SSHD.USER.CONF(5) System File Formats Manual SSHD.USER.CONF(5)
NAME
sshd.user.conf - configuration for Interop Secure Shell's (ISSH)
additional controls
SYNOPSIS
/usr/local/etc/sshd.user.conf
DESCRIPTION
The sshd.user.conf file provides per-user and per-group access controls
for the Interop Secure Shell (ISSH) server. While global policies, such
as the time of day a user or group may connect, are governed by informa-
tion in the user database (i.e. Active Directory), ISSH-specific
behavior can be governed with the sshd.user.conf file.
A brief description of these settings is also contained in the installed
sshd.user.conf file for quick reference.
As you will observe in the installed file, a line is a comment when it
starts in the leftmost column with a "#" character. Otherwise the first
datum on a line is expected to be either a username or a groupname.
Usernames and groupnames can be specified in short form (just the name)
or as a Fully Qualified User Name (FQUN). A FQUN is the username or
groupname prefixed with the domainname and a "+". For example,
"WIZARD+harry" specifies the user "harry" in the domain "WIZARD". For
matching purposes domainnames are almost always in capitals, while user-
names and groupnames are as entered into the user database (i.e. Active
Directory (AD)). The name is followed by whitespace (a blank or a tab)
and then the specific options selected for this user or group.
Options are specified in the same way as options are given to a utility
at a shell command prompt; in fact the getopt(3) function is used to do
the parsing. This means that options do not have to appear in any spe-
cial order, that the notation is familiar, and that some options can
appear more than once (as noted specifically).
If a selected option is not being enforced for a particular user or
group, check that the spelling of the username or groupname matches the
output of the id(1) command with the '-D' option, and remember that this
is case sensitive. Also check that an option and/or its operands are
correctly specified.
Options are obeyed in a leftmost to rightmost order. If an option forces
a selection of "allow" or "refuse" access then the first to match will
win. For example, mixing the '-a' and '-d' options should be carefully
crafted. You may specify a username or group on a line with no options
at all following the whitespace after the name.
Username and groupname matching happens in a top to bottom order through
the file. If a user belongs to a listed group and the user's username is
also listed then the first match will be used. A special name of "*"
indicates a line with options for any user that does not match any other
line with a username or groupname. The special name will be processed
last, regardless of its position in the file.
The options are as follows:
-a IPmask
This option may be specified one or more times. It specifies an
Internet address mask that the user or group can connect from. If
the machine that the user is connecting from matches the IPmask
mask then the user is allowed to connect. For example, the mask
198.1.1.255 allows all machines from the subnet 198.1.1.
-c Disallow scp(1) access for the user. This does not prevent access
by sftp(1) or ssh(1).
-C chroot_path
Change the user's root directory to chroot_path when the user
connects with scp. The administrator must create the chroot
environment correctly beforehand so that it will function for the
user. If you are unsure of the procedures for correctly setting
up a chroot environment you should consult a good Unix adminis-
tration book, as this is beyond the scope of this manual page.
-d IPmask
This option may be specified one or more times. It specifies an
Internet address mask that the user or group cannot connect from.
If the machine that the user is connecting from matches the IPmask
mask then the user is not allowed to connect. For example, the
mask 198.1.1.255 disallows all machines from the subnet 198.1.1.
-D The user is disallowed from connecting. This option is useful as
it allows other forms of access to the system (i.e. by console)
but disallows remote access by ssh(1), sftp(1), and scp(1).
-e address
This option may be specified one or more times. The address is a
standard e-mail address. E-mail will be sent to address after a
user has successfully logged in. This can be used to track user
access in addition to the logs.
-E address
This option may be specified one or more times. The address is a
standard e-mail address. E-mail will be sent to address for each
access attempt before the user is authenticated. This can be
useful when determining various attack methods on existing user
or group accounts.
-F chroot_path
Change the user's root directory to chroot_path when the user
connects with sftp. The administrator must create the chroot
environment correctly beforehand so that it will function for the
user. If you are unsure of the procedures for correctly setting
up a chroot environment you should consult a good Unix adminis-
tration book, as this is beyond the scope of this manual page.
-f Disallow sftp(1) access for the user. This does not prevent
access by scp(1) or ssh(1).
-h homepath
This allows the specification of an alternate home directory for
a user when the user database does not have a home directory
specifically assigned to the user. If a home directory is already
assigned to the user then this setting will be quietly ignored.
The path should be absolute.
-p This user is not allowed to use port forwarding.
-P count
Once the user has been authenticated, pause for count seconds
before starting the login process. This is intended for use when
doing security tracking and not as a general BOFH option.
-S chroot_path
Change the user's root directory to chroot_path when the user
logs in. The administrator must create the chroot environment
correctly beforehand so that it will function for the user. If
you are unsure of the procedures for correctly setting up a
chroot environment you should consult a good Unix administration
book, as this is beyond the scope of this manual page.
-s shellpath
Specifies an alternative shell for the user. It is only used when
the user has no default shell specified in the user database.
When a shell is specified in the user database this option is
quietly ignored.
EXAMPLES
To disallow the user "harry" in the domain "WIZARD" from doing port for-
warding the line entry will appear as:
WIZARD+harry -p
To allow the same user to connect only from the subnet 192.3.4 and be
denied access by sftp and scp the line entry will appear as:
WIZARD+harry -a 192.3.4.255 -f -c
Some options may be specified more than once. Extending the above example
so that user "harry" can connect from two additional subnets the line
entry will appear as:
WIZARD+harry -a 192.3.4.255 -f -c -a 192.1.1.255 -a 192.0.1.255
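The following is an added illustration of the parsing and matching rules described above (comment lines, getopt-style options, top-to-bottom matching with "*" consulted last, and leftmost-first evaluation of -a/-d masks); it is not ISSH's own code. It assumes, from the page's 198.1.1.255 example, that a 255 octet in a mask is a wildcard, and that a line carrying -a masks admits only the listed networks; the sample file is constructed.

```python
import getopt
import shlex

# getopt(3)-style option string built from the manual page: letters that
# take an operand are followed by ':'.
OPTSTRING = "a:cC:d:De:E:F:fh:pP:S:s:"

# Constructed sample sshd.user.conf (not from a real installation).
SAMPLE = """\
# comment lines start with '#' in the leftmost column
WIZARD+harry -a 192.3.4.255 -f -c -a 192.1.1.255
WIZARD+staff -d 10.0.0.255 -a 10.0.255.255
* -D
"""


def parse_conf(text):
    """Return an ordered list of (name, [(opt, operand), ...]) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *rest = line.split(None, 1)
        args = shlex.split(rest[0]) if rest else []
        opts, _ = getopt.getopt(args, OPTSTRING)  # keeps left-to-right order
        entries.append((name, opts))
    return entries


def mask_matches(ipmask, addr):
    """Assumed semantics: a 255 octet matches any value in that position."""
    return all(m == "255" or m == a
               for m, a in zip(ipmask.split("."), addr.split(".")))


def lookup(entries, user, groups):
    """First user or group line wins, top to bottom; '*' is consulted last."""
    for name, opts in entries:
        if name == user or name in groups:
            return opts
    return next((opts for name, opts in entries if name == "*"), [])


def may_connect(opts, client_addr):
    """-D refuses outright; otherwise the first -a/-d mask to match decides."""
    if any(o == "-D" for o, _ in opts):
        return False
    for o, v in opts:
        if o in ("-a", "-d") and mask_matches(v, client_addr):
            return o == "-a"
    # Assumption: no mask matched, and -a masks were given, so refuse.
    return not any(o == "-a" for o, _ in opts)
```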
NOTES
The sshd.user.conf file is re-read each time a connection attempt is
made. This means that the sshd.user.conf file can be updated and the
changes are used immediately without the server needing to be restarted
or signaled. The changes do not affect a user that has already
established a connection.
SEE ALSO
id(1), getopt(3), groups(1), mailx(1), sendmail(1), syslog(3), chroot(1),
chroot(3), chdir(3), ssh(1), scp(1), sftp(1)
HISTORY
The sshd.user.conf file appeared in Interop Secure Shell version 4.0.
Interix July 13, 2005 Interix