You can configure the following settings in the server configuration file. The default file is /etc/ssh2/sshd2_config.
Configures the account management system that sshd uses to validate a user account. Account management services determine if an account is active, and whether or not a password is still valid. The allowed values are 'password', 'pam', 'aix', and 'none'. The default is 'pam,password', which requires the user account to pass validation by both systems.
pam - Use PAM for account management. PAM account management applies to all sessions, regardless of the authentication method (or methods) used. If an account is locked, the connection is refused.
password - Use the password database to validate the account.
aix - For use on AIX systems. If a user authenticates successfully using public key authentication, the server ignores password accounting restrictions such as the requirement to update an expired password. If the account is locked using the AIX account_locked flag, the user will not be allowed to log in even if public key authentication is successful. Note: On non AIX systems, this value is equivalent to 'none'.
none - Use no account validation. Use this only for troubleshooting.
This setting is used by the server when it creates a listening, session, or forwarding TCP socket. The allowed values are 'any' (allow the system to decide which address family to use), 'inet' (accept only IPv4), and 'inet6' (accept only IPv6). The default is 'inet'. Note: The current value of ListenAddress may also affect whether or not the server accepts connections using IPv4 or IPv6 addresses.
Specifies whether agent forwarding is allowed. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies which authentication methods the server supports. The client and server agree on one or more authentication methods during the initial connection process, based on both client and server configuration. (Use RequiredAuthentications to require one or more authentication methods. RequiredAuthentications overrides AllowedAuthentications.)
The supported authentication methods are 'gssapi-keyex', 'gssapi-with-mic', 'publickey', 'keyboard-interactive', and 'password'. The default is 'gssapi-with-mic, publickey, keyboard-interactive, password'.
This keyword is no longer supported. If you used it in previous versions, you need to manually migrate your setting. Refer to the following keywords: AllowedAuthentications, RequiredAuthentications, and AuthKbdInt.Required.
Use this keyword to allow login only for users who are members of a specified group. Regular expressions are supported. For details, see Configuring User and Group Access. If this keyword is not configured, all groups are allowed to log in.
Use this keyword to allow login only for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not configured, all client hosts are allowed.
Notes:
If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to 'yes'. When ResolveClientHostName is 'yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is 'yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.
To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).
Controls what kinds of operations users can perform using sftp and scp commands from Reflection for Secure IT clients. This keyword supports a comma-separated list of one or more of the following: 'all', 'none', 'browse', 'download', 'upload', 'delete', 'rename'. The upload option enables users to modify files, create files, create directories, or modify file attributes on the server. The download option enables users to read file contents. The default is 'all'.
Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. The SessionRestricted keyword also affects access to file transfers. The default value for SessionRestricted is 'shell, exec, subsystem'. For Reflection for Secure IT clients, the 'subsystem' session type is required for both sftp and scp transfers. For OpenSSH-style clients 'subsystem' is required for sftp transfers; 'exec' is required for scp transfers.
Use this keyword to allow or deny port forwarding to all client users. The allowed values are 'yes' and 'no'. The default is 'yes'. This keyword controls both local (client to server) and remote (server to client forwarding). Use ForwardAcl for more fine-grained control.
Use this keyword to allow port forwarding only for users who are members of a specified group. Regular expressions are supported.
Use this keyword to allow port forwarding only for specified users. Regular expressions are supported.
Use this keyword to allow login only for specified users. Regular expressions are supported. For details, see Configuring User and Group Access.
Specifies whether X11 forwarding is allowed. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies whether or not an audit log is created. When 'sftp' is specified, a comma-delimited log file containing a detailed record of file transfer activity is created in the location specified by AuditLog.Directory. The first line of the audit log file, shown here, identifies the logged content: UserID, ClientIP, Action, ServerFilename, StartTime, EndTime, ServerFileModificationTime, ServerFileSize, BytesTransferred, Result, Reason, ServerFileHash. The default is 'none'.
The output location for audit logs. A new log is created each day using this name format: sshd2-audit-YYYYMMDD.log, where YYYYMMDD indicates the date. When AuditLog = sftp, this file is created the first time a client user transfers a file, or when you restart the server. The default is /etc/ssh2/logs.
Note: If users have been limited to a home directory for sftp protocol connections (using ChrootSftpUsers or ChrootSftpGroups), the audit log directory must be located in the home directory. Because of this limitation, audit logging only works for chrooted users if they share the same home directory.
Specifies whether or not sftp log entries include a file hash. The hash value can be used to identify multiple records identifying transfer of the same file. Each time an unchanged file is transferred, the hash value in the log is identical. If a file is changed, the hash value is different. The allowed values are 'yes' and 'no'. The default is 'yes'.
The allowed values are 'yes' and 'no'. The default is 'no'. When set to 'no', no information about authentication failures is sent to the client. This complies with SSH convention. To enable this setting, you must also enable AuthImmediateDisconnect. When both AuthFailureErrorMessages and AuthImmediateDisconnect are set to 'yes' the client user receives information about the reason for the failure. Note: Messages sent to the client report failures that occur regardless of which authentication method is used. For example, information is sent to the client if the user account is disabled or unknown on the server host, or if a user is on the denied user list. No information is provided about failures that are specific to the authentication method used (such as an incorrect password, missing public key, or invalid certificate).
Caution: Enabling this setting increases your security risk by providing clients with information about valid account names.
The allowed values are 'yes' and 'no'. The default is 'no'. When this setting is 'no', the server responds identically to all failed authentication attempts. This complies with SSH convention. When this setting is 'yes', users with blocked accounts are disconnected as soon as possible, which means they might not see any authentication prompts. If a user is denied access because of Reflection for Secure IT server settings (for example AllowUsers or DenyUsers), the disconnection always happens immediately. If a user is denied access because of operating system configuration, the timing of the disconnection is affected by the AccountManagement setting. When AccountManagement=pam, denied users see PAM authentication prompts before being disconnected. This is because PAM authentication happens before PAM account management. If you prefer to have users be disconnected without seeing PAM authentication prompts, set AccountManagement=pam,password (the default). In most cases, enabling password account management provides the server with enough information about the user account to reject the connection before PAM authentication starts.
Caution: Enabling this setting increases your security risk by providing clients with information about valid account names.
Specifies which authentication method to use for keyboard-interactive authentication. The specified authentication method must succeed for the user to be successfully authenticated. The allowed values are 'pam', 'password', and 'radius'. The default is 'pam', which specifies that PAM modules are used for authentication and password management. When 'password' is specified, the user response is handled as a standard login password. When 'radius' is specified, one or more RADIUS authentication servers are used for authentication.
Sets the maximum number of attempts allowed for keyboard interactive authentication. The default is 3.
Specifies whether the server uses verbose keyboard interactive prompts. The allowed values are 'yes' and 'no'. The default is 'no'.
Specifies the name of the file used for configuring user keys for public key authentication. For public key authentication to succeed, a key presented by a client user for authentication must be correctly identified in this file. For file syntax, see the FILES section.
The file is assumed to be relative to ~/.ssh2 (or whatever location is set for UserConfigDirectory) unless you specify an absolute path. The following macros are recognized: %U = user log-in name, %D = user's home directory, %IU = UID for user, %IG = GID for user. The default file is %D/.ssh2/authorization.
Sets the largest public key size allowed for user authentication. The default is 32768, and values larger than this are not allowed. The range of accepted values is 512-32769. Using zero (0) is equivalent to using the default.
Sets the smallest public key size allowed for user authentication. The default is 512, and values smaller than this are not allowed. Using zero (0) is equivalent to using the default.
Specifies the maximum number of attempts the server accepts for public key authentication. Once this number is reached, further attempts to authenticate using a public key are rejected, but the connection is not broken. This allows the client to attempt authentication using the next allowed method. The default is 100.
Identifies a file that contains text for a banner message. The server sends this text to the client before the client authenticates. Note: Some clients do not support banner display. If you configure a banner, you should ensure that your Secure Shell client supports this feature. The default is /etc/ssh2/ssh_banner_message.
Specifies groups whose users are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against group names, not GID's.
Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. The SessionRestricted keyword also affects access to file transfers. The default value for SessionRestricted is 'shell, exec, subsystem'. For Reflection for Secure IT clients, the 'subsystem' session type is required for both sftp and scp transfers. For OpenSSH-style clients 'subsystem' is required for sftp transfers; 'exec' is required for scp transfers.
When ChrootSftpUsers or ChrootSftpGroups is enabled, connected users see additional subdirectories (etc on all platforms and dev on AIX) added to their home directory. These directories contain required files and cannot be moved or deleted. The etc directory contains the rsit.conf file, which identifies the installation location of files required by Reflection for Secure IT. A localtime file may also be present. It is needed so that processes such as logging can get the current time. The system localtime file is in a location that cannot be accessed by a chrooted user. If the TZ environment variable set on the system, the localtime file is not created. Users running on AIX also require /dev/null, which is needed for correct logging to syslog.
Specifies users who are restricted to their home directory for sftp protocol connections. Any sftp protocol request that operates on a file or directory is checked to ensure it is not outside of the confined directory or any of its child directories. Regular expressions are supported. Patterns match against user names, not UID's.
Note: This setting affects both sftp and scp connections from Reflection for Secure IT clients. The SessionRestricted keyword also affects access to file transfers. The default value for SessionRestricted is 'shell, exec, subsystem'. For Reflection for Secure IT clients, the 'subsystem' session type is required for both sftp and scp transfers. For OpenSSH-style clients 'subsystem' is required for sftp transfers; 'exec' is required for scp transfers.
When ChrootSftpUsers or ChrootSftpGroups is enabled, connected users see additional subdirectories (etc on all platforms and dev on AIX) added to their home directory. These directories contain required files and cannot be moved or deleted. The etc directory contains the rsit.conf file, which identifies the installation location of files required by Reflection for Secure IT. A localtime file may also be present. It is needed so that processes such as logging can get the current time. The system localtime file is in a location that cannot be accessed by a chrooted user. If the TZ environment variable set on the system, the localtime file is not created. Users running on AIX also require /dev/null, which is needed for correct logging to syslog.
Specifies one or more (comma separated) encryption algorithms the server supports. The default is AnyStdCipher.
The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. Allowed values are 'aes128-ctr', 'aes128-cbc', 'aes192-ctr', 'aes192-cbc', 'aes256-ctr', 'aes256-cbc', 'blowfish-cbc', 'arcfour', 'arcfour128', 'arcfour256', 'cast128-cbc', and '3des-cbc'.
You can also set this value to 'none'. When 'none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.
The following values are provided for convenience: 'aes' (all supported aes ciphers), 'blowfish' (equivalent to 'blowfish-cbc'), 'cast' (equivalent to 'cast128-cbc'), '3des' (equivalent to '3des-cbc'), 'Any' or 'AnyStd' (all available ciphers plus 'none'), and 'AnyCipher' or 'AnyStdCipher' (all available ciphers).
The client alive mechanism enables the server to determine when the client has become inactive. ClientAliveCountMax sets the maximum number of client alive messages the server sends through the encrypted channel to request a response from the client. If this number is reached with no response from the client, the server ends the session and disconnects the client. Specify the message interval using ClientAliveInterval. The default is 3.
Note: These settings affect the SSH connection and messages are sent through the SSH tunnel.
Sets the interval, in seconds, for sending client alive messages to the client. If the client is unresponsive for this interval, the server sends a message through the encrypted channel to request a response from the client. Use ClientAliveCountMax to specify how many messages the server sends without response before it ends the session and disconnects the client. The default is 0 (disabled).
This keyword is no longer used. Prior to version 7.2 SP1, you needed to set this keyword to 'yes' to enable verification of digital signatures using the MD5 hash. The server now always attempts verification using both SHA-1 and MD5, and allows authentication if either hash matches. This is equivalent to setting Compat.RSA.HashScheme to 'yes' in earlier versions. If Compat.RSA.HashScheme is present in a configuration file and set to 'no', the server now ignores this setting.
Specifies the level of compression. You can specify compression values 0-9. Increasing the value increases the amount of compression. Using higher values results in the use of less network bandwidth, but at the cost of more CPU cycles. Level 6 is equivalent to 'yes'. Level 0 is equivalent to 'no'. The default is 'yes' (6).
Use this keyword to deny login for specified user groups. Regular expressions are supported. For details, see Configuring User and Group Access. If this keyword is not configured, all groups are allowed to log in.
Use this keyword to deny login for specified client hosts. Regular expressions are supported. For details, see Configuring Client Host Access. If this keyword is not used, all client hosts are allowed.
Notes:
If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to 'yes'. You should also set RequireReverseMapping to 'yes' to prevent access from hosts whose domain name could not be resolved. When ResolveClientHostName is 'yes', the resolved name is the fully qualified domain name. This means that when RequireReverseMapping is 'yes', you must specify a fully qualified domain name or use a regular expression for the host name to ensure that connections from an IP address are handled correctly.
To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).
Use this keyword to deny port forwarding for specified user groups. Regular expressions are supported. For details, see Configuring User and Group Access.
Use this keyword to deny port forwarding for specified users. Regular expressions are supported. For details, see Configuring User and Group Access.
Use this keyword to deny login for specified users. Regular expressions are supported. For details, see Configuring User and Group Access. If this keyword is not configured, all users are allowed to log in.
Specifies whether all connections will be made using security protocols and algorithms that meet FIPS 140-2 standards. The allowed values are 'yes' and 'no'. The default is 'no'.
Sets specified file permissions on all files uploaded to the server using sftp or scp and overrides all other permission setting actions. Use a three-digit permission mode value. For example, if you set ForceSftpFilePermissions to 600, all uploaded files are set to 600 (-rw-------). In addition, if a user attempts to change the permissions on an existing file, that file is also set to 600, regardless of the permission value requested by the client user. This setting does not affect directory permissions.
When ForceSftpFilePermissions is configured:
All uploaded files are set to the specified value regardless of whether or not a file is newly created or overwrites an existing file.
The system UMASK setting is ignored.
Any chmod command executed by an sftp user ignores the user-specified value and changes the file's permissions to the value set by ForceSftpFilePermissions.
The -p option is ignored if it is used on the sftp or scp command line.
Use this keyword for detailed control over client access to port forwarding. Regular expressions are supported. The syntax is:
ForwardACL allow|deny local|remote user_ex forward_ex [origin_ex]
user_ex is a regular expression that determines which users are allowed or denied access to port forwarding. For details, see Configuring User and Group Access."
forward_ex is a regular expression in the form host%port. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the target host and port. If you are configuring remote forwarding control, the host is the server computer and the port is the port that server is forwarding to the client.
origin_ex is a regular expression that identifies an IP address. Its meaning depends on whether you are configuring restrictions on local or remote forwards. If you are configuring local forwarding control, it specifies the client machine making the forward request. If you are configuring remote forwarding control, it specifies the computer that is connecting to the forwarded port on the server.
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. The allowed values are 'yes' and 'no'. The default is 'no'.
Specifies an X.509 certificate to be used for server authentication. Specify the associated private key using HostKeyFile.
Specifies the filename and location of the private key used to authenticate the server. The default is /etc/ssh2/hostkey.
Specifies a host-specific subconfiguration file. The syntax is:
HostSpecificConfig host_expression subconfig_file
If the host expression matches the client host, the server uses the specified subconfiguration file.
If you configure a host expression using the domain name (rather than IP address), you must also set ResolveClientHostName to 'yes'.
Specifies whether Reflection for Secure IT uses HPN dynamic TCP window features to enhance performance. When HPNDisabled = 'no' (the default), Reflection for Secure IT adjusts the TCP window and TCP receive buffers to optimize performance. When HPNDisabled is 'yes', the receive buffer is set to 64 KB.
Specifies how long a connection can remain inactive before the server terminates the connection. To set the time in seconds use an s or nothing after the number. You can also specify a time in minutes (m), hours (h), days (d), or weeks (w). Use zero (0) to set no limit. The default is 0.
This keyword applies only to AIX systems. It specifies whether the 'rlogin' attribute in /etc/security/user should be ignored or applied. The allowed values are 'yes' and 'no'. The default is 'no', which means that the server honors the current 'rlogin' value.
Notes:
The 'login' attribute in /etc/security/user has no effect on remote logins made using the Secure Shell client. This is true regardless of the value of IgnoreRlogin.
On AIX systems IgnoreRlogin is ignored if AccountManagement is set to 'none.'
Specifies whether the system should send TCP keep alive messages to the other side. The server uses the system-wide value for how often the message is sent. The allowed values are 'yes' and 'no'. The default is 'yes'. Note: ClientAliveCountMax and ClientAliveInterval affect the SSH connection and messages are sent through the SSH tunnel. The KeepAlive setting affects the TCP connection, and is more vulnerable to spoofing because TCP messages are not sent in the secure tunnel.
Specifies which key exchange algorithms the server supports. Supported values are 'diffie-hellman-group-exchange-sha256','diffie-hellman-group-exchange-sha1','diffie-hellman-group14-sha1'. Multiple algorithms can be specified as a comma-separated list. The default value is 'diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'.
Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libgssapi_krb5.so
Use this setting if you use GSSAPI (Kerberos 5) authentication. It specifies the fully-qualified path to the Kerberos library called libkrb5.so.
Note: The server requires a library named libkrb5.so (or .sl on HP-UX PARISC). If a library of this name is not present, you need to create a symbolic link named libkrb5.so pointing to the actual library.
This keyword provides dynamic support for TCP Wrappers. To enable TCP Wrapper support, specify the fully qualified path to the libwrap shared library (for example, LibWrap=/usr/lib/libwrap.so). The libwrap file must be a shared library and not a static one. By default, this keyword is empty and the TCP Wrappers feature is disabled.
Note: Before using this keyword, you should confirm that the specified file is a valid libwrap library. This is important to ensure that only allowed users can connect. If the specified file doesn't exist, the sshd server won't start. However, if the file exists, sshd starts, but does not confirm that the file is a valid library. For each connection, the sshd process tries to load the specified file, and, if the file is not a valid library, the server logs an error message and allows the user to connect.
Specifies the address of the interface to which the sshd server socket is bound. You can specify values using either IPv4 or IPv6 format, or use 'any' (the default). The value 'any' configures the server to listen to any available IPv4 or IPv6 address (equivalent to '[::],0.0.0.0'). If you specify only IPv4 addresses, the client must connect using an IPv4 address. If you specify only IPv6 format, most operating systems will still allow IPv4 clients to connect; this is controlled by the operating system, not the Secure Shell server. You can optionally include a port in the address by adding a colon or space followed by the port number. This port value overrides the Port keyword setting. If you are specifying an IPv6 address, you need to surround the address with square brackets. For example:
IPv4 syntax: ListenAddress=209.85.171.99:6666
IPv6 syntax: ListenAddress=[::D155:AB63]:6666
ListenAddress interacts with the AddressFamily setting. When AddressFamily=inet, the ListenAddress value 'any' is equivalent to '0.0.0.0'. When AddressFamily=inet6, the ListenAddress value 'any' is equivalent to '[::]'. If AddressFamily is set to either 'inet' or 'inet6' and ListenAddress specifies an address of a different family, sshd will fail to start because of a configuration file error. If you specify a host name for ListenAddress rather than an IP address, the AddressFamily restrictions require that the host name be associated with an address of the appropriate family; and the server will bind to that address.
Note: Values set with this keyword are cumulative; you can set multiple values by configuring this keyword multiple times in one or more configuration files.
Specifies whether the Serial Number and Subject of certificates used for authentication are logged to the system log. Messages are logged for both successful and failed attempts. The allowed values are 'yes' and 'no'. The default is 'yes'.
Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit. The default is 120.
Sets the verbosity level used for sshd messages logged to syslog. Allowed values are 'fatal', 'error', 'quiet', 'info', 'verbose', 'debug1' ('debug' and 1 are equivalent), 'debug2' (2 is equivalent), 'debug3' (3 is equivalent), and 'trace' ('debug99' and 99 are equivalent). The syslog level associated with these values is CRIT for fatal, ERROR for error and quiet, INFO for info and verbose, and DEBUG for debug1, debug2, debug3, and trace. The default is 'error'.
Note: Setting logging to 'trace' can increase your security risk. At this level, information leakage is a concern, as unencrypted protocol information may be written out. Also, the volume of information written may fill up disk space rapidly, potentially causing the host or Reflection for Secure IT to stop responding.
Specifies whether public key fingerprints used for authentication are logged to the system log. Messages are logged for both successful and failed attempts. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies, in order of preference, which MACs (hashed message authentication codes) the server allows for verifying data integrity. Allowed values are 'hmac-sha256', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96', 'hmac-sha512', and 'hmac-ripemd160'. Use 'AnyMac' to support all of these. Use 'AnyStdMac' to specify 'hmac-sha256, hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96, hmac-sha512'. Specifying hmac-sha256 also enables hmac-sha2-256. Specifying hmac-sha512 also enables hmac-sha2-512. Multiple MACs can also be specified as a comma-separated list. Additional options are 'none', 'any' (equivalent to AnyMac plus 'none'), and 'AnyStd' (equivalent to 'AnyStdMac' plus 'none'). When 'none' is the agreed on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include 'none' are not recommended. The default is 'AnyStdMac'.
Sets the maximum number of client connections allowed. Use zero (0) to set no limit. The default is 50.
Specifies the maximum number of multiplexed sessions supported over a single TCP connection. (Multiplexing can be enabled on Reflection for Secure IT clients using the ConnectionReuse keyword.) The range of values is 0-10. The default is 10. Setting this value to 1 disables connection reuse. Setting this keyword to 0 disables all connections.
Specifies the maximum number of concurrent unauthenticated connection attempts allowed. After this limit is reached additional connections are dropped until authentication succeeds or the LoginGraceTime limit is reached for a connection attempt. The default is 10.
Specifies the name of the PAM (Pluggable Authentication Modules) service used for authentication and sessions. The default is 'ssh'.
Specifies the name of an optional PAM service to be used for internal processes. You can use the specified service to provide additional account and session management. For example:
PamServiceNameForInternalProcesses ssh-shell
In this case, all users still go through the service specified by PamServiceName ("ssh" by default). Shell and exec users will also go through the “ssh-shell” service.
Note: The specified PAM service will always support PAM account and session management and may support authentication management on particular platforms (Linux and AIX, but not Solaris). Because authentication management may or may not be used depending on the platform, it should always be set to pam_permit.so so that access to the system can be configured using account and session management.
Specifies the name of an optional PAM service to be used for subsystems. You can use the specified service to provide additional account and session management. The syntax is:
PamServiceNameForSubsystems subsystem PAMservicename
For example, You could use the following to provide additional account and session management for SFTP connections:
PAMServiceNameforSubsystems sftp ssh-sftp
In this case, all users still go through the service specified by PamServiceName ("ssh" by default). SFTP users will also go through the "ssh-sftp" service.
Note: The specified PAM service will always support PAM account and session management and may support authentication management on particular platforms (Linux and AIX, but not Solaris). Because authentication management may or may not be used depending on the platform, it should always be set to pam_permit.so so that access to the system can be configured using account and session management.
Sets the maximum number of attempts the user is allowed for password authentication. The default is 3.
Specifies whether the server allows password authentication by users with empty (null) passwords. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies whether client users with root privileges can log in. The allowed values are 'yes', 'no', and 'without-password'. If you specify 'without-password', a user can log in with root privileges only if 'public key' or 'GSSAPI' authentication methods are used to authenticate the user. The default is 'yes', which allows root login for all authentication methods.
Specifies the file that contains the process ID of the sshd daemon. Use a fully qualified path. If the file name contains the string %s, the string will be replaced by the server port number.
Specifies the port used to connect to PKI Services Manager. Use the format host:port. The default is localhost:18081. If you specify a host and omit the port, the default PKI Services Manager port (18081) is used.
Specifies the name and location of the public key used by to confirm the identity of Reflection PKI Services Manager. The default is /install-directory/pkid/config/pki_key.pub.
Specifies the port on which the server listens. The default is 22, which is the standard port for Secure Shell connections.
Specifies whether the Reflection for Secure IT server displays the date and time of the last user login when a user logs in interactively. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies whether the server prints the message-of-the-day text from the file /etc/motd when a user logs into a terminal session. (This setting does not override the display of /etc/issue.) The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies the software version portion of the string that the server sends to clients during the initial connection protocol. (The first part of the string is always "SSH-2.0-", which indicates the SSH version supported by the server. This is required by the protocol RFC and cannot be edited.) Use double quotation marks if the string includes spaces. When ProtocolVersionString is an empty string (the default), the software version portion of the string is generated automatically, and includes the server's version and build number. This number will be updated automatically when you upgrade your server software.
Note: Many clients use the protocol string to identify the server type and enable compatible features. Changing the default value may cause public key authentication to fail, and may also affect the functionality of other features that vary between servers.
This keyword is deprecated. Use LogLevel.
Specifies the name of the file used for configuring RADIUS authentication. The file is assumed to be relative to /etc/ssh2 unless you specify an absolute path. For file syntax, see /etc/ssh2/radius_config in the FILES section. There is no default; this keyword can have no value.
Specify the interval (in seconds) after which the server initiates a new key exchange. Setting this value too low can make communication between the client and server impossible. To avoid this problem, it is recommended that you avoid specifying an interval of less than 200 seconds. Use 0 (zero) to turn off rekey requests initiated by the server. Using 0 does not prevent the client from requesting a rekey. The default is 3600.
Use this keyword to require one or more client authentication methods. All specified authentication methods must succeed before a user is considered authenticated. The supported authentication methods are 'gssapi-keyex', 'gssapi-with-mic', 'publickey', 'keyboard-interactive', and 'password'.
Note: RequiredAuthentications overrides AllowedAuthentications.
Specifies whether DNS lookup must succeed when checking whether connections from client hosts are allowed. To enable this feature you also need to set ResolveClientHostName to 'yes'. The allowed values are 'yes' and 'no'. The default is 'no'.
Specifies whether the server attempts to resolve the client IP address to a domain name. Setting this to 'yes' may slow down the connection time, but is required if you configure any keywords to match host names based on domain name, rather than IP address. (See AllowHosts, DenyHosts, UserSpecificConfig, and HostSpecificConfig.) Setting this keyword to 'yes' also means that DNS names appear in the log rather than IP addresses. The allowed values are 'yes' and 'no'. The default is 'yes'.
Note: When ResolveClientHostname is 'yes', the resolved name is always the fully qualified domain name. This means that you must use a fully qualified domain name with any keywords in which you specify a host name, or use a regular expression to ensure that host names are handled correctly.
Specifies what session types the server allows. The possible values are 'shell' (which allows terminal shell sessions), 'exec' (which allows the client to execute commands on the server), and 'subsystem' (which is required to support sftp and scp transfers from Reflection for Secure IT clients). The default is 'shell, exec, subsystem'.
Note: For OpenSSH-style clients 'subsystem' is required for sftp transfers; 'exec' is required for scp transfers.
Specifies which environment variables can be configured by the client. This value limits the scope of the client SetRemoteEnv keyword on the client and the user-specific environment file (~/.ssh2/environment). (Note: This setting does not affect variables configured in /etc/environment, /etc/ssh2/environment or other server files which can be controlled only by root.) The arguments must be uppercase. This keyword is enabled in the default configuration file and set to the following value: 'LANG, LC_ALL, LC_COLLATE, LC_CTYPE,LC_MONETARY, LC_NUMERIC, LC_TIME, PATH, TERM, TZ, UMASK'
Determines which categories of sftp server messages are sent to the facility specified by SftpSysLogFacility. Use a comma-separated list. The default is 'loginlogout,directorylistings,downloads,modifications,uploads', which configures logging of all categories. You can specify any of those options, plus 'all', or 'none'.
Specifies the facility code used for logging messages from the sftp-server subsystem. This value is empty by default. When this value is empty and LogLevel is not empty, logging goes to the AUTH facility. When SftpSysLogFacility and LogLevel are both empty, the server does no logging to syslog. When this value is 'none', Reflection for Secure IT disables logging to syslog (regardless of the LogLevel setting). Other valid values are platform-dependent. See syslog(3).Valid values are platform-dependent. See syslog(3). Setting this to "auth" puts the log messages in the same facility as the default for sshd.
Specifies the maximum SFTP protocol version supported by the server. Valid values are 3 and 4 (the default). If the client only supports an older version than what is specified in this setting, the version specified by the client is used.
Note: This keyword only affects connections when Subsystem-sftp is configured to use the default internal sftp-server (Subsystem-sftp internal://sftp-server). If you have configured an external sftp-server, use -v 3 or -v 4 to specify an SFTP version. For example, subsystem-sftp /usr/libexec/sftp-server -v 3.
Specifies whether the server performs checks for file equality before transferring data. When this keyword is 'yes' (the default), the server supports smart file copy (which enables skipping transfer of identical files) and checkpoint resume (which enables interrupted file transfers to resume at the point of interruption). When this keyword is 'no', Reflection for Secure IT always transfers the entire content of every file. Note: Smart file copy can be disabled on the client using SmartFileCopy. Checkpoint resume can be disabled on the client using CheckpointResume.
Specifies the directory permissions required for public key authentication. The allowed values are 'yes' and 'no'. The default is 'yes'. When set to 'yes', The user's directory (~/.ssh2) and all parent directories must be writable and executable only by the user (mode 744 is accepted). Recommended permissions for the user directory = 700. If these conditions aren't met, public key authentication fails. When set to 'no' these file permissions are not enforced and sensitive files and information could be compromised.
Note: Additional file permission requirements are enforced for each user's authorization file (~/.ssh2/authorization) regardless of the current StrictModes setting. This file must be configured to prevent group and public write access (600 is recommended, 644 is accepted). If the authorization file is not sufficiently restricted, public key authentication will always fail.
Specifies a subsystem to export to the client. The argument specifies the command to execute when the client requests the subsystem. The separator character following the keyword can be a dash, an equals sign, or a space.
To support sftp and scp transfers, the sftp-server subsystem must be specified. The default configuration shown below executes the sftp service internally in the child process.
Subsystem-sftp internal://sftp-server
Specifies the facility code used for logging messages from the server. The default is 'AUTH'. When this value is 'none', Reflection for Secure IT disables logging to syslog. Other valid values are platform-dependent. See syslog(3).
Note: Setting this value to 'none' is not recommended because it means you have no audit log of connection attempts or user logins. In the event of a denial-of-service attack, an audit log can help identify a set of IP addresses connecting excessively. An audit log can also provide important evidence if a user falsely claims to not have accessed your system (non-repudiation).
Note: The debugging level you specify for writing to this log can have security ramifications. For more information see LogLevel.
This keyword is no longer supported. Use Reflection PKI Services Manager to configure trust anchors.
Specifies whether login(1) is used for interactive login sessions. The allowed values are 'yes' and 'no'. The default is 'no'.
Notes:
login(1) is never used for remote command execution.
Enabling this setting disables X11Forwarding because login(1) does not know how to handle xauth(1) cookies.
Using login(1) disables privilege separation. By default, sshd creates a new process that has the privilege of the authenticated user after a successful authentication. This is done to prevent privilege escalation by containing any corruption within the unprivileged processes. Enabling UseLogin disables this functionality.
This setting provides an alternate way to configure the server to use PAM. The allowed values are 'yes' and 'no'. If UsePam is not configured, the server uses the current values of AuthKbdInt.Required, AccountManagement, and UsePamSessions. Setting this keyword to 'yes' is equivalent to setting AuthKbdInt.Required=pam, AccountManagement=pam, and UsePamSessions=yes. Setting this keyword to 'no' is equivalent to setting AuthKbdInt.Required=password, AccountManagement=password, and UsePamSessions=no.
Note: If you modify UsePAM, be sure that none of the related keywords are set after UsePAM in the configuration file. If AuthKbdInt.Required, AccountManagement, or UsePamSessions is set to a conflicting value after UsePAM, that value overrides the value configured by UsePAM because the last value read by the server is the one it uses.
This keyword is deprecated. Setting it to 'yes' is equivalent to setting AccountManagement=pam.
Specifies whether or not PAM is used for session management. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies the directory used for user-specific information. This directory contains the authentication file (required for key authentication) and other user-specific files listed in the FILES section. The following macros are recognized: %U = user log-in name, %D = user's home directory, %IU = UID for user, %IG = GID for user. The default is '%D/.ssh2'.
Specifies a user-specific configuration file. The syntax is:
UserSpecificConfig user_expression sub config_file
If the user expression matches the user attempting a connection, the server uses the specified subconfiguration file.
Note: If you configure the host portion of this expression to match based on host domain name (rather than IP address), you must also set ResolveClientHostName to 'yes'.
This keyword is deprecated. Use LogLevel.
Sets the first display number available for X11 forwarding by the server. The default is 10.
Specifies whether the server should bind X11 forwarding to the loopback address or to the wildcard address. The allowed values are 'yes' and 'no'. The default is 'yes'.
Specifies the location of the xauth(1) program. The default (for example /usr/X11R6/bin/xauth) is system-dependent.