sshd2_subconfig(4)sshd2_subconfig(4)NAMEsshd2_subconfig - Describes the subconfiguration that can be used for
the sshd2 daemon
DESCRIPTION
You can specify configuration options in subconfiguration files that
have the same format as the main configuration file. They are read
after the daemon forks a new process to handle the connection. If they
are modified, it is not necessary to restart the server process.
If parsing of the subconfiguration files fails, the server terminates
the connection for the host-specific subconfiguration or denies access
for the user-specific subconfiguration.
Most of the configuration options that work in the main file work in
the subconfiguration files.
The value for {Host,User}SpecificConfig keywords is a pattern-filename
pair. The pattern user is matched with the user name and user ID.
Group is matched with the user's primary and secondary groups, both
group name and group ID, and host is matched as described for
AllowHosts.
With HostSpecificConfig, the pattern is host. Unlike sshd2_config, the
sshd2_subconfig files can have configuration blocks, or stanzas. With
the UserSpecificConfig subconfiguration, the format is
user[%group][@host], and with HostSpecificConfig the format is host.
The subconfiguration files are divided into two categories: user-spe‐
cific host-specific
The user-specific subconfiguration files are read when the client
enters a user name. At this point, the server obtains additional infor‐
mation about the user, such as the user's ID and user groups. With this
information, the server can read the user-specific configuration files
in the main sshd2 configuration file.
The host-specific configuration files are configured with the Host‐
SpecificConfig variable. They are read after the daemon forks a new
process to handle the connection. Most configuration options can be set
here.
It is possible to mix the configuration files, but not recommended.
Mixing the files might cause unexpected behavior because the global
settings in these files would be set multiple times.
Subconfigurations are very flexible. You can specify different authen‐
tication methods for different users, different banner messages for
people coming from certain hosts, and set log messages of certain
groups to go to different files.
NOTES
The following configuration variables work in the main file, the user-
specific file, and the host-specific configuration files: AllowShosts
AllowTcpForwarding AllowedAuthentications AuthInteractiveFailureTimeout
AuthKbdInt.NumOptional AuthKbdInt.Optional AuthKbdInt.Plugin AuthKb‐
dInt.Required AuthKbdInt.Retries AuthorizationFile AuthPublicKey.Max‐
Size AuthPublicKey.MinSize CheckMail DenyShosts FascistLogging For‐
wardAgent ForwardX11 HostbasedAuthForceClientHostnameDNSMatch IdleTime‐
out IgnoreRhosts IgnoreRootRhosts PasswdPath PasswordGuesses PermitEmp‐
tyPasswords PrintMOTD QuietMode RekeyIntervalSeconds RequiredAuthenti‐
cations SecurIdGuesses SettableEnvironmentVars SftpSysLogFacility
StrictModes SysLogFacility UserConfigDirectory UserKnownHosts Verbose‐
Mode
The following variables work in the host-specific configuration file
and in the main file: AllowGroups AllowTcpForwardingForGroups AllowTcp‐
ForwardingForUsers AllowUsers BannerMessageFile ChrootGroups Chroo‐
tUsers Ciphers DenyGroups DenyTcpForwardingForGroups DenyTcpForwarding‐
ForUsers DenyUsers ExternalAuthorizationProgram ForwardACL LoginGrace‐
Time MACs PermitRootLogin SSH1Compatibility Sshd1ConfigFile Sshd1Path
LEGAL NOTICES
SSH is a registered trademark of SSH Communication Security Ltd.
SEE ALSO
Commands: sshd2(8), sshd-check-conf(8)
Files: sshd2_config(4)
Other: sshregex(5)sshd2_subconfig(4)
