Options
sshd can be configured using command-line options or an sshd_config configuration file (the default is /etc/ssh/sshd_config); command-line options override values specified in the configuration file. sshd can also obtain z/OS-specific configuration data from a system-wide /etc/ssh/zos_sshd_config configuration file.
sshd rereads its configuration files, including the z/OS-specific files, when it receives a hangup signal (SIGHUP), by re-executing itself with the name and options it was started with, for example /usr/sbin/sshd.
For more information about the configuration files, see sshd_config and zos_sshd_config.
- -4
- Forces sshd to use IPv4 addresses only. If both -4 and -6 are specified, sshd uses the option that appears last on the command line.
- -6
- Forces sshd to use IPv6 addresses only. If both -4 and -6 are specified, sshd uses the option that appears last on the command line.
- -b bits
- Specifies the number of bits in the ephemeral protocol version 1 server key (default 1024).
- -c host_certificate_file
- Specifies a path to a certificate file to identify sshd during key exchange. The certificate file must match a host key file specified using the -h option or the HostKey configuration directive.
- -C connection-spec
- Specifies the connection parameters to use for the -T extended test mode. If provided, any Match directives in the configuration file that would apply to the specified user, host, and address are applied before the configuration is written to standard output. The connection parameters are supplied as keyword=value pairs. The keywords are "user", "host", "laddr", "lport", and "addr". All are required and may be supplied in any order, either with multiple -C options or as a comma-separated list.
- -d
- Debug mode. The server sends verbose debug output to the system log (if sshd is invoked with -i) or to stderr, and does not put itself in the background. The server also does not fork and processes only one connection. This option is intended only for debugging the server. Multiple -d options increase the debugging level; up to three -d options can be specified.
- -D
- sshd does not fork and does not become a daemon. This allows for easy monitoring of sshd.
- -e
- sshd sends its output to standard error instead of the system log. This option is useful only when sshd is not running as a daemon (for example, when sshd is started with the -D option).
- -E log_file
- Appends debug logs to log_file instead of the UNIX system log (syslogd).
- -f config_file
- Specifies the name of the sshd_config configuration file. The default is /etc/ssh/sshd_config. sshd will not start if there is no sshd_config configuration file. This option has no effect on the z/OS-specific configuration file.
- -g login_grace_time
- Gives the grace time for clients to authenticate themselves (default 120 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit.
- -h host_key_file
- Specifies a file from which a host key is read.
If sshd is not run as UID(0), a host key must often be provided by another method, because the default host key files are normally not readable by anyone but a superuser. Host keys can be provided either by using this option or by specifying a host key with the HostKey or HostKeyRingLabel configuration options. For full details of the options and their values, see sshd_config and zos_sshd_config.
The default host key file is /etc/ssh/ssh_host_key for protocol version 1. For protocol version 2, the default host key files are /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_dsa_key, and /etc/ssh/ssh_host_ecdsa_key. It is possible to have multiple host keys for the different protocol versions and host key algorithms.
Restriction: This option is not supported if running in FIPS mode.
- -i
- Specifies that sshd is being run from inetd. sshd is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this might decrease performance. Clients would have to wait too long if the key were regenerated every time. However, with small key sizes (such as 512), using sshd from inetd might be feasible.
- -k key_gen_time
- Specifies how often the ephemeral protocol version 1 server key is regenerated (default 3600 seconds or one hour). The motivation for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour it becomes impossible to recover the key for decrypting intercepted communications even if the machine is cracked into or physically seized. A value of zero indicates that the key will never be regenerated. The key will only be regenerated if it has been used.
- -o option
- Can be used to give options in the format used in the sshd_config and zos_sshd_config configuration files. This is useful for specifying options for which there is no separate command-line flag. For full details of the options and their values, see sshd_config and zos_sshd_config.
- -p port
- Specifies the port on which the server listens for connections (default 22). Multiple port options are permitted. Ports specified in the sshd_config configuration file with the Port option are ignored when a command-line port is specified. Ports specified using the ListenAddress option override command-line ports. More information about those options can be found in Port and ListenAddress.
- -q
- Quiet mode. Nothing is sent to the system log. Normally, the beginning, authentication, and termination of each connection is logged.
- -t
- Test mode. Only checks the validity of the sshd_config configuration file and the sanity of the keys. This option is useful for updating sshd reliably, because configuration options might change.
- -T
- Extended test mode. Checks the validity of the configuration file, outputs the effective configuration to stdout, and then exits. Optionally, Match rules may be applied by specifying the connection parameters using one or more -C options.
- -u len
- This option is used to specify the size of the field in the utmpx structure that holds the remote host name. If the resolved host name is longer than len, the dotted decimal value will be used instead. This allows hosts with very long host names that overflow this field to still be uniquely identified. Specifying -u0 indicates that only dotted decimal addresses should be put into the utmpx file. -u0 can also be used to prevent sshd from making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that might require DNS include RhostsRSAAuthentication, HostbasedAuthentication, and using a from="pattern-list" option in a key file. Configuration options that require DNS include using a user@host pattern in AllowUsers or DenyUsers.