# SSH CONFIGURATION FILE FORMAT VERSION 1.1
# REGEX-SYNTAX egrep
# end of metaconfig
# (do not change above lines!)
#
# File name: SSHD2_CONFIG.
# Product: HP TCP/IP Services for OpenVMS
# Version: V5.7-ECO1
#
# © Copyright 1976, 2009 Hewlett-Packard Development Company, L.P.
#
#
# ssh 3.2 server configuration file
#

## General

HostKeyFile hostkey
PublicHostKeyFile hostkey.pub
RandomSeedFile random_seed
# BannerMessageFile /etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
PrintSysAnnounce yes
PrintSysWelcome yes
# SftpSyslogFacility LOCAL7
SyslogFacility AUTH
# SyslogFacility LOCAL7
# QuietMode no
VerboseMode no

## Network

Port 22
ListenAddress any
RequireReverseMapping no
# ResolveClientHostName yes
MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0
# 0 == number of connections not limited

## Crypto

Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'cipher':
# Ciphers AnyStd
MACs AnyMAC
# MACs AnyStdMAC
# Following includes "none" 'mac':
# MACs AnyStd
# RekeyIntervalSeconds 3600

## User

CheckMail yes
PrintMotd yes
# StrictModes yes
# Specifies 1 hour
# (you can also use 'w' for week, 'd' for day, 'm' for minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
UserConfigDirectory "%Dssh2"
# UserConfigDirectory "/etc/ssh2/auth/%U"
AuthorizationFile authorization
# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ

## Tunneling

AllowX11Forwarding yes
AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, cowboyneal@slashdot\.org
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)

# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
# ForwardACL allow local s.*%10 proxy\.company\.com%8080

# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*

## Authentication
## V5.5-03
## publickey and password are allowed by default
## (least interactive method should be usually attempted first)

# Valid options for all fields that take authentication method names
# or lists of them are:
#
# hostbased
# publickey
# password
# kerberos-2@ssh.com
# kerberos-tgt-2@ssh.com
# gssapi-with-mic

# AllowedAuthentications publickey, password
# AllowedAuthentications hostbased, publickey, password
# RequiredAuthentications publickey, password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
AllowAgentForwarding yes
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional pam, password
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
# PermitEmptyPasswords no
PasswordGuesses 3

## Host restrictions

AllowHosts localhost, *
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
## AllowHosts t..l.\..*
## The following matches any numerical IP-address (yes, it is cumbersome)
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
# IP-addresses. Using the above example:
#
# AllowHosts \i.*
#
# You can probably see the difference between the two.
#
# Also, you can use subnet masks, by using prefix "\m"
#
# AllowHosts \m127.0/8
#
# AllowHosts \m127.0.0.0/24
#
# would match localhost ("127.0.0.1").
#
# DenyHosts evil\.org, aol\.com
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org
# IgnoreRhosts no
# IgnoreRootRHosts no
#
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions

# AllowUsers sj.*,s[[:digit:]]*,s(jl|amza)
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@untrusted\.org
# AllowGroups staff,users
# DenyGroups guest,anonymous
PermitRootLogin yes
# PermitRootLogin nopwd

## Chrooted environment

# ChRootGroups sftp,guest
# ChRootUsers anonymous,ftp,guest

## SSH1 compatibility

# Ssh1Compatibility no
# Sshd1Path
# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.
# Sshd1ConfigFile /etc/sshd_config_alternate

## Subsystem definitions

# Subsystems don't have defaults, so this is needed here (uncommented).
subsystem-sftp /sys$system/tcpip$ssh_sftp-server2
# Also internal sftp-server subsystem can be used.
# subsystem-sftp internal://tcpip$ssh_sftp-server2

## Subconfiguration

# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.

# Following matches (from) any host
#
# HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]
# UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /etc/ssh2/subconfig/user.example

# Following matches to the user anonymous from any host
# UserSpecificConfig anonymous@.* /etc/ssh2/subconfig/anonymous.example

## OpenVMS backward compatibility V5.5-04

# Uncomment this line if needed to ensure compatibility of server
# with OpenVMS ssh clients (V5.4 ECO 4 and earlier)
# ProtocolVersionString "2.4.1 SSH Secure Shell OpenVMS V1.0"

## OpenVMS auditing and access control

# V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
# AllowVmsLoginWithExpiredPw yes
# AllowNonvmsLoginWithExpiredPw no
# UserLoginLimit -1
#
# V5.5-02 Change pubkey to publickey
# AccountingAuthentications publickey,password,hostbased
# IntrusionAuthentications publickey,password,hostbased
# IntrusionIdentMethod publickey,password,hostbased
# IntrusionIdentSsh publickey,password,hostbased
# LogfailAuthentications publickey,password,hostbased
#
# V5.5-05
# Valid options are:
# none: no special action (default)
# This option is also in effect if there is no value specified, or if
# the variable is commented out.
# break: break lock (xauth -b)
# ignore: ignore lock (xauth -i)
# file: use alternate xauth filename (xauth -f (unknown))
#
# DecwXauthLockAction none
#
# V5.5-06
# If "yes" then the local user name is used in the intrusion record in place of
# SSH_xxxxxxxx where 'xxxxxxxx' is HEX IP address of remote host. This makes for
# more unique intrusion records and prevents the case of one intruder on a
# remote host locking out all users from that host. This field is especially
# useful in environments where multiple client hosts appear to be from the same
# remote IP address.
#
# If "no" then SSH_xxxxxxxx is used in the intrusion record.
#
# Default is "yes".
#
# This field is experimental. It may not work for public key and host based
# authentication.
#
# This field is not currently used for SSH logins from the TCP/IP Services for
# OpenVMS SSH client.
#
# IntrusionIdentLocalUser yes

# TryKerberosPassword is a boolean that tells the SSH server, for password
# authentication, to try to validate the password with Kerberos before trying it
# against the SYSUAF.
#
# Default is "no".
#
# TryKerberosPassword no

# GssapiSendError is a Boolean that tells the SSH server, when a GSSAPI call
# incurs an error, to send to the client a textual message with information as
# to the cause of an error. This message is typically displayed to the SSH
# client user.
#
# Default is "no".
#
# GssapiSendError no

# GssapiSendErrtok is a Boolean that tells the SSH server to send a
# SSH_MSG_USERAUTH_GSSAPI_ERRTOK message to the client when a
# GSSAPI call incurs an error.
#
# Default is "no".
#
# GssapiSendErrtok no

# PTR 70-5-2911: Control access to sftp-server2
# This one restricts all access; no granularity at user level
# DisallowSftpServer no
# This one allows specification by user; use of regular expressions is
# as with DenyUsers. Restriction by groups not yet implemented.
# SftpDenyUsers username1.*,username2
# Note that control of access through the identifier
# TCPIP$SSH_FILECOPY_DISALLOWED granted to the user is not controlled by
# either of these configuration variables.

DenyUsers skuuppa,warezdude,31373
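The AllowHosts/DenyHosts and AllowUsers/DenyUsers comments in this file describe a small pattern language: comma-separated egrep regular expressions matched against the whole host or user name, `\,` for a literal comma inside a pattern, and the `\i` and `\m` prefixes for matching the client IP address or a subnet mask. The Python script below is an added example, not part of HP TCP/IP Services for OpenVMS, that evaluates such lists against a client host name, address and user name so an administrator can check a restriction policy before deploying it. It generalizes the host rules to user lists as well. Its assumptions: the allow list must match when it is set and the deny list must then not match, a bare `*` entry is a match-everything wildcard, and POSIX bracket classes such as `[[:digit:]]` are rewritten for Python's `re` module; the sample policy and hosts are constructed from the patterns in the comments.

```python
r"""Evaluate sshd2-style host and user restriction lists.

Added example; it only approximates the pattern rules described in the
SSHD2_CONFIG comments and is not the product's own matcher (assumption):
  * list entries are comma-separated; a literal comma is written "\,"
  * an entry is an egrep-style regular expression matched against the
    whole host name or user name
  * "\i" prefix (hosts only): match the regex against the client IP address
  * "\m" prefix (hosts only): match an address/prefix-length subnet mask
  * a bare "*" is taken here as a match-everything wildcard (assumption)
"""
import ipaddress
import re

# POSIX bracket classes rewritten into ranges that Python's re understands.
POSIX_CLASSES = {
    "digit": "0-9", "alpha": "a-zA-Z", "alnum": "a-zA-Z0-9",
    "upper": "A-Z", "lower": "a-z", "space": r" \t\n\r\f\v",
}


def split_list(value):
    """Split on unescaped commas and turn "\\," back into a literal comma."""
    entries, buf, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] == ",":
            buf.append(",")          # escaped comma belongs to the pattern
            i += 2
        elif value[i] == ",":
            entries.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(value[i])
            i += 1
    entries.append("".join(buf).strip())
    return [e for e in entries if e]


def egrep_to_python(pattern):
    """Rewrite [[:digit:]]-style classes into [0-9]-style for the re module."""
    def repl(m):
        name = m.group(1)
        if name not in POSIX_CLASSES:
            raise ValueError("unsupported POSIX class [:%s:]" % name)
        return POSIX_CLASSES[name]
    return re.sub(r"\[:(\w+):\]", repl, pattern)


def entry_matches(entry, subject, address=None):
    """True if one (already unescaped) list entry matches the subject."""
    if entry == "*":
        return True
    if entry.startswith("\\m"):                  # subnet mask, needs an address
        if address is None:
            return False
        net_text, _, plen = entry[2:].partition("/")
        octets = net_text.split(".")
        octets += ["0"] * (4 - len(octets))      # "127.0/8" -> 127.0.0.0/8
        net = ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"),
                                   strict=False)
        return ipaddress.ip_address(address) in net
    if entry.startswith("\\i"):                  # regex over the IP address only
        if address is None:
            return False
        return re.fullmatch(egrep_to_python(entry[2:]), address) is not None
    return re.fullmatch(egrep_to_python(entry), subject) is not None


def list_matches(value, subject, address=None):
    return any(entry_matches(e, subject, address) for e in split_list(value))


def host_allowed(hostname, address, allow_hosts="", deny_hosts=""):
    """AllowHosts must match when set; DenyHosts must then not match (assumed)."""
    if allow_hosts and not list_matches(allow_hosts, hostname, address):
        return False
    return not (deny_hosts and list_matches(deny_hosts, hostname, address))


def user_allowed(username, allow_users="", deny_users=""):
    """Same combination rule applied to AllowUsers / DenyUsers."""
    if allow_users and not list_matches(allow_users, username):
        return False
    return not (deny_users and list_matches(deny_users, username))


if __name__ == "__main__":
    # Constructed policy built from the example patterns in the comments.
    allow_hosts = r"t..l.\..*, \m127.0/8, \i10\.1\.0\.[[:digit:]]{1\,3}"
    deny_hosts = r"evil\.org, aol\.com"
    for host, addr in [("taulu.foobar.com", "192.0.2.10"), ("tuoli.com", "192.0.2.13"),
                       ("tuoli1.com", "192.0.2.11"), ("localhost", "127.0.0.1"),
                       ("evil.org", "10.1.0.7")]:
        print("%-18s %-12s allowed=%s" % (host, addr,
              host_allowed(host, addr, allow_hosts, deny_hosts)))
    print("sjl allowed=%s" % user_allowed(
        "sjl", r"sj.*,s[[:digit:]]*,s(jl|amza)", "skuuppa,warezdude,31373"))
```

Running the script prints one line per constructed client: the two `t..l.\..*` hosts and localhost are allowed, `tuoli1.com` is refused by the allow list, and `evil.org` is refused by the deny list even though its address matches the `\i` entry. Feeding it the actual values from a server's SSHD2_CONFIG is a cheap way to confirm that an escaped comma or a missing `\.` does what the operator intended.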