Files Used by the Server
The server uses configuration files in /opt/microfocus/rsit/etc
for all connections.
Files in user-specific directories (~/.ssh2
by default) apply to connections from individual client users.
System-wide server files
/opt/microfocus/rsit/etc/sshd2_config
The global server configuration file. This file must not be writable by group or other. For file format and supported settings see sshd2_config(5). Recommended permissions = 644.
/opt/microfocus/rsit/etc/hostkey
The default private key of the public/private key pair used to identify the server to clients. This file should be readable and writable only by root. This file must be limited to user-only read and write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.
/opt/microfocus/rsit/etc/hostkey.pub
The default public key of the public/private key pair used to authenticate the server to clients. Recommended permissions = 644.
/opt/microfocus/rsit/etc/subconfig
Directory for optional user-specific and host-specific subconfiguration files. Recommended permissions = 700.
/opt/microfocus/rsit/etc/subconfig/subconfig_file
User-specific and host-specific subconfiguration files. For details see SUBCONFIGURATION FILES in sshd2_config(5).
-
/opt/microfocus/rsit/etc/environment
If this file is present, it sets environment variable settings to use for all Secure Shell client connections to this server. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644. Note: Environment variable settings specified in this file override any values configured in standard system files such as/etc/default/login
and/etc/environment
. If the same environment variable is configured in this global file and also in a user-specific environment file (~/.ssh2/environment
), the user-specific value overrides the global value. The pound sign (#) marks comment lines. The syntax is:environment_variable=value
-
/etc/nologin
Limits login to root. If this file exists, only root is allowed to login. The text ofnologin
is displayed to anyone else who attempts to log in. -
piddir/sshd2_22.pid
Contains the PID of the process listening for incoming connections. The PID directory is determined by your operating system. The port number (22 by default) encoded in this name is determined by the value of the Port keyword. You can specify a different name or location using the PidFile keyword. -
/etc/motd
The message-of-the-day file. The text of this file is displayed when a user logs in. The PrintMotd keyword can be used to turn off this display. -
/opt/microfocus/rsit/etc/radius_config
A user-created file listing one or more RADIUS authentication servers. The file name suggested above is not required. After you create this file, use the RadiusFile keyword to specify your file name. For each RADIUS server, you need to enter the name, port, and shared secret. Recommended permissions = 600. The syntax is:server1:port1:shared_secret1 server2:port2shared_secret2
User-specific server files
-
~/.ssh2
The default directory for user-specific files on the server. (You can specify a different location with the UserConfigDirectory keyword.) Recommended permissions = 700. -
~/.ssh2/authorization
The default client authorization file. (You can specify a different file with the AuthorizationFile keyword.) This file is required for Secure Shell public key authentication of client users. Each user must have an authorization file in that user's directory. This file must be limited to user-only write access. If permissions are not sufficiently restricted, public key authentication will fail. Recommended permissions = 600.The file contains a list of key files that the server will use during public key authentication. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails. Keywords are not case sensitive and the pound sign (#) marks comment lines. The supported keywords are:
key
Specifies keys the server will accept for this user. The format for key entries is "
key
" followed by the name of a file that contains a public key. Keys are assumed to be in the user-specific configuration directory (~/.ssh2
by default) unless you specify an absolute path. For example, the following lines authorize the user to authenticate using either of the specified keys.key mykey.pub key id_rsa_2048_a.pub
options
Use this optional keyword to specify options that apply to the preceding key. All options for a given key must be configured on a single line. White space is allowed. Options must be configured on the line immediately following the line containing the key. The format is:
Options option_keyword="arg", [option_keyword="arg"],...
Three Options keywords are supported: command, allow-from, and deny-from
command command
The specified command is executed on the remote host, then the connection is closed. For example, with this configuration, the script "myscript" runs whenever mykey.pub is used for authentication.
key mykey.pub options command="sh myscript"
allow-from IP-address
The key is allowed only for connections from the specified IP address. For example, the following configuration allows the specified key to be used only for connections from IP addresses starting with "150." and "10.10.".
Key /home/joe/.ssh/mykey.pub
options allow-from="150\..*,10\.10\..*"
deny-from IP-address
The key is not allowed for connections from the specified IP address.
Note: To configure addresses in any allow or deny list, both IPv4 and IPv6 addresses must be specified. This is particularly important if you are configuring a deny list to ensure that access is blocked. To configure localhost in any allow or deny list, include IP addresses for all external interfaces and also the local loopback address (127.0.0.1 and 0:0:0:0:0:0:0:1).
-
~/.hushlogin
If this file is present, it suppresses display of the user's last login, the message of the day, and the mail check. -
~/.ssh2/environment
If this file is present, it sets environment variables to set for this user at login. (The keyword SettableEnvironmentVars controls which environment variables can be set.) Recommended permissions = 644.
Note
Environment variable settings specified in this file override any values configured in standard system files such as /etc/default/login
and /etc/environment
, and also override settings configured in the global file (/opt/microfocus/rsit/etc/environment
). The pound sign (#) marks comment lines. The syntax is:
environment_variable=value
More information