Skip to content

Files Used by the Server

The server uses configuration files in /opt/microfocus/rsit/etc for all connections. Files in user-specific directories (~/.ssh2 by default) apply to connections from individual client users.

System-wide server files

/opt/microfocus/rsit/etc/sshd2_config

The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.


/opt/microfocus/rsit/etc/hostkey

The default private key of the public/private key pair used to identify the server to clients. This file should be readable and writable only by root. This file must be limited to user-only read and write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.


/opt/microfocus/rsit/etc/hostkey.pub

The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.


/opt/microfocus/rsit/etc/subconfig

Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.

/opt/microfocus/rsit/etc/subconfig/subconfig_file

User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5).

  • /opt/microfocus/rsit/etc/environment If this file is present, it sets environment variable settings to use for all Secure Shell client connections to this server. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment. If the same environment variable is configured in this global file and also in a user-specific environment file (~/.ssh2/environment), the user-specific value overrides the global value. The pound sign (#) marks comment lines. The syntax is:

    environment_variable=value
    
  • /etc/nologin
    Limits login to root. If this file exists, only root is allowed to login. The text of nologin is displayed to anyone else who attempts to log in.

  • piddir/sshd2_22.pid
    Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword.

  • /etc/motd
    The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display.

  • /opt/microfocus/rsit/etc/radius_config A user-created file listing one or more RADIUS authentication servers. The file name suggested above is not required. After you create this file, use the RadiusFile keyword to specify your file name. For each RADIUS server, you need to enter the name, port, and shared secret. Recommended permissions = 600. The syntax is:

    server1:port1:shared_secret1
    server2:port2shared_secret2
    

User-specific server files

  • ~/.ssh2
    The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700.

  • ~/.ssh2/authorization
    The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. This file must be limited to user-only write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.

    The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:

    key

    Specifies keys the server will accept for this user. The format for key entries is "key" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory (~/.ssh2 by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.

    key mykey.pub
    key id_rsa_2048_a.pub
    

    options

    Use this optional keyword to specify options that apply to the preceding key. All options for a given key must be configured on a single line. White space is allowed. Options must be configured on the line immediately following the line containing the key. The format is:

    Options option_keyword="arg", [option_keyword="arg"],...
    

    Three Options keywords are supported: command, allow-from, and deny-from

    command command

    The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.

    key mykey.pub
    options command="sh myscript"
    

    allow-from IP-address

    The key is allowed only for connections from the specified IP address. For example, the following configuration allows the specified key to be used only for connections from IP addresses starting with "150." and "10.10.".

    Key /home/joe/.ssh/mykey.pub
    

    options allow-from="150\..*,10\.10\..*"

    deny-from IP-address

    The key is not allowed for connections from the specified IP address.

    Note: To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).

  • ~/.hushlogin
    If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check.

  • ~/.ssh2/environment
    If this file is present, it sets environment variables to set for this user at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644.

Note

Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login and /etc/environment, and also override settings configured in the global file (/opt/microfocus/rsit/etc/environment). The pound sign (#) marks comment lines. The syntax is:

environment_variable=value

More information