SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
Tectia Server for IBM z/OS requires an authorization file that lists the user public keys that are authorized for login.
The default location for the authorization file is
$HOME/.ssh2/authorization. The file location can
be changed with the
keyword in the
The authorization file contains a list of public key file names each
preceded by the keyword
Key. If there is more than one
Key, they are all authorized for login.
It is possible to define different settings in the authorization file
depending on which key is used in public-key authentication. The
authorization file has the same general syntax as the
sshd2_config configuration file. The following keywords may
This is followed by the file name of a public key in the user
configuration directory (by default,
$HOME/.ssh2) that is used for identification
when contacting the host. If there is more than one key defined, they are
all acceptable for login.
This keyword, if used, must follow the
above. The various options are specified as a comma-separated list.
Options can be used:
In addition to public-key authentication, the canonical name of the
remote host must match the given pattern(s). These parameters follow the
logic of the
DenyHosts keywords of
sshd2_config. Specify one pattern per keyword; multiple
keywords can be used.
This is used to specify a "forced command" that will be executed
on the server side instead of anything else when the user is authenticated.
The command supplied by the user (if any) is put in the environment
SSH2_ORIGINAL_COMMAND. The command is run on a pty
if the connection requests a pty; otherwise it is run without a tty.
Quotes may be used in the command if escaped with backslashes.
This option might be useful for restricting certain public keys to
perform just a specific operation. An example might be a key that permits
remote backups but nothing else. Note that the client may specify TCP/IP
and/or X11 forwarding, unless they are explicitly prohibited (see
Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted.
Sets idle timeout limit to time either in seconds (s or nothing after the number), in minutes (m), in hours (h), in days (d), or in weeks (w). If the connection has been idle (all channels) this long, the connection is closed.
Forbids TCP/IP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error.
This is useful in combination with the
Forbids authentication agent forwarding when this key is used for authentication.
Prevents tty allocation (a request to allocate a pty will fail).
authorization file could, for example,
contain the following:
Key master.pub Key maid.pub Options allow-from=".*\.example\.org" Key butler.pub Options deny-from=".*\.evil\.example",no-pty
When someone now logs in using the
master key, the
connection is not limited in any way by the
authorization file. However, if the
maid key is used, only connections from certain hosts will
be allowed. And if the
butler key is used, connections are
denied from certain hosts, and additionally the allocation of tty is