Oracle Solaris 11.1 Administration: Security Services

Keywords in Secure Shell

The following tables list the keywords and their default values, if any, in alphabetical order. Keywords that apply to the client are set in the ssh_config file; keywords that apply to the server are set in the sshd_config file. Some keywords are set in both files. Keywords that apply only to a Secure Shell server running the v1 protocol are marked v1 in the Location column.

Table 16-1 Keywords in Secure Shell Configuration Files (A to Escape)

Keyword | Default Value | Location
--- | --- | ---
AllowGroups | No default | Server
AllowTcpForwarding | yes | Server
AllowUsers | No default | Server
AuthorizedKeysFile | ~/.ssh/authorized_keys | Server
Banner | /etc/issue | Server
Batchmode | no | Client
BindAddress | No default | Client
CheckHostIP | yes | Client
ChrootDirectory | no | Server
Cipher | blowfish, 3des | Client
Ciphers | aes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc, arcfour | Both
ClearAllForwardings | no | Client
ClientAliveCountMax | 3 | Server
ClientAliveInterval | 0 | Server
Compression | no | Both
CompressionLevel | No default | Client
ConnectionAttempts | 1 | Client
ConnectTimeout | System TCP timeout | Client
DenyGroups | No default | Server
DenyUsers | No default | Server
DisableBanner | no | Client
DynamicForward | No default | Client
EscapeChar | ~ | Client

Table 16-2 Keywords in Secure Shell Configuration Files (Fall to Local)

Keyword | Default Value | Location
--- | --- | ---
FallBackToRsh | no | Client
ForwardAgent | no | Client
ForwardX11 | no | Client
ForwardX11Trusted | yes | Client
GatewayPorts | no | Both
GlobalKnownHostsFile | /etc/ssh/ssh_known_hosts | Client
GSSAPIAuthentication | yes | Both
GSSAPIDelegateCredentials | no | Client
GSSAPIKeyExchange | yes | Both
GSSAPIStoreDelegateCredentials | yes | Server
HashKnownHosts | no | Client
Host | * (for more information, see Host-Specific Parameters in Secure Shell) | Client
HostbasedAuthentication | no | Both
HostbasedUsesNameFromPacketOnly | no | Server
HostKey | /etc/ssh/ssh_host_key | Server, v1
HostKey | /etc/ssh/host_rsa_key, /etc/ssh/host_dsa_key | Server
HostKeyAlgorithms | ssh-rsa, ssh-dss | Client
HostKeyAlias | No default | Client
HostName | No default | Client
IdentityFile | ~/.ssh/id_dsa, ~/.ssh/id_rsa | Client
IgnoreIfUnknown | No default | Client
IgnoreRhosts | yes | Server
IgnoreUserKnownHosts | yes | Server
KbdInteractiveAuthentication | yes | Both
KeepAlive | yes | Both
KeyRegenerationInterval | 3600 (seconds) | Server
ListenAddress | No default | Server
LocalForward | No default | Client

Table 16-3 Keywords in Secure Shell Configuration Files (Login to R)

Keyword | Default Value | Location
--- | --- | ---
LoginGraceTime | 120 (seconds) | Server
LogLevel | info | Both
LookupClientHostnames | yes | Server
MACs | hmac-sha1,hmac-md5 | Both
Match | No default | Server
MaxStartups | 10:30:60 | Server
NoHostAuthenticationForLocalHost | no | Client
NumberOfPasswordPrompts | 3 | Client
PAMServiceName | No default | Server
PAMServicePrefix | No default | Server
PasswordAuthentication | yes | Both
PermitEmptyPasswords | no | Server
PermitRootLogin | no | Server
PermitUserEnvironment | no | Server
PidFile | /system/volatile/sshd.pid | Server
Port | 22 | Both
PreferredAuthentications | hostbased,publickey,keyboard-interactive,password | Client
PreUserauthHook | No default | Server
PrintLastLog | yes | Server
PrintMotd | no | Server
Protocol | 2,1 | Both
ProxyCommand | No default | Client
PubkeyAuthentication | yes | Both
RekeyLimit | 1G to 4G | Client
RemoteForward | No default | Client
RhostsAuthentication | no | Server, v1
RhostsRSAAuthentication | no | Server, v1
RSAAuthentication | no | Server, v1

Table 16-4 Keywords in Secure Shell Configuration Files (S to X)

Keyword | Default Value | Location
--- | --- | ---
ServerAliveCountMax | 3 | Client
ServerAliveInterval | 0 | Client
ServerKeyBits | 512 to 768 | Server, v1
StrictHostKeyChecking | ask | Client
StrictModes | yes | Server
Subsystem | sftp /usr/lib/ssh/sftp-server | Server
SyslogFacility | auth | Server
UseFIPS140 | no | Both
UseOpenSSLEngine | yes | Both
UsePrivilegedPort | no | Both
User | No default | Client
UserKnownHostsFile | ~/.ssh/known_hosts | Client
UseRsh | no | Client
VerifyReverseMapping | no | Server
X11DisplayOffset | 10 | Server
X11Forwarding | yes | Server
X11UseLocalHost | yes | Server
XAuthLocation | /usr/bin/xauth | Both

Host-Specific Parameters in Secure Shell

If it is useful to have different Secure Shell characteristics for different local hosts, the administrator can define separate sets of parameters in the /etc/ssh/ssh_config file to be applied according to host or regular expression. This task is done by grouping entries in the file by Host keyword. If the Host keyword is not used, the entries in the client configuration file apply to whichever local host a user is working on.
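As an added example (not from the page or from the Solaris Secure Shell code), the following Python resolver models the Host grouping described above: entries before the first Host line apply to every host, each later block applies only to host names that match its pattern, and the first value obtained wins. The sample ssh_config text is constructed; glob matching via fnmatch and the first-match rule are assumptions taken from OpenSSH-style ssh_config behaviour, and negated (!) patterns are not handled.

```python
import fnmatch

# Constructed ssh_config-style text (not from the page). Entries before the
# first Host line apply to every host; later blocks apply only to matching hosts.
SAMPLE_SSH_CONFIG = """\
ForwardAgent no

Host build-*.example.com
    ForwardX11 yes
    IdentityFile ~/.ssh/id_build

Host *
    ForwardX11 no
    StrictHostKeyChecking ask
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {keyword: value}) blocks in file order.

    Entries seen before any Host keyword are collected under the pattern '*',
    so they apply to whichever host the user connects to.
    """
    blocks = []
    patterns, entries = ["*"], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, entries))
            patterns, entries = value.split(), {}
        else:
            entries.setdefault(key, value)  # first value within a block wins
    blocks.append((patterns, entries))
    return blocks


def resolve(blocks, hostname, keyword):
    """First-match-wins lookup (assumed OpenSSH semantics): the first block whose
    Host pattern matches hostname and that sets keyword supplies the value.
    Returns None when no matching block sets the keyword."""
    key = keyword.lower()
    for patterns, entries in blocks:
        if key in entries and any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            return entries[key]
    return None
```

Because the first match wins, a specific Host block placed after Host * would never be consulted for the keywords that the catch-all block already sets.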

Secure Shell and Login Environment Variables

When the following Secure Shell keywords are not set in the sshd_config file, they obtain their value from equivalent entries in the /etc/default/login file.

Entry in /etc/default/login | Keyword and Value in sshd_config
--- | ---
CONSOLE=* | PermitRootLogin=without-password
#CONSOLE=* | PermitRootLogin=yes
PASSREQ=YES | PermitEmptyPasswords=no
PASSREQ=NO | PermitEmptyPasswords=yes
#PASSREQ | PermitEmptyPasswords=no
TIMEOUT=secs | LoginGraceTime=secs
#TIMEOUT | LoginGraceTime=120
RETRIES and SYSLOG_FAILED_LOGINS | Apply only to password and keyboard-interactive authentication methods.
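As an added example (not from the page or from Solaris), the following Python function applies the mapping in the table above: it reads constructed /etc/default/login and sshd_config texts, lets an explicit sshd_config keyword win, and otherwise derives PermitRootLogin, PermitEmptyPasswords and LoginGraceTime from the login entries. A CONSOLE value other than * (or a commented-out entry) is not covered by the table, so the function refuses to guess and raises instead.

```python
import re

# Constructed sample files (not from the page). sshd_config sets none of the
# three keywords, so the /etc/default/login entries supply their values.
SAMPLE_LOGIN = "CONSOLE=*\nPASSREQ=NO\nTIMEOUT=300\n"
SAMPLE_SSHD_CONFIG = "Port 22\nProtocol 2\n"


def parse_default_login(text):
    """Return {NAME: value} for uncommented NAME=value lines; a '#' line is unset."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)=(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries


def parse_sshd_config(text):
    """Return {keyword_lower: value} for uncommented 'Keyword value' lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            entries.setdefault(parts[0].lower(), parts[1].strip())  # first wins
    return entries


def effective_login_settings(login_text, sshd_text):
    """Apply the mapping table: an explicit sshd_config keyword wins; otherwise
    the value is derived from /etc/default/login exactly as the table states."""
    login = parse_default_login(login_text)
    sshd = parse_sshd_config(sshd_text)
    derived = {}
    console = login.get("CONSOLE")
    if console is None:                      # #CONSOLE=*  -> PermitRootLogin=yes
        derived["PermitRootLogin"] = "yes"
    elif console == "*":                     # CONSOLE=*   -> without-password
        derived["PermitRootLogin"] = "without-password"
    else:                                    # not covered by the table: do not guess
        raise ValueError("CONSOLE=%s is not covered by the mapping table" % console)
    passreq = login.get("PASSREQ", "YES").upper()   # #PASSREQ behaves like YES
    derived["PermitEmptyPasswords"] = "yes" if passreq == "NO" else "no"
    derived["LoginGraceTime"] = login.get("TIMEOUT", "120")  # #TIMEOUT -> 120
    return {k: sshd.get(k.lower(), v) for k, v in derived.items()}
```

A PermitRootLogin or PermitEmptyPasswords value that was never written into sshd_config can therefore still differ from the sshd_config defaults in Table 16-3, which is worth remembering when auditing a host.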

When the following variables are set by the initialization scripts from the user's login shell, the sshd daemon uses those values. When the variables are not set, the daemon uses the default value.

TIMEZONE

Controls the setting of the TZ environment variable. When not set, the sshd daemon uses the value of TZ that was in effect when the daemon was started.

ALTSHELL

Controls the setting of the SHELL environment variable. The default is ALTSHELL=YES, where the sshd daemon uses the value of the user's shell. When ALTSHELL=NO, the SHELL value is not set.

PATH

Controls the setting of the PATH environment variable. When the value is not set, the default path is /usr/bin.

SUPATH

Controls the setting of the PATH environment variable for root. When the value is not set, the default path is /usr/sbin:/usr/bin.

For more information, see the login(1) and sshd(1M) man pages.