Tectia Server for IBM z/OS requires an authorization file that lists the user public keys that are authorized for login.
The default location for the authorization file is
$HOME/.ssh2/authorization. The file location can be changed with the
AuthorizationFile option in the
The authorization file contains a list of public key file names each preceded by the keyword
Key. If there is more than one
Key, they are all authorized for login.
It is possible to define different settings in the authorization file depending on which key is used in public-key authentication. The authorization file has the same general syntax as the
sshd2_config configuration file. The following keywords may be used:
This is followed by the file name of a public key in the user configuration directory (by default,
$HOME/.ssh2) that is used for identification when contacting the host. If there is more than one key defined, they are all acceptable for login.
This keyword, if used, must follow the
Keykeyword above. The various options are specified as a comma-separated list.
Optionscan be used:
- allow-from and deny-from
In addition to public-key authentication, the canonical name of the remote host must match the given pattern(s). These parameters follow the logic of
sshd2_config. Specify one pattern per keyword; multiple keywords can be used.
This is used to specify a "forced command" that will be executed on the server side instead of anything else when the user is authenticated. The command supplied by the user (if any) is put in the environment variable
SSH2_ORIGINAL_COMMAND. The command is run on a pty if the connection requests a pty; otherwise it is run without a tty. Quotes may be used in the command if escaped with backslashes.
This option might be useful for restricting certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP/IP and/or X11 forwarding, unless they are explicitly prohibited (see
Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted.
Sets idle timeout limit to time either in seconds (s or nothing after the number), in minutes (m), in hours (h), in days (d), or in weeks (w). If the connection has been idle (all channels) this long, the connection is closed.
Forbids TCP/IP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This is useful in combination with the
Forbids authentication agent forwarding when this key is used for authentication.
Prevents tty allocation (a request to allocate a pty will fail).
authorization file could, for example, contain the following:
Key master.pub Key maid.pub Options allow-from=".*\.example\.org" Key butler.pub Options deny-from=".*\.evil\.example",no-pty
When someone now logs in using the
master key, the connection is not limited in any way by the
authorization file. However, if the
maid key is used, only connections from certain hosts will be allowed. And if the
butler key is used, connections are denied from certain hosts, and additionally the allocation of tty is prevented.