The characteristics of a Secure Shell session are controlled by configuration files. Some keyword values in the configuration files can be overridden by options on the command line.
In most cases, the client-side characteristics of a Secure Shell session are governed by the system-wide configuration file, /etc/ssh/ssh_config. The settings in the ssh_config file can be overridden by the user's configuration file, ~/.ssh/config. In addition, the user can override both configuration files on the command line.
The settings in the server's /etc/ssh/sshd_config file determine which client requests are permitted by the server. For a list of server configuration settings, see the sshd_config(4) man page.
The keywords in the client configuration file are described in detail in the ssh(1), scp(1), sftp(1), and ssh_config(4) man pages.
Sometimes, having different Secure Shell characteristics for different local hosts is useful. The administrator can define separate sets of parameters in the /etc/ssh/ssh_config file to be applied according to host or regular expression by grouping entries in the file by Host keyword. If the Host keyword is not used, the entries in the client configuration file apply to the local system.
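The following added example (not part of the original documentation) resolves the effective client settings for one host from the command line, the user's file, and the system-wide file, in that order of precedence. It assumes the ssh_config(4) behaviour that the first value obtained for a keyword is used and that Host patterns use the `*` and `?` wildcards; the function names, host names, and file contents are constructed for illustration.

```python
import fnmatch

# Constructed sample contents for /etc/ssh/ssh_config and ~/.ssh/config.
SYSTEM_CONFIG = """\
Host *.lab.example.com
    ForwardX11 yes
    Port 2222
Host *
    ForwardX11 no
    StrictHostKeyChecking yes
"""
USER_CONFIG = """\
# per-user overrides
Host build?.lab.example.com
    Port 2200
    StrictHostKeyChecking no
"""

def parse(text):
    """Return [(host_patterns, keyword, value)] in file order.
    Only the whitespace-separated 'Keyword value' form is handled."""
    entries, patterns = [], ["*"]  # entries before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = line.split(None, 1)
        if keyword.lower() == "host":
            patterns = value.split()  # starts a new group of entries
        else:
            entries.append((patterns, keyword.lower(), value.strip()))
    return entries

def effective(host, cli_options, user_text, system_text):
    """Map each keyword to (value, source) for the given host.
    Sources are consulted in precedence order and the first value obtained wins."""
    result = {k.lower(): (v, "command line") for k, v in cli_options.items()}
    sources = (("~/.ssh/config", user_text), ("/etc/ssh/ssh_config", system_text))
    for source, text in sources:
        for patterns, keyword, value in parse(text):
            # fnmatchcase approximates the '*' and '?' wildcard matching
            if keyword not in result and any(fnmatch.fnmatchcase(host, p) for p in patterns):
                result[keyword] = (value, source)
    return result

if __name__ == "__main__":
    for name in ("build1.lab.example.com", "build10.lab.example.com", "db.example.org"):
        print(name, effective(name, {}, USER_CONFIG, SYSTEM_CONFIG))
```

Because the user's file is read before the system-wide file, a value such as StrictHostKeyChecking in /etc/ssh/ssh_config is only a default for the client; restrictions that must hold belong in the server's sshd_config file.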
The server-side characteristics of a Secure Shell session are governed by the /etc/ssh/sshd_config file. For a full description of the keywords, see the sshd_config(4) man page.
Each host that needs to communicate securely with another host must have the server's public key stored in the local host's /etc/ssh/ssh_known_hosts file. Although a script could be used to update the /etc/ssh/ssh_known_hosts files, such a practice is heavily discouraged because a script opens a major security vulnerability.
The /etc/ssh/ssh_known_hosts file should be distributed only by a secure mechanism as follows:
Over a secure connection, such as Secure Shell, IPsec, or Kerberized ftp from a known and trusted system
At system install time
To avoid the possibility of an intruder gaining access by inserting bogus public keys into a known_hosts file, you should use a known and trusted source of the ssh_known_hosts file. The ssh_known_hosts file can be distributed during installation. Later, scripts that use the scp command can be used to copy the latest version.
SunSSH supports login environment variables from the /etc/default/login entries for unset keyword values and uses the environment variables that users set in their login shell. OpenSSH can use only the PATH variable from a user's login shell.
In SunSSH, when the following keywords are not set in the sshd_config file, they obtain their value from equivalent entries in the /etc/default/login file. In the sshd_config file, you can modify values for the keywords pertaining to logins in the following table.
To see a full list of optional values for these keywords, see the sshd_config(4) man page.
When the following variables are set by the initialization scripts from the user's login shell, the sshd daemon uses those values. When the variables are not set, the daemon uses the default value.
Controls the setting of the TZ environment variable. When not set, the sshd daemon uses the value of TZ from when the daemon was started.
Controls the setting of the SHELL environment variable. The default is ALTSHELL=YES, where the sshd daemon uses the value of the user's shell. When ALTSHELL=NO, the SHELL value is not set.
Controls the setting of the PATH environment variable. When the value is not set, the default path is /usr/bin.
Controls the setting of the PATH environment variable for root. When the value is not set, the default path is /usr/sbin:/usr/bin.
For more information, see the login(1) and sshd(1M) man pages.