![]() ![]() |
sshd2
sshd2 — Secure Shell server daemon on z/OS
Synopsis
sshd2
[-d
debug_level_spec
] [-D
debug_level_spec
] [-f
config_file
] [-h
host_key_file
] [-o
options
] [-4|-6
] [-p
port
] [-F
] [-v
] [-V
] [-g
login_grace_time
] [-i
] [-q
]
Description
sshd2 (Secure Shell Daemon) is the server counterpart of sshg3. Together, these two programs replace and extend the services rlogin and rsh, and provide secure encrypted communication channels between two hosts connected over an unsecured network. They are intended to be as easy to install and use as possible.
sshd2 can be started either using a started task or manually from USS. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.
sshd2 can be configured using command-line options or a configuration file. Command-line options override values specified in the configuration file. sshd2 reads configuration data from /opt/tectia/etc/sshd2_config
(or the file specified with -f
on the command line).
Subconfiguration files can also be specified in the main configuration file.
Start sshd2 as a started task as follows:
===> s SSHD2
The started task takes modify commands as follows:
===> f SSHD2,<command>
The following modify commands are supported:
- debug
debug_level
Set the debug level of the running server.
- stop
Stop the server. Existing connections are killed.
- restart
Restart the server. Existing connections will stay open until they are disconnected. If you have made configuration changes, existing connections will continue to use the old configuration settings while new connections will use the reconfigured settings.
Options:
force
Kill all existing connections and restart the server.
- version
Query the version of the server.
The sshd2 command-line options (described in detail in the following section) can be given as an OPTS parameter on the sshd2 "start". For example, configuration file options are entered in the following format (where keyword
is a configuration file keyword):
===> S SSHD2,OPTS='-o<keyword>
=<value>
'
Under USS you can start sshd2 manually as the SSHD2
user with the following command:
> /opt/tectia/sbin/sshd2
Options
The following options are available:
-d
debug_level_spec
Runs the server in one-shot debug mode. The server process accepts only one connection and exits after the connection has disconnected. The server sends verbose debug output to
STDERR
. The debugging level is either a number, or a comma-separated list of assignments of the formatModulePattern=debug_level
, for example"*=10,sshd2=2"
. This should be the first argument on the command line.-D
debug_level_spec
Runs the server in continuous debug mode. As
-d
, but the server accepts several connections and needs to be stopped manually when you want to finish the debugging.-f
configuration_file
Specifies the name of the configuration file. The default is
/opt/tectia/etc/sshd2_config
.Note If this option is specified, the default configuration file is not read at all.
-h
host_key_file
Specifies the file from which the host key is read (default
/opt/tectia/etc/hostkey
).-o
'option'
Can be used to give options in the format used in the configuration files. This is useful for specifying options for which there is no separate command-line flag. The option has the same format as a line in the configuration file. Comment lines are not accepted. Where applicable, the egrep regex format is used.
-4
Specifies that sshd2 will only use IPv4 addresses. IPv6 addresses from
ListenAddress
configuration statements, name resolution and port forwarding will be ignored.-6
Specifies that sshd2 will only use IPv6 addresses. IPv4 addresses from
ListenAddress
configuration statements, name resolution and port forwarding will be ignored.-p
port
Specifies the port on which the server listens for connections. Note that when
-p
is specified, the server will ignore any definedListenAddress
andAddressFamily
configuration statements and listen on all available IPv4 and IPv6 interfaces. The-p
option is intended for testing - for greater control use thesshd2_config
configuration file. The value of thePort
configuration variable can be specified on the command line with the-o
option. However, explicit port numbers onListenAddress
statements will override-oPort
.-F
Disables daemon mode. The server does not spawn a new process to the background.
-v
Enables verbose mode. Displays verbose debugging messages. Equivalent to
-d 2
. This option can also be specified in the configuration file with the keywordVerboseMode
.-V
Displays version string.
-q
Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged. This option can also be specified in the configuration file with the keyword
QuietMode
.-g
login_grace_time
Gives the grace time for clients to authenticate themselves (the default is 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. The value zero indicates no limit.
-i
Specifies that sshd2 is invoked via inetd.
Configuration File
sshd2 reads configuration data from /opt/tectia/etc/sshd2_config
(or the file specified with -f
on the command line). The file contains keyword-value pairs, one per line. Lines starting with '#'
and empty lines are interpreted as comments.
For the format of sshd2_config, see sshd2_config(5).
Login Process
When a user logs in successfully, sshd2 does the following:
Changes process to run with normal user privileges.
Sets up the basic environment.
Changes to the user's home directory.
Runs the user's shell or command.
Files
/opt/tectia/etc/sshd2_config
Contains configuration data for sshd2. This file should be writable by
root
only, but it is recommended (though not necessary) that it be world-readable./opt/tectia/etc/hostkey
Contains the private part of the host key. This file is normally created automatically by
"make install"
, but can also be created manually using ssh-keygen-g3. This file contains vital cryptographic information and may only be read or modified byroot
./opt/tectia/etc/hostkey.pub
Contains the public part of the host key. This file is normally created automatically by
"make install"
, but can also be created manually. This file should be world-readable but must not be writable by anyone butroot
. If it does not match the private counterpart, clients probably get confused about the server's identity./opt/tectia/etc/random_seed
This file contains a seed for the random number generator. This file must not be accessible by anyone but
root
.$HOME/.ssh2/authorization
Contains information on how the server will verify the identity of a user. For more information, see Using the Authorization File.
$HOME/.hushlogin
If this file exists, sshd2 will not print information during login. (This is normally the user's last login time, message of the day and mail check.)
/etc/nologin
If this file exists, sshd2 refuses to let anyone except
root
log in. The contents of the file are displayed to anyone trying to log in. The file should be world-readable./etc/nologin_
<hostname>
As above, but the file name is constructed from the name of the host. Check the output of hostname to see which name you should use in the file name. This functionality is supposed to be used by clustered machines (which share
/etc
).$HOME/.rhosts
This file contains host-username pairs, separated by a white space, one per line. The given user is permitted to log in from the given host without a password. The same file is used by rlogind and rshd. sshd2 differs from rlogind and rshd in that it requires public host-key authentication from the ssh2 server running on this host in addition to validating the host name retrieved from domain name servers. The file must be writable only by the user; it is recommended that it is not accessible by others.
It is also possible to use netgroups in the file. Either host or user name may be of the form
+@groupname
to specify all hosts or all users in the group.$HOME/.shosts
For sshg3, this file is exactly the same as for
.rhosts
. However, this file is not used by rlogin and rshd, so using this permits access using sshg3 only./etc/hosts.equiv
This file is used during
.rhosts
authentication. In its simplest form, this file contains host names, one per line. Users on those hosts are permitted to log in without a password, provided they have the same user name on both machines. The host name may also be followed by a user name; such users are permitted to log in as any user on this machine (exceptroot
). Additionally, the syntax+@group
can be used to specify netgroups. Negated entries start with'-'
.If the client host/user is successfully matched in this file, login is automatically permitted provided the client and server user names are the same. Additionally, successful host-based authentication is normally required. This file must be writable only by
root
; it is recommended that it be world-readable.Caution It is almost never a good idea to use user names in
hosts.equiv
. Note that it really means that the named user(s) can log in as anybody, including bin, daemon, adm, and other accounts that own critical binaries and directories. Using a user name practically grants the user root access. The only valid use for user names should be in negative entries. Note that this warning also applies to rsh/rlogin./etc/shosts.equiv
This is processed exactly as
/etc/hosts.equiv
. However, this file is not used by rlogin and rshd, so using this permits access using sshg3 only.$HOME/.ssh2/knownhosts/
xxxxyyyy
.pubThese are the public host keys of hosts that a user wants to log in from using host-based authentication (equivalent to
RhostsRSAAuthentication
in ssh1). Also, users have to set up their$HOME/.shosts
(only used by ssh) or$HOME/.rhosts
files (insecure, as it is used by the r* commands also). If the user name is the same on both hosts, it is adequate to put the public host key to/opt/tectia/etc/knownhosts
and add the host name to/etc/shosts.equiv
(or/etc/hosts.equiv
).xxxx
denotes the host name (FQDN) andyyyy
denotes the public-key algorithm of the key.For example, if zappa.foo.fi's host-key algorithm is ssh-dss, the host key is contained in the file
zappa.foo.fi.ssh-dss.pub
in theknownhosts
directory.Possible names for public-key algorithms are
ssh-dss
andssh-rsa
./opt/tectia/etc/knownhosts/
xxxxyyyy
.pubAs above, but system-wide. These settings can be overridden by the user by putting a file with the same name to the
$HOME/.ssh2/knownhosts
directory.