.\" -*- nroff -*-
.\"
.\" sshd2_subconfig.5
.\"
.\" Author: Sami Lehtinen
.\"
.\" Created: Sat Mar 30 05:21:25 2002
.\"
.\" Copyright (C) 2002 SSH Communications Security, Finland
.\" All rights reserved
.\"
.TH SSHD2_SUBCONFIG 5 "May 16, 2002" "SSH2" "SSH2"
.SH NAME
sshd2_subconfig \- advanced configuration of sshd2
.SH DESCRIPTION
.LP
You can also specify configuration options in so-called subconfiguration
files, which have the same basic format as the main configuration file.
The process forked to handle the user's connection reads these files.
They are read at run-time, so if they are modified, it is not necessary
to restart the server process.
If parsing of a subconfiguration file fails, the server terminates the
connection (for a host-specific subconfig) or denies access (for a
user-specific subconfig).
Most of the configuration options that work in the main file also work
in these, but some do not, where it either does not make sense to set
them (e.g.
.B ListenAddress
and
.BR Port ,
which only affect the daemon process listening on the port, and would
not affect that behaviour in any way in a subconfiguration file) or it
would be confusing (e.g.
.B AllowUsers
in a user-specific subconfiguration, and
.B AllowHosts
in a host-specific subconfiguration).
The value for the
.B {Host,User}SpecificConfig
keywords is a pattern-filename pair, separated by whitespace.
With
.BR UserSpecificConfig ,
the pattern is of the format "\fIuser\fB[\fI%group\fB][\fI@host\fB]\fR",
where the pattern
.I user
is matched against the user name and UID,
.I group
is matched against the user's primary and any secondary groups, both
group name and GID, and
.I host
is matched as described under the option
.BR AllowHosts .
With
.BR HostSpecificConfig ,
the pattern is "\fIhost\fR" (as in
.BR UserSpecificConfig ).
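.LP
The matching rule just described, modelled as an added Python example
(this is illustration code, not code from sshd2 or this manual).
It assumes that patterns are file-glob style as accepted by
.BR sshregex (1)
and approximates them with Python's fnmatch; the user record, the
.B UserSpecificConfig
pairs and the file names are constructed, and the two keyword sets are
the lists from the OPTIONS section of this page, so the same code can
also report keywords that are not valid in a user-specific or
host-specific file.

```python
"""Model of the sshd2 subconfiguration pattern match and keyword placement.

Added illustration, not code from sshd2. Assumption: patterns are
file-glob style (as sshregex(1) accepts) and are approximated here with
Python's fnmatch; the user record and config lines below are constructed.
"""
import fnmatch
from dataclasses import dataclass

# Keywords valid everywhere (main file, user-specific and host-specific
# subconfig), as listed under OPTIONS in this manual page.
EVERYWHERE = {
    "AllowShosts", "AllowTcpForwarding", "AllowedAuthentications",
    "AuthInteractiveFailureTimeout", "AuthKbdInt.NumOptional",
    "AuthKbdInt.Optional", "AuthKbdInt.Plugin", "AuthKbdInt.Required",
    "AuthKbdInt.Retries", "AuthorizationFile", "AuthPublicKey.MaxSize",
    "AuthPublicKey.MinSize", "Cert.RSA.Compat.HashScheme", "CheckMail",
    "DenyShosts", "FascistLogging", "ForwardAgent", "ForwardX11",
    "HostbasedAuthForceClientHostnameDNSMatch", "IdleTimeout",
    "IgnoreRhosts", "IgnoreRootRhosts", "PasswdPath", "PasswordGuesses",
    "PermitEmptyPasswords", "PrintMOTD", "QuietMode",
    "RekeyIntervalSeconds", "RequiredAuthentications", "SecurIdGuesses",
    "SettableEnvironmentVars", "SftpSysLogFacility", "StrictModes",
    "SysLogFacility", "UserConfigDirectory", "UserKnownHosts",
    "VerboseMode",
}
# Keywords valid only in the host-specific subconfig and the main file.
HOST_AND_MAIN = {
    "AllowGroups", "AllowTcpForwardingForGroups",
    "AllowTcpForwardingForUsers", "AllowUsers", "BannerMessageFile",
    "ChrootGroups", "ChrootUsers", "Ciphers", "DenyGroups",
    "DenyTcpForwardingForGroups", "DenyTcpForwardingForUsers",
    "DenyUsers", "DisableVersionFallback",
    "ExternalAuthorizationProgram", "ForwardACL", "LoginGraceTime",
    "MACs", "PermitRootLogin", "SSH1Compatibility", "Sshd1ConfigFile",
    "Sshd1Path",
}


@dataclass
class UserInfo:
    """What sshd2 learns about the user before reading user subconfigs."""
    name: str
    uid: int
    groups: dict      # group name -> GID, primary and secondary groups
    host: str         # client host as it would be matched by AllowHosts


def _glob(pattern, *candidates):
    # Assumption: glob matching stands in for sshregex(1) patterns.
    return any(fnmatch.fnmatchcase(str(c), pattern) for c in candidates)


def split_pattern(pattern):
    """Split 'user[%group][@host]' into (user, group, host); absent -> None."""
    host = group = None
    if "@" in pattern:
        pattern, host = pattern.split("@", 1)
    if "%" in pattern:
        pattern, group = pattern.split("%", 1)
    return pattern, group, host


def match_user_pattern(pattern, user):
    """True when every part present in the pattern matches the user."""
    user_pat, group_pat, host_pat = split_pattern(pattern)
    if not _glob(user_pat, user.name, user.uid):      # user name or UID
        return False
    if group_pat is not None and not any(             # any group, name or GID
            _glob(group_pat, name, gid) for name, gid in user.groups.items()):
        return False
    if host_pat is not None and not _glob(host_pat, user.host):
        return False
    return True


def select_subconfigs(user_specific_config, user):
    """Filenames of UserSpecificConfig pairs whose pattern matches, in order."""
    return [fname for pat, fname in user_specific_config
            if match_user_pattern(pat, user)]


def misplaced_keywords(category, keywords):
    """Keywords that are not valid in a subconfig file of the given category."""
    allowed = EVERYWHERE | (HOST_AND_MAIN if category == "host" else set())
    return sorted(k for k in keywords if k not in allowed)


# Constructed UserSpecificConfig pairs (pattern, file) and a constructed user.
USER_SPECIFIC_CONFIG = [
    ("*%admins", "/etc/ssh2/subconfig/admins.example"),
    ("*@*.example.com", "/etc/ssh2/subconfig/internal.example"),
    ("guest*", "/etc/ssh2/subconfig/guest.example"),
]
ALICE = UserInfo("alice", 1001, {"users": 100, "admins": 10}, "ws1.example.com")

if __name__ == "__main__":
    print(select_subconfigs(USER_SPECIFIC_CONFIG, ALICE))
    print(misplaced_keywords("user", ["AllowedAuthentications", "AllowUsers", "Port"]))
```

.LP
Note that a user pattern such as "10*" matches on the UID as well as on
the name, and a group pattern is satisfied by any one of the user's
groups; a missing part of the pattern (no %group or @host) simply
does not constrain the match.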
Unlike
.IR sshd2_config ,
the subconfig files may have configuration blocks, or stanzas, in them
(in
.BR ssh2_config (5)
they are used per-host, but the matching is done as a straight
regex-match against what was given on the command line).
The subconfiguration heading is interpreted identically to what is
described above, i.e. with
.B UserSpecificConfig
the pattern is of the format "\fIuser\fB[\fI%group\fB][\fI@host\fB]\fR",
and with
.B HostSpecificConfig
the format is "\fIhost\fR".
.LP
The subconfiguration files are divided into two categories:
user-specific and host-specific.
User-specific subconfiguration files are read when the client has stated
the user name it is trying to log in with.
At this point, the server obtains additional information about the
user: whether the user exists, what the user's UID is, and which groups
the user belongs to.
With this information, the server can read the user-specific
configuration files specified by
.B UserSpecificConfig
in the main sshd2 configuration file.
.LP
The other category is host-specific configuration files, which are
configured with the
.B HostSpecificConfig
variable.
These files are read immediately after the daemon has forked a new
process to handle the connection.
Thus most configuration options can be set in these.
.LP
Note that it is possible to mix these configuration files.
This is not recommended, because any global settings in these files
would be set multiple times (which would not do any harm per se, but
might lead to behaviour not intended by the administrator).
.LP
Subconfigurations are really flexible (and because of that, dangerous
if the logic of the files is not carefully planned).
You can specify different authentication methods for different users,
different banner messages for people coming from certain hosts, and set
log messages of certain groups to go to different files.
There are a
.I lot
of possibilities here.
.SH OPTIONS
.LP
Configuration variables that work everywhere, i.e.
in the main file, the user-specific, and the host-specific configuration
files:
.RS
.LP
.PD 0
.B AllowShosts
.LP
.B AllowTcpForwarding
.LP
.B AllowedAuthentications
.LP
.B AuthInteractiveFailureTimeout
.LP
.B AuthKbdInt.NumOptional
.LP
.B AuthKbdInt.Optional
.LP
.B AuthKbdInt.Plugin
.LP
.B AuthKbdInt.Required
.LP
.B AuthKbdInt.Retries
.LP
.B AuthorizationFile
.LP
.B AuthPublicKey.MaxSize
.LP
.B AuthPublicKey.MinSize
.LP
.B Cert.RSA.Compat.HashScheme
.LP
.B CheckMail
.LP
.B DenyShosts
.LP
.B FascistLogging
.LP
.B ForwardAgent
.LP
.B ForwardX11
.LP
.B HostbasedAuthForceClientHostnameDNSMatch
.LP
.B IdleTimeout
.LP
.B IgnoreRhosts
.LP
.B IgnoreRootRhosts
.LP
.B PasswdPath
.LP
.B PasswordGuesses
.LP
.B PermitEmptyPasswords
.LP
.B PrintMOTD
.LP
.B QuietMode
.LP
.B RekeyIntervalSeconds
.LP
.B RequiredAuthentications
.LP
.B SecurIdGuesses
.LP
.B SettableEnvironmentVars
.LP
.B SftpSysLogFacility
.LP
.B StrictModes
.LP
.B SysLogFacility
.LP
.B UserConfigDirectory
.LP
.B UserKnownHosts
.LP
.B VerboseMode
.RE
.PD
.LP
Variables that work in the host-specific configuration file and the main
file:
.RS
.LP
.PD 0
.B AllowGroups
.LP
.B AllowTcpForwardingForGroups
.LP
.B AllowTcpForwardingForUsers
.LP
.B AllowUsers
.LP
.B BannerMessageFile
.LP
.B ChrootGroups
.LP
.B ChrootUsers
.LP
.B Ciphers
.LP
.B DenyGroups
.LP
.B DenyTcpForwardingForGroups
.LP
.B DenyTcpForwardingForUsers
.LP
.B DenyUsers
.LP
.B DisableVersionFallback
.LP
.B ExternalAuthorizationProgram
.LP
.B ForwardACL
.LP
.B LoginGraceTime
.LP
.B MACs
.LP
.B PermitRootLogin
.LP
.B SSH1Compatibility
.LP
.B Sshd1ConfigFile
.LP
.B Sshd1Path
.RE
.PD
.LP
There will also be configuration variables specific to subconfigurations
that will not be valid in the main file.
Watch this space.
.\" .SH EXAMPLES
.\" .LP
.\" XXX
.SH AUTHORS
.LP
SSH Communications Security Corp.
For more information, see http://www.ssh.com.
.SH SEE ALSO
.BR sshd2_config (5),
.BR sshd2 (8),
.BR sshd-check-conf (5),
.BR sshregex (1)