SSH-CERTD(8) SSH2 SSH-CERTD(8)
ssh-certd - Secure Shell Certificate Validator on z/OS
ssh-certd [-d debug_level_spec] [-f config_file]
[-o options] [-l listener-path] [-F] [-v] [-V] [-q]
ssh-certd (Secure Shell Certificate Validator) is a common
process for validating certificates, used primarily by
sshd2 when validating user certificates. Without a common
place for the validations, all the data needed for the
validation would need to be duplicated in every process
doing the validations. This would be very inefficient
especially in cases where very large CRLs are to be used.
ssh-certd allows CRLs and CA certificates to be loaded
only once and then used for all subsequent validations.
ssh-certd is normally started at boot time from
/etc/rc.local or equivalent. It opens a listener socket by
default at /opt/tectia/var/run/ssh-certd-listener. The
location of the listener can be changed with the
CertdListenerPath keyword of sshd2_config.
ssh-certd can be configured using command-line options or
a configuration file. Command-line options override val-
ues specified in the configuration file. ssh-certd reads
configuration data from /opt/tectia/etc/ssh_certd_config
(or the file specified with -f on the command line). By
default, the configuration file contains only the keyword
UseSSHD2ConfigFile, which instructs ssh-certd to read the
specified sshd2 configuration file in compatibility mode,
where the configuration options of sshd2 are silently
ignored, and only the options relating to certificate or
general daemon configuration are read.
Debug mode. The server sends verbose debug output
to stderr. This option is only intended for debug-
ging for the server. The debugging level is either
a number, or a comma-separated list of assignments
of the format ModulePattern=debug_level, for exam-
ple "*=10,sshd2=2". This should be the first argu-
ment on the command line.
Specifies the name of the configuration file. The
default is /opt/tectia/etc/ssh_certd_config. Note:
If this is specified, the default configuration
file is not read at all.
Can be used to give options in the format used in
the configuration files. This is useful for speci-
fying options for which there is no separate com-
mand-line flag. The option has the same format as
a line in the configuration file. Comment lines
are not accepted. Where applicable, egrep regex
format is used.
Specifies the path where the server will open the
-F Disables daemon mode. The server does not spawn a
new process to the background.
-v Enables verbose mode. Displays verbose debugging
messages. Equal to -d 2. This option can also be
specified in the configuration file.
-V Displays version string.
-q Quiet mode. Nothing is sent to the system log.
Normally the beginning, authentication, and termi-
nation of each connection is logged. This option
can also be specified in the configuration file.
ssh-certd reads configuration data from
/opt/tectia/etc/ssh_certd_config (or the file specified with -f
on the command line). The file contains keyword-value
pairs, one per line. Lines starting with '#' and empty
lines are interpreted as comments.
For the format of ssh_certd_config, see ssh_certd_con-
Contains configuration data for ssh-certd. This
file should be writable by root only, but it is
recommended (though not necessary) that it be
world-readable. For ease of migration from older
installations, ssh_certd_config contains by default
the line "UseSSHD2ConfigFile sshd2_config", which
instructs ssh-certd to read the certificate config-
uration from the sshd2 configuration file and
ignore the options that are not relevant to it.
ssh-certd is normally run as root.
For more information, see http://www.tectia.com.
Copyright 2011 Tectia Corporation This software is protected by international copyright laws. All rights reserved. Contact Information