Summary

This article describes the support for OpenSSH sshd options in BoKS 6.7 & BoKS 7.0 (both versions are based on OpenSSH 6.1p1). Please see the sshd_config.4 man page for more information about the OpenSSH sshd options.


Reference Information

| OpenSSH Option | BoKS Support | Comment |
|---|---|---|
| AcceptEnv | Yes | |
| AddressFamily | Yes | IPv6 is supported from BoKS 7.0. |
| AllowAgentForwarding | Yes | |
| AllowGroups | No | Supported only when BoKS is inactive; otherwise BoKS controls which users are valid. |
| AllowTcpForwarding | Yes | Requires a BoKS SSH forwarding access route when BoKS is activated. |
| AllowUsers | No | Supported only when BoKS is inactive; otherwise BoKS controls which users are valid. |
| AuthorizedKeysFile | Yes | The location of user public keys is defined by the BOKS_SSH_SERVER_UK_LOCATION ENV variable. The default is "boksdb,files". Please see the BoKS ENV.4 man page for more information. |
| AuthorizedPrincipalsFile | Yes | |
| Banner | Yes | |
| ChallengeResponseAuthentication | Yes | A valid SSH BoKS password (keyboard-interactive) access route must be defined in order to log in when BoKS is active. |
| ChrootDirectory | Yes | The BoKS SSH chroot modifier can be used when BoKS is active. |
| Ciphers | Yes | |
| ClientAliveCountMax | Yes | |
| ClientAliveInterval | Yes | |
| Compression | Yes | |
| DenyGroups | No | Supported only when BoKS is not active; otherwise BoKS controls which users are valid. |
| DenyUsers | No | Supported only when BoKS is not active; otherwise BoKS controls which users are valid. |
| EmptyPasswd | No | Supported only when BoKS is not active, since this affects OpenSSH password authentication only. BoKS uses BoKS password (keyboard-interactive). |
| ForceCommand | Yes | A valid SSH access route must be defined in order to execute the command when BoKS is active. |
| GatewayPorts | Yes | A valid remote forwarding access route must be defined in order to log in when BoKS is active. |
| GSSAPIAuthentication | Yes | The KERBEROS_IS_SETUP ENV variable needs to be enabled for Kerberos authentication when BoKS is active. Please see the BoKS ENV.4 man page for more information. |
| GSSAPICleanupCredentials | Yes | |
| HostbasedAuthentication | Yes | A valid hostbased access route must be defined in order to log in when BoKS is active. |
| HostbasedUsesNameFromPacketOnly | Yes | A valid hostbased access route must be defined in order to log in when BoKS is active. |
| HostCertificate | Yes | The BOKS_SSH_SERVER_HK_LOCATION ENV variable must be set to “files” or “files, boksdb” to support OpenSSH certificates when BoKS is active. Please see the BoKS ENV.4 man page for more information. |
| HostKey | Yes | |
| IgnoreRhosts | Yes | A valid hostbased access route must be defined in order to log in when BoKS is active. |
| IgnoreUserKnownHosts | Yes | |
| IPQoS | Yes | |
| KerberosAuthentication | Yes | A valid SSH access route with Kerberos authentication must be defined in order to log in when BoKS is active. |
| KerberosGetAFSToken | Yes | |
| KerberosOrLocalPasswd | No | Supported only when BoKS is not active. This is controlled using a BoKS access route modifier when BoKS is active. |
| KerberosTicketCleanup | Yes | |
| KexAlgorithms | Yes | |
| KeyRegenerationInterval | No | This is an SSH protocol 1 option. Protocol 1 is disabled in BoKS. |
| ListenAddress | Yes | |
| LoginGraceTime | Yes | |
| LogLevel | Yes | |
| MACs | Yes | |
| Match | Yes | |
| MaxAuthTries | Yes | BoKS supports this option when active, but a user is only allowed to try one authentication method (two if a BoKS optional method is defined). In BoKS you can also set "login retries allowed", which blocks a user when the limit is reached, whereas MaxAuthTries makes boks_sshd drop the connection when its limit is reached. |
| MaxSessions | Yes | |
| MaxStartups | Yes | |
| PasswordAuthentication | No | Password authentication is not allowed when BoKS is active. |
| PermitEmptyPasswords | No | BoKS controls the password rules when BoKS is active. |
| PermitOpen | Yes | A valid TCP forwarding access route must be defined in order to forward connections when BoKS is active. |
| PermitRootLogin | Yes | A valid SSH access route for user root is required when BoKS is active. |
| PermitTunnel | No | Supported only when BoKS is not active. |
| PermitUserEnvironment | Yes | |
| PidFile | Yes | Changing the default value for PidFile is not recommended, since it will break the sysreplace program used for activating/deactivating BoKS. The handling of the pid file for boks_sshd will change in future BoKS versions. |
| Port | Yes | |
| PrintLastLog | Yes | BoKS also writes last login when BoKS is active. |
| PrintMotd | Yes | |
| Protocol | No | SSH protocol 1 is disabled. |
| PubkeyAuthentication | Yes | A BoKS SSH pubkey authenticator and a valid SSH access route are required in order to log in when BoKS is active. |
| RevokedKeys | Yes | |
| RhostsRSAAuthentication | No | This is an SSH protocol 1 option. Protocol 1 is disabled in BoKS. |
| RSAAuthentication | No | This is an SSH protocol 1 option. Protocol 1 is disabled in BoKS. |
| ServerKeyBits | No | This is an SSH protocol 1 option. Protocol 1 is disabled in BoKS. |
| StrictModes | Yes | |
| Subsystem | Yes | Only sftp-server and internal-sftp have a BoKS authorization check. |
| SysLogFacility | Yes | |
| TCPKeepAlive | Yes | |
| TrustedUserCAKeys | Yes | |
| UseDNS | Yes | |
| UseLogin | Yes | Enabling this option is not recommended when BoKS is active (it is disabled by default). UseLogin will not be supported in future BoKS versions. |
| UsePam | No | |
| UsePrivilegeSeparation | Yes | |
| VersionAddendum | Yes | If the REPORT_BOKS_SSH_VERSION ENV variable is set to “sshboksver”, it overrides any “VersionAddendum” setting when BoKS is active. Please see the BoKS ENV.4 man page for more information. |
| X11DisplayOffset | Yes | |
| X11Forwarding | Yes | A valid BoKS SSH_X11 access route is required in order to log in when BoKS is active. |
| X11UseLocalhost | Yes | |
| XAuthLocation | Yes | |
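
A practical use of the "No" rows above is to check an existing sshd_config for directives an administrator may be relying on (for example AllowUsers or DenyUsers) that the table lists as not supported while BoKS is active. The following is an added example, not part of the BoKS product or the original article; the function and variable names are hypothetical, the keyword list is transcribed from the table, and the sample configuration is constructed.

```python
import re

# Reasons paraphrased from the "No" rows of the table above.
VALID_USER = "BoKS decides which users are valid"
PASSWORD = "password handling is controlled by BoKS"
INACTIVE = "supported only when BoKS is not active"
PROTO1 = "SSH protocol 1 is disabled in BoKS"

UNSUPPORTED_WHEN_ACTIVE = {
    "allowgroups": VALID_USER, "allowusers": VALID_USER,
    "denygroups": VALID_USER, "denyusers": VALID_USER,
    "emptypasswd": PASSWORD, "passwordauthentication": PASSWORD,
    "permitemptypasswords": PASSWORD,
    "kerberosorlocalpasswd": INACTIVE, "permittunnel": INACTIVE,
    "usepam": "marked No in the table, no comment given",
    "keyregenerationinterval": PROTO1, "protocol": PROTO1,
    "rhostsrsaauthentication": PROTO1, "rsaauthentication": PROTO1,
    "serverkeybits": PROTO1,
}

# Matches "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")

def audit(config_text):
    """Return (line number, keyword, reason) for each directive marked "No"."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() in UNSUPPORTED_WHEN_ACTIVE:
            reason = UNSUPPORTED_WHEN_ACTIVE[m.group(1).lower()]
            findings.append((lineno, m.group(1), reason))
    return findings

# Constructed sample config, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
Protocol 2
AllowUsers alice bob
PasswordAuthentication yes
X11Forwarding yes
usepam=yes
"""

if __name__ == "__main__":
    for lineno, keyword, reason in audit(SAMPLE):
        print(f"line {lineno}: {keyword}: {reason}")
```

A `Protocol 2` line is reported as well, because the table lists the keyword itself as unsupported; treat that finding as informational.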



Last Modified On: December 19, 2018