Format of the authorized_keys file
The AuthorizedKeysFile keyword specifies the file containing public keys for public key authentication. If none is specified, the default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2.
Each line of the file contains one key (empty lines and lines starting with a '#' are ignored as
comments). Public keys that are not in key rings consist of options, keytype, base64-encoded key,
comment. The options field is optional; its presence is determined by whether the line starts with
a number (the options field never starts with a number).
Public keys that are in a key ring only consist of options, one of which must be the zos-key-ring-label option.
The keytype is "ssh-dss", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", or "ssh-ed25519".
Lines in this file are typically several hundred bytes long because of the size of the public key
encoding, up to a limit of 8 kilobytes. This length permits DSA keys up to 8 kilobits and RSA keys
up to 16 kilobits. To avoid typing them, copy the id_dsa.pub, id_ecdsa.pub, id_ed25519.pub or
id_rsa.pub file and edit it.
sshd enforces a minimum RSA key modulus size for keys of 1024 bits.
- agent-forwarding
- Enable authentication agent forwarding previously disabled by the restrict option.
- cert-authority
- Specifies that the listed key is a certificate authority (CA) that is trusted to validate signed
certificates for user authentication.
Certificates may encode access restrictions similar to these key options. If both certificate restrictions and key options are present, the most restrictive union of the two is applied.
- command="command"
- Specifies that the command is executed whenever this key is used for authentication. The command
supplied by the user (if any) is ignored. The command is run on a pseudo terminal (pty) if the client
requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, do not
request a pty or specify no-pty. A quotation mark can be included in the command by quoting it with
a backslash. This option can be useful to restrict certain public keys to perform just a specific
operation. An example might be a key that permits remote backups but nothing else. The client can
specify any combination of TCP and X11 forwarding unless they are explicitly prohibited, for
example, using the restrict key option. The command originally supplied by the client is available
in the SSH_ORIGINAL_COMMAND environment variable. This option applies to shell, command, or
subsystem execution. Note: This command may be superseded by either a sshd_config(5) ForceCommand
directive or a command embedded in a certificate.
- environment="NAME=value"
- Specifies that the string is to be added to the environment when logging in using this key.
Environment variables set this way override other default environment values. See Environment variables in ssh for more information. Multiple
options of this type are permitted. Environment processing is disabled by default and is controlled
by means of the PermitUserEnvironment option. This option is automatically disabled if UseLogin is enabled.
See PermitUserEnvironment for information about environment variable processing and precedence rules.
- expiry-time="timespec"
- Specifies a time after which the key will not be accepted. The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time in the system time-zone.
- from="pattern-list"
- Specifies that in addition to public key authentication, the canonical name of the remote host
must be present in the comma-separated list of patterns. The purpose of this option is to increase
security; public key authentication by itself does not trust the network or name servers or anything
but the key. However, if the key is stolen, this additional option makes using a stolen key more
difficult because name servers and routers would have to be compromised in addition to just the
key.
See Patterns for more information about patterns.
- no-agent-forwarding
- Prevents authentication agent forwarding when this key is used for authentication.
- no-port-forwarding
- Prevents TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This option can be used in conjunction with the command option.
- no-pty
- Prevents tty allocation (a request to allocate a pty will fail).
- no-user-rc
- Disables execution of the ~/.ssh/rc file.
- no-X11-forwarding
- Prevents X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error.
- permitlisten="[host:]port"
- Limits remote port forwarding with the ssh -R option such that it may only listen on the
specified host (optional) and port. IPv6 addresses can be specified by enclosing the address in
square brackets. Multiple permitlisten options may be applied separated by commas. Hostnames may
include wildcards as described in Patterns. A port specification of * matches any port. The setting
of GatewayPorts might further restrict listen addresses. Note that ssh will send a hostname of
"localhost" if a listen host was not specified when the forwarding was requested, and that this
name is treated differently to the explicit localhost addresses 127.0.0.1 and ::1.
- permitopen="host:port"
- Limits local ssh -L port forwarding such that it can only connect to
the specified host and port. IPv6 addresses can be specified with an alternate syntax:
host/port. Use commas to separate multiple
permitopen options. No pattern matching is performed on the specified hostnames; they must be
literal domains or addresses. A port specification of "*" matches any port.
OpenSSH - port forwarding examples has examples of port forwarding.
- principals="principals"
- On a cert-authority line, specifies allowed principals for certificate authentication as a comma-separated list. At least one name from the list must appear in the certificate's list of principals for the certificate to be accepted. This option is ignored for keys that are not marked as trusted certificate signers using the cert-authority option.
- port-forwarding
- Enable port forwarding previously disabled by the restrict option.
- restrict
- Enable all restrictions, that is, disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files they will be included in this set.
- tunnel="n"
- This option is ignored on z/OS UNIX. Forces a tunnel device on the server. Without this option, the next available device is used if the client requests a tunnel.
- user-rc
- Enables execution of ~/.ssh/rc previously disabled by the restrict option.
- X11-forwarding
- Permits X11 forwarding previously disabled by the restrict option.
- zos-key-ring-label="KeyRingOwner/KeyRingName label"
- Specifies the key ring owner, key ring name, and the certificate label within the key ring on
the OpenSSH server that contains the user's public key. One or more blanks separate the key ring
(real or virtual) name from the certificate label. Certificate labels can contain embedded blanks.
The option value must be enclosed in double quotation marks. Key fields following the options (on
the same line) are ignored. These requirements must be met:
- If a key ring is being used on the server side (for example, SSHAuthKeysRing), it was created in the user authentication setup described in Steps for setting up user authentication when using key rings to store keys.
- The certificate must be copied from the client system and added to the user's key ring on the OpenSSH server.
- If the user is not storing the authorized keys in a key ring, then the public key must be extracted from the certificate and added to the user's authorized keys on the OpenSSH server.
An example authorized_keys file:
# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== user@example.net
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa AAAAB2...19Q== john@example.net
command="dump /home",no-pty,no-port-forwarding ssh-dss AAAAC3...51R== example.net
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss AAAAB5...21S==
ssh-rsa AAAA...== jane@example.net
zos-key-ring-label="KeyRingOwner/SSHAuthKeysRing uniq-ssh-rsa"
from="*.example.com",zos-key-ring-label="KeyRingOwner/SSHAuthKeysRing uniq-ssh-dsa"
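As an added illustration (not part of this documentation or of the z/OS OpenSSH code), the following Python parser applies the line rules described above to entries like those in the sample file: it splits the options field on commas outside double quotes, treats a backslash-quoted quotation mark inside a command="..." value as a literal quote, accepts options-only lines when zos-key-ring-label is present (ignoring any key fields after the options), and evaluates the expiry-time option. The KEYTYPES set mirrors the keytypes listed above; treating a line whose first token is a keytype as having no options field, and the dict layout of the result, are this example's own choices.

```python
from datetime import datetime

KEYTYPES = {"ssh-dss", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
            "ecdsa-sha2-nistp521", "ssh-ed25519"}

def _split_options(line):
    """Split the leading options field into ({name: [values]}, remainder). Commas and
    blanks inside double quotes do not split; a backslash-quoted quote is literal."""
    opts, cur, quoted, i = {}, [], False, 0
    def flush():
        name, sep, value = "".join(cur).partition("=")
        opts.setdefault(name, []).append(value if sep else None)  # None for flag options
        cur.clear()
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            cur.append('"'); i += 2; continue
        if c == '"':
            quoted = not quoted                  # quotes delimit the value, drop them
        elif c == "," and not quoted:
            flush()
        elif c in " \t" and not quoted:          # first unquoted blank ends the field
            break
        else:
            cur.append(c)
        i += 1
    if quoted: raise ValueError("unterminated quoted option value")
    flush()
    return opts, line[i:].strip()

def parse_line(line):
    """Parse one authorized_keys line into a dict; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"): return None
    first = line.split(None, 1)[0]               # a leading keytype means no options field
    options, rest = ({}, line) if first in KEYTYPES else _split_options(line)
    if "zos-key-ring-label" in options:          # key fields after the options are ignored
        return {"options": options, "keytype": None, "key": None, "comment": ""}
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEYTYPES:
        raise ValueError("expected keytype and base64 key after options")
    return {"options": options, "keytype": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}

def expired(entry, now=None):
    """True if an expiry-time option (YYYYMMDD or YYYYMMDDHHMM[SS]) has already passed."""
    fmts = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}
    return any((now or datetime.now()) >= datetime.strptime(s, fmts[len(s)])
               for s in entry["options"].get("expiry-time", []))
```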