System Administration Guide: Security Services

Keywords in Solaris Secure Shell

The following tables list the keywords and their default values, if any. The keywords are in alphabetical order. Client keywords are set in the ssh_config file. Server keywords are set in the sshd_config file. Some keywords are set in both files. If a keyword applies to only one protocol version, the version is listed.

Table 20–1 Keywords in Solaris Secure Shell Configuration Files (A to Escape)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| AllowGroups | No default. | Server | |
| AllowTcpForwarding | yes | Server | |
| AllowUsers | No default. | Server | |
| AuthorizedKeysFile | ~/.ssh/authorized_keys | Server | |
| Banner | /etc/issue | Server | |
| Batchmode | no | Client | |
| BindAddress | No default. | Client | |
| CheckHostIP | yes | Client | |
| Cipher | blowfish, 3des | Client | v1 |
| Ciphers | aes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc, arcfour | Both | v2 |
| ClearAllForwardings | No default. | Client | |
| ClientAliveInterval | 0 | Server | v2 |
| ClientAliveCountMax | 3 | Server | v2 |
| Compression | yes | Both | |
| CompressionLevel | No default. | Client | |
| ConnectionAttempts | 1 | Client | |
| DenyGroups | No default. | Server | |
| DenyUsers | No default. | Server | |
| DynamicForward | No default. | Client | |
| EscapeChar | ~ | Client | |

Table 20–2 Keywords in Solaris Secure Shell Configuration Files (Fall to Local)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| FallBackToRsh | no | Client | |
| ForwardAgent | no | Client | |
| ForwardX11 | no | Client | |
| GatewayPorts | no | Both | |
| GlobalKnownHostsFile | /etc/ssh/ssh_known_hosts | Client | |
| GSSAPIAuthentication | yes | Both | v2 |
| GSSAPIDelegateCredentials | no | Client | v2 |
| GSSAPIKeyExchange | yes | Both | v2 |
| GSSAPIStoreDelegateCredentials | no | Client | v2 |
| Host | * For more information, see Host-Specific Parameters in Solaris Secure Shell. | Client | |
| HostbasedAuthentication | no | Both | v2 |
| HostbasedUsesNamesFromPacketOnly | no | Server | v2 |
| HostKey | /etc/ssh/ssh_host_key | Server | v1 |
| HostKey | /etc/ssh/host_rsa_key, /etc/ssh/host_dsa_key | Server | v2 |
| HostKeyAlgorithms | ssh-rsa, ssh-dss | Client | v2 |
| HostKeyAlias | No default. | Client | v2 |
| IdentityFile | ~/.ssh/identity | Client | v1 |
| IdentityFile | ~/.ssh/id_dsa, ~/.ssh/id_rsa | Client | v2 |
| IgnoreRhosts | yes | Server | |
| IgnoreUserKnownHosts | yes | Server | |
| KbdInteractiveAuthentication | yes | Both | |
| KeepAlive | yes | Both | |
| KeyRegenerationInterval | 3600 (seconds) | Server | |
| ListenAddress | No default. | Server | |
| LocalForward | No default. | Client | |

Table 20–3 Keywords in Solaris Secure Shell Configuration Files (Login to R)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| LoginGraceTime | 600 (seconds) | Server | |
| LogLevel | info | Both | |
| LookupClientHostname | yes | Server | |
| MACs | hmac-sha1,hmac-md5 | Both | v2 |
| MaxAuthTries | 6 | Server | |
| MaxAuthTriesLog | | Server | |
| MaxStartups | 10:30:60 | Server | |
| NoHostAuthenticationForLocalHost | no | Client | |
| NumberOfPasswordPrompts | 3 | Client | |
| PAMAuthenticationViaKBDInt | yes | Server | v2 |
| PasswordAuthentication | yes | Both | |
| PermitEmptyPasswords | no | Server | |
| PermitRootLogin | no | Server | |
| PermitUserEnvironment | no | Server | |
| PreferredAuthentications | gssapi-keyex, gssapi-with-mic, hostbased, publickey, keyboard-interactive, password | Client | v2 |
| Port | 22 | Both | |
| PrintMotd | no | Server | |
| Protocol | 2 | Both | |
| ProxyCommand | No default. | Client | |
| PubkeyAuthentication | yes | Both | v2 |
| RemoteForward | No default. | Client | |
| RhostsAuthentication | no | Both | v1 |
| RhostsRSAAuthentication | no | Both | v1 |
| RSAAuthentication | no | Both | v1 |

Table 20–4 Keywords in Solaris Secure Shell Configuration Files (S to X)

| Keyword | Default Value | Location | Protocol |
|---|---|---|---|
| ServerKeyBits | 768 | Server | |
| StrictHostKeyChecking | ask | Client | |
| StrictModes | yes | Server | |
| Subsystem | sftp /usr/lib/ssh/sftp-server | Server | |
| SyslogFacility | auth | Server | |
| UseLogin | no. Deprecated and ignored. | Server | |
| UseOpenSSLEngine | yes | Both | v2 |
| User | No default. | Client | |
| UserKnownHostsFile | ~/.ssh/known_hosts | Client | |
| VerifyReverseMapping | no | Server | |
| X11Forwarding | yes | Server | |
| X11DisplayOffset | 10 | Server | |
| X11UseLocalHost | yes | Server | |
| XAuthLocation | /usr/openwin/bin/xauth | Both | |

Host-Specific Parameters in Solaris Secure Shell

If it is useful to have different Solaris Secure Shell characteristics for different local hosts, the administrator can define separate sets of parameters in the /etc/ssh/ssh_config file to be applied according to host or regular expression. This task is done by grouping entries in the file by Host keyword. If the Host keyword is not used, the entries in the client configuration file apply to whichever local host a user is working on.

Solaris Secure Shell and Login Environment Variables

When the following Solaris Secure Shell keywords are not set in the sshd_config file, they get their value from equivalent entries in the /etc/default/login file:

| Entry in /etc/default/login | Keyword and Value in sshd_config |
|---|---|
| CONSOLE=* | PermitRootLogin=without-password |
| #CONSOLE=* | PermitRootLogin=yes |
| PASSREQ=YES | PermitEmptyPasswords=no |
| PASSREQ=NO | PermitEmptyPasswords=yes |
| #PASSREQ | PermitEmptyPasswords=no |
| TIMEOUT=secs | LoginGraceTime=secs |
| #TIMEOUT | LoginGraceTime=300 |
| RETRIES and SYSLOG_FAILED_LOGINS | Apply only to password and keyboard-interactive authentication methods. |
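
The mapping above can be checked mechanically when auditing a host. The following is an added example, not code from the original guide: a small Python script that reports the effective PermitRootLogin, PermitEmptyPasswords and LoginGraceTime values and which file each one came from. The function names and the two sample files are constructed for illustration.

```python
import re

def active_settings(text, lower_keys=False):
    """Parse 'KEY=value' / 'Keyword value' lines; skip blanks and # comments."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        key = parts[0].lower() if lower_keys else parts[0]
        # Simplification: keep the first occurrence of a repeated key.
        found.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return found

def inherited_from_login(login):
    """Apply the /etc/default/login mapping from the table above."""
    passreq = login.get("PASSREQ", "").upper()
    return {
        "PermitRootLogin": "without-password" if "CONSOLE" in login else "yes",
        "PermitEmptyPasswords": "yes" if passreq == "NO" else "no",
        "LoginGraceTime": login.get("TIMEOUT", "300"),
    }

def effective(sshd_text, login_text):
    """Return {keyword: (value, source)} for the three inherited keywords."""
    sshd = active_settings(sshd_text, lower_keys=True)  # keywords: any case
    result = {}
    for kw, value in inherited_from_login(active_settings(login_text)).items():
        if kw.lower() in sshd:
            result[kw] = (sshd[kw.lower()], "sshd_config")
        else:
            result[kw] = (value, "/etc/default/login")
    return result

# Constructed sample files, not taken from a real system.
SSHD_SAMPLE = """\
Protocol 2
PermitEmptyPasswords no
"""
LOGIN_SAMPLE = """\
#CONSOLE=/dev/console
PASSREQ=NO
TIMEOUT=120
"""

if __name__ == "__main__":
    for kw, (value, source) in effective(SSHD_SAMPLE, LOGIN_SAMPLE).items():
        print(f"{kw:22} {value:18} from {source}")
```

In the sample, the commented-out CONSOLE entry leaves PermitRootLogin at yes because sshd_config does not set it, while the explicit PermitEmptyPasswords no in sshd_config takes precedence over PASSREQ=NO.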

When the following variables are set by the initialization scripts from the user's login shell, the sshd daemon uses those values. When the variables are not set, the daemon uses the default value.

TIMEZONE

Controls the setting of the TZ environment variable. When not set, the sshd daemon uses the value of TZ from when the daemon was started.

ALTSHELL

Controls the setting of the SHELL environment variable. The default is ALTSHELL=YES, where the sshd daemon uses the value of the user's shell. When ALTSHELL=NO, the SHELL value is not set.

PATH

Controls the setting of the PATH environment variable. When the value is not set, the default path is /usr/bin.

SUPATH

Controls the setting of the PATH environment variable for root. When the value is not set, the default path is /usr/sbin:/usr/bin.

For more information, see the login(1) and sshd(1M) man pages.