
SSH Tectia 


Default sshd2_config Configuration File

The default sshd2_config configuration file is shown below. For descriptions of the configuration options, see Appendix sshd2_config.

## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
##
## sshd2_config
##
## SSH Tectia Server 6.1 for IBM z/OS - SSHD2 Server Configuration File
##

## General

#       HostKeyFile                     hostkey
#       PublicHostKeyFile               hostkey.pub
#       HostCertificateFile             hostkey.crt # Comment out the pubkey
                                                    # if cert is specified

## Server key in SAF

#       HostKeyEkProvider               "zos-saf"
#       HostKeyEkInitString             "KEYS(ID(SSHD2) RING(HOSTKEY) 
                                         LABEL('Host key label'))"
#       HostKey.Cert.Required           yes
#
#       RandomSeedFile                  random_seed
#       BannerMessageFile               /opt/tectia/etc/ssh_banner_message
#       BannerMessageFile               /etc/issue.net
#
#       VerboseMode                     no # For debugging only. See man page.
#       QuietMode                       no
#       SyslogFacility                  AUTH
#       SyslogFacility                  LOCAL7
#       SftpSyslogFacility              LOCAL7 # Default: DAEMON
#       SftpSmfType                     none
#       SftpSmfType                     TYPE119

## Communication with ssh-certd

#       CertdListenerPath               /opt/tectia/var/run/ssh-certd-listener

## Network

# Port is not commented out, as it is needed by the example startup
# scripts. The default is not likely to change anyway.
        Port                            22
#       PidFile                         default
#       PidFile                         /opt/tectia/var/run/sshd2_22.pid
#       PidFile                         /opt/tectia/var/run/sshd2.pid
#       ListenAddress                   any
#       ListenerRetryInterval           0
#       ListenerRetryInterval           60
#       ResolveClientHostName           yes
#       RequireReverseMapping           no
#       MaxBroadcastsPerSecond          0
#       MaxBroadcastsPerSecond          1
#       NoDelay                         no
#       KeepAlive                       yes
#       MaxConnections                  50
#       MaxConnections                  0
# 0 == number of connections not limited

## Crypto

#       Ciphers                         AnyCipher
#       Ciphers                         AnyStdCipher
# Following includes "none" 'cipher':
#       Ciphers                         AnyStd
#
#       MACs                            AnyMAC
#       MACs                            AnyStdMAC
# Following includes "none" 'mac':
#       MACs                            AnyStd
#
#       RekeyIntervalSeconds            3600

# In order to maximize crypto hardware utilization,
# on z/OS we'll accept only algorithms supported by CPACF
        Ciphers                         aes128-cbc,3des-cbc
        MACs                            hmac-sha1

## Crypto Hardware 

# UseCryptoHardware specifies whether hardware support is wanted for certain
# algorithms. The support levels are
#   no          do not use crypto hardware
#   yes         use crypto hardware if available
#   must        use crypto hardware, do not fall back to software 
# 
# The level may be given alone as a default for all algorithms or 
# together with an algorithm. The algorithm names that may 
# be used are:
#   rng         random number generator
#   sha1        SHA1 digest algorithm
#   aes         AES
#   3des        Triple DES
#
# UseCryptoHardware is a comma-delimited list of algorithm:support level
# pairs. It may start with a sole support level
#
# E.g. Must have support for 3des and sha1, all other should use software
#       UseCryptoHardware               no,3des:must,sha1:must
#
UseCryptoHardware               yes
#
# To enable FIPS certification, use
#       Ciphers                         3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
#       MACs                            hmac-sha1
#       UseCryptoHardware               must
#

## User

#       PrintMotd                       yes
#       CheckMail                       yes
#       StrictModes                     no
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
#                   minute, 's' for seconds)
#       IdleTimeOut                     1h
# without specifier, the default number is in seconds
#       IdleTimeOut                     3600
#
#       UserConfigDirectory             "%D/.ssh2"
#       UserConfigDirectory             "/opt/tectia/etc/auth/%U"
#       AuthorizationFile               authorization
#
# The AuthorizedKeysFile directive can be used to enable public-key
# authentication against a legacy authorized_keys file that holds
# several keys in a single file.
#       AuthorizedKeysFile              "authorized_keys"
#       AuthorizedKeysFile              "%D/.ssh/authorized_keys"
#
# This variable is set here, because by default it is empty, and so no
# variables can be set. Because of that, we set a few common ones here.
        SettableEnvironmentVars         LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|
                                        NUMERIC|TIME),PATH,TERM,TZ,SSH.*

## Conversion on terminal session

#       ShellTransferCodeset            ISO8859-1
#       ShellAccountCodeset             IBM-1047
#       ShellTranslateTable             ""
#       ShellConvert                     yes

## Tunneling

#       AllowTcpForwarding              yes
#       AllowTcpForwardingForUsers      sjl, ra-user@remote\.example
#       DenyTcpForwardingForUsers       2[[:digit:]]*4,peelo
#       AllowTcpForwardingForGroups     privileged_tcp_forwarders
#       DenyTcpForwardingForGroups      coming_from_outside
#
#       AllowLocalForwarding            no
        AllowLocalForwarding            yes

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
#      ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.example.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group ID (GID) 10:
#
#      ForwardACL allow local s.*%10 proxy\.example\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
#      ForwardACL deny remote .* .*


## Authentication

## publickey and password allowed by default
#       AllowedAuthentications          publickey,password
#       AllowedAuthentications          hostbased,publickey,password
#       AllowedAuthentications          hostbased,publickey,keyboard-interactive
#       RequiredAuthentications         publickey,password
#       LoginGraceTime                  600
#       AuthInteractiveFailureTimeout   2
#
#       HostbasedAuthForceClientHostnameDNSMatch no
#       UserKnownHosts                  yes
#
#       AuthPublicKey.MaxSize           0
#       AuthPublicKey.MinSize           0
#       AllowAgentForwarding            yes

#       AuthKbdInt.NumOptional          0
#       AuthKbdInt.Optional             password,plugin
#       AuthKbdInt.Required             password
#       AuthKbdInt.Retries              3
#
#       PermitEmptyPasswords            no
#       PasswordGuesses                 3
#
## publickey authentication with certificates in SAF
# Users logging in with name "-" need SAF certificate
#       IdentityDispatchUsers                  -          
#
# All users logging in need SAF certificate
#       IdentityDispatchUsers                  .*         
#
#       AuthPublicKey.Cert.ValidationMethods   saf
#
# Certificate is also validated in ssh-certd
#       AuthPublicKey.Cert.ValidationMethods   saf,tectia
#
# Client must send user certificate
#       AuthPublicKey.Cert.Required            yes        
#
#       AuthorizationEkProvider         "zos-saf:KEYS(ID(%U) RING(%U))"
#       AuthorizationEkProvider         "zos-saf:[USERNAME=%U UID=%IU GID=%IG]"
#       AuthorizationEkInitStringMapper /home/SSHD2/mapper.sh
#       AuthorizationEkInitStringMapperTimeout 0   # 0 = Timeout disabled
#
## hostbased authentication with certificates in SAF
#       AuthHostbased.Cert.ValidationMethods   saf
#
# Certificate is also validated in ssh-certd
#       AuthHostbased.Cert.ValidationMethods   saf,tectia 
#
# Client must send host certificate
#       AuthHostbased.Cert.Required  yes        
#       KnownhostsEkProvider        "zos-saf:KEYS(ID(SSHD2) RING(KNOWNHOSTS))"

# Ignoring certain restrictions during user login: password expiration
# on AIX, HP-UX in trusted mode and Windows.

#       IgnoreLoginRestrictions.PasswordExpiration no

# To enable authentication time password changing (instead of the old
# forced command style), uncomment the following line: 

#       AuthPassword.ChangePlugin       ssh-passwd-plugin

# (this will also be used by the "password" submethod in
#  keyboard-interactive).

## Host restrictions

#       AllowHosts              localhost, example\.com, friendly\.example
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
##     AllowHosts               t..l.\..*
##
## The following matches any numerical IP address (yes, it is cumbersome)
##
##     AllowHosts               ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with the special prefix "\i" in a pattern.
## This means that the pattern is only used to match IP addresses.
##
## Using the above example:
##
##     AllowHosts               \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
##     AllowHosts               \m127.0/8
## and
##     AllowHosts               \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
#       DenyHosts                       evil\.example, aol\.example
#       AllowSHosts                     trusted\.host\.example
#       DenySHosts                      not\.quite\.trusted\.example
#       IgnoreRhosts                    no
#       IgnoreRootRHosts                no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)
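The AllowHosts and DenyHosts comments above describe three pattern forms (a plain egrep pattern, the "\i" IP-only prefix, and the "\m" subnet-mask prefix) plus the "\," escape for list separators; the same "\m" form is used by HostSpecificConfig further down. The following Python script is an added example, not part of SSH Tectia, that re-implements those forms so the file's own patterns can be tried against a constructed client. It assumes patterns must match the whole host name, that a "\m" address shorter than four octets is padded with zeros (as "\m127.0/8" implies), that the POSIX classes used in the examples are the only sshregex extension needed, and that a DenyHosts match rejects a client even when AllowHosts also matches; those points are assumptions, not statements about the product.

```python
r"""Match SSH Tectia-style host patterns (AllowHosts / DenyHosts).

Added example, not part of SSH Tectia.  Pattern forms handled:
  - a plain egrep pattern, matched against the client's host name
    (pass the IP as the host name when reverse mapping is unavailable);
  - "\i" prefix: the pattern is matched against the client IP only;
  - "\m" prefix: a subnet mask such as \m127.0/8 or \m127.0.0.0/24,
    where a short address is assumed to pad with zero octets.
Assumed: whole-string matching, and DenyHosts wins over AllowHosts.
"""
import ipaddress
import re

# POSIX bracket classes translated to the Python re equivalents
POSIX_CLASSES = {
    "[:digit:]": "0-9",
    "[:alpha:]": "a-zA-Z",
    "[:alnum:]": "a-zA-Z0-9",
    "[:upper:]": "A-Z",
    "[:lower:]": "a-z",
}


def split_pattern_list(text):
    r"""Split a comma-separated list, honouring the "\," escape.

    The escape is removed from the returned items, so "{1\,3}" becomes the
    regex quantifier "{1,3}".  Whitespace around items is dropped.
    """
    items, current, i = [], [], 0
    while i < len(text):
        if text.startswith("\\,", i):
            current.append(",")
            i += 2
        elif text[i] == ",":
            items.append("".join(current).strip())
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    items.append("".join(current).strip())
    return [item for item in items if item]


def egrep_to_python(pattern):
    """Translate the POSIX classes used in the shipped examples."""
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern


def _expand_mask(mask):
    """Turn "127.0/8" into "127.0.0.0/8"; a mask without "/" is one host."""
    addr, _, bits = mask.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + (bits or "32")


def host_matches(item, hostname, ip):
    """Match one (already unescaped) pattern item against a client."""
    if item.startswith("\\m"):
        network = ipaddress.ip_network(_expand_mask(item[2:]), strict=False)
        return ipaddress.ip_address(ip) in network
    if item.startswith("\\i"):
        return re.fullmatch(egrep_to_python(item[2:]), ip) is not None
    return re.fullmatch(egrep_to_python(item), hostname) is not None


def client_allowed(allow_hosts, deny_hosts, hostname, ip):
    """Evaluate AllowHosts/DenyHosts for one client.

    An empty AllowHosts admits every host (the shipped default leaves it
    unset); any DenyHosts match rejects the client.
    """
    if any(host_matches(p, hostname, ip) for p in split_pattern_list(deny_hosts)):
        return False
    allow = split_pattern_list(allow_hosts)
    return not allow or any(host_matches(p, hostname, ip) for p in allow)


if __name__ == "__main__":
    # The file's own example patterns, run against constructed clients
    allow = r"localhost, t..l.\..*, ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}, \m127.0/8"
    for name, addr in [("taulu.foobar.com", "192.0.2.10"), ("tuoli1.com", "192.0.2.11"),
                       ("localhost", "127.0.0.1"), ("10.0.0.7", "10.0.0.7")]:
        print(name, addr, client_allowed(allow, r"evil\.example", name, addr))
```

Running the script shows why the comments warn about escaping: the "{1\,3}" quantifier only works once the list splitter has removed the "\," escape, and "tuoli1.com" is rejected because the "\." in "t..l.\..*" demands a literal dot where the name has a digit.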

## User restrictions
# User and group names must be in uppercase.

#       AllowUsers                      SJ.*,S[[:digit:]]*,S(JL|AMZA)
#       DenyUsers                       SKUUPPA,WAREZDUDE,31373
#       DenyUsers                       DON@example\.org
#       AllowGroups                     STAFF,USERS
#       DenyGroups                      GUEST,ANONYMOUS
#       PermitRootLogin                 yes
#       PermitRootLogin                 nopwd

## Chrooted environment
# User and group names must be in uppercase.

#       ChRootUsers                     ANONYMOUS,FTP,GUEST
#       ChRootGroups                    SFTP,GUEST

## Subsystem definitions

# Subsystems do not have defaults, so this is needed here (uncommented).
#       subsystem-sftp                  sftp-server
        subsystem-sftp                  /opt/tectia/libexec/sft-server-g3
# The internal SFTP subsystem can also be used.
#       subsystem-sftp                  internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified, the last
# keyword value read prevails. Note that the host-specific files
# are read before the user-specific files.
# User and group names must be in uppercase.

# Following matches (from) any host:
#
#      HostSpecificConfig .* /opt/tectia/etc/subconfig/host_ext.example
#
# Following matches a subnet mask:
#
#      HostSpecificConfig \m192.168.0.0/16 /opt/tectia/etc/subconfig/host_int.example
#
# Following matches users from ssh.com whose username is two characters
# long or is SJL, and who belong to group WHEEL or WHEEL[0-9]:
#
#      UserSpecificConfig (..|SJL)%WHEEL[[:digit:]]?@ssh\.com 
#                          /opt/tectia/etc/subconfig/user.example
#
# Following matches the user ANONYMOUS from any host:
#
#      UserSpecificConfig ANONYMOUS@.* /opt/tectia/etc/subconfig/anonymous.example

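The file above is "Keyword value" lines with "#" comments, and its comments point out several settings a reviewer should look at: the Ciphers/MACs lists (including the "AnyStd" lists that admit the "none" cipher and MAC), AllowLocalForwarding without a ForwardACL, PermitRootLogin, PermitEmptyPasswords and StrictModes. The following Python script is an added example, not a tool shipped with SSH Tectia and not its own configuration checker: it parses text in this format and reports those settings. It assumes that a value with an unclosed "(" or an odd number of double quotes continues on the next line (how the shipped default writes SettableEnvironmentVars) and that the last value of a repeated keyword wins; the hardening checks are the editor's, not Tectia documentation, and the sample configuration is constructed from the file's uncommented lines plus a few explicit settings.

```python
"""Parse an sshd2_config file and flag settings worth a second look.

Added example, not a tool shipped with SSH Tectia.  Assumptions:
  * each active line is "Keyword value"; "#" starts a comment (the "##"
    metaconfig header is a comment too);
  * a value with an unclosed "(" or an odd number of double quotes continues
    on the next line, as the shipped SettableEnvironmentVars line does;
  * when a keyword appears more than once the last value wins.
The findings are the editor's hardening checks, not Tectia documentation.
"""

# Constructed sample: the uncommented lines of the shipped default, plus
# explicit PermitRootLogin and StrictModes settings so the checks have
# something to report.
SAMPLE_CONFIG = """\
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
        Port                            22
        Ciphers                         aes128-cbc,3des-cbc
        MACs                            hmac-sha1
UseCryptoHardware               yes
        SettableEnvironmentVars         LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|
                                        NUMERIC|TIME),PATH,TERM,TZ,SSH.*
        AllowLocalForwarding            yes
        PermitRootLogin                 yes
        StrictModes                     no
        subsystem-sftp                  /opt/tectia/libexec/sft-server-g3
"""


def _unbalanced(value):
    """True while a value still has an open '(' or an odd number of quotes."""
    return value.count("(") > value.count(")") or value.count('"') % 2 == 1


def parse_sshd2_config(text):
    """Return {keyword: [value, ...]} in the order the values were read."""
    settings = {}
    keyword = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, incl. "##"
        if not line.strip():
            continue
        if keyword is not None and _unbalanced(settings[keyword][-1]):
            settings[keyword][-1] += line.strip()   # continuation line
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, []).append(value)
    return settings


def last(settings, keyword, default=""):
    """Last value set for a keyword, or the default when it is unset."""
    values = settings.get(keyword)
    return values[-1] if values else default


def audit(settings):
    """Return (keyword, finding) pairs; an empty list means nothing flagged."""
    findings = []
    ciphers = [c.strip().lower() for c in last(settings, "Ciphers").split(",") if c.strip()]
    if "3des-cbc" in ciphers:
        findings.append(("Ciphers", "3des-cbc enabled: 64-bit block cipher, prefer the AES ciphers only"))
    if any(c in ("anystd", "none") for c in ciphers):
        findings.append(("Ciphers", "list admits the 'none' cipher: unencrypted sessions possible"))
    macs = [m.strip().lower() for m in last(settings, "MACs").split(",") if m.strip()]
    if any(m in ("anystd", "none") for m in macs):
        findings.append(("MACs", "list admits the 'none' MAC: no integrity protection"))
    if last(settings, "AllowLocalForwarding").lower() == "yes" and "ForwardACL" not in settings:
        findings.append(("AllowLocalForwarding", "local forwarding allowed with no ForwardACL restricting targets"))
    if last(settings, "PermitRootLogin").lower() == "yes":
        findings.append(("PermitRootLogin", "root login with password permitted; consider 'nopwd' or 'no'"))
    if last(settings, "PermitEmptyPasswords").lower() == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords can log in"))
    if last(settings, "StrictModes").lower() == "no":
        findings.append(("StrictModes", "permissions of user key and authorization files are not checked"))
    return findings


def audit_text(text):
    """Parse and audit configuration text in one step."""
    return audit(parse_sshd2_config(text))


if __name__ == "__main__":
    for keyword, finding in audit_text(SAMPLE_CONFIG):
        print(f"{keyword}: {finding}")
```

Run against the sample, the script reports 3des-cbc in Ciphers, AllowLocalForwarding without a ForwardACL, PermitRootLogin yes and StrictModes no; adding a "ForwardACL deny remote .* .*" line, as the Tunneling comments show, clears the forwarding finding.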
Copyright © 2011 SSH Communications Security Corp.