SSH-CERTD(8) SSH2 SSH-CERTD(8) NAME ssh-certd - Secure Shell Certificate Validator on z/OS SYNOPSIS ssh-certd [-d debug_level_spec] [-f config_file] [-o options] [-l listener-path] [-F] [-v] [-V] [-q] DESCRIPTION ssh-certd (Secure Shell Certificate Validator) is a common process for validating certificates, used primarily by sshd2 when validating user certificates. Without a common place for the validations, all the data needed for the validation would need to be duplicated in every process doing the validations. This would be very inefficient especially in cases where very large CRLs are to be used. ssh-certd allows CRLs and CA certificates to be loaded only once and then used for all subsequent validations. ssh-certd is normally started at boot time from /etc/rc.local or equivalent. It opens a listener socket by default at /opt/tectia/var/run/ssh-certd-listener. The location of the listener can be changed with the CertdListenerPath keyword of sshd2_config. ssh-certd can be configured using command-line options or a configuration file. Command-line options override val- ues specified in the configuration file. ssh-certd reads configuration data from /opt/tectia/etc/ssh_certd_config (or the file specified with -f on the command line). By default, the configuration file contains only the keyword UseSSHD2ConfigFile, which instructs ssh-certd to read the specified sshd2 configuration file in compatibility mode, where the configuration options of sshd2 are silently ignored, and only the options relating to certificate or general daemon configuration are read. OPTIONS -d debug_level_spec Debug mode. The server sends verbose debug output to stderr. This option is only intended for debug- ging for the server. The debugging level is either a number, or a comma-separated list of assignments of the format ModulePattern=debug_level, for exam- ple "*=10,sshd2=2". This should be the first argu- ment on the command line. -f configuration_file Specifies the name of the configuration file. The default is /opt/tectia/etc/ssh_certd_config. Note: If this is specified, the default configuration file is not read at all. -o 'option' Can be used to give options in the format used in the configuration files. This is useful for speci- fying options for which there is no separate com- mand-line flag. The option has the same format as a line in the configuration file. Comment lines are not accepted. Where applicable, egrep regex format is used. -l listener-path Specifies the path where the server will open the listener socket. -F Disables daemon mode. The server does not spawn a new process to the background. -v Enables verbose mode. Displays verbose debugging messages. Equal to -d 2. This option can also be specified in the configuration file. -V Displays version string. -q Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termi- nation of each connection is logged. This option can also be specified in the configuration file. CONFIGURATION FILE ssh-certd reads configuration data from /opt/tectia/etc/ssh_certd_config (or the file specified with -f on the command line). The file contains keyword- value pairs, one per line. Lines starting with '#' and empty lines are interpreted as comments. For the format of ssh_certd_config, see ssh_certd_con- fig(5). FILES /opt/tectia/etc/ssh_certd_config Contains configuration data for ssh-certd. This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. For ease of migration from older installations, ssh_certd_config contains by default the line "UseSSHD2ConfigFile sshd2_config", which instructs ssh-certd to read the certificate config- uration from the sshd2 configuration file and ignore the options that are not relevant to it. INSTALLATION ssh-certd is normally run as root. AUTHORS SSH Communications Security Corporation For more information, see http://www.ssh.com. SEE ALSO ssh_certd_config(5), sshd2(8)
What to read next:
Reduce Secure Shell risk. Get to know the NIST 7966.
The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
ISACA Practitioner Guide for SSH
With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.