sshd2_subconfig — advanced configuration of sshd2 on z/OS


You can also specify configuration options in so-called subconfiguration files, which have the same basic format as the main configuration file. The process forked to handle the user's connection reads these files. They are read at run-time, so if they are modified, it is not necessary to restart the server process.

If parsing of the subconfiguration files fails, the connection is terminated (for the host-specific subconfiguration) or access denied (for the user-specific subconfiguration) by the server.

Most of the configuration options that work in the main file work also in these, but some do not, where it either does not make sense to set them (e.g. ListenAddress and Port, which only affect the daemon process listening to the port, and would not affect that behavior in any way in a subconfiguration file) or it would be confusing (e.g. AllowUsers in user-specific subconfiguration, and AllowHosts in host-specific subconfiguration.).

The value for {Host,User}SpecificConfig keywords is a pattern-filename pair, separated by a whitespace. With UserSpecificConfig, the pattern is of format "user[%group][@host]", where the pattern user is matched with the user name and UID, group is matched with the user's primary and any secondary groups, both group name and GID, and host is matched as described under option AllowHosts. With HostSpecificConfig, the pattern is "host" (as in UserSpecificConfig).

Unlike sshd2_config, the subconfiguration files may have configuration blocks, or stanzas, in them. The subconfiguration heading is interpreted identically to what is described above, i.e. with UserSpecificConfig the pattern is of the format "user[%group][@host]", and with HostSpecificConfig the format is "host".

The subconfiguration files are divided into two categories: user-specific and host-specific. User-specific subconfiguration files are read when the client has stated the user name it is trying to log in with. At this point, the server will obtain additional information about the user: does the user exist, what is the user's UID, and what groups does the user belong to. With this information, the server can read the user-specific configuration files specified by UserSpecificConfig in the main sshd2 configuration file.

The other category is host-specific configuration files, which are configured with the HostSpecificConfig variable. These files are read immediately after the daemon has forked a new process to handle the connection. Thus most configuration options can be set in these.

Note that it is possible to mix these configuration files. This is not recommended, because any global settings in these files would be set multiple times (which would not do any harm per se, but might lead to behavior not intended by the administrator).

Subconfigurations are really flexible, and because of that, dangerous if the logic of the files is not carefully planned. You can specify different authentication methods for different users, different banner messages for people from certain hosts, and set log messages of certain groups to go to different files. There are a lot of possibilities here.