Using the Authorization File

Tectia Server for IBM z/OS requires an authorization file that lists the user public keys that are authorized for login.

The default location for the authorization file is $HOME/.ssh2/authorization. The file location can be changed with the AuthorizationFile keyword in the sshd2_config file.

The authorization file contains a list of public key file names each preceded by the keyword Key. If there is more than one Key, they are all authorized for login.

Authorization File Options

It is possible to define different settings in the authorization file depending on which key is used in public-key authentication. The authorization file has the same general syntax as the sshd2_config configuration file. The following keywords may be used:


This is followed by the file name of a public key in the user configuration directory (by default, $HOME/.ssh2) that is used for identification when contacting the host. If there is more than one key defined, they are all acceptable for login.


This keyword, if used, must follow the Key keyword above. The various options are specified as a comma-separated list.

The following Options can be used:

allow-from and deny-from

In addition to public-key authentication, the canonical name of the remote host must match the given pattern(s). These parameters follow the logic of the AllowHosts and DenyHosts keywords of sshd2_config. Specify one pattern per keyword; multiple keywords can be used.


This is used to specify a "forced command" that will be executed on the server side instead of anything else when the user is authenticated. The command supplied by the user (if any) is put in the environment variable SSH2_ORIGINAL_COMMAND. The command is run on a pty if the connection requests a pty; otherwise it is run without a tty. Quotes may be used in the command if escaped with backslashes.

This option might be useful for restricting certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP/IP and/or X11 forwarding, unless they are explicitly prohibited (see no-port-forwarding).


Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted.


Sets idle timeout limit to time either in seconds (s or nothing after the number), in minutes (m), in hours (h), in days (d), or in weeks (w). If the connection has been idle (all channels) this long, the connection is closed.


Forbids TCP/IP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This is useful in combination with the command option.


Forbids authentication agent forwarding when this key is used for authentication.


Prevents tty allocation (a request to allocate a pty will fail).

Example: Your authorization file could, for example, contain the following:

Options allow-from=".*\.example\.org"
Options deny-from=".*\.evil\.example",no-pty

When someone now logs in using the master key, the connection is not limited in any way by the authorization file. However, if the maid key is used, only connections from certain hosts will be allowed. And if the butler key is used, connections are denied from certain hosts, and additionally the allocation of tty is prevented.