|
Server Configuration Parameters
Some of the server configuration parameters that you can modify are
as follows: AccountingAuthentications Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey,
password, hostbased. The keyword none explicitly
disables all SSH authentication methods. | Default: publickey, password, hostbased | Description: Specifies the authentication methods for which accounting
data is updated. | The following command displays the contents of the intrusion database: ACCOUNTING |
AllowedAuthentications Specifies the authentication methods the server will allow. Allowed values: password, publickey, hostbased, gssapi-with-mic, kerberos-2@ssh.com, kerberos-tgt-2@ssh.com Default: hostbased,password,publickey Description: Specifies the authentication methods the server will accept. The keyword all is equivalent to publickey,
password, hostbased. The keyword none explicitly
disables all SSH authentication methods. AllowGroups The groups in the AllowGroups list are specified
by the decimal representation that is the group portion of the UIC. That is,
if a user's UIC is [777,42], the following syntax allows the user and all
other users with UIC [777,*]: AllowNonvmsLoginWithExpiredPw Allowed values: yes, no | Default: no | Description: Controls behavior when a different SSH client implemention
attempts to establish an SSH connection to an OpenVMS server account with
an expired password. The password change option is implemented for OpenVMS-to-OpenVMS
connections only. The value yes allows clients to connect
with the following warning message and sets the pwd_expired flag
in the user's SYSUAF record: WARNING - Your password has expired;
update immediately with SET PASSWORD! The value no rejects
the login. The SSH client implementation must support the CHANGEREQ mechanism
(message type 60) to update passwords. |
AllowVmsLoginWithExpiredPw Allows OpenVMS users to change expired passwords, if required. If the
value is No, the login is rejected. For a user to be allowed to make a connection (from either an OpenVMS
client or from a different SSH implementation) with an expired password, the
OpenVMS account must set the DISFORCE_PWD_CHANGE flag. To set this flag,
enter the following command: $ MCR AUTHORIZE MODIFY USERNAME /FLAG=DISFORCE_PWD_CHANGE
|
When you log in to an account with an expired password, the following
message is displayed: WARNING - Your password has expired; update immediately with SET PASSWORD!
|
AllowX11Forwarding Enables X11 port forwarding. DenyGroups The groups in the DenyGroups list are specified by
the decimal representation that is the group portion of the UIC. That is,
if a user's UIC is [777,42], the following syntax denies the user and all
other users with UIC [777,*]: IntrusionAuthentications Allowed values: password, publickey, hostbased, all, none | Default: password | Description: Specifies the methods for which the server intrusion
database is updated for the user in case of login failure. | The following command displays the contents of the intrusion database: SHOW
INTRUSION |
IntrusionIdentLocalUser Allowed values: yes, no | Default: yes | Description: Controls whether intrusion identification records are
identified by IP address or user name. Set to yes,then the server uses the
lcal user name in intrusion records. If this parameter is set to no, uses
SSH_xxxxxxxx, where xxxxxxxx is
the intruder's IP address. |
IntrusionIdentMethod Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey,
password, hostbased. The keyword none explicitly
disables all SSH authentication methods. | Default: publickey, password, hostbased | Description: For entries in the intrusion database, this option controls
whether the authentication method is included in the text of the intrusion
Source (as displayed by the SHOW INTRUSION command). The value of this option
is ignored if IntrusionAuthentications and IntrusionIdentSsh are
not both active for the specified method. | The following command displays the contents of the intrusion database: $
SHOW INTRUSION |
IntrusionIdentSSH Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey,
password, hostbased. The keyword none explicitly
disables all SSH authentication methods. | Default: publickey, password, hostbased | Description: For entries in the intrusion database, this option controls
whether the string SSH_ is included in the text of the intrusion "Source"
(as displayed by the SHOW INTRUSION command). The value of this option is
ignored if the IntrusionAuthentications is not active for
the specified method. | The following command displays thecontents of intrusion database: $
SHOW INTRUSION |
LogfailAuthentications Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey,
password, hostbased. The keyword none explicitly
disables all SSH authentication methods. | Default: password | Description: Specifies the authentication methods for which the SYSUAF
login failure count is updated for the user. The following command displays
the number of login failures: MCR AUTHORIZE SHOW username. |
PasswordGuesses Specifies the number of times the user can enter an incorrect password. IntrusionIdentLocalUser Uses the local user name in the intrusion record. If set to No, uses SSH_xxxxxxxx (where xxxxxxx is the IP address of the remote host, in hexadecimal
format). The default is Yes. IgnoreRhosts Specifies that the SHOSTS.EQUIV file be used to allow a user from one
system to log in as a different user from another host. If this parameter
is set to No, the user-specific SHOSTS. file is used. PubkeyPassphraseGuesses Allowed values: Integers greater than 0 | Default: 3 | Description: Specifies the number of times the client user is allowed
to enter the passphrase associated with public/private key pair. Used for
public key authentication method only. In the server configuration file, this
value affects all clients, including those on OpenVMS systems. | When the value is different on an OpenVMS client and the associated
OpenVMS server, the lower value takes precedence. | Each prompt for passphrase is of the following format: Passphrase
for key "ssh2/KAREN-SELFDBOB_SQA_UCX_ABC_ACME_COM"with comment "1024-bit dsa,
karen@dbob.sqa.ucx.abc.acme.com,Wed May 21 2003 12:42:14": |
UserLoginLimit Allowed values: integers from -1 to 8192 | Default: -1 | Description: Controls the number of times individual users can be
logged in. If the value is -1, the system-wide limit on interactive logins
(SYSGEN parameter IJOBLIM) applies. If the value is greater than zero, the
number specifies the maximum number of times that an individual user can log
in. | -1 = no limit on specific users | 0 = disable all users | 1 - 8192 = number of logins permitted for individual
users | To display details on login processes for USER, enter the following
command:$ SHOW USER /FULL /NODE=serverhost |
|
|