File format

The sshd_config configuration file views empty lines and lines starting with # as comments.

Keywords are not case sensitive and arguments are case sensitive. Following are possible keywords:

AcceptEnv

Specifies which environment variables sent by the client will be copied into the session's environment. See the description of the ssh_config keyword SendEnv for information about configuring clients. Variables are specified by name, which can contain the wildcard characters '*' and '?'. However, the name cannot contain the equal (=) character. Multiple environment variables can be separated by white spaces or spread across multiple AcceptEnv options for a maximum of 256 environment variable specifications. The default is not to accept any environment variables.

Guideline: Be careful when using the AcceptEnv option because some environment variables can be used to bypass restricted user environments.

The accepted environment variables are processed after authentication but before general environment variable setup and handling of the sshd_config keyword PermitUserEnvironment. Therefore, the values of accepted environment variables might be overwritten as a result of this subsequent processing.

The TERM environment variable is always sent whenever the client requests a pseudo-terminal as it is required by the protocol.

AddressFamily

Specifies the address family to be used by sshd. Valid arguments are "any", "inet" (use IPv4 only), or "inet6" (use IPv6 only). The default is "any".

AllowAgentForwarding

Specifies whether ssh-agent(1) forwarding is permitted. The default is “yes”. Disabling agent forwarding does not improve general z/OS security unless users are also denied shell access, because they can install their own forwarders.

AllowGroups

This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow and deny options are processed in the following order to determine if the user should be disallowed from login: DenyUsers, AllowUsers, DenyGroups, and then AllowGroups. To be allowed to login, you must pass all the tests for the specified keywords.

That is, if you want userx who is in groupy and groupz to be allowed to login, and you plan to specify all four keywords, then:

• userx must not be in DenyUsers, and
• userx must be in AllowUsers, and
• both groupy and groupz must not be in DenyGroups, and
• either groupy or groupz must be in AllowGroups

Note: To be allowed to login, the user must have a group if AllowGroups or DenyGroups is specified.

See Patterns in ssh_config for more information about patterns.

Refer to the sshd_config keyword Match for more information about matching z/OS user and group names.

Restriction: The maximum number of AllowGroups specifications is 256.

AllowStreamLocalForwarding

Specifies whether StreamLocal (UNIX-domain socket) forwarding is permitted. The available options are 'yes' (the default) or 'all' to allow StreamLocal forwarding, 'no' to prevent all StreamLocal forwarding, 'local' to allow local (from the perspective of ssh) forwarding only or 'remote' to allow remote forwarding only.

Note: Disabling StreamLocal forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

AllowTcpForwarding

Specifies whether TCP forwarding is permitted. The available options are “yes” or “all” to allow TCP forwarding, “no” to prevent all TCP forwarding, “local” to allow local (from the perspective of ssh ) forwarding only or “remote” to allow remote forwarding only. Disabling TCP forwarding does not improve general z/OS security unless users are also denied shell access, because they can install their own forwarders. The default is "no".

AllowUsers

This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. If the pattern takes the form user@host, then user and host are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The default is to allow login for all users. The allow and deny options are processed in the following order to determine if the user should be disallowed from login: DenyUsers, AllowUsers, DenyGroups, and then AllowGroups. To be allowed to login, you must pass all the tests for the specified keywords.

That is, if you want userx who is in groupy and groupz to be allowed to login, and you plan to specify all four keywords, then:

• userx must not be in DenyUsers, and
• userx must be in AllowUsers, and
• both groupy and groupz must not be in DenyGroups, and
• either groupy or groupz must be in AllowGroups

Note: To be allowed to login, the user must have a group if AllowGroups or DenyGroups is specified.

See Patterns in ssh_config for more information about patterns.

Refer to the sshd_config keyword Match for more information about matching z/OS user and group names.

Restriction: The maximum number of AllowUsers specifications is 256.

AuthenticationMethods

Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names, or by the single string any to indicate the default behaviour of accepting any single authentication method.

For example, an argument of “publickey,password publickey,keyboardinteractive” would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard interactive authentication before public key.

For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier “bsdauth”, “pam”, or “skey”, depending on the server configuration. For example, “keyboard-interactive:bsdauth” would restrict keyboard interactive authentication to the bsdauth device. Keyboard interactive authentication is not supported on z/OS UNIX.

Note: Each authentication method listed should also be explicitly enabled in the configuration.

The default is not to require multiple authentication; successful completion of a single authentication method is sufficient.

The available authentication methods are as follows: "gssapi-with-mic", "hostbased", "keyboard-interactive", "none" (used for access to password-less accounts when PermitEmptyPassword is enabled), "password" and "publickey".

AuthorizedKeysCommand

Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others and specified by an absolute path. Arguments to AuthorizedKeysCommand accept the tokens described in Tokens. If no arguments are specified, then the username of the target user is used. The program should produce on standard output zero or more lines of authorized_keys output (see authorized_keys in sshd - OpenSSH daemon). If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user, then public key authentication continues using the usual AuthorizedKeysFile files. By default, no AuthorizedKeysCommand is run.

If running in FIPSMODE, the plain text keys in AuthorizedKeysFile files will be ignored. Only zos-key-ring-label takes effect. The option revokes the public keys for the public key authentication.

AuthorizedKeysCommandUser

Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.

AuthorizedKeysFile

Specifies the file that contains the public keys that can be used for user authentication. The format is described in the Format of the authorized_keys file section of sshd . Arguments to AuthorizedKeysFile accept the tokens described in the Tokens section. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory (if no absolute path is given). Multiple file names may be listed, separated by whitespace. Alternately, this option may be set to none to skip checking for user keys in files. The default is ".ssh/authorized_keys, .ssh/authorized_keys2" - (these files are anchored off the user's home directory).

If running in FIPSMODE, the plain text keys in AuthorizedKeysFile files will be ignored. Only zos-key-ring-label takes effect.

Restriction: The maximum path length is 1023 bytes.

AuthorizedPrincipalsCommand

Specifies a program to be used to generate the list of allowed certificate principals as per AuthorizedPrincipalsFile. The program must be owned by root, not writable by group or others and specified by an absolute path. Arguments to AuthorizedPrincipalsCommand accept the tokens described in Tokens. If no arguments are specified, then the username of the target user is used.

The program should produce on standard output zero or more lines of AuthorizedPrincipalsFile output. If either AuthorizedPrincipalsCommand or AuthorizedPrincipalsFile is specified, then certificates offered by the client for authentication must contain a principal that is listed. By default, no AuthorizedPrincipalsCommand is run.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

AuthorizedPrincipalsCommandUser

Specifies the user under whose account the AuthorizedPrincipalsCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized principals commands. If AuthorizedPrincipalsCommand is specified but AuthorizedPrincipalsCommandUser is not, then sshd will refuse to start.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

AuthorizedPrincipalsFile

Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in Format of the authorized_keys file). Empty lines and comments starting with “#” are ignored.

Arguments to AuthorizedPrincipalsFile accept the tokens described in Tokens. After expansion, AuthorizedPrincipalsFile is taken to be an absolute path or one relative to the user's home directory.

The default is “none”, that is, not to use a principals file – in this case, the username of the user must appear in a certificate's principals list for it to be accepted.

Note: AuthorizedPrincipalsFile is only used when authentication proceeds using a CA listed in TrustedUserCAKeys and is not consulted for certification authorities trusted by way of ~/.ssh/authorized_keys, though the principals=key option offers a similar facility (see sshd - OpenSSH daemon for details).

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

Banner

The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is "none", then no banner is displayed. The default is no banner is displayed.

Restriction: This option applies to protocol version 2 only.

ChallengeResponseAuthentication

Not supported on z/OS® UNIX. Specifies whether challenge-response authentication is allowed. The default is "no".

ChrootDirectory

Specifies a path to chroot to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. This path also affects the files used during the login process. The default is not to chroot. For more information, see Login process in the sshd section.

Arguments to ChrootDirectory accept the tokens described in Tokens.

The ChrootDirectory must contain the necessary files and directories to support the users' session. For interactive sessions, a shell (typically, sh) is required as well as basic /dev nodes such as null, zero, stdin, stdout, stderr, random and tty devices. For file transfer sessions using sftp, no additional configuration of the environment is necessary if the in-process sftp server is used (see Subsystem for details).

Rule: If the syslog daemon (syslogd) is used to debug the users' session, such as a file transfer session using sftp, then the ChrootDirectory must contain the datagram socket in use by syslogd (for example, /dev/log).

Restriction: The maximum path length is 1023 bytes.

The default is none, indicating not to chroot.

Ciphers

Specifies the ciphers to use for encrypting the session in protocol version 2. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. Multiple ciphers must be comma-separated. Valid ciphers include:

3des-cbc

Triple-DES (3DES) algorithm

aes128-cbc

Advanced Encryption Standard (AES) CBC mode with 128-bit key

aes128-ctr

Advanced Encryption Standard (AES) CTR mode with 128-bit key

aes192-cbc

Advanced Encryption Standard (AES) CBC mode with 192-bit key

aes192-ctr

Advanced Encryption Standard (AES) CTR mode with 192-bit key

aes256-cbc

Advanced Encryption Standard (AES) CBC mode with 256-bit key

aes128-gcm@openssh.com

Advanced Encryption Standard (AES) GCM mode with 128-bit key

aes256-gcm@openssh.com

Advanced Encryption Standard (AES) GCM mode with 256-bit key

aes256-ctr

Advanced Encryption Standard (AES) CTR mode with 256-bit key

chacha20-poly1305@openssh.com

ChaCha20 cipher with Poly1305 authenticator.

The ciphers list is typically one long unbroken line; however due to space limitations, the default ciphers list is not shown as one unbroken line. The default is:

chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com

Note: See /samples/sshd_config for recommended Ciphers configuration on z/OS.

Restriction: If running in FIPS mode, the following options are not supported:

aes128-gcm@openssh.com, aes256-gcm@openssh.com, 
chacha20-poly1305@openssh.com    

The ciphers list might need to be modified based on the ciphers source used. For more information, see the zos_sshd_config keyword CiphersSource.

ClientAliveInterval

Sets a timeout interval in seconds after which if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.

ClientAliveCountMax

Sets the number of client alive messages that can be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd disconnects the client, thus terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. Because the client alive messages are sent through the encrypted channel, they will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at the default value of 3, unresponsive SSH clients are disconnected after approximately 45 seconds.

Compression

Specifies whether compression is enabled after the user has authenticated successfully. The argument must be “yes”, “delayed” (a legacy synonym for yes) or “no”. The default is yes.

DenyGroups

This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. The default is to allow login for all groups. The allow and deny options are processed in the following order to determine if the user should be disallowed from login: DenyUsers, AllowUsers, DenyGroups, and then AllowGroups. To be allowed to login, you must pass all the tests for the specified keywords.

That is, if you want userx who is in groupy and groupz to be allowed to login, and you plan to specify all four keywords, then:

• userx must not be in DenyUsers, and
• userx must be in AllowUsers, and
• both groupy and groupz must not be in DenyGroups, and
• either groupy or groupz must be in AllowGroups

Note: To be allowed to login, the user must have a group if AllowGroups or DenyGroups is specified.

See Patterns in ssh_config for more information about patterns.

Refer to the sshd_config keyword Match for more information about matching z/OS user and group names.

Restriction: The maximum number of DenyGroups specifications is 256.

DenyUsers

This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. The default is to allow login for all users. If the pattern takes the form user@host then user and host are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow and deny options are processed in the following order to determine if the user should be disallowed from login: DenyUsers, AllowUsers, DenyGroups, and then AllowGroups. To be allowed to login, you must pass all the tests for the specified keywords.

That is, if you want userx who is in groupy and groupz to be allowed to login, and you plan to specify all four keywords, then:

• userx must not be in DenyUsers, and
• userx must be in AllowUsers, and
• both groupy and groupz must not be in DenyGroups, and
• either groupy or groupz must be in AllowGroups

Note: To be allowed to login, the user must have a group if AllowGroups or DenyGroups is specified.

See Patterns in ssh_config for more information about patterns.

Refer to the sshd_config keyword Match for more information about matching z/OS user and group names.

Restriction: The maximum number of DenyUsers specifications is 256.

DisableForwarding

Disables all forwarding features, including X11, ssh-agent, TCP and StreamLocal. This option overrides all other forwarding-related options and may simplify restricted configurations.

ExposeAuthInfo

If 'yes", sshd writes a temporary file containing a list of authentication methods and public credentials (for example, keys) used to authenticate the user. The location of the file is exposed to the user session through the SSH_USER_AUTH environment variable. The default is 'no'.

FingerprintHash

Specifies the hash algorithm used when logging key fingerprints. Valid options are as follows: md5 and sha256. The default is sha256.

ForceCommand

Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.

Specifying a command of "internal-sftp" forces the use of an in-process sftp server that requires no support files when used with ChrootDirectory.

Tip: sftp-server options can be specified with the "internal-sftp" command by separating the options with blank spaces.

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded by the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd is to allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument can be set to one of the following selections:

• "no" to force remote port forwardings to be available to the local host only.
• "yes" to force remote port forwardings to bind to the wildcard address.
• "clientspecified" to allow the client to select the address to which the forwarding is bound.

The default is "no".

GSSAPIAuthentication

Specifies whether user authentication based on GSS-API is allowed. The default is "no".

If running in FIPSMODE, this option is not supported even if its value is specified.

GSS-API stands for Generic Security Services Application Programming Interface. It is a generic API for handling client-server authentication. Because it provides security services to callers in a generic way, supportable with a range of underlying mechanisms and technologies, it allows for source-level portability of applications to different environments. For more details, check IETF standard RFC 2743.

GSSAPICleanupCredentials

Specifies whether to automatically destroy the user's credentials cache on logout. The default is "yes".

GSS-API stands for Generic Security Services Application Programming Interface. It is a generic API for handling client-server authentication. Because it provides security services to callers in a generic way, supportable with a range of underlying mechanisms and technologies, it allows for source-level portability of applications to different environments. For more details, check IETF standard RFC 2743.

GSSAPIKeyExchange

Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange does no rely on ssh keys to verify host identity. The default is “no”.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

GSS-API stands for Generic Security Services Application Programming Interface. It is a generic API for handling client-server authentication. Because it provides security services to callers in a generic way, supportable with a range of underlying mechanisms and technologies, it allows for source-level portability of applications to different environments. For more details, check IETF standard RFC 2743.

GSSAPIStoreCredentialsOnRekey

Controls whether the user's GSSAPI credentials should be updated following a successful connection rekeying. This option can be used to accepted renewed or updated credentials from a compatible client. The default is no.

GSS-API stands for Generic Security Services Application Programming Interface. It is a generic API for handling client-server authentication. Because it provides security services to callers in a generic way, supportable with a range of underlying mechanisms and technologies, it allows for source-level portability of applications to different environments. For more details, check IETF standard RFC 2743.

GSSAPIStrictAcceptorCheck

Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. If yes, then the client must authenticate against the host/default_hostname service, using the current default hostname. If no, then the client may authenticate against any host/some_hostname service key stored in the machine's default store and available for use by the sshd server. This facility is provided to assist with operation on multi homed machines. The default is yes.

GSS-API stands for Generic Security Services Application Programming Interface. It is a generic API for handling client-server authentication. Because it provides security services to callers in a generic way, supportable with a range of underlying mechanisms and technologies, it allows for source-level portability of applications to different environments. For more details, check IETF standard RFC 2743.

HostbasedAcceptedKeyTypes

Specifies the key types that will be accepted for hostbased authentication as a comma-separated pattern list. Alternately, if the specified value begins with a ‘+’ character, then the specified key types will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. The default for this option is as follows:

ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa

The list of available key types may also be obtained using ssh -Q key.

HostbasedAuthentication

Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). The default is "no".

HostbasedUsesNameFromPacketOnly

Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during HostbasedAuthentication. A setting of "yes" means that sshd uses the name supplied by the client instead of attempting to resolve the name from the TCP connection itself. The default is "no".

HostCertificate

Specifies a file containing a public host certificate. The certificate's public key must match a private host key already specified by HostKey. The default behaviour of sshd is not to load any certificates.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

HostKey

Specifies a file containing a private host key used by OpenSSH. The default host key is /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_ed25519_key. sshd will refuse to use a file if it is group/world-accessible.

It is possible to have multiple host key files and key ring certificates (as configured by the HostKeyRingLabel option in the zos_sshd_config file) in configuration files. If both host key files and key ring certificates are listed, the key ring certificates will be tried first. Only the first key found of each key type (for example, RSA, DSA, ECDSA, or Ed25519) is used.

The maximum combined number of host key files and key ring certificates that can be specified is 256.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

HostKeyAgent

Identifies the UNIX-domain socket used to communicate with an agent that has access to the private host keys. If “SSH_AUTH_SOCK” is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

HostKeyAlgorithms

Specifies the host key algorithms that the client wants to use in order of preference. Alternately, if the specified value begins with a ‘+’ character, then the specified key types will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. The default for this option is as follows:

ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa

If hostkeys are known for the destination host, then this default is modified to prefer their algorithms.

The list of available key types may also be obtained using ssh -Q key.

IgnoreRhosts

Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

The /etc/hosts.equiv and /etc/ssh/shosts.equiv files are still used. The default is "yes".

IgnoreUserKnownHosts

Specifies whether sshd should ignore the user's ~/.ssh/known_hosts during HostbasedAuthentication. The default is "no".

IPQoS

This option is currently ignored in z/OS UNIX. Specifies the IPv4 type-ofservice or DSCP class for the connection. Accepted values are "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is "lowdelay" for interactive sessions and "throughput" for noninteractive sessions.

KbdInteractiveAuthentication

Not supported on z/OS UNIX. Specifies whether to use keyboard-interactive authentication. The argument to this keyword must be "yes" or "no".

KerberosAuthentication

Not supported on z/OS UNIX. Specifies whether Kerberos authentication is allowed. The authentication can be in the form of a Kerberos ticket, or if PasswordAuthentication is "yes", the password provided by the user will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. The default is "no".

KerberosGetAFSToken

Not supported on z/OS UNIX. If AFS® is active and the user has a Kerberos 5 TGT, attempts to acquire an AFS token before accessing the user's home directory. The default is "no".

KerberosOrLocalPasswd

Not supported on z/OS UNIX. Validates the password by means of the security product's normal password checking if password authentication through Kerberos fails. The default is "yes".

KerberosTgtPassing

Not supported on z/OS UNIX. Specifies whether a Kerberos TGT is to be forwarded to the server. This will work only if the Kerberos server is actually an AFS kaserver. The default is "no".

KerberosTicketCleanup

Not supported on z/OS UNIX. Specifies whether to automatically erase the user's ticket cache file on logout. The default is "yes".

KexAlgorithms

Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. Alternately, if the specified value begins with a ‘+’ character, then the specified methods will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. The supported algorithms are as follows:

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org

The default is as follows:

curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha256,
diffie-hellman-group14-sha1

The Key Exchange algorithms list might need to be modified based on the Exchange algorithms source used. For more information, see the KexAlgorithmsSource keyword in the z/OS-specific OpenSSH daemon configuration file zos_sshd_config. All KEX algorithms are supported in FIPS mode.

Note: This keyword will not be supported in a match block.

The list of available key exchange algorithms may also be obtained using ssh -Q kex.

ListenAddress

Specifies the local addresses sshd should listen on. The following forms can be used:

ListenAddress host|IPv4addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port

If port is not specified, sshd listens on the address and all prior Port options specified. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses. The default is to listen on all local addresses.

LoginGraceTime

The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 (seconds).

LogLevel

Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output.

Guideline: Do not log with a DEBUG level because doing so violates the privacy of users.

For more information about these logging levels, also referred to as priority codes, see the syslog daemon chapter in z/OS Communications Server: IP Configuration Reference.

MACs

Specifies the available MAC (message authentication code) algorithms . The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. The supported MACs are as follows:

hmac-md5
hmac-md5-96
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

The MAC algorithms list is typically one long unbroken line; however due to space limitations, the default MAC algorithms list is not shown as one unbroken line. The default is as follows:

hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,

.

The algorithms that contain “-etm” calculate the MAC after encryption (encrypt-then-mac). The MAC algorithms list might need to be modified based on the MAC algorithms source used. For more information, see the zos_sshd_config keyword MACsSource.

Restrictions: If running in FIPS mode, the following options are not supported:

hmac-md5,
hmac-md5-96,
hmac-md5-etm@openssh.com,
hmac-md5-96-etm@openssh.com,
umac-64@openssh.com,
umac-64-etm@openssh.com,
umac-128-etm@openssh.com,
umac-128@openssh.com

The list of available MAC algorithms may also be obtained using ssh -Q mac.

Match

Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.

Rule: Global settings must be placed before the first Match block.

The arguments to Match are one or more criteria-pattern pairs. The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address. The match patterns can consist of single entries or comma-separated lists and can use the wildcard and negation operators described in the ssh_config section Patterns.

The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as 192.0.2.0/24 or 2001:db8::/32. The mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively. Restrictions: Some restrictions apply.

• Only a subset of keywords can be used on the lines following a Match keyword. Those keywords are AcceptEnv, AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, Banner, ChrootDirectory, ClientAliveCountMax, ClientAliveInterval, DenyGroups, DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, PubkeyAuthentication, RekeyLimit, RevokedKeys, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, X11DisplayOffset, X11Forwarding and X11UseLocalHost..

Guideline: User and group names are typically not case sensitive on z/OS systems. However, when matching user and group names for this keyword and for related keywords (such as the sshd_config keywords AllowGroups, AllowUsers, DenyGroups and DenyUsers), the user and group names must be in the same alphabetical case as is stored in the user database, group database and user ID alias table (for example, USERIDALIASTABLE).

Example:

AllowTcpForwarding no

Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no

Match User bar,baz
        AllowTcpForwarding yes

Match Host t*
        AllowTcpForwarding yes

MaxAuthTries

Specifies the maximum number of authentication attempts permitted per connection. When the number of failures reaches half this value, additional failures are logged. The default is 6.

Password authentication failures are always logged.

MaxSessions

Specifies the maximum number of open shell, login or subsystem (for example, sftp) sessions permitted per network connection. Multiple sessions may be established by clients that support connection multiplexing. Setting MaxSessions to 1 will effectively disable session multiplexing, whereas setting it to 0 will prevent all shell, login and subsystem sessions while still permitting forwarding. The default is 10.

MaxStartups

Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100.

Alternately, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (for example, "10:30:100"). sshd will refuse connection attempts with a probability of "rate/100" (30%, in the example) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (100).

PasswordAuthentication

Specifies whether password authentication is allowed. The argument must be set to "yes" or "no". The default is "yes". Password authentication checks a user-supplied password or password phrase.

PermitEmptyPasswords

Specifies whether the server allows login to accounts with empty password strings when password authentication is allowed. The default is "no".

Guideline: Set this keyword to "no" for security reasons. However, empty passwords can be allowed by setting up a SURROGAT class. The MVS™ identity running sshd requires READ access to the SURROGAT class profile, BPX.SRV.uuuuuuuu (where uuuuuuuu is the MVS userid for each user who is permitted to log in with an empty password.) This allows any user to login to user ID uuuuuuuu without a password.

PermitOpen

Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:

PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port

Multiple forwards can be specified by separating them with white space. An argument of "any" can be used to remove all restrictions and permit any forwarding requests. An argument of "none" can be used to prohibit all forwarding requests. The wildcard ‘*’ can be used for host or port to allow all hosts or ports, respectively. By default, all port forwarding requests are permitted.

PermitRootLogin

Specifies whether a superuser (root) can login using ssh. The argument must be "yes" , "prohibit-password" (default), "forced-commands-only", or "no".

If this option is set to "prohibit-password", password authentication is disabled for superusers.

If this option is set to "forced-commands-only", superuser login with public key authentication will be allowed, but only if the Authorized Keys File "command=" option has been specified (which may be useful for taking remote backups even if superuser login is normally not allowed). All other authentication methods are disabled for superusers.

If this option is set to "no", a superuser is not allowed to login.

PermitTTY

Specifies whether pty allocation is permitted. The default is 'yes'.

PermitTunnel

Not supported on z/OS UNIX. Specifies whether tunnel device forwarding is allowed. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" permits both "point-to-point" and "ethernet". The default is "no".

PermitUserEnvironment

Specifies whether the ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. The default is "no". Enabling environment processing might enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.

The user's environment variables are processed after authentication and after the sshd_config keyword AcceptEnv is processed. As a result, the values of the user's environment variables might overwrite the results of the previous environment variable processing.

PermitUserRC

Specifies whether any ~/.ssh/rc file is executed. The default is yes.

PidFile

Specifies the file that contains the process ID of the sshd daemon. The default is /var/run/sshd.pid.

Port

Specifies the port number that sshd listens on. The default is 22. Multiple options of this type are permitted. See also ListenAddress.

PrintLastLog

Not supported on z/OS UNIX. Specifies whether sshd should print the date and time of the last user login when a user logs in interactively. The default is "no". This option only returns information if your system supports lastlog data, such as with a wtmp or wtmpx file.

PrintMotd

Specifies whether sshd should print /etc/motd when a user logs in interactively. (On some systems, the shell, /etc/profile, or equivalent also prints /etc/motd.) The default is "yes". For more information about the use of /etc/motd during the login process, see Login process.

PubkeyAcceptedKeyTypes

Specifies the key types that will be accepted for public key authentication as a comma-separated pattern list. Alternately, if the specified value begins with a ‘+’ character, then the specified key types will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. The default for this option is as follows:

ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-ed25519,ssh-rsa

The list of available key types may also be obtained using ssh -Q key.

PubkeyAuthentication

Specifies whether public key authentication is allowed. The default is "yes".

RekeyLimit

Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of time that may pass before the session key is renegotiated. The first argument is specified in bytes and may have a suffix of “K”, “M”, or “G” to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between “1G” and “4G”, depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in Time formats. The default value for RekeyLimit is “default none”, which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only.

RevokedKeys

Specifies revoked public keys file, or none to not use one. Keys listed in this file will be refused for public key authentication.

Note: If this file is not readable, then public key authentication will be refused for all users.

Keys may be specified as a text file, listing one public key per line, or as an OpenSSH key revocation list (KRL) as generated by ssh-keygen(1). For more information on KRLs, see Key revocation lists.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

RhostsAuthentication

Specifies whether authentication using rhosts or /etc/hosts.equiv files is sufficient. Normally, this method should not be permitted, because it is insecure.

This option was removed from OpenSSH open source base distribution release 3.7 and is no longer supported on z/OS UNIX.

RhostsRSAAuthentication

Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is "no".

Restriction: This option applies to protocol version 1 only.

RSAAuthentication

Specifies whether pure RSA authentication is allowed.

Restriction: This option applies to protocol version 1 only.

ServerKeyBits

Determines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512 and the default is 768.

StreamLocalBindMask

Sets the octal file creation mode mask (umask) used when creating a UNIX-domain socket file for local or remote port forwarding. This option is only used for port forwarding to a UNIX-domain socket file.

The default value is 0177, which creates a UNIX-domain socket file that is readable and writable only by the owner.

Note: Not all operating systems honor the file mode on UNIX-domain socket files.

StreamLocalBindUnlink

Specifies whether to remove an existing UNIX-domain socket file for local or remote port forwarding before creating a new one. If the socket file already exists and StreamLocalBindUnlink is not enabled, sshd will be unable to forward the port to the UNIX-domain socket file. This option is only used for port forwarding to a UNIX-domain socket file.

The argument must be 'yes' or 'no'. The default is 'no'.

StrictModes

Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable in case users inadvertently leave their directory or files world-writable. The default is "yes".

Specifically, StrictModes checks that the following files, directories, and component path names are owned by the current user or superuser and that they are not group or world-writable:

• User's home directory
• User's .rhosts and .shosts files
• User's authorized keys file
• User's known hosts file

This setting does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.

Subsystem

Configures an external subsystem (such as file transfer daemon). Arguments should be a subsystem name and a command with optional arguments to execute upon subsystem request.

The command /usr/lib/ssh/sftp-server implements the sftp file transfer subsystem. Alternatively, the name "internal-sftp" implements an in-process sftp server. Using the in-process sftp-server might simplify configurations that use the ChrootDirectory keyword to force a different file system root on clients. You can specify sftp-server options with the "internal-sftp" command by separating the options with blank spaces.

By default, no subsystems are defined. User-defined (non-builtin) subsystems are only supported between z/OS and z/OS. See Limitations for more information.

SyslogFacility

Gives the facility code that is used when logging messages from sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. If sshd is run in debug mode (invoked with –d), logging goes to stderr instead of the syslog. The default is AUTH.

For more information about these log facilities, see the syslog daemon section in z/OS Communications Server: IP Configuration Reference.

TCPKeepAlive

Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, a lost network connection or stopping of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving ghost users and consuming server resources. The default is "yes" (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes. This option avoids infinitely hanging sessions. To disable TCP keepalive messages, set the value to "no".

TrustedUserCAKeys

Specifies a file containing public keys of certificate authorities that are trusted to sign user certificates for authentication, or none to not use one. Keys are listed one per line; empty lines and comments starting with “#” are allowed. If a certificate is presented for authentication and has its signing CA key listed in this file, then it may be used for authentication for any user listed in the certificate's principals list.

Note: Certificates that lack a list of principals will not be permitted for authentication using TrustedUserCAKeys.

For more details on certificates, see Certificates.

If running in FIPSMODE, this option will not be supported. Even though it's value is specified in the configuration file, it will be ignored.

UseDNS

Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the same IP address. The default is "no".

If this option is set to no (the default), then only addresses and not host names may be used in ~/.ssh/authorized_keys from sshd_config Match Host directives.

UsePAM

Not supported on z/OS UNIX. Enables PAM authentication (via challenge-response) and session set up. The default is "no".

VersionAddendum

Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is “none”.

X11DisplayOffset

Specifies the first display number available for sshd's X11 forwarding. This prevents sshd from interfering with real X11 servers. The default is "10".

X11Forwarding

Specifies whether X11 forwarding is permitted. Disabling X11 forwarding does not improve general z/OS security, because users can install their own forwarders. X11 forwarding is automatically disabled if UseLogin is enabled. The default is "no".

X11UseLocalhost

Specifies whether sshd should bind the X11 forwarding server to the loopback address or to the wildcard address. By default sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the fake display. However, some X11 clients may not function with this configuration. X11UseLocalhost can be set to "no" to specify that the forwarding server should be bound to the wildcard address. The argument must be "yes" (default) or "no".

XAuthLocation

Specifies the location of the xauth program, or none to not use one. The default is /usr/X11R6/bin/xauth.