
SSH Tectia 


Default sshd2_config Configuration File

The default sshd2_config configuration file is shown below. For more information on the configuration options, see Appendix sshd2_config.

## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
##
## sshd2_config
##
## SSH Tectia Server for IBM z/OS 5.3 - SSHD2 Server Configuration File
##

## General

#       HostKeyFile                     hostkey
#       PublicHostKeyFile               hostkey.pub
#       HostCertificateFile             hostkey.crt 
# Comment out the pubkey if cert is specified

## Server key in SAF

#       HostKeyEkProvider               "zos-saf"
#       HostKeyEkInitString             "KEYS(ID(SSHD2) RING(HOSTKEY))"
#       HostKey.Cert.Required           yes # Server will send certificate
#
#       RandomSeedFile                  random_seed
#       BannerMessageFile               /etc/ssh2/ssh_banner_message
#       BannerMessageFile               /etc/issue.net
#
#       VerboseMode                     no
#       QuietMode                       no
#       SyslogFacility                  AUTH
#       SyslogFacility                  LOCAL7
#       SftpSyslogFacility              LOCAL7

## Communication with ssh-certd

#       CertdListenerPath               /tmp/ssh-certd-listener

## Network

# Port is not commented out, as it is needed by the example startup
# scripts. Well, the default will not likely change.
        Port                            22
#       ListenAddress                   any
#       ResolveClientHostName           yes
#       RequireReverseMapping           no
#       MaxBroadcastsPerSecond          0
#       MaxBroadcastsPerSecond          1
#       NoDelay                         no
#       KeepAlive                       yes
#       MaxConnections                  50
#       MaxConnections                  0
# 0 == number of connections not limited

## Crypto

#       Ciphers                         AnyCipher
#       Ciphers                         AnyStdCipher
# Following includes "none" 'cipher':
#       Ciphers                         AnyStd
#
#       MACs                            AnyMAC
#       MACs                            AnyStdMAC
# Following includes "none" 'mac':
#       MACs                            AnyStd
#
#       RekeyIntervalSeconds            3600

# In order to maximize crypto hardware utilization,
# on z/OS we'll accept only 3des-cbc and hmac-sha1 by default
        Ciphers                         3des-cbc
        MACs                            hmac-sha1

## Crypto Hardware 

# UseCryptoHardware specifies whether hardware support is wanted for certain
# algorithms. The support levels are
#   no          do not use crypto hardware
#   yes         use crypto hardware if available
#   must        use crypto hardware, do not fall back to software 
# 
# The level may be given alone as a default for all algorithms or 
# together with an algorithm. The algorithm names that may 
# be used are:
#   rng         random number generator
#   sha1        SHA1 digest algorithm
#   3des        Triple DES
#   dh          Diffie-Hellman
#   rsa         RSA
#
# UseCryptoHardware is a comma-delimited list of algorithm:support level
# pairs. It may start with a sole support level
#
# E.g. Must have support for 3des and sha1, all others should use software
#       UseCryptoHardware               no,3des:must,sha1:must
#
#       UseCryptoHardware               yes
#
# To enable FIPS certification, use
#       Ciphers                         3des-cbc,aes128-cbc
#       MACs                            hmac-sha1
#       UseCryptoHardware               must
#
UseCryptoHardware yes,aes:no

## User

#       PrintMotd                       yes
#       CheckMail                       yes
#       StrictModes                     no
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
#                   minute, 's' for seconds)
#       IdleTimeOut                     1h
# without specifier, the default number is in seconds
#       IdleTimeOut                     3600
#
#       UserConfigDirectory             "%D/.ssh2"
#       UserConfigDirectory             "/etc/ssh2/auth/%U"
#       AuthorizationFile               authorization
# This variable is set here, because by default it is empty, and so no
# variables can be set. Because of that, we set a few common ones here.
        SettableEnvironmentVars         LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ,SSH.*

## Tunneling

#       AllowX11Forwarding              yes
#       AllowTcpForwarding              yes
#       AllowTcpForwardingForUsers      sjl, ra-user@remote\.example
#       DenyTcpForwardingForUsers       2[[:digit:]]*4,peelo
#       AllowTcpForwardingForGroups     privileged_tcp_forwarders
#       DenyTcpForwardingForGroups      coming_from_outside
#
#       AllowLocalForwarding            no
        AllowLocalForwarding            yes

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
#      ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group ID (GID) 10:
#
#      ForwardACL allow local s.*%10 proxy\.company\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
#      ForwardACL deny remote .* .*


## Authentication

## publickey and password allowed by default
#       AllowedAuthentications          publickey,password
#       AllowedAuthentications          hostbased,publickey,password
#       AllowedAuthentications          hostbased,publickey,keyboard-interactive
#       RequiredAuthentications         publickey,password
#       LoginGraceTime                  600
#       AuthInteractiveFailureTimeout   2
#
#       HostbasedAuthForceClientHostnameDNSMatch no
#       UserKnownHosts                  yes
#
#       AuthPublicKey.MaxSize           0
#       AuthPublicKey.MinSize           0
#       AllowAgentForwarding            yes

#       AuthKbdInt.NumOptional          0
#       AuthKbdInt.Optional             password,plugin
#       AuthKbdInt.Required             password
#       AuthKbdInt.Retries              3
#
#       PermitEmptyPasswords            yes
#       PasswordGuesses                 3
#
## publickey authentication with certificates in SAF
# Users logging in with name "-" need SAF certificate
#       IdentityDispatchUsers                  -          
# All users logging in need SAF certificate
#       IdentityDispatchUsers                  .*         
#       AuthPublicKey.Cert.ValidationMethods   saf
# Certificate is also validated in ssh-certd
#       AuthPublicKey.Cert.ValidationMethods   saf,tectia 
# Client must send user certificate
#       AuthPublicKey.Cert.Required     yes        
#       AuthorizationEkProvider         "zos-saf:KEYS(ID(%U) RING(%U))"
#       AuthorizationEkProvider         "zos-saf:[USERNAME=%U UID=%IU GID=%IG]"
#       AuthorizationEkInitStringMapper /home/SSHD2/mapper.sh
#       AuthorizationEkInitStringMapperTimeout 0          
# 0 = Timeout disabled
#
## hostbased authentication with certificates in SAF
#       AuthHostbased.Cert.ValidationMethods   saf
# Certificate is also validated in ssh-certd
#       AuthHostbased.Cert.ValidationMethods   saf,tectia 
# Client must send host certificate
#       AuthHostbased.Cert.Required  yes        
#       KnownhostsEkProvider         "zos-saf:KEYS(ID(SSHD2) RING(KNOWNHOSTS))"
#

# Ignoring certain restrictions during user login: password expiration
# on z/OS.
# Setting this to "yes" will make an authentication during which an expired
# password was changed count as a successful authentication.

#       IgnoreLoginRestrictions.PasswordExpiration no

# To enable authentication time password changing (instead of the old
# forced command style), uncomment the following line: 

#       AuthPassword.ChangePlugin       ssh-passwd-plugin

# (this will also be used by the "password" submethod in
#  keyboard-interactive).

## Host restrictions

#       AllowHosts              localhost, example\.com, friendly\.example
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
##     AllowHosts               t..l.\..*
##
## The following matches any numerical IP address (yes, it is cumbersome)
##
##     AllowHosts               ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with the special prefix "\i" in a pattern.
## This means that the pattern is only used to match IP addresses.
##
## Using the above example:
##
##     AllowHosts               \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
##     AllowHosts               \m127.0/8
## and
##     AllowHosts               \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
#       DenyHosts                       evil\.example, aol\.example
#       AllowSHosts                     trusted\.host\.example
#       DenySHosts                      not\.quite\.trusted\.example
#       IgnoreRhosts                    no
#       IgnoreRootRHosts                no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions
# User and group names must be in uppercase.

#       AllowUsers                      SJ.*,S[[:digit:]]*,S(JL|AMZA)
#       DenyUsers                       SKUUPPA,WAREZDUDE,31373
#       DenyUsers                       DON@example\.org
#       AllowGroups                     STAFF,USERS
#       DenyGroups                      GUEST,ANONYMOUS
#       PermitRootLogin                 yes
#       PermitRootLogin                 nopwd

## Chrooted environment
# User and group names must be in uppercase.

#       ChRootUsers                     ANONYMOUS,FTP,GUEST
#       ChRootGroups                    SFTP,GUEST

## Subsystem definitions

# Subsystems do not have defaults, so this is needed here (uncommented).
#       subsystem-sftp                  sftp-server
        subsystem-sftp                  /usr/lpp/ssh2/libexec/sft-server-g3
# The internal SFTP subsystem can also be used.
#       subsystem-sftp                  internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host-specific files
# are read before the user-specific files.
# User and group names must be in uppercase.

# Following matches (from) any host:
#
#      HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
#      HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character
# username or username is SJL and belong to group WHEEL or WHEEL[0-9]:
#
#      UserSpecificConfig (..|SJL)%WHEEL[[:digit:]]?@ssh\.com 
#                          /etc/ssh2/subconfig/user.example
#
# Following matches to the user ANONYMOUS from any host:
#
#      UserSpecificConfig ANONYMOUS@.* /etc/ssh2/subconfig/anonymous.example

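The file above documents two things a reviewer keeps checking by hand: which keyword values are permissive (the `AnyStd` cipher and MAC lists include the "none" algorithm, `PermitEmptyPasswords`, `PermitRootLogin`, `StrictModes`), and how the `AllowHosts`/`DenyHosts` patterns behave with the `\i`, `\m` and `\,` prefixes described in the Host restrictions section. The script below is an added example, not SSH Tectia code and not part of this manual. It parses the keyword/value format (last value of a repeated keyword wins, as the Subconfiguration notes state), reports the permissive settings, and evaluates host patterns against a client. Assumptions, labelled in the code as well: the sample configuration is constructed; patterns are matched in full (anchored) rather than searched; a DenyHosts match is checked before AllowHosts; only the POSIX bracket classes that appear in the file are translated into Python regex syntax; inline comments after a value are not handled.

```python
# Audit helper for the sshd2_config format shown above. Added example, not
# SSH Tectia code. Anchored matching and deny-before-allow are assumptions.
import ipaddress
import re

# Constructed sample mirroring the defaults above plus a few weak choices.
SAMPLE_CONFIG = r"""
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
        Port                            22
        Ciphers                         AnyStd
        MACs                            hmac-sha1
        StrictModes                     no
        PermitEmptyPasswords            yes
        PermitRootLogin                 yes
        AllowHosts                      localhost, t..l.\..*, \m127.0/8, \i10\.1\..*
        DenyHosts                       evil\.example
        subsystem-sftp                  /usr/lpp/ssh2/libexec/sft-server-g3
"""


def parse_config(text):
    """Return {keyword_lowercased: value}; a repeated keyword's last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def audit(settings):
    """Return findings for permissive settings that deserve a review."""
    findings = []
    for key in ("ciphers", "macs"):
        names = [v.strip().lower() for v in settings.get(key, "").split(",")]
        if "anystd" in names:  # AnyStd is the list that includes "none"
            findings.append(f"{key}: AnyStd permits the 'none' algorithm")
    checks = {
        "strictmodes": ("no", "user key file permissions are not checked"),
        "permitemptypasswords": ("yes", "empty passwords are accepted"),
        "permitrootlogin": ("yes", "root may log in with a password; prefer nopwd"),
    }
    for key, (bad, why) in checks.items():
        if settings.get(key, "").lower() == bad:
            findings.append(f"{key}: {why}")
    return findings


def split_patterns(value):
    """Split a comma-separated pattern list, turning the '\\,' escape into ','."""
    items, current, i = [], "", 0
    while i < len(value):
        if value.startswith("\\,", i):
            current, i = current + ",", i + 2
        elif value[i] == ",":
            items.append(current.strip())
            current, i = "", i + 1
        else:
            current, i = current + value[i], i + 1
    items.append(current.strip())
    return [p for p in items if p]


def egrep_to_python(pattern):
    """Translate the POSIX bracket classes used above into Python re syntax."""
    for name, chars in (("[:digit:]", "0-9"), ("[:alpha:]", "a-zA-Z"),
                        ("[:alnum:]", "a-zA-Z0-9")):
        pattern = pattern.replace(name, chars)
    return pattern


def host_matches(pattern, hostname, ip):
    """Evaluate one pattern against the client; full matching is an assumption."""
    if pattern.startswith(r"\m"):
        addr, _, bits = pattern[2:].partition("/")
        octets = (addr.split(".") + ["0"] * 4)[:4]  # \m127.0/8 -> 127.0.0.0/8
        net = ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)
        return ipaddress.ip_address(ip) in net
    if pattern.startswith(r"\i"):  # \i: match the IP address only
        return re.fullmatch(egrep_to_python(pattern[2:]), ip) is not None
    return re.fullmatch(egrep_to_python(pattern), hostname) is not None


def host_allowed(settings, hostname, ip):
    """Assumed policy: a DenyHosts match rejects; else AllowHosts, if set, must match."""
    if any(host_matches(p, hostname, ip) for p in split_patterns(settings.get("denyhosts", ""))):
        return False
    allow = split_patterns(settings.get("allowhosts", ""))
    return not allow or any(host_matches(p, hostname, ip) for p in allow)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in audit(cfg):
        print("FINDING", finding)
    for host, ip in (("localhost", "127.0.0.1"), ("evil.example", "10.1.5.5")):
        print(host, ip, "allowed" if host_allowed(cfg, host, ip) else "rejected")
```

Run it against a real file by replacing `SAMPLE_CONFIG` with the file contents; `evil.example` is rejected even though its address satisfies the `\i10\.1\..*` allow pattern, which is the deny-first assumption at work, and `\m127.0/8` is expanded to `127.0.0.0/8` before the subnet test, matching the note above that it covers "127.0.0.1".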



Copyright © 2006 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.