SSH Tectia

SSH Tectia Server

For further details and use of the parameters, see the sshd2_config(5) man page or SSH Tectia Server (Windows) Administrator's Guide.

General

name

Name of the configuration. The name will be used in the management system only; it does not affect how the server operates.

description

Description of the configuration. The description will be used in the management system only; it does not affect how the server operates.

comment

A free form comment field that is included in the generated configuration files. The value of this field is always quoted so that it is never interpreted as configuration.

BannerMessageFile

This text is displayed to all users who log into a system, even before they have actually logged in. Note, however, that some clients may ignore text sent before authentication.

HostKeyFile

Specifies the file containing the private host key (default /etc/ssh2/hostkey on Unix and hostkey on Windows).

PublicHostKeyFile

Specifies the file containing the public host key (default /etc/ssh2/hostkey on Unix and hostkey on Windows).

General / Log settings

EventLogFilter (Windows only)

Specifies the filters for Event log messages.

SftpLogCategory (Windows only)

Specifies the SFTP operations that are logged to the Event log by the SFTP server.

SyslogFacility (Unix only)

Specifies the syslog facility code that is used where sshd2 sends log messages. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. You may need to configure /etc/syslog.conf on the managed host, so that messages to the specified facility will be logged properly.

SftpSyslogFacility (Unix only)

As SyslogFacility, but specifies the log facility the SFTP server (internal or otherwise) will use. By default, no facility is specified, disabling logging. You may need to configure /etc/syslog.conf on the managed host so that messages to the specified facility will be logged properly.

QuietMode (Unix only)

Specifies quiet mode for the server, which means that it will log very little and generally generate very few messages.

Selecting this option is not recommended.

General / SSH1

Ssh1Compatibility (Unix only)

If this option is selected, sshd1 is executed if the client only supports the 1.x protocol. This option only works if SSH 1.x is also installed on the system.

Note

Using this option is not recommended due to known vulnerabilities in many versions of SSH 1.x and the protocol itself.

Sshd1Path (Unix only)

Specifies the path to the sshd1 executable to be executed in SSH1 compatibility mode. The arguments for sshd2 are passed on to sshd1. This is only used if Ssh1Compatibility is set.

Sshd1ConfigFile (Unix only)

This option is used only if sshd2 is executed with the -f command-line option. It specifies an alternate configuration file for sshd1 in case sshd2 runs in compatibility mode. If -f is not specified, sshd1 will read its configuration from the standard location, typically /etc/sshdconfig.

General / Advanced

subsystem-sftp

Specifies a subsystem. The argument is a command that will be executed when the subsystem is requested.

SFTP uses a subsystem of sshd2 on Unix and ssh2master on Windows to transfer files securely. In order to use the SFTP server, you must have a subsystem defined for it.

Unix-specific

Management Server has three options for SFTP server on Unix:

  • sftp-server

  • Internal sftp-server

  • Deny sftp service (subsystem will not be defined)

sftp-server is the default, with the defined command:

subsystem-sftp sftp-server

It is also possible to use Internal sftp-server:

subsystem-sftp internal://sftp-server

which will execute an SFTP service internally in the child process. Normally, the child process would execute a command using the user's shell, but in this case it will start to handle SFTP requests. This enables better logging in chrooted environments, and does not require any static binaries to be built, as the only binary needed will be sshd2 itself.

Windows-specific

Management Server has two options for SFTP server on Windows:

  • sftp-server

  • Deny sftp service (subsystem will not be defined)

sftp-server is the default, with the defined executable:

subsystem-sftp sftp_server2.exe

HostKeyEkProvider (Unix only)

Specifies the external key provider for host keys. This is ignored if external key support is not included in the software. See the ssh-externalkeys(5) man page for more information.

External key providers can be used, for example, to use Entrust certificates for host keys.

HostKeyEkInitString (Unix only)

Specifies the initialization string for the external key provider for host keys. See HostKeyEkProvider.

HostKeyEkTimeOut (Unix only)

Specifies the maximum time in seconds to wait for keys from the external host key provider. See HostKeyEkProvider.

DisableVersionFallback

Specifies whether to disable fallback compatibility code for older, or otherwise incompatible versions of the Secure Shell software. The keyword is distributed from version 4.2.0 onwards.

DoubleBackSpace (Windows only)

Relevant when the Windows Server is installed on a Japanese Windows platform. Change this setting if a client does not display backspace correctly in its terminal window.

When selected, if backspace is pressed on the client, the server replies with two backspace characters for each two-byte Japanese character.

When cleared, if backspace is pressed on the client, the server replies with one backspace character for each two-byte Japanese character.

PrivateWindowStation (Windows only)

Specifies whether the terminal is created in a fully private window station. For security reasons, it is recommended that this value is selected. If logging in takes too much time, try clearing this value. This setting has no effect on a tunneling-only server setup.

TerminalProvider (Windows only)

Specifies the name of the executable that provides terminal access. The default is cmd.exe.

PermitUserTerminal (Windows only)

Specifies whether the users can have terminal access. See also Terminal.AllowUsers for fine-grained control over terminal access.

Subconfigurations

Subconfigurations specify configuration options that apply only to specific hosts or users. For more information, see Special Extensions and Subconfigurations.

Special Extensions

Additional configuration options for SSH Tectia Server can be specified here.

Any text written here will be included in the generated configuration file for all server versions. Verify the syntax and compatibility carefully, as a broken configuration may prevent the server daemon from starting.

For more information, see Special Extensions and Subconfigurations.

/etc/nologin (Unix only)

If this text is non-empty, all non-root logins to hosts using this configuration are denied, with this message displayed to the users. This option should be used with great care, since it prevents normal logins. This should only be used during certain system maintenance operations.

unixfilemode (Unix only)

File mode for a configuration file in numeric octal form. Default 600.

Network

Port

Specifies the port number on which SSH Tectia Server listens to connections. Normally there should be no need to change this from the default 22.

ListenAddress

Specifies the IP address of the interface where the server socket is bound. By default, all interfaces are listened to. A specific IP address should be defined only if, for example, the service should be available only through the internal interface of the server host.

ResolveClientHostName

Specifies whether the client hostname should be resolved (using DNS).

RequireReverseMapping

Specifies whether to require a reverse DNS mapping for the client. If selected, connections from clients that do not have a valid reverse DNS mapping are refused. ResolveClientHostName must be enabled to use this option.

NoDelay

Specifies whether the TCP_NODELAY option should be enabled for connections. Enabling this speeds up certain interactive and especially port forwarding operations where small packets are transmitted back and forth. On the other hand, enabling this also consumes both CPU and network resources.

KeepAlive

Specifies whether to enable or disable the TCP keepalive mechanism. The keepalive mechanism causes the server to detect and close dead connections after a while. Enabling this is recommended, especially for any busy server. Note also that on Windows the TCP keepalive has to be specifically enabled on the operating system itself.

However, it may sometimes be desirable to disable this on systems with remote users connecting over bad networks; this setting can help to avoid unnecessary disconnections during short network outages. The downside of disabling keepalives is that when a connection actually dies, the server process may hang forever, unnecessarily consuming system resources.

It is recommended that an idle timeout should be specified if keepalives are disabled. Keepalives are enabled by default in Secure Shell. To disable keepalives, they must be disabled in both the server and the client configuration files.

MaxConnections

Specifies the maximum number of simultaneous Secure Shell connections allowed. The system will reject any additional connections once the limit has been reached, until some of the old connections have been closed. The default value 0 means no limit (or limited only by system resources); however, it also makes the system susceptible to denial-of-service attacks by opening Secure Shell sessions until the system runs out of memory. Setting this to a non-zero value is recommended for production servers, especially if they are accessible from the public Internet.

MaxBroadcastsPerSecond

Specifies the maximum number of UDP broadcasts that the server handles per second. If it receives more broadcasts per second, the rest are silently ignored. The broadcasts are used in discovering the host keys on the network. The default value 0 disables processing of UDP broadcasts.

Login

AllowAgentForwarding (Unix only)

Specifies whether agent forwarding is allowed. Disabling this effectively prevents the use of ssh-agent2 or SSH Accession from implementing authentication forwarding.

AllowedAuthentications

Specifies the authentication methods that can be used to log into the system. The server refuses any authentication attempts using any method which is not allowed.

Note that even if an authentication method has been enabled, the appropriate credentials must be configured on the system for authentication to succeed (for example, password authentication uses the system's normal user and password database, public-key authentication requires a valid PKI setup for certificate authentication, or the allowed authorizations to be configured in the .ssh2/authorization file for plain public-key authentication).

RequiredAuthentications

Specifies the authentication methods that are REQUIRED for login to be allowed. If specified, AllowedAuthentications is ignored and ALL the authentication methods configured here must succeed before authentication is allowed. In other words, this forces the server to always require multiple authentications before accepting the user. An example would be to require both a certificate (from a hardware token) and a password to access a high-security system.

AuthKbdInt.Optional

Specifies which methods can be optionally used for authentication in keyboard-interactive authentication. If no required keyboard-interactive methods have been configured (see AuthKbdInt.Required), at least one method configured here must succeed.

Note that keyboard-interactive authentication must also be enabled in the Allowed/RequiredAuthentications setting.

AuthKbdInt.Required

Specifies which methods are required for keyboard-interactive authentication. Authentication will fail unless all methods indicated here succeed. Usually it is sufficient to specify a list of allowed methods in AuthKbdInt.Optional.

Note that keyboard-interactive authentication must also be enabled in the Allowed/RequiredAuthentications setting.

AuthKbdInt.Plugin

Specifies the program name which is used by the plugin method in keyboard-interactive authentication. Plugin authentication is disabled if this is empty.

AuthKbdInt.RADIUS.Server

List of RADIUS servers used in keyboard-interactive authentication if RADIUS is enabled. At least one server must be specified. The keyword is distributed from version 4.2.0 onwards.

Server address specifies the RADIUS server address. For example radius.example.com.

Timeout specifies the time in seconds to wait for a reply from a RADIUS server. The default is 120 seconds.

NAS identifier specifies the NAS identifier used in a request when connecting to the RADIUS server. The following variables can be used:

  • IPADDRESS, substituted with the IP address of the host.

  • DNSNAME, substituted with the DNS name of the host.

  • HOSTNAME, substituted with the short host name of the host (DNS name without domain part).

Secret file specifies the path to the secret file. If not specified, the default file /etc/ssh2/sshradiusnassecret.dat on Unix and sshradiusnassecret.dat in the server install directory on Windows will be used.

GSSAPI.AllowedMethods

Specifies the actual mechanism that is used through GSSAPI. Select the method used in the network. The GSSAPI-related parameters and values are distributed on Windows to software versions 4.0.0 and later and on Unix to versions 4.2.0 and later, unless otherwise stated.

GSSAPI.AllowOldMethodWhichIsInsecure

Specifies whether GSSAPI authentication is allowed without message integrity check. The legacy GSSAPI method is vulnerable to replay attacks. Enable for backwards compatibility with versions 4.1.0 and earlier. The keyword is distributed from version 4.2.0 onwards.

GSSAPI.DelegateToken

Specifies whether delegation is requested for the Kerberos GSSAPI token.

GSSAPI.Dlls (Unix only)

Specifies the dynamic libraries used in GSSAPI authentication as a comma-separated list. By default, the MIT KerberosV5 libraries available at the time of software installation are used. The libraries are loaded in the given order to satisfy any dependencies. For example: /usr/local/lib/libkrb5.so, /usr/local/lib/libgssapikrb5.so. The GSSAPI-related keywords are distributed from version 4.2.0 onwards.

Login / Login restrictions

LoginGraceTime

Specifies the time limit for the user to successfully log in before the server closes the connection. Default is 10 minutes.

PasswordGuesses

Specifies the number of times that password authentication can be tried before the connection is closed.

PermitEmptyPasswords

Specifies whether empty passwords are allowed. If this is enabled, then login to accounts with an empty password is permitted by anyone without entering a password. If this is disabled, empty passwords are always rejected, and logging into accounts that have an empty password is only possible using authentication methods other than password. It is strongly recommended not to use or accept empty passwords.

AuthInteractiveFailureTimeout

Specifies the number of seconds that the server waits after a failed attempt to log in using keyboard-interactive or password authentication. This is used to limit the rate at which an attacker could try different passwords.

AuthPublicKey.MaxSize

Specifies the maximum size (in bits) of the public key that can be used to log in. Zero means no limit. Values higher than 2048 or so are not recommended, as the computations can take excessively long, leading to a potential denial-of-service attack.

AuthPublicKey.MinSize

Specifies the minimum size (in bits) of the public key that can be used to log in. Zero means no limit. Values lower than 768 are not recommended, as such small keys are quite easily breakable, and using for example 1024-bit keys is still computationally quite efficient.

HostbasedAuthForceClientHostnameDNSMatch (Unix only)

Specifies whether to enforce that the hostname supplied by the client as its hostname and the hostname given to the client by DNS must match. The hostnames could differ, for example, if the connection came through NAT (Network Address Translation). Traditional .rhosts authentication verifies the client host name from DNS; however, in the Secure Shell host-based authentication, the client's host name is cryptographically authenticated using a public key (the client's host key must exist in the host key database, and the client must prove that it knows the host's private key by digitally signing the authentication request using the host's private key). Verifying the hostname gives a small improvement in security, but breaks operation over NAT. By default, the verification is disabled.

IgnoreLoginRestrictions.NISPlusNoPermission

Specifies whether the server should ignore the no permission result ("*NP*") returned by the operating system password check when NIS+ is being used. By default, the server denies login for the users for whom it cannot access the password database. If this option is enabled, the server will not deny login in such a case if login would be otherwise allowable. The default is no.

Login / Login actions

PrintMotd (Unix only)

Specifies whether /etc/motd should be printed at login.

CheckMail (Unix only)

Specifies whether to check at login whether the user has mail.

StrictModes

Specifies whether ssh2 should check file modes of credentials during public-key authentication. Specifically, this checks the user's .ssh2 directory and private keys for invalid permissions: .ssh2 must be writable only by the user, and the private keys must be readable and writable only by the user. The permission check of the user's .ssh2 directory can be further controlled by using the StrictModes.UserDirMaskBits configuration option.

Note that the option is enabled by default in the centrally managed configurations also for SSH Tectia 4.3.5 and later. On Windows this option is supported for 4.3.5 and later.

StrictModes.UserDirMaskBits (Unix only)

Specifies the permission mask for the user's .ssh2 directory if the StrictModes configuration option is used. The bits set with this option are not allowed to be set in the actual permissions. This means that with StrictModes and this option set to "077", the user's .ssh2 directory may not have any permissions to group or others (only for the user). The default is "022".

UserConfigDirectory

Specifies the directory from which the user's configuration data (authorization file and public key(s)) are read during user authentication. Normally, they are in the user's home directory in the .ssh2 subdirectory; however, this allows the users to modify their own configurations for public-key authentication. This setting can be used to place the configuration data somewhere else where the users cannot modify it. The default value %D/.ssh2 expands to $HOME/.ssh2 on Unix and %USERPROFILE%/.ssh2 on Windows. This setting enables the system administrator to force a policy on the user.

AuthorizationFile

The name of the authorization file, typically in UserConfigDirectory, which contains file names of the user's public key(s) that the server accepts in public-key authentication, for example key iddsa_2048_a.pub. Normally, all users should have their own authorization files and public key pairs.

AuthorizedKeysFile

Specifies the name of the user's authorized keys file. The file is a legacy format file containing multiple public keys, so that each line holds a single public key. The keys are in the ssh1/openssh public key format. This option is disabled by default.

PasswdPath (Unix only)

If set, specifies the location of the passwd program (or equivalent). This program will be run with the privileges of the user logging in, whenever the user's password needs to be changed.

AuthPassword.ChangePlugin (Unix only)

Set this to the path of the password change plugin, typically ssh-passwd-plugin (if you have the binary packages or you have configured the source with --with-passwd-plugin). This allows the password to be changed during the authentication phase, instead of using the system's passwd command to do it, which replaces the actual session (requiring the user to log in again). By default, this is not set. This parameter is distributed in software versions 4.0.0 and later.

ExternalAuthorizationProgram (Unix only)

If set, this program is run to verify whether the user is authorized to log in. sshd2 converses with this program using a line-based protocol, so it is very easy to implement as a shell script, for example. If this is set, and the program does not exist, or cannot be run, authorization (user login) will be denied.

More information about the protocol can be found in the SSH Tectia Server source code distribution package, in RFC.authorizationprogramprotocol and in the sample script included in the same package, extauthorizationexample.sh. Note that the program is run with the privileges of the sshd2 process, typically root, and information from the remote user is passed to it before login. Thus, extreme care should be exercised when writing external authentication programs to avoid accidentally creating security vulnerabilities.

SettableEnvironmentVars (Unix only)

Specifies the allowed environment variables the user can set before a shell is allocated. This option is used to check whether a setting is allowed by the client (ssh2), by the user's $HOME/.ssh2/environment file or public-key options. This is not used when setting variables from /etc/environment or other "root-only" files, as the user does not have control over those anyway.

This keyword can be followed by any number of patterns, separated by commas. Patterns are matched using the egrep syntax (see the sshregex man page). It is possible to use a comma (,) in the patterns by escaping it with a backslash (\).

It should be noted that some environment variables can be dangerous and allow break-ins, and new variables should only be allowed after careful consideration. Safe examples of allowed environment variables are: LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ.

Note that this option only changes the setting of environment variables before the user's shell is run. After that, the users are of course free to set whichever variables they want in the environment.
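The escaped-comma list syntax above, worked through as an added example (not SSH Tectia's own code): a splitter that honours \, inside a pattern and a filter that keeps only the environment variables whose names fully match an allowed pattern. The pattern value and the requested environment are constructed, and whole-name matching is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed SettableEnvironmentVars value (not from the page): the safe
# list the documentation suggests plus one pattern whose {1,3} quantifier
# needs its comma escaped as \, so the list splitter does not cut it.
SETTABLE = r"LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ,APP_[A-Z]{1\,3}"


def split_patterns(value: str) -> List[str]:
    """Split on commas that are not escaped with a backslash, then turn
    each '\\,' back into a literal comma for the regex engine."""
    patterns, buf, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            # Keep other escapes (\. and the like) intact; unescape only the comma.
            buf.append("," if value[i + 1] == "," else ch + value[i + 1])
            i += 2
            continue
        if ch == ",":
            patterns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    patterns.append("".join(buf))
    return [p for p in patterns if p]


def filter_environment(requested: Dict[str, str],
                       settable: str) -> Tuple[Dict[str, str], List[str]]:
    """Keep the variables whose names fully match an allowed pattern and
    return (accepted, rejected names). Assumption: whole-name match."""
    allowed = [re.compile(p) for p in split_patterns(settable)]
    accepted, rejected = {}, []
    for name, val in requested.items():
        if any(p.fullmatch(name) for p in allowed):
            accepted[name] = val
        else:
            rejected.append(name)
    return accepted, rejected
```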

AlwaysUsePAMAccountManagement

If PAM authentication was not used, this option still uses the PAM function pam_acct_mgmt to check login restrictions as configured in the account group of the system's PAM configuration. Even if this option is disabled, the account management will be called if PAM authentication was used. The argument must be yes or no. The default is no.

AlwaysUsePAMSessionLogging

If PAM authentication was not used, this option still uses PAM functions pam_open_session and pam_close_session to log session data, as configured in the session group of the system's PAM configuration. Even if this option is disabled, the account management will be called if PAM authentication was used. The argument must be yes or no. The default is no.

ForcedPAMAccountManagementPasswordChange

If PAM account management is used and it requires an authentication token change (pam_acct_mgmt returns PAM_NEW_AUTHTOK_REQD) and the used authentication method also requires a password change, allow this connection, as it can only be used to change the password. The user login shell will be replaced with the passwd command and the user is disconnected afterwards. Note that if AlwaysUsePAMSessionLogging is enabled, pam_open_session will be called on connection before the password has been changed. Disabling this option will cause the server to disconnect the client with an error message stating that a password change is needed and that the user should connect again using the keyboard-interactive authentication method. This option does not affect normal PAM authentication, which will still prompt for a new password even if this option has been disabled. The argument must be yes or no. The default is no.

Cryptography

Ciphers

Specifies the encryption algorithms that the server is willing to negotiate. If the client and the server have no algorithms in common, the connection fails. Usually the default AnyStdCipher works just fine.

MACs

Specifies the MAC (Message Authentication Code) algorithms the server is willing to negotiate. If the client and the server have no algorithms in common, the connection fails. Usually the default AnyStdMac works just fine.

RekeyIntervalSeconds

Specifies how often the key exchange will be repeated, and all encryption keys changed. Normally there is no need to change this setting. Disabling rekey for the server does not prevent the client from requesting rekey. Value 0 disables rekey. The default is once per hour.

RandomSeedFile

Specifies the random seed file typically located in the server configuration directory. The random seed file is used to pass entropy from one invocation of Secure Shell to the next. It improves the cryptographic security of encryption keys. Normally there is no need to change this setting.

Cert.RSA.Compat.HashScheme

An advanced PKI option that defines (for SSH Secure Shell client versions prior to 3.2.9) the hash scheme that is used when signing with an RSA private key during certificate authentication. Usually, the default MD5 works just fine.

FIPSMode (Windows only)

Specifies whether to use the FIPS (U.S. Federal Information Processing Standard) 140-2 certified SSH Cryptographic Library. By default, the standard SSH Cryptographic Library is used. The keyword is distributed in software versions 4.0.4 and later.

Tunneling

AllowTcpForwarding

Specifies whether TCP forwarding (tunneling) is allowed. TCP forwarding enables users to forward arbitrary TCP connections securely over the Secure Shell connection. This can be very useful for securing business applications, access to intranet databases, or FTP connections in case SFTP cannot be used. However, it can also be used to effectively get around the protection offered by firewalls, and organizations may want to disable this on hosts accessible through a firewall.

Note that disabling TCP forwarding in the SSH Tectia Server configuration does not prevent advanced users with terminal access from passing arbitrary information. Terminal access can be disabled, for example, by using Terminal.DenyUsers. See SSH Tectia Server documentation for details.

AllowX11Forwarding (Unix only)

Specifies whether X11 forwarding is allowed. If this is enabled, and the user logs in from an X terminal, then DISPLAY will be automatically set on the machine being logged into, and any X11 connections will be securely tunneled over Secure Shell. X11 authentication cookies are also changed during login, so that the server never sees the real authentication cookies. This further improves security.

XauthPath (Unix only)

Specifies the path for the xauth program. xauth is used after login to set authentication credentials for X11 on the server host. If this is not set, the default location for xauth will be assumed. Normally there is no need to set this option.

AllowTcpForwardingForUsers

Specifies that TCP forwarding is allowed for the specified users. The value should be a comma-separated list of login names (or, more precisely, regular expressions matching login names). The name can also be user@hostname, in which case TCP forwarding is only allowed if logged in as the specified user and the connection is coming from the given hostname (client).

Note that when hostnames are written, all dots (.) in the hostname must be quoted because it is actually a regular expression. For example, tunnel@company\.com would be a valid quoted name, as would .*@.*\.company\.com.

DenyTcpForwardingForUsers

Specifies that TCP forwarding is denied for the specified users. The value should be a comma-separated list of login names (or, more precisely, regular expressions matching login names). The name can also be user@hostname, in which case TCP forwarding is only allowed if logged in as the specified user and the connection is coming from the given hostname (client).

Note that when hostnames are entered, all dots (.) in the hostname must be quoted because it is actually a regular expression. For example, tunnel@company\.com would be a valid quoted name, as would .*@.*\.company\.com.

AllowTcpForwardingForGroups (Unix only)

Specifies that TCP forwarding is allowed for users belonging to the specified groups. The value is a comma-separated list of group names.

DenyTcpForwardingForGroups (Unix only)

Specifies that TCP forwarding is denied for users belonging to the specified groups. The value is a comma-separated list of group names.

ForwardACL

Specifies a TCP forwarding access control list that provides fine-grained control over what the client is allowed to forward and where. The format of this option is:

(allow|deny) (local|remote) user-pat forward-pat [originator-pat]

user-pat is used to match the client user, as the pattern user[%group][@host], where the pattern user is matched with the username and UID, group is matched with the user's primary and any secondary groups, both group name and GID, and host is matched as described for option AllowHosts.

forward-pat is a pattern of format host-id[%port]. This has different interpretations depending on whether the ACL is specified for local or remote tunnels. For local forwards, the host-id will match with the target host of the forwarding, as specified under option AllowHosts. port will match with the target port. Also, if the client sent a hostname, the IP will be looked up from the DNS, which will be used to match the pattern. For remote forwardings, where the forward target is not known (the client handles that end of the connection), this will be used to match with the listen address specified by the user (and as such is not as usable as with local forwards). port will match the port the server is supposed to be listening to with this forward.

With local forwards, originator-pat will match with the originator address that the client has reported. Remember that if you do not administer the client machine, or the users on that machine have shell access, they may use a modified copy of Secure Shell that can be used to give a false originator address. Also, with NATs (Network Address Translation) the originator address will not be meaningful (it will probably be an internal network address). So, you should not rely on the originator address with local forwards, unless the information can be trusted. With remote forwards, on the other hand, originator-pat will match with the IP address of the host connecting to the forwarded port. This will be valid information, as it is the server checking the information.

If you specify any allow directives, all forwards in that class (local or remote) not specifically allowed will be denied (note that local and remote forwards are separate in this respect; for example if you have one allow remote definition, local forwards are still allowed, pending other restrictions). If a forward matches with both allow and deny directives, the forwarding will be denied. Also, if you have specified any of the options

{Allow,Deny}TcpForwardingFor{Users,Groups}

or

AllowTcpForwarding

and the forwarding for the user is disabled with those, an allow directive will not re-enable the forwarding for the user. Forwarding is enabled by default. See the examples below.

Example 1

Local port forwardings to host 10.1.0.25 ports 143 and 25 are allowed for all users in group users. Note that forwardings using the name of this host will be allowed (if it can be resolved from the DNS):

ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)

Example 2

Local port forwardings requested exactly to host proxy.example.com port 8080 are allowed for users that have s as the first character and belong to the group with group ID 10:

ForwardACL allow local s.*%10 proxy\.example\.com%8080

Example 3

Remote port forwarding is denied for all users to all hosts:

ForwardACL deny remote .* .*
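The following evaluator is an added illustration of the ForwardACL decision rules described above (deny beats allow, any allow directive turns on default-deny for that class only, forwarding enabled when no directives exist); it is not SSH Tectia code. It assumes patterns are full-string regular expressions, that a leading \i (as in Example 1) means case-insensitive, and that user-pat has the form user[%group] as the examples show; the second constructed rule uses the proxy.example.com host named in Example 2's description.

```python
import re
from typing import NamedTuple

class ForwardRule(NamedTuple):
    action: str       # "allow" or "deny"
    kind: str         # "local" or "remote"
    user_pat: str     # user[%group], as in the examples (.*%users)
    forward_pat: str  # host-id[%port], as in the examples

def parse_rule(line: str) -> ForwardRule:
    """Parse 'ForwardACL allow|deny local|remote user-pat forward-pat'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "ForwardACL":
        raise ValueError("unrecognised ForwardACL line: " + line)
    return ForwardRule(*parts[1:5])

def _match(pattern: str, value: str) -> bool:
    # Assumed: full-string regex; a leading \i (Example 1) means case-insensitive.
    flags = 0
    if pattern.startswith(r"\i"):
        pattern, flags = pattern[2:], re.IGNORECASE
    return re.fullmatch(pattern, value, flags) is not None

def _split(pattern: str):
    head, sep, tail = pattern.partition("%")  # 'a%b' -> (a, b)
    return head, (tail if sep else ".*")      # omitted half matches anything

def forward_permitted(rules, kind, user, group, host, port) -> bool:
    """Apply the ForwardACL semantics described above to one forward request."""
    any_allow = hit_allow = hit_deny = False
    for r in rules:
        if r.kind != kind:      # local and remote are evaluated separately
            continue
        any_allow |= r.action == "allow"
        up, gp = _split(r.user_pat)
        hp, pp = _split(r.forward_pat)
        if all(_match(p, v) for p, v in
               ((up, user), (gp, group), (hp, host), (pp, str(port)))):
            hit_allow |= r.action == "allow"
            hit_deny |= r.action == "deny"
    if hit_deny:
        return False        # a matching deny always wins
    if any_allow:
        return hit_allow    # allow directives exist: anything not allowed is denied
    return True             # forwarding is enabled by default

# Constructed rule set modelled on the three examples above.
RULES = [parse_rule(l) for l in (r"ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)",
    r"ForwardACL allow local s.*%10 proxy\.example\.com%8080",
    r"ForwardACL deny remote .* .*")]
```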

Host restrictions

AllowHosts

Specifies which hosts are allowed to connect. (If this is not set, then all hosts are allowed to connect.) This is a comma-separated list of regular expressions, which are compared to both reverse-mapped hostnames obtained from DNS and the IP address of the client host. If a value is set for this parameter, then the incoming connection is refused if it is not coming from a host whose name or IP address matches one of the regular expressions. Note that since these are regular expressions, any dots in the host names must be quoted. For example, www\.ssh\.com would be a valid regular expression matching www.ssh.com, whereas www.ssh.com would also match, for example, wwwxssh.com, making certain attacks possible.

DenyHosts

Specifies which hosts are NOT allowed to connect (overriding AllowHosts for those hosts). This is a comma-separated list of regular expressions, which are compared to both reverse-mapped hostnames obtained from DNS and the IP address of the client host. If a value is set for this parameter, then the incoming connection is refused if it is coming from a host whose name or IP address matches one of the regular expressions.
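The snippet below is an added example, not part of SSH Tectia, that emulates the AllowHosts/DenyHosts evaluation just described (both the reverse-mapped name and the IP are compared, DenyHosts overrides AllowHosts, an unset AllowHosts admits everyone) and adds a small lint for the unquoted-dot pitfall mentioned under AllowHosts. It assumes each list entry is matched as a full-string regular expression; the hostnames and 192.0.2.x addresses are constructed test values.

```python
import re
from typing import List, Optional

def unescaped_dots(pattern: str) -> List[int]:
    """Heuristic lint: positions of '.' characters that are neither escaped nor
    used as a wildcard with a quantifier (.* .+ .?); each one matches any character,
    so www.ssh.com also accepts wwwxssh.com."""
    return [m.start() for m in re.finditer(r"(?<!\\)\.(?![*+?{])", pattern)]

def _matches_any(patterns: List[str], value: str) -> bool:
    # Assumption: each entry is a full-string regex.
    return any(re.fullmatch(p, value) for p in patterns)

def _split_list(setting: Optional[str]) -> List[str]:
    return [p.strip() for p in (setting or "").split(",") if p.strip()]

def host_allowed(allow_hosts: Optional[str], deny_hosts: Optional[str],
                 reverse_name: Optional[str], ip: str) -> bool:
    """Decide whether a client may connect, given its reverse-mapped name (None if
    the lookup failed) and its IP address."""
    candidates = [ip] + ([reverse_name] if reverse_name else [])
    if any(_matches_any(_split_list(deny_hosts), c) for c in candidates):
        return False                    # DenyHosts overrides AllowHosts
    if not allow_hosts:
        return True                     # AllowHosts unset: all hosts allowed
    return any(_matches_any(_split_list(allow_hosts), c) for c in candidates)
```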

AllowSHosts (Unix only)

Specifies a comma-separated list of hostname patterns (regular expressions) that are allowed in .shosts, .rhosts, /etc/hosts.equiv, and /etc/shosts.equiv. Hostnames in those files that do not match one of the patterns specified here are ignored. This can be used to restrict host-based authentication to specific hosts or domains.

DenySHosts (Unix only)

Specifies a comma-separated list of hostname patterns (regular expressions) that are not allowed in .shosts, .rhosts, /etc/hosts.equiv, and /etc/shosts.equiv. Hostnames in those files that match one of the patterns specified here are ignored. This can be used to restrict host-based authentication to specific hosts or domains.

IgnoreRhosts (Unix only)

If set to true, specifies that the user-specific .rhosts and .shosts files are not used in host-based authentication. The system-wide /etc/hosts.equiv and /etc/shosts.equiv files will still be used.

IgnoreRootRhosts (Unix only)

If true, specifies that the user-specific .rhosts and .shosts are not used in root logins. The system-wide /etc/hosts.equiv and /etc/shosts.equiv files will still be used.

User restrictions

IdleTimeOut

Specifies the time after which idle users should be disconnected from the system. Using this is recommended on large production systems, to disconnect users that are not actively using the system and are only tying up system resources. This is especially important if TCP keepalives have been disabled.

AllowUsers

Specifies which users are allowed to log in using Secure Shell. This is a comma-separated list of regular expressions, which are compared to the username which the user is trying to log in as. Login is only allowed if a match is found. If this setting is not specified, login is allowed to all users with a valid password or other valid credentials.

DenyUsers

Specifies which users are not allowed to log in using Secure Shell. This is a comma-separated list of regular expressions. If the login name matches any of the specified regular expressions, then login is denied.

Terminal.AllowUsers

Lists users that are allowed terminal access to the server host. This option can be followed by any number of patterns of the form user or user@host, separated by commas. The details explained under the AllowHosts option apply accordingly.

If this configuration option is used, only users that match the users listed under Terminal.AllowUsers may gain terminal access (provided that they are not restricted by other configuration options). By default, all users are allowed terminal access.

Note that all the other login authentication steps must still be successfully completed. Terminal.AllowUsers and Terminal.DenyUsers are additional restrictions.

Terminal.DenyUsers

Lists users that are denied terminal access to the server host. This is the opposite of Terminal.AllowUsers and works accordingly.

If a user matches a pattern in both Terminal.AllowUsers and Terminal.DenyUsers then terminal access is denied.

Note that when terminal access is denied, so is remote command execution, forced commands (including commands related to public-key authentication and forced password changes), X11 forwarding, and agent forwarding. As a user has no shell access, no password changes (using system commands) will be possible.

Access to subsystems (such as SFTP) and port forwarding (TCP tunneling) are still possible. If a client requests terminal access (in addition to any other services, such as port forwarding) the client may disconnect upon being refused terminal access. To prevent this, the client should be configured to not request terminal access, for example, by using the -S option in the ssh command or Enable Terminal (the option may vary with the ssh implementation).

ChRootUsers (Unix only)

sshd2 gives all users listed here a chrooted environment in the user's home directory. This stops users from getting access to sensitive areas of the server's file system. By default, this is not set. The logic follows that of DenyUsers. Users are defined on the server in /etc/passwd.

AllowGroups (Unix only)

Specifies that only users that belong to one of the listed groups are allowed to log in. This is a comma-separated list of regular expressions, and login is permitted if the name of any of the groups that the user belongs to matches any of the regular expressions. If this is not specified, then all users are allowed to log in.

DenyGroups (Unix only)

Specifies that users belonging to one of the listed groups are not allowed to log in. This is a comma-separated list of regular expressions, and login is denied if the name of any of the groups that the user belongs to matches any of the regular expressions. This setting overrides AllowGroups. If this is not specified, then all users are allowed to log in.

Terminal.AllowGroups (Unix only)

Similar to Terminal.AllowUsers but matches groups rather than usernames. The details explained under the AllowGroups option apply accordingly.

Terminal.DenyGroups (Unix only)

Similar to Terminal.DenyUsers but matches groups rather than usernames. This is the opposite of Terminal.AllowGroups and works accordingly.

ChRootGroups (Unix only)

This option works like ChRootUsers, except that it can be used to list groups instead of single users. Groups are listed on the server in /etc/group. Follows the logic of DenyGroups.

PermitRootLogin

Specifies whether a user with administrative privileges can log in using Secure Shell. The default is Yes, allowing root logins. No disables root logins. The Yes, but not with password authentication option disables password authentication for root logins. Using this option requires that root has some other means of authentication, for example public-key authentication.

Root login with public-key authentication when the command option has been specified will be allowed regardless of the value of this setting (which may be useful for taking remote backups even if root login is normally not allowed).

See SSH Tectia Server Administrator Manual for details.

UserKnownHosts (Unix only)

Specifies whether the $HOME/.ssh2/knownhosts directory is used to look up host keys for host-based authentication in addition to the system-wide directory /etc/ssh2/hostkeys. This should normally be enabled, so that the host keys are automatically configured correctly if the user logs in once in the "reversed" direction. If this is disabled, all host keys must be properly configured by the administrator.

SFTP server

See also subsystem-sftp for details.

Sftp-AdminDirList (Windows only)

Specifies accessible directories for privileged SFTP users as a comma-separated list.

The format is virtual dir=real dir. The virtual directory name can be anything, and it must point to a real and existing directory on the network or local drive. For example: Uploads=\\networkshare\directory\

The following pattern strings can be used in the real directory:

  • %D expands to user profile directory

  • %U expands to user login name

Sftp-AdminUsers (Windows only)

Specifies the list of privileged SFTP users. Names are separated with commas. Names can include wildcards.

Sftp-DirList (Windows only)

Specifies the accessible directories for standard SFTP users as a comma-separated list.

The format is virtual dir=real dir. The virtual directory name can be anything, and it must point to a real and existing directory on the network or local drive. For example: Downloads=\\networkshare\read-only-directory\

The following pattern strings can be used in the real directory:

  • %D expands to user profile directory

  • %U expands to user login name

Sftp-Home (Windows only)

Specifies the SFTP home directory for all SFTP users. The home directory must be specified as an accessible directory in Sftp-DirList (or Sftp-AdminDirList for a privileged user).
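As an added example (not SSH Tectia code) covering the Sftp-DirList / Sftp-AdminDirList format, the %D and %U expansions, and the Sftp-Home requirement above, the parser below builds the virtual-to-real mapping, maps a client-supplied virtual path onto its real directory while refusing components that would leave it, and checks that the configured home is an exposed virtual directory. The share name, user name and profile directory are constructed placeholders.

```python
from pathlib import PureWindowsPath
from typing import Dict, Optional

def parse_dir_list(spec: str, user: str, profile_dir: str) -> Dict[str, PureWindowsPath]:
    """Parse a comma-separated 'virtual dir=real dir' list, expanding %D and %U."""
    mapping: Dict[str, PureWindowsPath] = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        virtual, sep, real = entry.partition("=")
        if not sep or not virtual.strip() or not real.strip():
            raise ValueError(f"malformed directory list entry: {entry!r}")
        real = real.replace("%D", profile_dir).replace("%U", user)
        mapping[virtual.strip()] = PureWindowsPath(real)
    return mapping

def resolve_virtual(mapping: Dict[str, PureWindowsPath],
                    virtual_path: str) -> Optional[PureWindowsPath]:
    """Map /Uploads/x/y onto the real directory. Returns None when the first
    component is not an exposed virtual directory, or when a later component
    could escape it ('..', or a drive/UNC prefix such as 'C:')."""
    parts = [p for p in virtual_path.replace("\\", "/").split("/") if p and p != "."]
    if not parts or parts[0] not in mapping:
        return None
    for part in parts[1:]:
        if part == ".." or ":" in part:
            return None
    return mapping[parts[0]].joinpath(*parts[1:])

def check_sftp_home(mapping: Dict[str, PureWindowsPath], home: str) -> bool:
    """Sftp-Home must name one of the accessible virtual directories."""
    return home.strip("/\\") in mapping

# Constructed configuration (placeholder share, drive and directory names).
DIR_LIST = r"Uploads=\\fileserver\incoming\%U\, Downloads=D:\pub, Home=%D\sftp"
```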