
HP OpenVMS Systems Documentation


Server Configuration File


The following is an example of a typical SSH server configuration file.

# SSH CONFIGURATION FILE FORMAT VERSION 1.1
# REGEX-SYNTAX egrep
# end of metaconfig
# (do not change above lines!)
#
# File name:      SSHD2_CONFIG.
# Product:        HP TCP/IP Services for OpenVMS
# Version:        T5.6-3D
#
#  Copyright 1976, 2005 Hewlett-Packard Development Company, L.P.
#
#
# ssh 3.2 server configuration file
#
# Reading notes: lines beginning with "#" are comments; an indented
# keyword without "#" is an active setting. Patterns used by keywords in
# this file (AllowHosts, AllowUsers, ForwardACL, ...) are egrep regular
# expressions per the REGEX-SYNTAX line above, so "." matches any
# character unless it is written as "\." (see the examples further down).
## General
# Host key pair that identifies this server to clients. The private half
# (hostkey) must be readable only by the server account: anyone holding
# a copy of it can impersonate this server to its clients.
    HostKeyFile                         hostkey
    PublicHostKeyFile                   hostkey.pub
    RandomSeedFile                      random_seed
# No pre-authentication banner is configured; uncomment one of the two
# lines below if a notice must be shown to clients before they log in.
#   BannerMessageFile                   /etc/ssh2/ssh_banner_message
#   BannerMessageFile                   /etc/issue.net
#   SftpSyslogFacility                  LOCAL7
# Server log messages go to the AUTH syslog facility. VerboseMode is
# off, i.e. no extra (debug-level) logging beyond the default.
    SyslogFacility                      AUTH
#   SyslogFacility                      LOCAL7
#   QuietMode                           no
    VerboseMode                         no
## Network

# Listens on TCP port 22 on every local address ("any"); set
# ListenAddress to one address when only a single interface should
# accept SSH connections.
    Port                                22
    ListenAddress                       any
# A reverse DNS mapping of the client address is not required, so
# clients without one can presumably still connect -- confirm in the
# product documentation. Host patterns written against names (rather
# than "\i" address patterns) are only as trustworthy as that lookup.
    RequireReverseMapping               no
#   ResolveClientHostName               yes
    MaxBroadcastsPerSecond              0
#   MaxBroadcastsPerSecond              1
#   NoDelay                             no
#   KeepAlive                           yes
# No MaxConnections is active in this example; consider an explicit cap
# so that a burst of connection attempts cannot exhaust server resources.
#   MaxConnections                      50
#   MaxConnections                      0
# 0 == number of connections not limited


## Crypto

# "AnyCipher" presumably admits every cipher the server supports. Only
# "AnyStd" is documented below as including the "none" (cleartext)
# cipher; what AnyCipher admits beyond AnyStdCipher is not stated in
# this file, so prefer AnyStdCipher or an explicit list (e.g. 3des as
# shown) unless the wider set is deliberately wanted.
    Ciphers                             AnyCipher
#   Ciphers                             AnyStdCipher
#   Ciphers                             3des
# Following includes "none" 'cipher':
#   Ciphers                             AnyStd

# Same structure for integrity algorithms. "AnyStd" admits a "none" MAC,
# which leaves the session without integrity protection.
    MACs                                AnyMAC
#   MACs                                AnyStdMAC
# Following includes "none" 'mac':
#   MACs                                AnyStd

# No rekey interval is active; uncomment to renew session keys hourly.
#   RekeyIntervalSeconds                3600


## User

    CheckMail                           yes
    PrintMotd                           yes
# StrictModes is left at its default here. When set to "yes" it
# presumably rejects per-user files with unsafe file protections --
# confirm in the product documentation before relying on it.
#   StrictModes                         yes
# Specifies 1 hour
# (you can also use 'w' for week, 'd' for day, 'm' for minute, 's' for seconds)
#   IdleTimeOut                         1h
# without specifier, the default number is in seconds
#   IdleTimeOut                         3600
# No IdleTimeOut is active in this example; uncomment one of the lines
# above to have idle sessions disconnected.

# Per-user configuration (the AuthorizationFile and user keys) is read
# from "%Dssh2"; %D presumably expands to the user's login directory --
# confirm.
    UserConfigDirectory                 "%Dssh2"
#   UserConfigDirectory                 "/etc/ssh2/auth/%U"
    AuthorizationFile                   authorization

# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
# Entries are egrep patterns matching the variable names a client may
# set. PATH is included: a client-chosen PATH can change which image a
# forced or subsystem command resolves to, so remove it if that is not
# intended.
    SettableEnvironmentVars             LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ


## Tunneling

# X11 and TCP port forwarding are enabled for every user, and none of
# the per-user/per-group lists or ForwardACL rules below are active, so
# any authenticated user can tunnel arbitrary TCP connections through
# this host. Use the directives below to narrow that where it is not
# wanted.
    AllowX11Forwarding                  yes
    AllowTcpForwarding                  yes

#   AllowTcpForwardingForUsers          sjl, cowboyneal@slashdot\.org
#   DenyTcpForwardingForUsers           2[[:digit:]]*4,peelo

#   AllowTcpForwardingForGroups         privileged_tcp_forwarders
#   DenyTcpForwardingForGroups          coming_from_outside

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).

#   ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)

# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:

#   ForwardACL allow local s.*%10 proxy\.company\.com%8080

# Remote port forwarding is denied for all users to all hosts:
#   ForwardACL                          deny remote .* .*


## Authentication
## hostbased, publickey and password are allowed by default

#   AllowedAuthentications              hostbased, publickey, password
#   AllowedAuthentications              publickey
# Methods a client may use on this server: GSSAPI, the two Kerberos
# variants, public key and password. Hostbased is not in the active
# list. Because password authentication stays enabled, PasswordGuesses
# (below) and LoginGraceTime are the limits that apply to guessing.
   AllowedAuthentications       gssapi-with-mic, kerberos-tgt-2@ssh.com, kerberos-2@ssh.com, publickey, password

# NOTE(review): keyword spelling corrected to RequiredAuthentications.
# It presumably lists methods a client must all pass, as opposed to
# AllowedAuthentications, which lists the ones it may use -- confirm.
#   RequiredAuthentications             publickey, password
#   LoginGraceTime                      600
#   AuthInteractiveFailureTimeout       2

#   HostbasedAuthForceClientHostnameDNSMatch no
#   UserKnownHosts                      yes
#
# AuthPublicKey.MinSize is not set, so presumably no minimum size is
# enforced on user public keys (0 = no limit) -- confirm.
#   AuthPublicKey.MaxSize               0
#   AuthPublicKey.MinSize               0
# Agent forwarding is allowed: a user's authentication agent becomes
# reachable from this host for the life of the session, so anyone able
# to act as that user on this host can authenticate onward with it.
    AllowAgentForwarding                yes

#   AuthKbdInt.NumOptional              0
#   AuthKbdInt.Optional                 pam, password
#   AuthKbdInt.Required                 password
#   AuthKbdInt.Retries                          3

# Empty passwords are left at the default (the commented value is "no").
#   PermitEmptyPasswords                no
# At most 3 password attempts, presumably per connection -- confirm.
    PasswordGuesses                     3


## Host restrictions

# Intended to admit connections from every host: "localhost" plus "*".
# Patterns are egrep expressions (see the examples below), so verify how
# the product treats a bare "*" rather than assuming shell-wildcard
# semantics. Replace it with explicit name, "\i" or "\m" patterns, or
# add DenyHosts, when only known networks should reach this server.
    AllowHosts                          localhost, *

## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.

##  AllowHosts                          t..l.\..*

## The following matches any numerical IP-address (yes, it is cumbersome)

##  AllowHosts                          ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}

## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
 # IP-addresses.   Using the above example:
#
#   AllowHosts                          \i.*
#
# You can probably see the difference between the two.
#
# Also, you can use subnet masks, by using prefix "\m"
#
#   AllowHosts                          \m127.0/8
#
#   AllowHosts                          \m127.0.0.0/24
#
# would match localhost ("127.0.0.1").
#
# None of the deny lists below are active. "\i"/"\m" address patterns do
# not depend on DNS; name-based patterns do (RequireReverseMapping is
# "no" in the Network section).
#   DenyHosts                           evil\.org, aol\.com
#   AllowSHosts                         trusted\.host\.org
#   DenySHosts                          not\.quite\.trusted\.org
#   IgnoreRhosts                        no
#   IgnoreRootRHosts                    no
#
# (the above, if not set, is defaulted to the value of IgnoreRHosts)


## User restrictions

# No user or group allow/deny list is active, so nothing in this file
# restricts which accounts may log in over SSH.
#   AllowUsers                          sj.*,s[[:digit:]]*,s(jl|amza)
#   DenyUsers                           skuuppa,warezdude,31373
#   DenyUsers                           don@untrusted\.org
#   AllowGroups                         staff,users
#   DenyGroups                          guest,anonymous
# Root login is permitted with any allowed method, including password.
# The "nopwd" value (commented below) presumably limits root to
# non-password methods -- confirm; prefer it, or "no", on exposed hosts.
    PermitRootLogin                     yes
#   PermitRootLogin                     nopwd


## Chrooted environment

# No users or groups are confined to a chrooted environment here.
#   ChRootGroups                        sftp,guest
#   ChRootUsers                         anonymous,ftp,guest


## SSH1 compatibility

# SSH1 compatibility is left at its default (the commented value is
# "no"); keep it off unless legacy SSH1 clients are required.
#   Ssh1Compatibility                   no
#   Sshd1Path                           <set by configure by default>

# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.

#   Sshd1ConfigFile                     /etc/sshd_config_alternate


## Subsystem definitions

# Subsystems don't have defaults, so this is needed here (uncommented).

# The sftp subsystem runs an external image that the server executes
# for every sftp session; the image and its directory must not be
# writable by unprivileged users.
    subsystem-sftp                      /sys$system/tcpip$ssh_sftp-server2
# Also internal sftp-server subsystem can be used.

#   subsystem-sftp                      internal://tcpip$ssh_sftp-server2


## Subconfiguration

# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.
# (Because the last value wins, a subconfiguration file can relax any
# setting made here; review those files with the same care as this one.)

# Following matches (from) any host
#
#   HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
#   HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]

#   UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /etc/ssh2/subconfig/user.example

# Following matches to the user anonymous from any host

#   UserSpecificConfig anonymous@.* /etc/ssh2/subconfig/anonymous.example


## OpenVMS auditing and access control

#   AllowVmsLoginWithExpiredPw          no
#   AllowNonvmsLoginWithExpiredPw       no
#   UserLoginLimit                      -1
#
#   V5.5-02 Change pubkey to publickey
# The three lists below name the authentication methods whose attempts
# are, presumably, recorded in accounting, counted by intrusion
# detection, and written to the login-failure log respectively --
# confirm. They include hostbased (not in AllowedAuthentications) but
# omit gssapi-with-mic, which is allowed; verify that GSSAPI failures
# are still audited as intended.
   AccountingAuthentications           kerberos-tgt-2@ssh.com, kerberos-2@ssh.com, publickey, password ,hostbased
   IntrusionAuthentications            kerberos-tgt-2@ssh.com, kerberos-2@ssh.com, publickey, password ,hostbased
#   IntrusionIdentMethod                publickey,password,hostbased
#   IntrusionIdentSsh                   publickey,password,hostbased
   LogfailAuthentications              kerberos-tgt-2@ssh.com, kerberos-2@ssh.com, publickey, password ,hostbased
#   PubkeyPassphraseGuesses             3
# NOTE(review): these presumably control whether GSSAPI error details
# and error tokens are returned to the client; anything sent before
# authentication completes is visible to unauthenticated peers -- confirm
# what is disclosed before enabling on exposed hosts.
GssapiSendError yes
GssapiSendErrtok yes