IP addresses that the
# whitelist can hold.
## Crypto
# Ciphers aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
# Specifies the accepted encryption algorithms for connection security. It is
# a list of cipher names or one of the names Any, AnyCipher, AnyStd or AnyStdCipher.
# Any and AnyCipher include all the ciphers supported by Tectia.
# AnyStd and AnyStdCipher include ciphers listed in the SSH standards.
# Any and AnyStd also include "none", which means no encryption.
#
# MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256, \
hmac-sha256-2@ssh.com,hmac-sha224@ssh.com, \
hmac-sha256@ssh.com,hmac-sha384@ssh.com, \
hmac-sha2-512,hmac-sha512@ssh.com
# Specifies the accepted Message Authentication Codes for connection security. It is
# a list of MAC names or one of the names Any, AnyMAC, AnyStd or AnyStdMAC.
# Any and AnyMAC include all the MACs supported by Tectia.
# AnyStd and AnyStdMAC include the MACs listed in the SSH standards.
# Any and AnyStd also include "none", which means no message authentication.
#
# KEXs diffie-hellman-group14-sha1, \
diffie-hellman-group1-sha1, \
diffie-hellman-group14-sha256@ssh.com
# A list of key exchange names or Any, AnyKEX, AnyStd or AnyStdKEX.
#
# HostKeyAlgorithms ssh-dss,ssh-rsa,ssh-dss-sha256@ssh.com, \
ssh-rsa-sha256@ssh.com,x509v3-sign-dss, \
x509v3-sign-rsa, \
x509v3-sign-dss-sha256@ssh.com, \
x509v3-sign-rsa-sha256@ssh.com
# A list of host key algorithm names or Any, AnyKEX, AnyStd or AnyStdKEX.
#
# RekeyIntervalSeconds 3600
## Crypto Hardware
# UseCryptoHardware yes
# Specifies whether hardware support is wanted for certain
# algorithms. The support levels are
# no do not use crypto hardware
# yes use crypto hardware if available
# must use crypto hardware, fail if not available
#
# The level may be given alone as a default for all algorithms or
# together with an algorithm. The algorithm names that may
# be used are:
# rng random number generator
# sha SHA1 and SHA2 digest algorithms (sha1 is equivalent)
# aes AES algorithms
# 3des Triple DES
#
# UseCryptoHardware is a comma-delimited list of algorithm:support level
# pairs. It may start with a sole support level
#
# E.g. To use all available hardware support and fail if support for 3DES
# or SHA is not available, specify "yes,aes:must,sha:must"
#
# On most IBM mainframe systems the following algorithms have hardware support:
# the ciphers "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" and the MACs
# "hmac-sha1,hmac-sha224@ssh.com,hmac-sha256@ssh.com,hmac-sha2-256,
# hmac-sha256-2@ssh.com, hmac-sha384@ssh.com,hmac-sha2-512,
# hmac-sha512@ssh.com". The support is provided by
# the CPACF facility and ICSF.
#
## User
# PrintMotd yes
# CheckMail yes
# StrictModes yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
# minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
#
# UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/opt/tectia/etc/auth/%U"
# AuthorizationFile authorization
#
# Authorized keys file directive can be used in enabling public-key
# authentication against legacy authorized_keys file that contains
# several keys in single file.
# AuthorizedKeysFile "authorized_keys"
# AuthorizedKeysFile "%D/.ssh/authorized_keys"
#
# This variable is set here, because by default it is empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY| \
NUMERIC|TIME),PATH,TERM,TZ,SSH.*
## Conversion on terminal session
# ShellTransferCodeset ISO8859-1
# ShellTransferLineDelimiter UNIX
# ShellAccountCodeset IBM-1047
# ShellAccountLineDelimiter MVS
# ShellTranslateTable ""
# ShellConvert yes
## Tunneling
# AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, ra-user@remote\.example
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
#
# AllowLocalForwarding no
AllowLocalForwarding yes
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.example.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group ID (GID) 10:
#
# ForwardACL allow local s.*%10 proxy\.example\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*
## Authentication
## publickey and password allowed by default
# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-interactive
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
#
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
# AuthPublicKey.Algorithms AnyStdPublicKeyAlgorithm
#
# AllowAgentForwarding yes
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional password,plugin
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
#
# PermitEmptyPasswords no
# PasswordGuesses 3
#
## publickey authentication with certificates in SAF
# Users logging in with name "-" need SAF certificate
# IdentityDispatchUsers -
#
# All users logging in need SAF certificate
# IdentityDispatchUsers .*
#
# AuthPublicKey.Cert.ValidationMethods saf
#
# Certificate is also validated in ssh-certd
# AuthPublicKey.Cert.ValidationMethods saf,tectia
#
# Client must send user certificate
# AuthPublicKey.Cert.Required yes
#
# AuthorizationEkProvider "zos-saf:KEYS(ID(%U) RING(%U))"
# AuthorizationEkProvider "zos-saf:[USERNAME=%U UID=%IU GID=%IG]"
# AuthorizationEkInitStringMapper /home/SSHD2/mapper.sh
# AuthorizationEkInitStringMapperTimeout 0 # 0 = Timeout disabled
#
## hostbased authentication with certificates in SAF
# AuthHostbased.Cert.ValidationMethods saf
#
# Certificate is also validated in ssh-certd
# AuthHostbased.Cert.ValidationMethods saf,tectia
#
# Client must send host certificate
# AuthHostbased.Cert.Required yes
# KnownhostsEkProvider "zos-saf:KEYS(ID(SSHD2) RING(KNOWNHOSTS))"
#
# Ignoring certain restrictions during user login: password expiration
# on AIX, HP-UX in trusted mode and Windows.
# IgnoreLoginRestrictions.PasswordExpiration no
# To enable authentication time password changing (instead of the old
# forced command style), uncomment the following line:
# AuthPassword.ChangePlugin ssh-passwd-plugin
# (this will also be used by the "password" submethod in
# keyboard-interactive).
## Host restrictions
# AllowHosts localhost, example\.com, friendly\.example
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
## AllowHosts t..l.\..*
##
## The following matches any numerical IP address (yes, it is cumbersome)
##
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with the special prefix "\i" in a pattern.
## This means that the pattern is only used to match IP addresses.
##
## Using the above example:
##
## AllowHosts \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
## AllowHosts \m127.0/8
## and
## AllowHosts \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
# DenyHosts evil\.example, aol\.example
# AllowSHosts trusted\.host\.example
# DenySHosts not\.quite\.trusted\.example
# IgnoreRhosts no
# IgnoreRootRHosts no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)
## User restrictions
# User and group names must be in uppercase.
# AllowUsers SJ.*,S[[:digit:]]*,S(JL|AMZA)
# DenyUsers SKUUPPA,WAREZDUDE,31373
# DenyUsers DON@example\.org
# AllowGroups STAFF,USERS
# DenyGroups GUEST,ANONYMOUS
# PermitRootLogin yes
# PermitRootLogin nopwd
## Chrooted environment
# User and group names must be in uppercase.
# ChRootUsers ANONYMOUS,FTP,GUEST
# ChRootGroups SFTP,GUEST
## Subsystem definitions
# Subsystems do not have defaults, so this is needed here (uncommented).
# subsystem-sftp sftp-server
subsystem-sftp /opt/tectia/libexec/sft-server-g3
# Also internal SFTP subsystem can be used.
# subsystem-sftp internal://sftp-server
## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host-specific files
# are read before the user-specific files.
# User and group names must be in uppercase.
# Following matches (from) any host:
#
# HostSpecificConfig .* /opt/tectia/etc/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /opt/tectia/etc/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character
# username or username is SJL and belong to group WHEEL or WHEEL[0-9]:
#
# UserSpecificConfig (..|SJL)%WHEEL[[:digit:]]?@ssh\.com /opt/tectia/etc/ \
subconfig/user.example
#
# Following matches to the user ANONYMOUS from any host:
#
# UserSpecificConfig ANONYMOUS@.* /opt/tectia/etc/subconfig/anonymous.example
2015 SSH Communications Security Corporation