Managing Secure Shell Access in Oracle® Solaris 11.3

Updated: October 2019
 
 

How to Create User and Host Exceptions to Secure Shell Defaults

This procedure adds a conditional Match block after the global section of the /etc/ssh/sshd_config file. Keyword-value pairs that follow the Match line specify exceptions for the user, group, host, or address that the line matches.

Before You Begin

You must become an administrator who is assigned the solaris.admin.edit/etc/ssh/sshd_config authorization. By default, the root role has this authorization. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Open the /etc/ssh/sshd_config file for editing.
    # pfedit /etc/ssh/sshd_config
  2. Configure a user, group, host, or address to use different Secure Shell settings from the default settings.

    Place the Match blocks after the global settings.


    Note - The global section of the file might not always list the default settings. For the defaults, see the sshd_config(4) man page.

    For example, you might have users who should not be allowed to use TCP forwarding. In this configuration, any user in the group public and any user whose name begins with test cannot use TCP forwarding:

    ## sshd_config file
    ## Global settings
    
    # Example (default SunSSH values):
    #
    # Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   PubkeyAuthentication yes
    #   PasswordAuthentication yes
    #   FallBackToRsh no
    #   UseRsh no
    #   BatchMode no
    #   CheckHostIP yes
    #   StrictHostKeyChecking ask
    #   EscapeChar ~
    Match Group public
    AllowTcpForwarding no
    Match User test*
    AllowTcpForwarding no

    For information about the syntax of the Match keyword, see the sshd_config(4) man page.
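
Match blocks go after the global settings because a Match block runs until the next Match line or the end of the file, so any keyword added below one becomes conditional instead of global. The following Python example is added here and is not part of the Oracle documentation; it parses a constructed sample built from the configuration above and reports which blocks apply to a given user. The trailing X11Forwarding line and the names `parse`, `list_matches` and `blocks_for` are assumptions, only User and Group criteria are evaluated, and pattern matching is approximated with Python's `fnmatch`.

```python
import fnmatch

# Constructed sample: the procedure's two Match blocks, plus a hypothetical
# X11Forwarding line appended after them (assumption, for illustration).
SAMPLE = """\
## Global settings
AllowTcpForwarding yes
Match Group public
AllowTcpForwarding no
Match User test*
AllowTcpForwarding no
X11Forwarding yes
"""

def parse(text):
    """Split sshd_config text into (global settings, list of Match blocks)."""
    global_settings, blocks = {}, []
    target = global_settings  # keywords land here until the first Match line
    for raw in text.splitlines():
        keyword, value = (raw.strip().split(None, 1) + ["", ""])[:2]
        if not keyword or keyword.startswith("#"):
            continue
        if keyword.lower() == "match":
            words = value.split()
            criteria = dict(zip((w.lower() for w in words[0::2]), words[1::2]))
            target = {}  # every later keyword belongs to this block
            blocks.append((criteria, target))
        else:
            target[keyword.lower()] = value
    return global_settings, blocks

def list_matches(patterns, values):
    """Comma-separated pattern list with * and ?; a leading ! negates."""
    found = False
    for pat in patterns.split(","):
        negate, pat = pat.startswith("!"), pat.lstrip("!")
        if any(fnmatch.fnmatchcase(v, pat) for v in values):
            if negate:
                return False
            found = True
    return found

def blocks_for(text, user, groups):
    """Match blocks that apply to a user; Host/Address blocks are skipped."""
    facts = {"user": [user], "group": list(groups)}
    return [(c, s) for c, s in parse(text)[1] if c and all(
        k in facts and list_matches(p, facts[k]) for k, p in c.items())]

if __name__ == "__main__":
    print(blocks_for(SAMPLE, "test1", ["staff"]))
```

In the sample, the X11Forwarding line is filed under `Match User test*`, not under the global settings, which is the mistake to look for when reviewing an edited file.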