SSHD2(8) SSH2 SSHD2(8) NAME sshd2 - Secure Shell server daemon on z/OS SYNOPSIS sshd2 [-d debug_level_spec] [-D debug_level_spec] [-f config_file] [-h host_key_file] [-o options] [-4|-6] [-p port] [-F] [-v] [-V] [-g login_grace_time] [-i] [-q] DESCRIPTION Sshd2 (Secure Shell Daemon) is the server counterpart of sshg3. Together, these two programs replace and extend the services rlogin and rsh, and provide secure encrypted com- munication channels between two hosts connected over an unsecured network. They are intended to be as easy to install and use as possible. sshd2 can be started manually from USS or by using a started task. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange. sshd2 can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file. sshd2 reads configu- ration data from /opt/tectia/etc/sshd2_config (or the file specified with -f on the command line). Subconfiguration files can also be specified in the main configuration file. Note that if changes are made in the main configuration file, sshd2 will have to be restarted, for example with the restart command: # /opt/tectia/etc/init.d/sshd2 restart OPTIONS -d debug_level_spec Runs the server in one-shot debug mode. The server process accepts only one connection and exits after the connection has disconnected. The server sends verbose debug output to stderr. The debugging level is either a number, or a comma-separated list of assignments of the format ModulePat- tern=debug_level, for example "*=10,sshd2=2". This should be the first argument on the command line. -D debug_level_spec Runs the server in continuous debug mode. As -d, but the server accepts several connections and needs to be stopped manually when you want to fin- ish the debugging. -f configuration_file Specifies the name of the configuration file. The default is /opt/tectia/etc/sshd2_config. Note: If this is specified, the default configuration file is not read at all. -h host_key_file Specifies the file from which the host key is read (default /opt/tectia/etc/hostkey). -o 'option' Can be used to give options in the format used in the configuration files. This is useful for speci- fying options for which there is no separate com- mand-line flag. The option has the same format as a line in the configuration file. Comment lines are not accepted. Where applicable, the egrep regex format is used. -4 Specifies that sshd2 will only use IPv4 addresses. IPv6 addresses from ListenAddress configuration statements, name resolution and port forwarding will be ignored. -6 Specifies that sshd2 will only use IPv6 addresses. IPv4 addresses from ListenAddress configuration statements, name resolution and port forwarding will be ignored. -p port Specifies the port on which the server listens for connections. Note that when -p is specified, the server will ignore any defined ListenAddress and AddressFamily configuration statements and listen on all available IPv4 and IPv6 interfaces. -p is intended for testing - for greater control use the sshd2_config configuration file. The value of the Port configuration variable can be specified on the command line with the -o option. However, explicit port numbers on ListenAddress statements will over- ride -oPort. -F Disables daemon mode. The server does not spawn a new process to the background. -v Enables verbose mode. Displays verbose debugging messages. Equivalent to -d 2. This option can also be specified in the configuration file. -V Displays version string. -q Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termi- nation of each connection is logged. This option can also be specified in the configuration file. -g login_grace_time Gives the grace time for clients to authenticate themselves (the default is 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. The value zero indicates no limit. -i Specifies that sshd is invoked via inetd. CONFIGURATION FILE sshd2 reads configuration data from /opt/tec- tia/etc/sshd2_config (or the file specified with -f on the command line). The file contains keyword-value pairs, one per line. Lines starting with '#' and empty lines are interpreted as comments. For the format of sshd2_config, see sshd2_config(5). LOGIN PROCESS When a user logs in successfully, sshd2 does the follow- ing: 1. Changes process to run with normal user privileges. 2. Sets up the basic environment. 3. Reads /etc/environment if it exists. 4. Changes to the user's home directory. 5. Runs the user's shell or command. FILES /opt/tectia/etc/sshd2_config Contains configuration data for sshd2. This file should be writable by root only, but it is recom- mended (though not necessary) that it be world- readable. /opt/tectia/etc/hostkey Contains the private part of the host key. This file is normally created automatically by "make install", but can also be created manually using ssh-keygen-g3(1). This file contains vital crypto- graphic information and may only be read or modi- fied by root. /opt/tectia/etc/hostkey.pub Contains the public part of the host key. This file is normally created automatically by "make install", but can also be created manually. This file should be world-readable but must not be writable by anyone but root. If it does not match the private counterpart, clients probably get con- fused about the server's identity. /opt/tectia/etc/random_seed This file contains a seed for the random number generator. This file must not be accessible by anyone but root. $HOME/.ssh2/authorization Contains information on how the server will verify the identity of an user. See Tectia Server for IBM z/OS Administrator Manual for more information. $HOME/.hushlogin If this file exists, sshd2 will not print informa- tion during login. (This is normally the user's last login time, message of the day and mail check.) /etc/nologin If this file exists, sshd2 refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in. The file should be world-readable. /etc/nologin_<hostname> As above, but the file name is constructed from the name of the host. Check output of hostname to see which name you should use in the file name. This functionality is supposed to be used by clustered machines (which share /etc). $HOME/.rhosts This file contains host-username pairs, separated by a whitespace, one per line. The given user is permitted to log in from the given host without a password. The same file is used by rlogind and rshd. sshd2 differs from rlogind and rshd in that it requires public host-key authentication from the ssh2 server running on this host in addition to validating the host name retrieved from domain name servers. The file must be writable only by the user; it is recommended that it is not accessible by others. It is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group. $HOME/.shosts For sshg3, this file is exactly the same as for .rhosts. However, this file is not used by rlogin and rshd, so using this permits access using sshg3 only. /etc/hosts.equiv This file is used during .rhosts authentication. In its simplest form, this file contains host names, one per line. Users on those hosts are per- mitted to log in without a password, provided they have the same username on both machines. The host- name may also be followed by a username; such users are permitted to log in as any user on this machine (except root). Additionally, the syntax +@group can be used to specify netgroups. Negated entries start with '-'. If the client host/user is successfully matched in this file, login is automatically permitted pro- vided the client and server usernames are the same. Additionally, successful host-based authentication is normally required. This file must be writable only by root; it is recommended that it be world- readable. Warning: It is almost never a good idea to use usernames in hosts.equiv. Note that it really means that the named user(s) can log in as anybody, including bin, daemon, adm, and other accounts that own critical binaries and directories. Using a username practically grants the user root access. The only valid use for usernames should be in nega- tive entries. Note that this warning also applies to rsh/rlogin. /etc/shosts.equiv This is processed exactly as /etc/hosts.equiv. However, this file is not used by rlogin and rshd, so using this permits access using sshg3 only. $HOME/.ssh2/knownhosts/xxxxyyyy.pub These are the public host keys of hosts that a user wants to log in from using hostbased authentication (equivalent to RhostsRSAAuthentication in ssh1). Also, users have to set up their $HOME/.shosts (only used by ssh) or $HOME/.rhosts files (inse- cure, as it is used by the r* commands also). If the username is the same on both hosts, it is ade- quate to put the public host key to /opt/tec- tia/etc/knownhosts and add the hostname to /etc/shosts.equiv (or /etc/hosts.equiv). xxxx denotes the host name (FQDN) and yyyy denotes the public-key algorithm of the key. For example, if zappa.foo.fi's host-key algorithm is ssh-dss, the host key is contained in the file zappa.foo.fi.ssh-dss.pub in the knownhosts direc- tory. Possible names for public-key algorithms are ssh- dss and ssh-rsa. /opt/tectia/etc/knownhosts/xxxxyyyy.pub As above, but system-wide. These settings can be overridden by the user by putting a file with the same name to the $HOME/.ssh2/knownhosts directory. AUTHORS SSH Communications Security Corporation For more information, see http://www.ssh.com. SEE ALSO sshd2_config(5), ssh-broker-g3(1), ssh-keygen-g3(1), sshg3(1), scpg3(1), sftpg3(1), rlogin(1), rsh(1), tel- net(1)
What to read next:
Reduce Secure Shell risk. Get to know the NIST 7966.
The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
ISACA Practitioner Guide for SSH
With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.