openSolaris 2008 - Keywords in Solaris Secure Shell - System Administration Guide: Security Services

Keywords in Solaris Secure Shell

The following tables list the keywords and their default values, if any. The keywords are in alphabetical order. The location of keywords on the client is the ssh_config file. Keywords that apply to the server are in the sshd_config file. Some keywords are set in both files. If the keyword applies to only one protocol version, the version is listed.

Table 20-1 Keywords in Solaris Secure Shell Configuration Files (A to Escape)

Keyword	Default Value	Location	Protocol
`AllowGroups`	No default.	Server
`AllowTcpForwarding`	`no`	Server
`AllowUsers`	No default.	Server
`AuthorizedKeysFile`	`~/.ssh/authorized_keys`	Server
`Banner`	`/etc/issue`	Server
`Batchmode`	`no`	Client
`BindAddress`	No default.	Client
`CheckHostIP`	`yes`	Client
`Cipher`	`blowfish`, `3des`	Client	v1
`Ciphers`	`aes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc, arcfour`	Both	v2
`ClearAllForwardings`	No default.	Client
`ClientAliveInterval`	`0`	Server	v2
`ClientAliveCountMax`	`3`	Server	v2
`Compression`	`yes`	Both
`CompressionLevel`	No default.	Client
`ConnectionAttempts`	`1`	Client
`DenyGroups`	No default.	Server
`DenyUsers`	No default.	Server
`DynamicForward`	No default.	Client
`EscapeChar`	`~`	Client

Table 20-2 Keywords in Solaris Secure Shell Configuration Files (Fall to Local)

Keyword	Default Value	Location	Protocol
`FallBackToRsh`	`no`	Client
`ForwardAgent`	`no`	Client
`ForwardX11`	`no`	Client
`GatewayPorts`	`no`	Both
`GlobalKnownHostsFile`	`/etc/ssh/ssh_known_hosts`	Client
`GSSAPIAuthentication`	`yes`	Both	v2
`GSSAPIDelegateCredentials`	`no`	Client	v2
`GSSAPIKeyExchange`	`yes`	Both	v2
`GSSAPIStoreDelegateCredentials`	`no`	Client	v2
`Host`	`*` For more information, see Host-Specific Parameters in Solaris Secure Shell.	Client
`HostbasedAuthentication`	`no`	Both	v2
`HostbasedUsesNamesFromPacketOnly`	`no`	Server	v2
`HostKey`	`/etc/ssh/ssh_host_key`	Server	v1
`HostKey`	`/etc/ssh/host_rsa_key`, `/etc/ssh/host_dsa_key`	Server	v2
`HostKeyAlgorithms`	`ssh-rsa, ssh-dss`	Client	v2
`HostKeyAlias`	No default.	Client	v2
`IdentityFile`	`~/.ssh/identity`	Client	v1
`IdentityFile`	`~/.ssh/id_dsa, ~/.ssh/id_rsa`	Client	v2
`IgnoreRhosts`	`yes`	Server
`IgnoreUserKnownHosts`	`yes`	Server
`KbdInteractiveAuthentication`	`yes`	Both
`KeepAlive`	`yes`	Both
`KeyRegenerationInterval`	`3600` (seconds)	Server
`ListenAddress`	No default.	Server
`LocalForward`	No default.	Client

Table 20-3 Keywords in Solaris Secure Shell Configuration Files (Login to R)

Keyword	Default Value	Location	Protocol
`LoginGraceTime`	`600` (seconds)	Server
`LogLevel`	`info`	Both
`LookupClientHostname`	`yes`	Server
`MACs`	`hmac-sha1,hmac-md5`	Both	v2
`MaxAuthTries`	`6`	Server
`MaxAuthTriesLog`	No default.	Server
`MaxStartups`	`10:30:60`	Server
`NoHostAuthenticationForLocalHost`	`no`	Client
`NumberOfPasswordPrompts`	`3`	Client
`PAMAuthenticationViaKBDInt`	`yes`	Server	v2
`PasswordAuthentication`	`yes`	Both
`PermitEmptyPasswords`	`no`	Server
`PermitRootLogin`	`no`	Server
`PermitUserEnvironment`	`no`	Server
`PreferredAuthentications`	`gssapi-keyex, gssapi-with-mic, hostbased, publickey, keyboard-interactive, password`	Client	v2
`Port`	`22`	Both
`PrintMotd`	`no`	Server
`Protocol`	`2`	Both
`ProxyCommand`	No default.	Client
`PubkeyAuthentication`	`yes`	Both	v2
`RemoteForward`	No default.	Client
`RhostsAuthentication`	`no`	Both	v1
`RhostsRSAAuthentication`	`no`	Both	v1
`RSAAuthentication`	`no`	Both	v1

Table 20-4 Keywords in Solaris Secure Shell Configuration Files (S to X)

Keyword	Default Value	Location
`ServerKeyBits`	`768`	Server
`StrictHostKeyChecking`	`ask`	Client
`StrictModes`	`yes`	Server
`Subsystem`	`sftp /usr/lib/ssh/sftp-server`	Server
`SyslogFacility`	`auth`	Server
`UseLogin`	`no` Deprecated and ignored.	Server
`User`	No default.	Client
`UserKnownHostsFile`	`~/.ssh/known_hosts`	Client
`VerifyReverseMapping`	`no`	Server
`X11Forwarding`	`yes`	Server
`X11DisplayOffset`	`10`	Server
`X11UseLocalHost`	`yes`	Server
`XAuthLocation`	No default.	Both

Host-Specific Parameters in Solaris Secure Shell

If it is useful to have different Solaris Secure Shell characteristics for different local hosts, the administrator can define separate sets of parameters in the /etc/ssh/ssh_config file to be applied according to host or regular expression. This task is done by grouping entries in the file by Host keyword. If the Host keyword is not used, the entries in the client configuration file apply to whichever local host a user is working on.

Solaris Secure Shell and Login Environment Variables

When the following Solaris Secure Shell keywords are not set in the sshd_config file, they get their value from equivalent entries in the /etc/default/login file:

Entry in `/etc/default/login`	Keyword and Value in `sshd_config`
`CONSOLE=*`	`PermitRootLogin=without-password`
`#CONSOLE=*`	`PermitRootLogin=yes`
`PASSREQ=YES`	`PermitEmptyPasswords=no`
`PASSREQ=NO`	`PermitEmptyPasswords=yes`
`#PASSREQ`	`PermitEmptyPasswords=no`
`TIMEOUT=`secs	`LoginGraceTime=`secs
`#TIMEOUT`	`LoginGraceTime=300`
`RETRIES` and `SYSLOG_FAILED_LOGINS`	Apply only to `password` and `keyboard-interactive` authentication methods.

When the following variables are set by the login command, the sshd daemon uses those values. When the variables are not set, the daemon uses the default value.

TIMEZONE: Controls the setting of the TZ environment variable. When not set, the sshd daemon uses value of TZ when the daemon was started.
ALTSHELL: Controls the setting of the SHELL environment variable. The default is ALTSHELL=YES, where the sshd daemon uses the value of the user's shell. When ALTSHELL=NO, the SHELL value is not set.
PATH: Controls the setting of the PATH environment variable. When the value is not set, the default path is /usr/bin.
SUPATH: Controls the setting of the PATH environment variable for root. When the value is not set, the default path is /usr/sbin:/usr/bin.

For more information, see the login(1) and sshd(1M) man pages.