SSH

Default sshd2_config Configuration File

The default sshd2_config configuration file is shown below. For descriptions of the configuration options, see sshd2_config(5).

## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
##
## sshd2_config
##
## SSH Tectia Server 6.5 for IBM z/OS - SSHD2 Server Configuration File
##

## General

# Server Authentication: server keys in files
#       HostKeyFile                     hostkey
#       PublicHostKeyFile               hostkey.pub
#       HostCertificateFile             hostkey.crt # Comment out the pubkey
                                                    # if cert is specified
# Server Authentication: server key and certificate in SAF
#       HostKeyEkProvider               "zos-saf"
#       HostKeyEkInitString             "KEYS(ID(SSHD2) RING(HOSTKEY) LABEL('Host \
                                        key label'))"
#       HostKey.Cert.Required           yes
#
#       RandomSeedFile                  random_seed
#       BannerMessageFile               /opt/tectia/etc/ssh_banner_message
#       BannerMessageFile               /etc/issue.net
#
#       VerboseMode                     no # For debugging only. See man page.
#       QuietMode                       no
#       SyslogFacility                  AUTH
#       SyslogFacility                  LOCAL7
#       SftpSyslogFacility              DAEMON
#       SftpSmfType                     none
#       SftpSmfType                     TYPE119
#       WTORoutingCodes                 1,11

## Communication with ssh-certd

#       CertdListenerPath               /opt/tectia/var/run/ssh-certd-listener

## Network

#       Port                            22
#       AddressFamily                   inet
#                                         inet:  IPv4 only
#                                         inet6: IPv6 only
#                                         any:   IPv4 and IPv6
#
#       PidFile                         default
#       PidFile                         /opt/tectia/var/run/sshd2_22.pid
#       PidFile                         /opt/tectia/var/run/sshd2.pid
#       ListenAddress                   any
#       ListenerRetryInterval           0
#       ListenerRetryInterval           60
#       ResolveClientHostName           yes
#       RequireReverseMapping           no
#       MaxBroadcastsPerSecond          0
#       MaxBroadcastsPerSecond          1
#       NoDelay                         no
#       KeepAlive                       yes

## Load Control

#       MaxConnections                  1000
#       LoadControl.Active              yes
#       LoadControl.DiscardLimit        see below
#       LoadControl.WhitelistSize       1000
#
# MaxConnections is the limit of the number of concurrent connections. It must
# be greater than 1 when Load Control is active. The value 0 means that the
# number of connections is unlimited and causes Load Control to be disabled.
#
# Set LoadControl.Active to no to disable load control.
#
# LoadControl.DiscardLimit must not be larger than MaxConnections. The default
# value is 90 % of MaxConnections.
#
# LoadControl.WhitelistSize is the number of distinct IP addresses that the
# whitelist can hold.

## Crypto

#       Ciphers                         aes128-ctr,aes192-ctr,aes256-ctr, \
#                                       aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
# Specifies the accepted encryption algorithms for connection security. It is
# a list of cipher names or one of the names Any, AnyCipher, AnyStd or AnyStdCipher.
# Any and AnyCipher include all the ciphers supported by Tectia.
# AnyStd and AnyStdCipher include ciphers listed in the SSH standards.
# Any and AnyStd also include "none", which means no encryption.
#

#       MACs                            hmac-sha1,hmac-sha1-96,hmac-sha2-256, \
#                                       hmac-sha256-2@ssh.com,hmac-sha224@ssh.com, \
#                                       hmac-sha256@ssh.com,hmac-sha384@ssh.com, \
#                                       hmac-sha2-512,hmac-sha512@ssh.com
# Specifies the accepted Message Authentication Codes for connection security.
# It is a list of MAC names or one of the names Any, AnyMAC, AnyStd or
# AnyStdMAC.
# Any and AnyMAC include all the MACs supported by Tectia.
# AnyStd and AnyStdMAC include the MACs listed in the SSH standards.
# Any and AnyStd also include "none", which means no message authentication.
#

#       KEXs                            ecdh-sha2-nistp521, \
#                                       ecdh-sha2-nistp384,ecdh-sha2-nistp256, \
#                                       diffie-hellman-group14-sha1, \
#                                       diffie-hellman-group14-sha256@ssh.com
# A list of key exchange names or Any, AnyKEX, AnyStd or AnyStdKEX.
#

#       HostKeyAlgorithms               x509v3-ecdsa-sha2-nistp521, \
#                                       x509v3-ecdsa-sha2-nistp384, \
#                                       x509v3-ecdsa-sha2-nistp256, \
#                                       ecdsa-sha2-nistp521,ecdsa-sha2-nistp384, \
#                                       ecdsa-sha2-nistp256,ssh-dss,ssh-rsa, \
#                                       ssh-dss-sha256@ssh.com, \
#                                       ssh-rsa-sha256@ssh.com,x509v3-sign-dss, \
#                                       x509v3-sign-rsa, \
#                                       x509v3-sign-dss-sha256@ssh.com, \
#                                       x509v3-sign-rsa-sha256@ssh.com
# A list of host key algorithm names or Any, AnyHostKeyAlgorithm, AnyStd or
# AnyStdHostKeyAlgorithm.
#

#       RekeyIntervalSeconds            3600

## Crypto Hardware

#       UseCryptoHardware               yes
# Specifies whether hardware support is wanted for certain
# algorithms. The support levels are
#   no          do not use crypto hardware
#   yes         use crypto hardware if available
#   must        use crypto hardware, fail if not available
#
# The level may be given alone as a default for all algorithms or
# together with an algorithm. The algorithm names that may
# be used are:
#   rng         random number generator
#   sha         SHA1 and SHA2 digest algorithms (sha1 is equivalent)
#   aes         AES algorithms
#   3des        Triple DES
#
# UseCryptoHardware is a comma-delimited list of algorithm:support-level
# pairs. It may start with a sole support level that applies to all algorithms.
#
# E.g. To use all available hardware support and fail if support for 3DES
#      or SHA is not available, specify "yes,aes:must,sha:must"
#
# On most IBM mainframe systems the following algorithms have hardware support:
# the ciphers "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" and the MACs
# "hmac-sha1,hmac-sha224@ssh.com,hmac-sha256@ssh.com,hmac-sha2-256,
# hmac-sha256-2@ssh.com, hmac-sha384@ssh.com,hmac-sha2-512,
# hmac-sha512@ssh.com". The support is provided by
# the CPACF facility and ICSF.
#

## User

#       PrintMotd                       yes
#       CheckMail                       yes
#       StrictModes                     yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
#                   minute, 's' for seconds)
#       IdleTimeOut                     1h
# without specifier, the default number is in seconds
#       IdleTimeOut                     3600
#
#       UserConfigDirectory             "%D/.ssh2"
#       UserConfigDirectory             "/opt/tectia/etc/auth/%U"
#       AuthorizationFile               authorization
#
# The AuthorizedKeysFile directive can be used to enable public-key
# authentication against a legacy authorized_keys file that contains
# several keys in a single file.
#       AuthorizedKeysFile             "authorized_keys"
#       AuthorizedKeysFile             "%D/.ssh/authorized_keys"
#
# This variable is set here because by default it is empty, so no client
# environment variables could be passed. A few common ones are therefore
# allowed here.
        SettableEnvironmentVars         LANG,LC_(ALL|COLLATE|CTYPE|MONETARY| \
                                        NUMERIC|TIME),PATH,TERM,TZ,SSH.*

## Conversion on terminal session

#       ShellTransferCodeset            ISO8859-1
#       ShellTransferLineDelimiter      UNIX
#       ShellAccountCodeset             IBM-1047
#       ShellAccountLineDelimiter       MVS
#       ShellTranslateTable             ""
#       ShellConvert                    yes

## Tunneling

#       AllowTcpForwarding              yes
#       AllowTcpForwardingForUsers      sjl, ra-user@remote\.example
#       DenyTcpForwardingForUsers       2[[:digit:]]*4,peelo
#       AllowTcpForwardingForGroups     privileged_tcp_forwarders
#       DenyTcpForwardingForGroups      coming_from_outside
#
#       AllowLocalForwarding            no
        AllowLocalForwarding            yes

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
#      ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.example.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group ID (GID) 10:
#
#      ForwardACL allow local s.*%10 proxy\.example\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
#      ForwardACL deny remote .* .*


## Authentication

## publickey and password allowed by default
#      AllowedAuthentications          publickey,password
#      AllowedAuthentications          hostbased,publickey,password
#      AllowedAuthentications          hostbased,publickey,keyboard-interactive
#      RequiredAuthentications         publickey,password
#      LoginGraceTime                  600
#      AuthInteractiveFailureTimeout   2
#
#      HostbasedAuthForceClientHostnameDNSMatch no
#      UserKnownHosts                  yes
#
#      AuthPublicKey.MaxSize           0
#      AuthPublicKey.MinSize           0
#      AuthPublicKey.Algorithms        AnyStdPublicKeyAlgorithm
#
#      AllowAgentForwarding            yes

#      AuthKbdInt.NumOptional          0
#      AuthKbdInt.Optional             password,plugin
#      AuthKbdInt.Required             password
#      AuthKbdInt.Retries              3
#
#      PermitEmptyPasswords            no
#      PasswordGuesses                 3
#
## publickey authentication with certificates in SAF
# Users logging in with name "-" need SAF certificate
#       IdentityDispatchUsers                  -
#
# All users logging in need SAF certificate
#       IdentityDispatchUsers                  .*
#
#       AuthPublicKey.Cert.ValidationMethods   saf
#
# Certificate is also validated in ssh-certd
#       AuthPublicKey.Cert.ValidationMethods   saf,tectia
#
# Client must send user certificate
#       AuthPublicKey.Cert.Required            yes
#
#       AuthorizationEkProvider         "zos-saf:KEYS(ID(%UU) RING(%UU))"
#       AuthorizationEkProvider         "zos-saf:[USERNAME=%U UID=%IU GID=%IG]"
#       AuthorizationEkInitStringMapper /home/SSHD2/mapper.sh
#       AuthorizationEkInitStringMapperTimeout 0   # 0 = Timeout disabled
#
## hostbased authentication with certificates in SAF
#       AuthHostbased.Cert.ValidationMethods   saf
#
# Certificate is also validated in ssh-certd
#       AuthHostbased.Cert.ValidationMethods   saf,tectia
#
# Client must send host certificate
#       AuthHostbased.Cert.Required  yes
#       KnownhostsEkProvider        "zos-saf:KEYS(ID(SSHD2) RING(KNOWNHOSTS))"
#

# To enable authentication time password changing (instead of the old
# forced command style), uncomment the following line:

#       AuthPassword.ChangePlugin       ssh-passwd-plugin

# (this will also be used by the "password" submethod in
#  keyboard-interactive).

## Host restrictions

#       AllowHosts               localhost, example\.com, friendly\.example
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
##     AllowHosts               t..l.\..*
##
## The following matches any numerical IP address (yes, it is cumbersome)
##
##     AllowHosts               ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with the special prefix "\i" in a pattern.
## This means that the pattern is only used to match IP addresses.
##
## Using the above example:
##
##     AllowHosts               \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
##     AllowHosts               \m127.0/8
## and
##     AllowHosts               \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
#       DenyHosts                       evil\.example, aol\.example
#       AllowSHosts                     trusted\.host\.example
#       DenySHosts                      not\.quite\.trusted\.example
#       IgnoreRhosts                    no
#       IgnoreRootRHosts                no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions
# User and group names must be in uppercase.

#       AllowUsers                      SJ.*,S[[:digit:]]*,S(JL|AMZA)
#       DenyUsers                       SKUUPPA,WAREZDUDE,31373
#       DenyUsers                       DON@example\.org
#       AllowGroups                     STAFF,USERS
#       DenyGroups                      GUEST,ANONYMOUS
#       PermitRootLogin                 yes
#       PermitRootLogin                 nopwd

## Chrooted environment
# User and group names must be in uppercase.

#       ChRootUsers                     ANONYMOUS,FTP,GUEST
#       ChRootGroups                    SFTP,GUEST

## Subsystem definitions

# Subsystems do not have defaults, so this is needed here (uncommented).
#       subsystem-sftp                  sftp-server
        subsystem-sftp                  /opt/tectia/libexec/sft-server-g3
# The internal SFTP subsystem can also be used.
#       subsystem-sftp                  internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host-specific files
# are read before the user-specific files.
# User and group names must be in uppercase.

# The following matches connections from any host:
#
#      HostSpecificConfig .* /opt/tectia/etc/subconfig/host_ext.example
#
# The following matches a subnet given with a subnet mask:
#
#      HostSpecificConfig \m192.168.0.0/16 /opt/tectia/etc/subconfig/host_int.example
#
# The following matches users from ssh.com whose username is two characters
# long or is SJL, and who belong to group WHEEL or WHEEL[0-9]:
#
#      UserSpecificConfig (..|SJL)%WHEEL[[:digit:]]?@ssh\.com /opt/tectia/etc/  \
                           subconfig/user.example
#
# The following matches the user ANONYMOUS from any host:
#
#      UserSpecificConfig ANONYMOUS@.* /opt/tectia/etc/subconfig/anonymous.example
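Several comments in the file above state constraints worth checking mechanically: the Load Control rules (MaxConnections must be greater than 1 when Load Control is active, 0 disables it, LoadControl.DiscardLimit must not exceed MaxConnections) and the fact that Any and AnyStd in Ciphers or MACs also admit "none". The following is an added example, not code from the Tectia product or its default file: it reads the sshd2_config syntax (comment lines, backslash continuations, keyword/value pairs) from a constructed sample and reports those conditions. It assumes a trailing backslash joins the next line verbatim, which the file itself does not spell out.

```python
# Constructed sample in sshd2_config syntax (not the page's default file).
SAMPLE = """\
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
        MaxConnections                  1000
        LoadControl.Active              yes
        LoadControl.DiscardLimit        1200
        Ciphers                         AnyStd
        MACs                            hmac-sha2-256, \\
                                        hmac-sha2-512
        PermitEmptyPasswords            yes
"""

def parse_sshd2_config(text):
    """Return {keyword: value}; a later occurrence of a keyword overrides an earlier one.
    Assumption: a trailing '\\' joins the next line (its leading blanks dropped) verbatim."""
    logical, buf = [], ""
    for line in text.splitlines():
        buf += line.strip() if buf else line.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]                     # continuation: keep collecting
            continue
        logical.append(buf)
        buf = ""
    conf = {}
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint(conf):
    """Findings based on the constraints stated in the default file's comments."""
    findings = []
    maxc = int(conf.get("MaxConnections", "1000"))
    if conf.get("LoadControl.Active", "yes").lower() == "yes":
        if maxc == 0:
            findings.append("MaxConnections 0 disables Load Control")
        elif maxc <= 1:
            findings.append("MaxConnections must be > 1 with Load Control active")
        limit = conf.get("LoadControl.DiscardLimit")
        if limit is not None and int(limit) > maxc:
            findings.append("LoadControl.DiscardLimit exceeds MaxConnections")
    for kw in ("Ciphers", "MACs"):             # Any and AnyStd also include "none"
        algs = {a.strip().lower() for a in conf.get(kw, "").split(",")}
        if algs & {"any", "anystd", "none"}:
            findings.append(f"{kw} permits 'none' (no encryption/integrity)")
    if conf.get("PermitEmptyPasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes")
    return findings
```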

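The AllowHosts patterns in the Host restrictions section combine egrep syntax with the "\i" (IP address only), "\m" (subnet mask) and "\," (literal comma) conventions described there. The matcher below is an added example, not code from SSH Tectia; it evaluates such a pattern list against a client address and resolved hostname in Python, assuming whole-string matching and that a plain pattern is tried against both the address and the hostname, and translating the [[:digit:]] class for Python's re module.

```python
import ipaddress
import re

# egrep character classes used on the page, translated for Python's re module.
POSIX_CLASSES = {"[:digit:]": "0-9", "[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9"}

def split_list(value):
    """Split a comma-separated list; '\\,' is a literal comma inside one pattern."""
    return [p.strip().replace("\\,", ",") for p in re.split(r"(?<!\\),", value)]

def to_python_regex(pattern):
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern

def cidr(spec):
    """'127.0/8' style: pad a shortened network address to four octets."""
    addr, _, bits = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def host_allowed(allow_hosts, ip, hostname=None):
    """True if the client's IP or resolved hostname matches any AllowHosts pattern.
    Assumptions: patterns are anchored to the whole string, and a plain pattern is
    tried against both the address and the hostname ("\\i" restricts it to the address)."""
    for pat in split_list(allow_hosts):
        if pat.startswith("\\m"):              # subnet mask prefix
            if ipaddress.ip_address(ip) in cidr(pat[2:]):
                return True
        elif pat.startswith("\\i"):            # IP-address-only prefix
            if re.fullmatch(to_python_regex(pat[2:]), ip):
                return True
        else:
            rx = to_python_regex(pat)
            if any(re.fullmatch(rx, s) for s in (ip, hostname) if s):
                return True
    return False
```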