Files Used by the Client

$HOME/.ssh2/ssh2_config

User-specific configuration file. The format is the same as the system-wide configuration file. Recommended permissions = 644.

/etc/ssh2/ssh2_config

System-wide configuration file. This file is installed when you install Reflection for Secure IT. The installed file shows default values as commented out lines. Edit this file to change system-wide settings. For information about keywords and supported values, see ssh2_config(5). Recommended permissions = 644.

$HOME/.ssh2/hostkeys/key_*.pub

This directory contains the public keys of hosts trusted by the current user. By default, keys are added automatically to this location when the user answers 'yes' in response to an unknown host prompt. (This behavior can be changed using the StrictHostKeyChecking keyword in the configuration file.) Starting with version 7.0, host keys use the following file name format:

key_port_host,IP.pub

Where port is the port used for the ssh connection, host is the host name, and IP is the host IP address (for example, key_22_myhost.example.com,192.0.2.10.pub). Earlier versions used key_port_host.pub, and this format is still supported.

Note: By default the keys added to this directory have group and public read access (644). To improve security, set permissions on these files to make them readable only by the owner (600).

/etc/ssh2/hostkeys/key_*.pub

System-wide known hosts. Hosts with keys in this list are trusted for all users of the computer. No keys are installed to this location automatically. To add a system-wide trusted host, create this directory and put a copy of the host public key in it. Use the file name format described above for $HOME/.ssh2/hostkeys/key_*.pub.
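The following shell script is an added example; it is not part of the Reflection for Secure IT documentation or product. It builds the version 7.0 host key file name from a port, host name and IP address, installs a host public key into a hostkeys directory (owner-only by default, or 644 for the system-wide /etc/ssh2/hostkeys directory), and audits a hostkeys directory for keys that are still readable by group or others, which is the 644 default described above for $HOME/.ssh2/hostkeys. The directory paths, host name, IP address and key contents are constructed for the demonstration.

```shell
# Added example; not part of the Reflection for Secure IT documentation.
# Builds the version-7.0 host key file name, installs a host public key into
# a hostkeys directory, and audits that directory for keys readable by group
# or others. The directory paths, host, IP and key content are constructed.

# hostkey_filename PORT HOST IP -> key_PORT_HOST,IP.pub
hostkey_filename() {
    printf 'key_%s_%s,%s.pub\n' "$1" "$2" "$3"
}

# install_hostkey DIR PORT HOST IP PUBKEYFILE [MODE]
# Copies PUBKEYFILE into DIR under the 7.0 name and prints the new path.
# MODE defaults to 600 (owner-only, the recommended setting for
# $HOME/.ssh2/hostkeys); use 644 for /etc/ssh2/hostkeys, which every user
# on the system must be able to read.
install_hostkey() {
    dir=$1; port=$2; host=$3; ip=$4; src=$5; mode=${6:-600}
    [ -r "$src" ] || { echo "install_hostkey: cannot read $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dest="$dir/$(hostkey_filename "$port" "$host" "$ip")"
    cp "$src" "$dest" || return 1
    chmod "$mode" "$dest" || return 1
    printf '%s\n' "$dest"
}

# audit_hostkeys DIR
# Lists every key_*.pub in DIR that grants any access to group or others
# (the 644 default noted above). Returns 0 only if all keys are owner-only.
audit_hostkeys() {
    dir=$1; rc=0
    for f in "$dir"/key_*.pub; do
        [ -f "$f" ] || continue
        # columns 5-10 of "ls -l" are the group and other permission bits
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "not owner-only: $f (group/other bits: $bits)"
            rc=1
        fi
    done
    return $rc
}

# Demonstration in a temporary directory with a constructed public key.
demo=$(mktemp -d)
printf -- '---- BEGIN SSH2 PUBLIC KEY ----\nAAAA(constructed)\n---- END SSH2 PUBLIC KEY ----\n' > "$demo/sample.pub"
install_hostkey "$demo/hostkeys" 22 myhost.example.com 192.0.2.10 "$demo/sample.pub" 644
audit_hostkeys "$demo/hostkeys" || echo "tighten with: chmod 600 $demo/hostkeys/key_*.pub"
```

The audit deliberately flags the 644 mode that the client applies by default, so running it against $HOME/.ssh2/hostkeys after accepting an unknown-host prompt shows exactly which files to tighten to 600; for /etc/ssh2/hostkeys the 644 mode is intended, since the keys there must be readable by every user.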

$HOME/.ssh2/identification

An identification file is required if you use public keys or certificates for user authentication. (This is the default file name and location. You can redefine the name and/or location of the identification file on the ssh command line using -i, or in the configuration file using the IdentificationFile keyword.) The identification file contains a list of one or more private keys held by the client user. Any listed key can be used by the client for user authentication. If more than one key is listed, the client tries the first key in the list, then continues trying the other keys in order. If no path information is provided, the client looks for the listed keys in $HOME/.ssh2/. This file must be writable only by its owner (permissions = 600 or 644).

For standard keys use the following syntax to add keys to the list:

IdKey keyname

For example:

IdKey id_dsa_2048_a

For keys associated with an X.509 certificate, use the following syntax:

CertKey keyname

The associated certificate must be in the same directory as the specified key and use the same base name with a .crt file extension.
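The following shell script is an added example; it is not part of the Reflection for Secure IT documentation or product. It validates an identification file against the rules given above: each IdKey or CertKey entry must name a private key that exists (a bare name resolves against the key directory, $HOME/.ssh2 by default), the private key should be readable only by its owner, a CertKey entry must have its certificate beside the key as keyname.crt, and the identification file itself must not be writable by group or others. Problems are reported in list order, which is the order in which the client tries the keys. The key directory, key names and file contents are constructed, and the key names are assumed to carry no extension (as in id_dsa_2048_a).

```shell
# Added example; not part of the Reflection for Secure IT documentation.
# Validates an identification file: every IdKey/CertKey entry must name a
# private key that exists (a bare name resolves against the key directory,
# $HOME/.ssh2 by default), the key must be readable only by its owner, and a
# CertKey entry must have its certificate beside the key as <keyname>.crt.
# The identification file itself must not be group- or world-writable.
# The key directory, key names and file contents used below are constructed,
# and key names are assumed to carry no extension (as in id_dsa_2048_a).

# resolve_key KEYDIR NAME: absolute names are used as-is, bare names live in KEYDIR
resolve_key() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# check_identification FILE [KEYDIR]
# Prints one problem per line, in the order the client would try the keys.
# Returns 0 only when every entry is usable.
check_identification() {
    idfile=$1; keydir=${2:-$HOME/.ssh2}; rc=0; n=0; keys=0
    [ -r "$idfile" ] || { echo "cannot read $idfile"; return 1; }
    # "ls -l" columns 6 and 9 are the group and other write bits
    gw=$(ls -ld "$idfile" | cut -c6); ow=$(ls -ld "$idfile" | cut -c9)
    if [ "$gw$ow" != "--" ]; then
        echo "$idfile is writable by group or others (chmod 600 $idfile)"; rc=1
    fi
    while read -r kw name junk || [ -n "$kw" ]; do
        n=$((n + 1))
        [ -n "$kw" ] || continue
        case $kw in
            IdKey|CertKey) ;;
            *) echo "line $n: unknown keyword '$kw'"; rc=1; continue ;;
        esac
        keys=$((keys + 1))
        path=$(resolve_key "$keydir" "$name")
        if [ ! -f "$path" ]; then
            echo "line $n: $kw $name: private key not found at $path"; rc=1; continue
        fi
        # columns 5-10 are the group and other permission bits; all must be off
        if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "line $n: $kw $name: private key is not owner-only (chmod 600 $path)"; rc=1
        fi
        if [ "$kw" = CertKey ] && [ ! -f "$path.crt" ]; then
            echo "line $n: CertKey $name: certificate $path.crt is missing"; rc=1
        fi
    done < "$idfile"
    [ "$keys" -gt 0 ] || { echo "$idfile lists no keys"; rc=1; }
    return $rc
}

# Demonstration: a constructed key directory with one standard key and one
# certificate key, and an identification file listing both.
demo=$(mktemp -d)
printf 'constructed private key\n' > "$demo/id_dsa_2048_a"
printf 'constructed private key\n' > "$demo/id_rsa_pki"
printf 'constructed certificate\n' > "$demo/id_rsa_pki.crt"
chmod 600 "$demo/id_dsa_2048_a" "$demo/id_rsa_pki"
printf 'IdKey id_dsa_2048_a\nCertKey id_rsa_pki\n' > "$demo/identification"
chmod 600 "$demo/identification"
check_identification "$demo/identification" "$demo" && echo "identification file OK"
```

Run it as check_identification "$HOME/.ssh2/identification" to check a real client setup; a CertKey whose .crt file is missing, or a private key left group-readable, is reported before the first connection attempt rather than surfacing as an authentication failure.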

NOTE:

  • For public key authentication, you also need to configure the server. For certificate authentication, you need to install and configure Reflection PKI Services Manager and also configure the server.

  • When ChrootSftpUsers or ChrootSftpGroups is enabled on the server, connected users see additional subdirectories (etc on all platforms, and dev on AIX) added to their home directory. These directories contain required files and cannot be moved or deleted. The etc directory contains the rsit.conf file, which identifies the installation location of files required by Reflection for Secure IT. A localtime file may also be present; it is needed so that processes such as logging can get the current time, because the system localtime file is in a location that a chrooted user cannot access. If the TZ environment variable is set on the system, the localtime file is not created. Users running on AIX also require /dev/null, which is needed for correct logging to syslog.