HP OpenVMS Systems Documentation

Content starts here

Server Configuration Parameters

  Table of Contents

  Glossary

  Index

Some of the server configuration parameters that you can modify are as follows:

  • AccountingAuthentications

    Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey, password, hostbased. The keyword none explicitly disables all SSH authentication methods.
    Default: publickey, password, hostbased
    Description: Specifies the authentication methods for which accounting data is updated.
    The following command displays the contents of the intrusion database: ACCOUNTING
  • AllowedAuthentications

    Specifies the authentication methods the server will allow.

    Allowed values: password, publickey, hostbased, gssapi-with-mic, kerberos-2@ssh.com, kerberos-tgt-2@ssh.com

    Default: hostbased,password,publickey

    Description: Specifies the authentication methods the server will accept.

    The keyword all is equivalent to publickey, password, hostbased. The keyword none explicitly disables all SSH authentication methods.

  • AllowGroups

    The groups in the AllowGroups list are specified by the decimal representation that is the group portion of the UIC. That is, if a user's UIC is [777,42], the following syntax allows the user and all other users with UIC [777,*]:

    AllowGroups 511

  • AllowNonvmsLoginWithExpiredPw

    Allowed values: yes, no
    Default: no
    Description: Controls behavior when a different SSH client implemention attempts to establish an SSH connection to an OpenVMS server account with an expired password. The password change option is implemented for OpenVMS-to-OpenVMS connections only. The value yes allows clients to connect with the following warning message and sets the pwd_expired flag in the user's SYSUAF record: WARNING - Your password has expired; update immediately with SET PASSWORD! The value no rejects the login. The SSH client implementation must support the CHANGEREQ mechanism (message type 60) to update passwords.
  • AllowVmsLoginWithExpiredPw

    Allows OpenVMS users to change expired passwords, if required. If the value is No, the login is rejected.

    For a user to be allowed to make a connection (from either an OpenVMS client or from a different SSH implementation) with an expired password, the OpenVMS account must set the DISFORCE_PWD_CHANGE flag. To set this flag, enter the following command:

    $ MCR AUTHORIZE MODIFY USERNAME /FLAG=DISFORCE_PWD_CHANGE
    

    When you log in to an account with an expired password, the following message is displayed:

    WARNING - Your password has expired; update immediately with SET PASSWORD!
    

  • AllowX11Forwarding

    Enables X11 port forwarding.

  • DenyGroups

    The groups in the DenyGroups list are specified by the decimal representation that is the group portion of the UIC. That is, if a user's UIC is [777,42], the following syntax denies the user and all other users with UIC [777,*]:

    DenyGroups 511

  • IntrusionAuthentications

    Allowed values: password, publickey, hostbased, all, none
    Default: password
    Description: Specifies the methods for which the server intrusion database is updated for the user in case of login failure.
    The following command displays the contents of the intrusion database: SHOW INTRUSION
  • IntrusionIdentLocalUser

    Allowed values: yes, no
    Default: yes
    Description: Controls whether intrusion identification records are identified by IP address or user name. Set to yes,then the server uses the lcal user name in intrusion records. If this parameter is set to no, uses SSH_xxxxxxxx, where xxxxxxxx is the intruder's IP address.
  • IntrusionIdentMethod

    Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey, password, hostbased. The keyword none explicitly disables all SSH authentication methods.
    Default: publickey, password, hostbased
    Description: For entries in the intrusion database, this option controls whether the authentication method is included in the text of the intrusion Source (as displayed by the SHOW INTRUSION command). The value of this option is ignored if IntrusionAuthentications and IntrusionIdentSsh are not both active for the specified method.
    The following command displays the contents of the intrusion database: $ SHOW INTRUSION
  • IntrusionIdentSSH

    Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey, password, hostbased. The keyword none explicitly disables all SSH authentication methods.
    Default: publickey, password, hostbased
    Description: For entries in the intrusion database, this option controls whether the string SSH_ is included in the text of the intrusion "Source" (as displayed by the SHOW INTRUSION command). The value of this option is ignored if the IntrusionAuthentications is not active for the specified method.
    The following command displays thecontents of intrusion database: $ SHOW INTRUSION
  • LogfailAuthentications

    Allowed values: password, publickey, hostbased, all, none. The keyword all is equivalent to publickey, password, hostbased. The keyword none explicitly disables all SSH authentication methods.
    Default: password
    Description: Specifies the authentication methods for which the SYSUAF login failure count is updated for the user. The following command displays the number of login failures: MCR AUTHORIZE SHOW username.
  • PasswordGuesses

    Specifies the number of times the user can enter an incorrect password.

  • IntrusionIdentLocalUser

    Uses the local user name in the intrusion record. If set to No, uses SSH_xxxxxxxx (where xxxxxxx is the IP address of the remote host, in hexadecimal format). The default is Yes.

  • IgnoreRhosts

    Specifies that the SHOSTS.EQUIV file be used to allow a user from one system to log in as a different user from another host. If this parameter is set to No, the user-specific SHOSTS. file is used.

  • PubkeyPassphraseGuesses

    Allowed values: Integers greater than 0
    Default: 3
    Description: Specifies the number of times the client user is allowed to enter the passphrase associated with public/private key pair. Used for public key authentication method only. In the server configuration file, this value affects all clients, including those on OpenVMS systems.
    When the value is different on an OpenVMS client and the associated OpenVMS server, the lower value takes precedence.
    Each prompt for passphrase is of the following format: Passphrase for key "ssh2/KAREN-SELFDBOB_SQA_UCX_ABC_ACME_COM"with comment "1024-bit dsa, karen@dbob.sqa.ucx.abc.acme.com,Wed May 21 2003 12:42:14":
  • UserLoginLimit

    Allowed values: integers from -1 to 8192
    Default: -1
    Description: Controls the number of times individual users can be logged in. If the value is -1, the system-wide limit on interactive logins (SYSGEN parameter IJOBLIM) applies. If the value is greater than zero, the number specifies the maximum number of times that an individual user can log in.
    -1 = no limit on specific users
    0 = disable all users
    1 - 8192 = number of logins permitted for individual users
    To display details on login processes for USER, enter the following command:$ SHOW USER /FULL /NODE=serverhost