The parameter file holds the static configuration settings that govern many aspects of server operation. It is read when ssh_server.exe initializes. The system administrator edits this file to do things like restrict the ciphers the server will support or change the location of the host key and server key files.

File Format

Each line of the parameters file is either a comment line (first non-space character #) or a parameter-name/value pair.

Line formats:

    parameter-name value
    parameter-name "quoted value"
    parameter-name 'symbol-name'

where:

    parameter-name  is the parameter name keyword.
    value           is the value string to assign to the parameter.
    quoted value    is a character string containing whitespace.
    symbol-name     is a DCL symbol name; the value of the parameter is the value of the DCL symbol.

Examples:

    # This is a comment
    port 22
    Initiator "run ssh_home_dir:initiator.exe"
    host_key 'key_location'

Notes:

    + Parameter names may not be abbreviated.
    + Parameter names are not case sensitive; parameter values may or may not be case sensitive.
    + Only specify one value per line.
    + You cannot embed DCL symbol substitution within parameter values, i.e. @'my_dir'sshexec.com is NOT a valid value specification.

Parameter Types

Each parameter has a data type associated with it: integer, string, list, or mlist. The data type affects how the value in the name/value pair is interpreted. For the integer type the value must be a decimal integer (e.g. 22); the three other types take character strings as their values. If a string value contains space characters, surround the entire string with double quotes ("). Parameters with the list data type take multiple string values as the parameter's data. Each value in the list is specified with a separate name/value pair (i.e. NOT a comma-delimited list). The mlist data type is a multi-level form of the list type; each value is of the form keyword=value.
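As an added illustration (not part of this document or of the ssh_server distribution), the following Python reads a parameter file using the line formats and data types described above, resolves 'symbol-name' values from a stand-in for the DCL symbol table, and applies the documented rule that an allow_cipher value of "all" excludes "none". The type table, the symbol table and the sample file are constructed for the example.

```python
import re
PARAM_TYPES = {  # subset of the documented parameters and their types (constructed)
    "port": "list", "allow_cipher": "list", "allow_authtype": "list",
    "host_key": "string", "initiator": "string", "pty_mode": "integer",
    "tt_type": "mlist"}
SUPPORTED_CIPHERS = ["idea", "des", "3des", "rc4", "blowfish"]  # what "all" expands to
DCL_SYMBOLS = {"key_location": "ssh_home_dir:hostkey.pem"}  # stand-in DCL symbol table
LINE_RE = re.compile(r"""^\s*(\S+)\s+(?:"([^"]*)"|'([^']*)'|(\S+))\s*$""")

def parse_params(text, symbols=DCL_SYMBOLS):
    params = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        m = LINE_RE.match(line)
        if not m:  # also rejects more than one value on a line
            raise ValueError(f"line {lineno}: expected 'parameter-name value'")
        name, quoted, symbol, bare = m.groups()
        name = name.lower()  # parameter names are not case sensitive
        if name not in PARAM_TYPES:
            raise ValueError(f"line {lineno}: unknown parameter {name!r}")
        # 'symbol-name' takes the DCL symbol's value; "quoted value" keeps its spaces
        value = symbols[symbol] if symbol is not None else (quoted if quoted is not None else bare)
        ptype = PARAM_TYPES[name]
        if ptype == "integer":
            params[name] = int(value)  # int() rejects anything but a decimal integer
        elif ptype == "list":  # one value per line, accumulated in order
            params.setdefault(name, []).append(value)
        elif ptype == "mlist":  # each value has the form keyword=value
            key, _, val = value.partition("=")
            params.setdefault(name, {})[key.lower()] = val
        else:  # string
            params[name] = value
    return params

def effective_ciphers(params):
    allowed = params.get("allow_cipher", [])
    # documented rule: "all" means every supported cipher except "none"
    return list(SUPPORTED_CIPHERS) if "all" in allowed else allowed

SAMPLE = """\
# constructed sample parameter file
port 22
Allow_Cipher none
allow_cipher blowfish
host_key 'key_location'
Initiator "run ssh_home_dir:initiator.exe"
pty_mode 1
tt_type vt100=VT100
"""
```

Running `parse_params(SAMPLE)` shows the list, string, integer and mlist interpretations side by side; `"none" in effective_ciphers(...)` is the check an administrator wants before accepting the file, since that cipher leaves sessions unencrypted.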
Parameter Names

administrator (list)
    Specifies usernames that are allowed to connect to the server's administrator interface.

allow_authtype (list)
    Specifies the SSH authentication types the server is permitted to accept. The value is one of the keywords: password, RSA.

allow_cipher (list)
    Specifies the cipher types the server will permit the client to use for the connection. Cipher types supported are: none, idea, des, 3des, rc4, and blowfish. If the value "all" is specified, all supported ciphers except "none" are allowed.

cmd_task (string)
    Specifies the wrapper procedure or DECnet task specification for command mode execution. The default value is "@sylogin-dirSSHEXEC.COM", where sylogin-dir is the directory containing the sys$sylogin procedure.

decnet_cmd (integer)
    Flag value to indicate the operating mode for 'command mode' (non-PTY) connections. If the value is zero (the default), client processes are created as detached processes using mailboxes. A non-zero value will execute the requested commands via DECnet netserver processes using the task specified by the cmd_task parameter.

event_formatter (string)
    Reserved.

event_log (string)
    File specification of the server's log file. The log file notes connections, disconnections, logins, and other miscellaneous events.

host_key (string)
    File specification of the SSH host key. The host key is an RSA private key, stored in PEM (privacy enhanced mail) file format, that the client uses to authenticate the host. Note that the file cannot be password protected and therefore must be carefully protected against access by non-privileged users.

initiator (string)
    Specifies the DCL command to be executed by the initiator helper process. The initiator process handles creation of the client processes under the correct username.

key_generator (string)
    Specifies the DCL command to be executed by the key generator process. The key generator handles the periodic creation of new server keys.
    Since RSA key generation is CPU intensive, a separate process allows this background task to run at lower priority. The server_key file gets overwritten each time a new key is generated. The current key generator takes the refresh time as a command line argument.

login_info_table (string)
    Specifies the name of the logical name table used to store protected login information (default table name is SSH_LOGIN_INFO). The protected information includes last login times, newmail counts and X11 server assignment data.

login_table (string)
    Specifies the name of the logical name table used to store non-protected login information (default table name is SSH_LOGIN_MAP). The non-protected data includes the terminal name and remote connection info (accpornam data).

login_timeout (integer)
    Maximum number of seconds the server will wait for a new connection to complete login.

max_clients (integer)
    Maximum number of clients. This number may be reduced by available process quotas and/or system-wide resource limits.

multi-user (list)
    Specifies the IP addresses of client hosts that the server is to consider multi-user hosts for break-in detection purposes. Normally, a login failure will be added to the intrusion database using a source of the form ip-address::SSH_CLIENT. If the IP address is on the multi-user list, the server will instead use ip-address::username as the source.

port (list)
    TCP/IP port number the server is to listen on for SSH connections.

port_forward (integer)
    Flags for setting port forwarding options; the integer value is interpreted as a bit mask. The default value is 3.

    Bits:
        <0> - Allow SSH_MSG_PORT_OPEN by client.
        <1> - Allow SSH_CMSG_PORT_FORWARD_REQUEST by client.

pty_map_table (string)
    Specifies the name of the logical name table used to store PTY mapping information. The logical names are the pseudo-terminal names, with the values being the remote host/port information and the authenticated username.
pty_mode (integer)
    Specifies the type of pseudo-terminal (PTY) login to perform. A value of 0 disables creation of PTYs. A value of 1 (the default) logs in the user using the same authentication information provided to set up the SSH connection. A value of 2 causes the PTY to prompt for a username/password independent of the SSH authentication information.

required_id (list)
    Specifies VMS rightslist identifiers that allow/disallow access to the server via SSH. Each identifier may be negated or non-negated (to negate, precede the identifier name with a minus sign (-)). If the required_id list is not empty, a user must be granted at least one of the non-negated identifiers on the list and none of the negated identifiers.

rsa_engine (string)
    Specifies the DCL command to be executed by the RSA helper process. The RSA helper process handles the RSA decryption of the session keys, off-loading this CPU intensive task from the server process. This parameter is optional; if it is not present the server will handle the RSA decryption internally.

server_key (string)
    File specification of the current SSH server key. The server key is an RSA private key, stored in PEM (privacy enhanced mail) file format, that is used for secure key exchange during connection setup. The server key changes relatively frequently (see key_generator) to limit the window for known plaintext attacks on the server. Note that the file cannot be password protected and therefore must be carefully protected against access by non-privileged users.

tt_char (mlist)
    Defines terminal characteristics. The keyword portion of each value is the TERM type supplied by the client for the remote terminal, and the value portion is a VMS terminal characteristic keyword to set or reset. To reset a characteristic, precede the value with a minus sign (e.g. vt52=-form). The value keywords follow the definitions in ttdef and the SET TERMINAL command. The null TERM type defines the default settings for all terminals.

tt_type (mlist)
    Defines terminal types.
    The keyword portion of the value is the TERM type supplied by the client, and the value portion is the corresponding VMS terminal type (set term/device_type=...) for that terminal type. The only VMS types currently recognized are UNKNOWN, VT100, VT200_series, VT300_series, VT400_series, and PRO_series.

user_keyfile (string)
    Specifies the relative location and name of the per-user authorized keys file for RSA authentication. The authorized keys file contains the public keys for clients that are allowed to perform RSA logins to that user account. The target user's login directory is converted to Unix syntax and prepended to the user_keyfile string, therefore the string must be in Unix file specification syntax (e.g. ssh/authorized_keys.dat). The user keyfile must be owned by the target user. The format of the keyfile matches that used by the Unix ssh clients (size exp key comment).

x11_server_number (integer)
    Specifies the starting X11 server number for X11 pseudo-servers; must be a number greater than 0.

x11_servers (integer)
    Specifies the maximum number of X11 pseudo-servers to create in response to client forwarding requests.

x11_table_size (integer)
    Specifies the maximum number of channels each pseudo-server can open. This number includes the link back to the SSH client as well as the TCP listen socket, so it should be a minimum of 3.

------------------------------------------------------------------------
David Jones, Ohio State University