Keywords in Solaris Secure Shell
The following tables list the keywords and their default values, if any. The
keywords are in alphabetical order. The location of keywords on the client is
the ssh_config file. Keywords that apply to the server are in the sshd_config
file. Some keywords are set in both files. If the keyword applies to
only one protocol version, the version is listed.

Table 20-1 Keywords in Solaris Secure Shell Configuration Files (A to Escape)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| AllowGroups | No default. | Server | |
| AllowTcpForwarding | no | Server | |
| AllowUsers | No default. | Server | |
| AuthorizedKeysFile | ~/.ssh/authorized_keys | Server | |
| Banner | /etc/issue | Server | |
| Batchmode | no | Client | |
| BindAddress | No default. | Client | |
| CheckHostIP | yes | Client | |
| Cipher | blowfish, 3des | Client | v1 |
| Ciphers | aes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc, arcfour | Both | v2 |
| ClearAllForwardings | No default. | Client | |
| ClientAliveInterval | 0 | Server | v2 |
| ClientAliveCountMax | 3 | Server | v2 |
| Compression | yes | Both | |
| CompressionLevel | No default. | Client | |
| ConnectionAttempts | 1 | Client | |
| DenyGroups | No default. | Server | |
| DenyUsers | No default. | Server | |
| DynamicForward | No default. | Client | |
| EscapeChar | ~ | Client | |
Table 20-2 Keywords in Solaris Secure Shell Configuration Files (Fall to Local)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| FallBackToRsh | no | Client | |
| ForwardAgent | no | Client | |
| ForwardX11 | no | Client | |
| GatewayPorts | no | Both | |
| GlobalKnownHostsFile | /etc/ssh/ssh_known_hosts | Client | |
| GSSAPIAuthentication | yes | Both | v2 |
| GSSAPIDelegateCredentials | no | Client | v2 |
| GSSAPIKeyExchange | yes | Both | v2 |
| GSSAPIStoreDelegateCredentials | no | Client | v2 |
| Host | * For more information, see Host-Specific Parameters in Solaris Secure Shell. | Client | |
| HostbasedAuthentication | no | Both | v2 |
| HostbasedUsesNamesFromPacketOnly | no | Server | v2 |
| HostKey | /etc/ssh/ssh_host_key | Server | v1 |
| HostKey | /etc/ssh/host_rsa_key, /etc/ssh/host_dsa_key | Server | v2 |
| HostKeyAlgorithms | ssh-rsa, ssh-dss | Client | v2 |
| HostKeyAlias | No default. | Client | v2 |
| IdentityFile | ~/.ssh/identity | Client | v1 |
| IdentityFile | ~/.ssh/id_dsa, ~/.ssh/id_rsa | Client | v2 |
| IgnoreRhosts | yes | Server | |
| IgnoreUserKnownHosts | yes | Server | |
| KbdInteractiveAuthentication | yes | Both | |
| KeepAlive | yes | Both | |
| KeyRegenerationInterval | 3600 (seconds) | Server | |
| ListenAddress | No default. | Server | |
| LocalForward | No default. | Client | |
Table 20-3 Keywords in Solaris Secure Shell Configuration Files (Login to R)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| LoginGraceTime | 600 (seconds) | Server | |
| LogLevel | info | Both | |
| LookupClientHostname | yes | Server | |
| MACs | hmac-sha1,hmac-md5 | Both | v2 |
| MaxAuthTries | 6 | Server | |
| MaxAuthTriesLog | No default. | Server | |
| MaxStartups | 10:30:60 | Server | |
| NoHostAuthenticationForLocalHost | no | Client | |
| NumberOfPasswordPrompts | 3 | Client | |
| PAMAuthenticationViaKBDInt | yes | Server | v2 |
| PasswordAuthentication | yes | Both | |
| PermitEmptyPasswords | no | Server | |
| PermitRootLogin | no | Server | |
| PermitUserEnvironment | no | Server | |
| PreferredAuthentications | gssapi-keyex, gssapi-with-mic, hostbased, publickey, keyboard-interactive, password | Client | v2 |
| Port | 22 | Both | |
| PrintMotd | no | Server | |
| Protocol | 2 | Both | |
| ProxyCommand | No default. | Client | |
| PubkeyAuthentication | yes | Both | v2 |
| RemoteForward | No default. | Client | |
| RhostsAuthentication | no | Both | v1 |
| RhostsRSAAuthentication | no | Both | v1 |
| RSAAuthentication | no | Both | v1 |
Table 20-4 Keywords in Solaris Secure Shell Configuration Files (S to X)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| ServerKeyBits | 768 | Server | |
| StrictHostKeyChecking | ask | Client | |
| StrictModes | yes | Server | |
| Subsystem | sftp /usr/lib/ssh/sftp-server | Server | |
| SyslogFacility | auth | Server | |
| UseLogin | no. Deprecated and ignored. | Server | |
| User | No default. | Client | |
| UserKnownHostsFile | ~/.ssh/known_hosts | Client | |
| VerifyReverseMapping | no | Server | |
| X11Forwarding | yes | Server | |
| X11DisplayOffset | 10 | Server | |
| X11UseLocalHost | yes | Server | |
| XAuthLocation | No default. | Both | |

Host-Specific Parameters in Solaris Secure Shell
If it is useful to have different Solaris Secure Shell characteristics for
different local hosts, the administrator can define separate sets of parameters in the
/etc/ssh/ssh_config file to be applied according to host or regular expression. This task
is done by grouping entries in the file by Host keyword. If the
Host keyword is not used, the entries in the client configuration file apply
to whichever local host a user is working on.
Solaris Secure Shell and Login Environment Variables
When the following Solaris Secure Shell keywords are not set in the
sshd_config file, they get their value from equivalent entries in the /etc/default/login file:

| Entry in /etc/default/login | Keyword and Value in sshd_config |
|---|---|
| CONSOLE=* | PermitRootLogin=without-password |
| #CONSOLE=* | PermitRootLogin=yes |
| PASSREQ=YES | PermitEmptyPasswords=no |
| PASSREQ=NO | PermitEmptyPasswords=yes |
| #PASSREQ | PermitEmptyPasswords=no |
| TIMEOUT=secs | LoginGraceTime=secs |
| #TIMEOUT | LoginGraceTime=300 |
| RETRIES and SYSLOG_FAILED_LOGINS | Apply only to password and keyboard-interactive authentication methods. |

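The fallback in the table above, as an added example (not code from the Solaris documentation): it resolves the effective PermitRootLogin, PermitEmptyPasswords and LoginGraceTime for a host from the contents of the two files and reports which file each value came from. The function names and both sample files are constructed for illustration; it assumes one `Keyword value` pair per line in sshd_config and that the first occurrence of a keyword is the one used.

```python
SSHD_SAMPLE = """\
# constructed sample sshd_config
Protocol 2
PermitEmptyPasswords no
#PermitRootLogin no
"""

LOGIN_SAMPLE = """\
# constructed sample /etc/default/login
CONSOLE=/dev/console
PASSREQ=NO
#TIMEOUT=300
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> value for active (uncommented) lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            # Assumption: the first occurrence of a keyword is the one used.
            out.setdefault(parts[0].lower(), parts[1].strip())
    return out

def parse_login_defaults(text):
    """Map NAME -> value for active NAME=value lines; '#' lines are unset."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            out[name.strip()] = value.strip()
    return out

def effective(sshd_text, login_text):
    """Return {keyword: (value, source_file)} following the fallback table."""
    sshd = parse_sshd_config(sshd_text)
    login = parse_login_defaults(login_text)
    fallback = {
        "PermitRootLogin": "without-password" if "CONSOLE" in login else "yes",
        "PermitEmptyPasswords":
            "yes" if login.get("PASSREQ", "YES").upper() == "NO" else "no",
        "LoginGraceTime": login.get("TIMEOUT", "300"),
    }
    return {k: (sshd[k.lower()], "sshd_config") if k.lower() in sshd
            else (v, "/etc/default/login") for k, v in fallback.items()}

if __name__ == "__main__":
    for keyword, (value, source) in effective(SSHD_SAMPLE, LOGIN_SAMPLE).items():
        print(f"{keyword}={value}  (from {source})")
```

In the constructed sample, PASSREQ=NO has no effect because PermitEmptyPasswords is set explicitly in sshd_config, while the commented-out PermitRootLogin line leaves root login governed by the CONSOLE entry.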
When the following variables are set by the login command, the sshd daemon
uses those values. When the variables are not set, the daemon uses the
default value.

- TIMEZONE
  Controls the setting of the TZ environment variable. When not set, the sshd daemon uses the value of TZ when the daemon was started.
- ALTSHELL
  Controls the setting of the SHELL environment variable. The default is ALTSHELL=YES, where the sshd daemon uses the value of the user's shell. When ALTSHELL=NO, the SHELL value is not set.
- PATH
  Controls the setting of the PATH environment variable. When the value is not set, the default path is /usr/bin.
- SUPATH
  Controls the setting of the PATH environment variable for root. When the value is not set, the default path is /usr/sbin:/usr/bin.

For more information, see the login(1) and sshd(1M) man pages.