
Managing Secure Shell Access in Oracle® Solaris 11.3


Updated: October 2019

Secure Shell Configuration

The characteristics of a Secure Shell session are controlled by configuration files. Some keyword values in the configuration files can be overridden by options on the command line.

Client and Server Configuration in Secure Shell

Client configuration

In most cases, the client-side characteristics of a Secure Shell session are governed by the system-wide configuration file, /etc/ssh/ssh_config. The settings in the ssh_config file can be overridden by the user's configuration file, ~/.ssh/config. In addition, the user can override both configuration files on the command line.

The settings in the server's /etc/ssh/sshd_config file determine which client requests the server permits; a client option that the server does not allow is refused regardless of the client's configuration. For a list of server configuration settings, see the sshd_config(4) man page.

The keywords in the client configuration file are described in detail in the ssh(1), scp(1), sftp(1), and ssh_config(4) man pages.

Host-specific client configuration

Sometimes it is useful to have different Secure Shell characteristics for connections to different remote hosts. The administrator can define separate sets of parameters in the /etc/ssh/ssh_config file by grouping entries under Host keywords. Each group applies to the hosts that match one of the patterns following the keyword, where * and ? act as wildcards; the pattern is matched against the host name as given on the ssh command line, not against a canonicalized name. Because the first obtained value for each parameter is used, host-specific groups belong near the beginning of the file and general defaults (for example, under Host *) at the end. Entries that precede any Host keyword apply to all hosts.
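The following ssh_config fragment is an added example, not taken from the Oracle manual, showing the ordering rule in practice: host-specific groups first, a Host * group of defaults last. The host names and the choice of options are assumed for the illustration.

```sshconfig
# Added example (not from the Oracle manual); host names and options are assumed.
# The first value obtained for a keyword wins, so the specific Host groups come
# first and the catch-all "Host *" comes last.

Host bastion.example.com
    # Only key-based logins to the bastion, and never forward the agent to it.
    PasswordAuthentication no
    ForwardAgent no

Host *.lab.example.com
    # Lab systems are reinstalled often: keep their host keys in a separate
    # file so a changed lab key is never confused with a production host.
    UserKnownHostsFile ~/.ssh/known_hosts_lab
    StrictHostKeyChecking ask

Host *
    # Defaults for every other host. With StrictHostKeyChecking yes, a host
    # absent from /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts is refused
    # rather than added silently on first contact.
    StrictHostKeyChecking yes
    ForwardAgent no
    ForwardX11 no
```

Note that the bastion group does not repeat StrictHostKeyChecking: it falls through to the Host * value, which is the intended way to express defaults. Had the Host * group been placed first, its StrictHostKeyChecking yes would also have overridden the ask setting in the lab group.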

Server configuration

The server-side characteristics of a Secure Shell session are governed by the /etc/ssh/sshd_config file. For a full description of the keywords, see the sshd_config(4) man page.

Protecting the Secure Shell Configuration

Each host that needs to communicate securely with another host must have the server's public key stored in the local host's /etc/ssh/ssh_known_hosts file. Although a script could be used to update the /etc/ssh/ssh_known_hosts files, the practice is heavily discouraged: a script that collects keys over the network cannot tell the real server from an intruder answering in its place, so a bogus public key written into the file is trusted from then on and lets the intruder intercept later sessions to that host.

The /etc/ssh/ssh_known_hosts file should be distributed only by a secure mechanism as follows:

  • Over a secure connection, such as Secure Shell, IPsec, or Kerberized ftp from a known and trusted system

  • At system install time

To avoid the possibility of an intruder gaining access by inserting bogus public keys into a known_hosts file, use a known and trusted source of the ssh_known_hosts file. The file can be distributed during installation. Later, the current version can be copied with the scp command from that trusted system, over a connection whose own host key is already in the local file, so that the chain of trust is never broken.
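The following shell script is an added example, not part of the Oracle manual, showing what a safe update of /etc/ssh/ssh_known_hosts from a trusted master copy looks like once that copy has been fetched (for example with scp from the trusted system). It merges hosts that are new but refuses to overwrite the key of a host that is already known, since a changed key is exactly the symptom of a bogus key being inserted. The file names, host names and key strings are constructed for the demonstration, and the files are assumed to use plain (unhashed) host names.

```shell
#!/bin/sh
# Added example, not from the Oracle manual. Merge a trusted master copy of
# ssh_known_hosts into the local file without silently accepting a changed
# key for a host that is already known. Host names and keys below are
# constructed; the files are assumed to use plain, unhashed host names.
#
# known_hosts line format (sshd(1M)): hostnames keytype base64key [comment]
# "hostnames" is a comma-separated list, possibly with * and ? wildcards.

# Print "keytype base64key" recorded for HOST in FILE; status 1 if absent.
known_hosts_key() {
    kh_host=$1 kh_file=$2
    while read -r kh_names kh_type kh_key kh_rest || [ -n "$kh_names" ]; do
        case $kh_names in ''|\#*) continue ;; esac
        case ",$kh_names," in
        *",$kh_host,"*) printf '%s %s\n' "$kh_type" "$kh_key"; return 0 ;;
        esac
    done < "$kh_file"
    return 1
}

# Re-emit a parsed line, dropping empty trailing fields (works for comments too).
kh_emit() { printf '%s\n' "$1${2:+ $2}${3:+ $3}${4:+ $4}"; }

# Usage: known_hosts_merge MASTER CURRENT OUT [replace]
# OUT receives CURRENT plus every MASTER host that CURRENT lacks. A host whose
# MASTER key differs from its CURRENT key keeps the CURRENT key and is named on
# stderr, and the function returns 2 so the caller does not install OUT until
# the change has been confirmed out of band. With "replace" as the 4th argument
# the MASTER key wins and the function returns 0.
known_hosts_merge() {
    km_master=$1 km_current=$2 km_out=$3 km_policy=${4:-refuse} km_status=0
    : > "$km_out" || return 1
    # Pass 1: walk CURRENT, swapping in the MASTER key only in replace mode.
    while read -r names type key rest || [ -n "$names" ]; do
        case $names in
        '') continue ;;
        \#*) kh_emit "$names" "$type" "$key" "$rest" ;;
        *)
            host=${names%%,*}
            if new=$(known_hosts_key "$host" "$km_master") && [ "$new" != "$type $key" ]; then
                if [ "$km_policy" = replace ]; then
                    printf '%s %s%s\n' "$names" "$new" "${rest:+ $rest}"
                else
                    echo "known_hosts_merge: key for $host differs in $km_master; kept current key" >&2
                    km_status=2
                    kh_emit "$names" "$type" "$key" "$rest"
                fi
            else
                kh_emit "$names" "$type" "$key" "$rest"
            fi ;;
        esac
    done < "$km_current" >> "$km_out"
    # Pass 2: append MASTER entries for hosts that CURRENT does not know at all.
    while read -r names type key rest || [ -n "$names" ]; do
        case $names in ''|\#*) continue ;; esac
        known_hosts_key "${names%%,*}" "$km_current" > /dev/null && continue
        kh_emit "$names" "$type" "$key" "$rest"
    done < "$km_master" >> "$km_out"
    return $km_status
}

# Constructed scenario: web1 was rekeyed in MASTER, app1 is new, db1 unchanged.
known_hosts_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample, not real keys' \
        'web1.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EOLDKEY web1' \
        'db1.example.com ssh-rsa AAAAB3NzaC1yc2EDB1KEY db1' > "$d/current"
    printf '%s\n' 'web1.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2ENEWKEY web1' \
        'db1.example.com ssh-rsa AAAAB3NzaC1yc2EDB1KEY db1' \
        'app1.example.com ssh-rsa AAAAB3NzaC1yc2EAPP1KEY app1' > "$d/master"
    rc=0; known_hosts_merge "$d/master" "$d/current" "$d/merged" || rc=$?
    echo "merge status $rc (2 expected: web1 kept its current key); result:"
    cat "$d/merged"
    rm -rf "$d"
}
```

Run known_hosts_demo after sourcing the file to see the refusal, then repeat the merge with replace as the fourth argument once the new web1 key has been confirmed with the administrator of that host. Hashed known_hosts entries (HashKnownHosts) are not handled by the lookup above; they would have to be compared with ssh-keygen -F instead.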

Login Environment Variables and Secure Shell Implementations

SunSSH fills in certain keywords that are left unset in sshd_config from the corresponding /etc/default/login entries, and it honors the login environment variables described below. OpenSSH honors only the PATH variable.

In SunSSH, when the keywords in the following table are not set in the sshd_config file, they obtain their value from the equivalent entries in the /etc/default/login file. Setting the keyword explicitly in sshd_config overrides the /etc/default/login entry.

Note -  OpenSSH does not use the values from this file.

Entry in /etc/default/login         Keyword and Value in sshd_config
CONSOLE=*                           PermitRootLogin=without-password
#CONSOLE=*                          PermitRootLogin=yes
PASSREQ=YES                         PermitEmptyPasswords=no
PASSREQ=NO                          PermitEmptyPasswords=yes
#PASSREQ                            PermitEmptyPasswords=no
TIMEOUT=seconds                     LoginGraceTime=seconds
#TIMEOUT                            LoginGraceTime=120
RETRIES and SYSLOG_FAILED_LOGINS    Apply only to password and keyboard-interactive authentication methods

To see a full list of optional values for these keywords, see the sshd_config(4) man page.
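The script below is an added example, not part of the Oracle manual, that applies the table above to a pair of files and reports the value SunSSH ends up using for PermitRootLogin, PermitEmptyPasswords and LoginGraceTime. The point it makes is the one a hardening review cares about: a keyword that is merely commented out in sshd_config does not get a safe default but whatever /etc/default/login implies, so PermitRootLogin=yes can be in effect without appearing in sshd_config. The table's CONSOLE=* is read here as "CONSOLE set to any value", and the file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle manual. Compute the value SunSSH uses for
# PermitRootLogin, PermitEmptyPasswords and LoginGraceTime when the keyword is
# absent from sshd_config and the fallback comes from /etc/default/login, per
# the table above (CONSOLE=* is read as "CONSOLE set to any value").
# The sample file contents in the demo are constructed.

# Print the value of NAME from FILE; status 1 if unset or commented out.
# Accepts "Name value", "Name=value" and "Name = value"; the first match wins
# and the name compares case-insensitively, as sshd_config keywords do.
config_value() {
    cv_want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') cv_file=$2
    while read -r cv_key cv_val cv_rest || [ -n "$cv_key" ]; do
        case $cv_key in ''|\#*) continue ;; esac
        case $cv_key in *=*) cv_val=${cv_key#*=}; cv_key=${cv_key%%=*} ;; esac
        [ "$cv_val" = '=' ] && cv_val=${cv_rest%% *}
        cv_val=${cv_val#=}
        [ "$(printf '%s' "$cv_key" | tr '[:upper:]' '[:lower:]')" = "$cv_want" ] || continue
        [ -n "$cv_val" ] || return 1      # "NAME=" with no value counts as unset
        printf '%s\n' "$cv_val"; return 0
    done < "$cv_file"
    return 1
}

# Usage: sshd_effective KEYWORD SSHD_CONFIG DEFAULT_LOGIN
# Prints the effective value for SunSSH; status 1 for a keyword not covered here.
sshd_effective() {
    se_kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if se_v=$(config_value "$1" "$2"); then
        printf '%s\n' "$se_v"; return 0         # set explicitly in sshd_config
    fi
    case $se_kw in
    permitrootlogin)        # CONSOLE set -> without-password; commented out -> yes
        if config_value CONSOLE "$3" > /dev/null; then echo without-password; else echo yes; fi ;;
    permitemptypasswords)   # only PASSREQ=NO allows empty passwords
        if [ "$(config_value PASSREQ "$3")" = NO ]; then echo yes; else echo no; fi ;;
    logingracetime)         # TIMEOUT=seconds, otherwise the 120-second default
        if se_t=$(config_value TIMEOUT "$3"); then echo "$se_t"; else echo 120; fi ;;
    *) return 1 ;;
    esac
}

# One line per keyword, flagging the two combinations a review should not let through.
sshd_login_audit() {
    for kw in PermitRootLogin PermitEmptyPasswords LoginGraceTime; do
        v=$(sshd_effective "$kw" "$1" "$2")
        case "$kw=$v" in
        PermitRootLogin=yes|PermitEmptyPasswords=yes) flag=' <-- review' ;;
        *) flag='' ;;
        esac
        printf '%-21s %s%s\n' "$kw" "$v" "$flag"
    done
}

# Constructed scenario: sshd_config leaves PermitRootLogin commented out and
# /etc/default/login has CONSOLE commented out, so root may log in by password.
sshd_login_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sshd_config' 'Protocol 2' 'LoginGraceTime 60' \
        '#PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' '# constructed /etc/default/login' '#CONSOLE=/dev/console' \
        'PASSREQ=YES' 'TIMEOUT=300' > "$d/login"
    sshd_login_audit "$d/sshd_config" "$d/login"
    rm -rf "$d"
}
```

On a live system the call is sshd_login_audit /etc/ssh/sshd_config /etc/default/login. The fallback logic applies to SunSSH only; under OpenSSH the same unset keywords take that daemon's own built-in defaults, as the note above states.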

When the following login variables are set, the sshd daemon uses those values; when they are not set, the daemon uses the default given for each.

TIMEZONE

Controls the setting of the TZ environment variable. When TIMEZONE is not set, the sshd daemon uses the value that TZ had when the daemon was started.

ALTSHELL

Controls the setting of the SHELL environment variable. The default is ALTSHELL=YES, where the sshd daemon uses the value of the user's shell. When ALTSHELL=NO, the SHELL value is not set.

PATH

Controls the setting of the PATH environment variable. When the value is not set, the default path is /usr/bin.


Note -  The OpenSSH sshd daemon uses this variable. It does not support other initialization variables from a user's login shell.
SUPATH

Controls the setting of the PATH environment variable for root. When the value is not set, the default path is /usr/sbin:/usr/bin.

For more information, see the login(1) and sshd(1M) man pages.