File Coverage

blib/lib/Config/Model/models/Ssh/HostElement.pl

Criterion	Covered	Total	%
statement	12	12	100.0
branch			n/a
condition			n/a
subroutine	4	4	100.0
pod			n/a
total	16	16	100.0

line	stmt	sub	time	code
1				#
2				# This file is part of Config-Model-OpenSsh
3				#
4				# This software is Copyright (c) 2008-2022 by Dominique Dumont.
5				#
6				# This is free software, licensed under:
7				#
8				# The GNU Lesser General Public License, Version 2.1, February 1999
9				#
10	2	2	6325	use strict;
	2	1	4
	2		54
	1		3162
	1		3
	1		32
11	2	2	9	use warnings;
	2	1	3
	2		3511
	1		7
	1		2
	1		1976
12
13				return [
14				{
15				'accept' => [
16				'.*',
17				{
18				'summary' => 'boilerplate parameter that may hide a typo',
19				'type' => 'leaf',
20				'value_type' => 'uniline',
21				'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author'
22				}
23				],
24				'class_description' => 'This configuration class was generated from ssh_system documentation.
25				by L<parse-man.pl\|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl>
26				',
27				'element' => [
28				'AddKeysToAgent',
29				{
30				'choice' => [
31				'no',
32				'yes',
33				'confirm',
34				'ask'
35				],
36				'description' => 'Specifies whether keys should
37				be automatically added to a running L<ssh-agent(1)>. If this
38				option is set to B<yes> and a key is loaded from a file,
39				the key and its passphrase are added to the agent with the
40				default lifetime, as if by L<ssh-add(1)>. If this option is set
41				to B<ask>, L<ssh(1)> will require confirmation using the
42				SSH_ASKPASS program before adding a key (see L<ssh-add(1)> for
43				details). If this option is set to B<confirm>, each use
44				of the key must be confirmed, as if the B<-c> option was
45				specified to L<ssh-add(1)>. If this option is set to B<no>,
46				no keys are added to the agent. Alternately, this option may
47				be specified as a time interval using the format described
48				in the I<TIME FORMATS> section of L<sshd_config(5)> to
49				specify the key\'s lifetime in L<ssh-agent(1)>, after
50				which it will automatically be removed. The argument must be
51				B<no> (the default), B<yes>, B<confirm>
52				(optionally followed by a time interval), B<ask> or a
53				time interval.',
54				'type' => 'leaf',
55				'upstream_default' => 'no',
56				'value_type' => 'enum'
57				},
58				'AddressFamily',
59				{
60				'choice' => [
61				'any',
62				'inet',
63				'inet6'
64				],
65				'description' => 'Specifies which address family
66				to use when connecting. Valid arguments are B<any> (the
67				default), B<inet> (use IPv4 only), or B<inet6> (use
68				IPv6 only).',
69				'type' => 'leaf',
70				'upstream_default' => 'any',
71				'value_type' => 'enum'
72				},
73				'BatchMode',
74				{
75				'description' => 'If set to B<yes>, user
76				interaction such as password prompts and host key
77				confirmation requests will be disabled. In addition, the
78				B<ServerAliveInterval> option will be set to 300 seconds
79				by default (Debian-specific). This option is useful in
80				scripts and other batch jobs where no user is present to
81				interact with L<ssh(1)>, and where it is desirable to detect a
82				broken network swiftly. The argument must be B<yes> or
83				B<no> (the default).',
84				'type' => 'leaf',
85				'upstream_default' => 'no',
86				'value_type' => 'boolean',
87				'write_as' => [
88				'no',
89				'yes'
90				]
91				},
92				'BindAddress',
93				{
94				'description' => 'Use the specified address on
95				the local machine as the source address of the connection.
96				Only useful on systems with more than one address.',
97				'type' => 'leaf',
98				'value_type' => 'uniline'
99				},
100				'BindInterface',
101				{
102				'description' => 'Use the address of the
103				specified interface on the local machine as the source
104				address of the connection.',
105				'type' => 'leaf',
106				'value_type' => 'uniline'
107				},
108				'CanonicalDomains',
109				{
110				'description' => 'When
111				B<CanonicalizeHostname> is enabled, this option
112				specifies the list of domain suffixes in which to search for
113				the specified destination host.',
114				'type' => 'leaf',
115				'value_type' => 'uniline'
116				},
117				'CanonicalizeFallbackLocal',
118				{
119				'description' => 'Specifies whether to fail with
120				an error when hostname canonicalization fails. The default,
121				B<yes>, will attempt to look up the unqualified hostname
122				using the system resolver\'s search rules. A value of
123				B<no> will cause L<ssh(1)> to fail instantly if
124				B<CanonicalizeHostname> is enabled and the target
125				hostname cannot be found in any of the domains specified by
126				B<CanonicalDomains>.',
127				'type' => 'leaf',
128				'upstream_default' => 'yes',
129				'value_type' => 'boolean',
130				'write_as' => [
131				'no',
132				'yes'
133				]
134				},
135				'CanonicalizeHostname',
136				{
137				'choice' => [
138				'no',
139				'yes',
140				'always',
141				'none'
142				],
143				'description' => 'Controls whether explicit
144				hostname canonicalization is performed. The default,
145				B<no>, is not to perform any name rewriting and let the
146				system resolver handle all hostname lookups. If set to
147				B<yes> then, for connections that do not use a
148				B<ProxyCommand> or B<ProxyJump>, L<ssh(1)> will attempt
149				to canonicalize the hostname specified on the command line
150				using the B<CanonicalDomains> suffixes and
151				B<CanonicalizePermittedCNAMEs> rules. If
152				B<CanonicalizeHostname> is set to B<always>, then
153				canonicalization is applied to proxied connections too.
154
155				If this option
156				is enabled, then the configuration files are processed again
157				using the new target name to pick up any new configuration
158				in matching B<Host> and B<Match> stanzas. A value of
159				B<none> disables the use of a B<ProxyJump> host.',
160				'type' => 'leaf',
161				'upstream_default' => 'no',
162				'value_type' => 'enum'
163				},
164				'CanonicalizeMaxDots',
165				{
166				'description' => 'Specifies the maximum number of
167				dot characters in a hostname before canonicalization is
168				disabled. The default, 1, allows a single dot (i.e.
169				hostname.subdomain).',
170				'type' => 'leaf',
171				'upstream_default' => '1',
172				'value_type' => 'integer'
173				},
174				'CanonicalizePermittedCNAMEs',
175				{
176				'description' => 'Specifies rules to determine
177				whether CNAMEs should be followed when canonicalizing
178				hostnames. The rules consist of one or more arguments of
179				I<source_domain_list>:I<target_domain_list>, where
180				I<source_domain_list> is a pattern-list of domains that
181				may follow CNAMEs in canonicalization, and
182				I<target_domain_list> is a pattern-list of domains that
183				they may resolve to.
184
185				For example,
186				".a.example.com:.b.example.com,*.c.example.com"
187				will allow hostnames matching "*.a.example.com" to
188				be canonicalized to names in the "*.b.example.com"
189				or "*.c.example.com" domains.
190
191				A single
192				argument of "none" causes no CNAMEs to be
193				considered for canonicalization. This is the default
194				behaviour.',
195				'type' => 'leaf',
196				'value_type' => 'uniline'
197				},
198				'CASignatureAlgorithms',
199				{
200				'description' => 'Specifies which algorithms are
201				allowed for signing of certificates by certificate
202				authorities (CAs). The default is:
203
204				ssh-ed25519, ecdsa-sha2-nistp256,
205				ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
206				sk-ssh-ed25519@openssh.com,
207				sk-ecdsa-sha2-nistp256@openssh.com,
208				rsa-sha2-512, rsa-sha2-256
209
210				If the
211				specified list begins with a \'+\' character, then
212				the specified algorithms will be appended to the default set
213				instead of replacing them. If the specified list begins with
214				a \'-\' character, then the specified algorithms
215				(including wildcards) will be removed from the default set
216				instead of replacing them.
217
218				L<ssh(1)> will not
219				accept host certificates signed using algorithms other than
220				those specified.',
221				'type' => 'leaf',
222				'value_type' => 'uniline'
223				},
224				'CertificateFile',
225				{
226				'description' => 'Specifies a file from which the
227				user\'s certificate is read. A corresponding private
228				key must be provided separately in order to use this
229				certificate either from an B<IdentityFile> directive or
230				B<-i> flag to L<ssh(1)>, via L<ssh-agent(1)>, or via a
231				B<PKCS11Provider> or B<SecurityKeyProvider>.
232
233				Arguments to
234				B<CertificateFile> may use the tilde syntax to refer to
235				a user\'s home directory, the tokens described in the
236				I<TOKENS> section and environment variables as described
237				in the I<ENVIRONMENT VARIABLES> section.
238
239				It is possible
240				to have multiple certificate files specified in
241				configuration files; these certificates will be tried in
242				sequence. Multiple B<CertificateFile> directives will
243				add to the list of certificates used for authentication.',
244				'type' => 'leaf',
245				'value_type' => 'uniline'
246				},
247				'CheckHostIP',
248				{
249				'description' => 'If set to B<yes>, L<ssh(1)>
250				will additionally check the host IP address in the
251				I<known_hosts> file. This allows it to detect if a host
252				key changed due to DNS spoofing and will add addresses of
253				destination hosts to I<~/.ssh/known_hosts> in the
254				process, regardless of the setting of
255				B<StrictHostKeyChecking>. If the option is set to
256				B<no> (the default), the check will not be executed.',
257				'type' => 'leaf',
258				'upstream_default' => 'no',
259				'value_type' => 'boolean',
260				'write_as' => [
261				'no',
262				'yes'
263				]
264				},
265				'Ciphers',
266				{
267				'description' => 'Specifies the ciphers allowed
268				and their order of preference. Multiple ciphers must be
269				comma-separated. If the specified list begins with a
270				\'+\' character, then the specified ciphers will
271				be appended to the default set instead of replacing them. If
272				the specified list begins with a \'-\' character,
273				then the specified ciphers (including wildcards) will be
274				removed from the default set instead of replacing them. If
275				the specified list begins with a \'^\' character,
276				then the specified ciphers will be placed at the head of the
277				default set.
278
279				The supported
280				ciphers are:
281
282				3des-cbc
283				aes128-cbc
284				aes192-cbc
285				aes256-cbc
286				aes128-ctr
287				aes192-ctr
288				aes256-ctr
289				aes128-gcm@openssh.com
290				aes256-gcm@openssh.com
291				chacha20-poly1305@openssh.com
292
293				The default
294				is:
295
296				chacha20-poly1305@openssh.com,
297				aes128-ctr, aes192-ctr, aes256-ctr,
298				aes128-gcm@openssh.com, aes256-gcm@openssh.com
299
300				The list of
301				available ciphers may also be obtained using "ssh -Q
302				cipher".',
303				'type' => 'leaf',
304				'value_type' => 'uniline'
305				},
306				'ClearAllForwardings',
307				{
308				'description' => 'Specifies that all local,
309				remote, and dynamic port forwardings specified in the
310				configuration files or on the command line be cleared. This
311				option is primarily useful when used from the L<ssh(1)> command
312				line to clear port forwardings set in configuration files,
313				and is automatically set by L<scp(1)> and L<sftp(1)>. The argument
314				must be B<yes> or B<no> (the default).',
315				'type' => 'leaf',
316				'upstream_default' => 'no',
317				'value_type' => 'boolean',
318				'write_as' => [
319				'no',
320				'yes'
321				]
322				},
323				'Compression',
324				{
325				'description' => 'Specifies whether to use
326				compression. The argument must be B<yes> or B<no>
327				(the default).',
328				'type' => 'leaf',
329				'upstream_default' => 'no',
330				'value_type' => 'boolean',
331				'write_as' => [
332				'no',
333				'yes'
334				]
335				},
336				'ConnectionAttempts',
337				{
338				'description' => 'Specifies the number of tries
339				(one per second) to make before exiting. The argument must
340				be an integer. This may be useful in scripts if the
341				connection sometimes fails. The default is 1.',
342				'type' => 'leaf',
343				'upstream_default' => '1',
344				'value_type' => 'integer'
345				},
346				'ConnectTimeout',
347				{
348				'description' => 'Specifies the timeout (in
349				seconds) used when connecting to the SSH server, instead of
350				using the default system TCP timeout. This timeout is
351				applied both to establishing the connection and to
352				performing the initial SSH protocol handshake and key
353				exchange.',
354				'type' => 'leaf',
355				'value_type' => 'integer'
356				},
357				'ControlMaster',
358				{
359				'choice' => [
360				'auto',
361				'autoask',
362				'yes',
363				'no',
364				'ask'
365				],
366				'description' => 'Enables the sharing of multiple
367				sessions over a single network connection. When set to
368				B<yes>, L<ssh(1)> will listen for connections on a control
369				socket specified using the B<ControlPath> argument.
370				Additional sessions can connect to this socket using the
371				same B<ControlPath> with B<ControlMaster> set to
372				B<no> (the default). These sessions will try to reuse
373				the master instance\'s network connection rather than
374				initiating new ones, but will fall back to connecting
375				normally if the control socket does not exist, or is not
376				listening.
377
378				Setting this to
379				B<ask> will cause L<ssh(1)> to listen for control
380				connections, but require confirmation using L<ssh-askpass(1)>.
381				If the B<ControlPath> cannot be opened, L<ssh(1)> will
382				continue without connecting to a master instance.
383
384				X11 and
385				L<ssh-agent(1)> forwarding is supported over these multiplexed
386				connections, however the display and agent forwarded will be
387				the one belonging to the master connection i.e. it is not
388				possible to forward multiple displays or agents.
389
390				Two additional
391				options allow for opportunistic multiplexing: try to use a
392				master connection but fall back to creating a new one if one
393				does not already exist. These options are: B<auto> and
394				B<autoask>. The latter requires confirmation like the
395				B<ask> option.',
396				'type' => 'leaf',
397				'upstream_default' => 'no',
398				'value_type' => 'enum'
399				},
400				'ControlPath',
401				{
402				'description' => 'Specify the path to the control
403				socket used for connection sharing as described in the
404				B<ControlMaster> section above or the string B<none>
405				to disable connection sharing. Arguments to
406				B<ControlPath> may use the tilde syntax to refer to a
407				user\'s home directory, the tokens described in the
408				I<TOKENS> section and environment variables as described
409				in the I<ENVIRONMENT VARIABLES> section. It is
410				recommended that any B<ControlPath> used for
411				opportunistic connection sharing include at least %h, %p,
412				and %r (or alternatively %C) and be placed in a directory
413				that is not writable by other users. This ensures that
414				shared connections are uniquely identified.',
415				'type' => 'leaf',
416				'value_type' => 'uniline'
417				},
418				'ControlPersist',
419				{
420				'description' => 'When used in conjunction with
421				B<ControlMaster>, specifies that the master connection
422				should remain open in the background (waiting for future
423				client connections) after the initial client connection has
424				been closed. If set to B<no> (the default), then the
425				master connection will not be placed into the background,
426				and will close as soon as the initial client connection is
427				closed. If set to B<yes> or 0, then the master
428				connection will remain in the background indefinitely (until
429				killed or closed via a mechanism such as the "ssh -O
430				exit"). If set to a time in seconds, or a time in any
431				of the formats documented in L<sshd_config(5)>, then the
432				backgrounded master connection will automatically terminate
433				after it has remained idle (with no client connections) for
434				the specified time.',
435				'type' => 'leaf',
436				'value_type' => 'uniline'
437				},
438				'DynamicForward',
439				{
440				'cargo' => {
441				'type' => 'leaf',
442				'value_type' => 'uniline'
443				},
444				'description' => 'Specifies that a TCP port on
445				the local machine be forwarded over the secure channel, and
446				the application protocol is then used to determine where to
447				connect to from the remote machine.
448
449				The argument
450				must be [
451
452				I<bind_address>: ]I<port>. IPv6 addresses can be
453				specified by enclosing addresses in square brackets. By
454				default, the local port is bound in accordance with the
455				B<GatewayPorts> setting. However, an explicit
456				I<bind_address> may be used to bind the connection to a
457				specific address. The I<bind_address> of
458				B<localhost> indicates that the listening port be bound
459				for local use only, while an empty address or
460				\'*\' indicates that the port should be available
461				from all interfaces.
462
463				Currently the
464				SOCKS4 and SOCKS5 protocols are supported, and L<ssh(1)> will
465				act as a SOCKS server. Multiple forwardings may be
466				specified, and additional forwardings can be given on the
467				command line. Only the superuser can forward privileged
468				ports.',
469				'type' => 'list'
470				},
471				'EnableSSHKeysign',
472				{
473				'description' => 'Setting this option to
474				B<yes> in the global client configuration file
475				I</etc/ssh/ssh_config> enables the use of the helper
476				program L<ssh-keysign(8)> during
477				B<HostbasedAuthentication>. The argument must be
478				B<yes> or B<no> (the default). This option should be
479				placed in the non-hostspecific section. See L<ssh-keysign(8)>
480				for more information.',
481				'type' => 'leaf',
482				'upstream_default' => 'no',
483				'value_type' => 'boolean',
484				'write_as' => [
485				'no',
486				'yes'
487				]
488				},
489				'EscapeChar',
490				{
491				'description' => 'Sets the escape character
492				(default: \'~\'). The escape character can also be
493				set on the command line. The argument should be a single
494				character, \'^\' followed by a letter, or
495				B<none> to disable the escape character entirely (making
496				the connection transparent for binary data).',
497				'type' => 'leaf',
498				'value_type' => 'uniline'
499				},
500				'ExitOnForwardFailure',
501				{
502				'description' => 'Specifies whether L<ssh(1)> should
503				terminate the connection if it cannot set up all requested
504				dynamic, tunnel, local, and remote port forwardings, (e.g.
505				if either end is unable to bind and listen on a specified
506				port). Note that B<ExitOnForwardFailure> does not apply
507				to connections made over port forwardings and will not, for
508				example, cause L<ssh(1)> to exit if TCP connections to the
509				ultimate forwarding destination fail. The argument must be
510				B<yes> or B<no> (the default).',
511				'type' => 'leaf',
512				'upstream_default' => 'no',
513				'value_type' => 'boolean',
514				'write_as' => [
515				'no',
516				'yes'
517				]
518				},
519				'FingerprintHash',
520				{
521				'choice' => [
522				'md5',
523				'sha256'
524				],
525				'description' => 'Specifies the hash algorithm
526				used when displaying key fingerprints. Valid options are:
527				B<md5> and B<sha256> (the default).',
528				'type' => 'leaf',
529				'upstream_default' => 'sha256',
530				'value_type' => 'enum'
531				},
532				'ForkAfterAuthentication',
533				{
534				'description' => 'Requests B<ssh> to go to
535				background just before command execution. This is useful if
536				B<ssh> is going to ask for passwords or passphrases, but
537				the user wants it in the background. This implies the
538				B<StdinNull> configuration option being set to
539				B<yes>. The recommended way to start X11 programs
540				at a remote site is with something like B<ssh -f host
541				xterm>, which is the same as B<ssh host xterm> if the
542				B<ForkAfterAuthentication> configuration option is set
543				to B<yes>.
544
545				If the
546				B<ExitOnForwardFailure> configuration option is set to
547				B<yes>, then a client started with the
548				B<ForkAfterAuthentication> configuration option being
549				set to B<yes> will wait for all remote port
550				forwards to be successfully established before placing
551				itself in the background. The argument to this keyword must
552				be B<yes> (same as the B<-f> option) or B<no>
553				(the default).',
554				'type' => 'leaf',
555				'upstream_default' => 'no',
556				'value_type' => 'boolean',
557				'write_as' => [
558				'no',
559				'yes'
560				]
561				},
562				'ForwardAgent',
563				{
564				'description' => 'Specifies whether the
565				connection to the authentication agent (if any) will be
566				forwarded to the remote machine. The argument may be
567				B<yes>, B<no> (the default), an explicit path to an
568				agent socket or the name of an environment variable
569				(beginning with \'$\') in which to find the
570				path.
571
572				Agent
573				forwarding should be enabled with caution. Users with the
574				ability to bypass file permissions on the remote host (for
575				the agent\'s Unix-domain socket) can access the local
576				agent through the forwarded connection. An attacker cannot
577				obtain key material from the agent, however they can perform
578				operations on the keys that enable them to authenticate
579				using the identities loaded into the agent.',
580				'type' => 'leaf',
581				'upstream_default' => 'no',
582				'value_type' => 'boolean',
583				'write_as' => [
584				'no',
585				'yes'
586				]
587				},
588				'ForwardX11',
589				{
590				'description' => 'Specifies whether X11
591				connections will be automatically redirected over the secure
592				channel and DISPLAY set. The argument must be B<yes> or
593				B<no> (the default).
594
595				X11 forwarding
596				should be enabled with caution. Users with the ability to
597				bypass file permissions on the remote host (for the
598				user\'s X11 authorization database) can access the
599				local X11 display through the forwarded connection. An
600				attacker may then be able to perform activities such as
601				keystroke monitoring if the B<ForwardX11Trusted> option
602				is also enabled.',
603				'type' => 'leaf',
604				'upstream_default' => 'no',
605				'value_type' => 'boolean',
606				'write_as' => [
607				'no',
608				'yes'
609				]
610				},
611				'ForwardX11Timeout',
612				{
613				'description' => 'Specify a timeout for untrusted
614				X11 forwarding using the format described in the I<TIME
615				FORMATS> section of L<sshd_config(5)>. X11 connections
616				received by L<ssh(1)> after this time will be refused. Setting
617				B<ForwardX11Timeout> to zero will disable the timeout
618				and permit X11 forwarding for the life of the connection.
619				The default is to disable untrusted X11 forwarding after
620				twenty minutes has elapsed.',
621				'type' => 'leaf',
622				'value_type' => 'integer'
623				},
624				'ForwardX11Trusted',
625				{
626				'description' => 'If this option is set to
627				B<yes>, (the Debian-specific default), remote X11
628				clients will have full access to the original X11
629				display.
630
631				If this option
632				is set to B<no> (the upstream default), remote X11
633				clients will be considered untrusted and prevented from
634				stealing or tampering with data belonging to trusted X11
635				clients. Furthermore, the L<xauth(1)> token used for the
636				session will be set to expire after 20 minutes. Remote
637				clients will be refused access after this time.
638
639				See the X11
640				SECURITY extension specification for full details on the
641				restrictions imposed on untrusted clients.',
642				'type' => 'leaf',
643				'value_type' => 'boolean',
644				'write_as' => [
645				'no',
646				'yes'
647				]
648				},
649				'GatewayPorts',
650				{
651				'description' => 'Specifies whether remote hosts
652				are allowed to connect to local forwarded ports. By default,
653				L<ssh(1)> binds local port forwardings to the loopback address.
654				This prevents other remote hosts from connecting to
655				forwarded ports. B<GatewayPorts> can be used to specify
656				that ssh should bind local port forwardings to the wildcard
657				address, thus allowing remote hosts to connect to forwarded
658				ports. The argument must be B<yes> or B<no> (the
659				default).',
660				'type' => 'leaf',
661				'upstream_default' => 'no',
662				'value_type' => 'boolean',
663				'write_as' => [
664				'no',
665				'yes'
666				]
667				},
668				'GlobalKnownHostsFile',
669				{
670				'description' => 'Specifies one or more files to
671				use for the global host key database, separated by
672				whitespace. The default is I</etc/ssh/ssh_known_hosts>,
673				I</etc/ssh/ssh_known_hosts2>.',
674				'type' => 'leaf',
675				'upstream_default' => '/etc/ssh/ssh_known_hosts',
676				'value_type' => 'uniline'
677				},
678				'GSSAPIAuthentication',
679				{
680				'description' => 'Specifies whether user
681				authentication based on GSSAPI is allowed. The default is
682				B<no>.',
683				'type' => 'leaf',
684				'upstream_default' => 'no',
685				'value_type' => 'boolean',
686				'write_as' => [
687				'no',
688				'yes'
689				]
690				},
691				'GSSAPIClientIdentity',
692				{
693				'description' => 'If set, specifies the GSSAPI
694				client identity that ssh should use when connecting to the
695				server. The default is unset, which means that the default
696				identity will be used.',
697				'type' => 'leaf',
698				'value_type' => 'uniline'
699				},
700				'GSSAPIDelegateCredentials',
701				{
702				'description' => 'Forward (delegate) credentials
703				to the server. The default is B<no>.',
704				'type' => 'leaf',
705				'upstream_default' => 'no',
706				'value_type' => 'boolean',
707				'write_as' => [
708				'no',
709				'yes'
710				]
711				},
712				'GSSAPIKeyExchange',
713				{
714				'description' => 'Specifies whether key exchange
715				based on GSSAPI may be used. When using GSSAPI key exchange
716				the server need not have a host key. The default is
717				B<no>.',
718				'type' => 'leaf',
719				'upstream_default' => 'no',
720				'value_type' => 'boolean',
721				'write_as' => [
722				'no',
723				'yes'
724				]
725				},
726				'GSSAPIRenewalForcesRekey',
727				{
728				'description' => 'If set to B<yes>
729				then renewal of the client\'s GSSAPI credentials will
730				force the rekeying of the ssh connection. With a compatible
731				server, this will delegate the renewed credentials to a
732				session on the server.
733
734				Checks are made
735				to ensure that credentials are only propagated when the new
736				credentials match the old ones on the originating client and
737				where the receiving server still has the old set in its
738				cache.
739
740				The default is
741				B<no>.
742
743				For this to
744				work B<GSSAPIKeyExchange> needs to be enabled in the
745				server and also used by the client.',
746				'type' => 'leaf',
747				'upstream_default' => 'no',
748				'value_type' => 'boolean',
749				'write_as' => [
750				'no',
751				'yes'
752				]
753				},
754				'GSSAPIServerIdentity',
755				{
756				'description' => 'If set, specifies the GSSAPI
757				server identity that ssh should expect when connecting to
758				the server. The default is unset, which means that the
759				expected GSSAPI server identity will be determined from the
760				target hostname.',
761				'type' => 'leaf',
762				'value_type' => 'uniline'
763				},
764				'GSSAPITrustDns',
765				{
766				'description' => 'Set to B<yes> to
767				indicate that the DNS is trusted to securely canonicalize
768				the name of the host being connected to. If
769				B<no>, the hostname entered on the command line
770				will be passed untouched to the GSSAPI library. The default
771				is B<no>.',
772				'type' => 'leaf',
773				'upstream_default' => 'no',
774				'value_type' => 'boolean',
775				'write_as' => [
776				'no',
777				'yes'
778				]
779				},
780				'GSSAPIKexAlgorithms',
781				{
782				'description' => "The list of key exchange
783				algorithms that are offered for GSSAPI key exchange.
784				Possible values are
785
786				gss-gex-sha1-,
787				gss-group1-sha1-,
788				gss-group14-sha1-,
789				gss-group14-sha256-,
790				gss-group16-sha512-,
791				gss-nistp256-sha256-,
792				gss-curve25519-sha256-
793
794				The default is
795				\x{201c}gss-group14-sha256-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-, gss-gex-sha1-, gss-group14-sha1-\x{201d}.
796				This option only applies to connections using GSSAPI.",
797				'type' => 'leaf',
798				'value_type' => 'uniline'
799				},
800				'HashKnownHosts',
801				{
802				'description' => 'Indicates that L<ssh(1)> should
803				hash host names and addresses when they are added to
804				I<~/.ssh/known_hosts>. These hashed names may be used
805				normally by L<ssh(1)> and L<sshd(8)>, but they do not visually
806				reveal identifying information if the file\'s contents
807				are disclosed. The default is B<no>. Note that existing
808				names and addresses in known hosts files will not be
809				converted automatically, but may be manually hashed using
810				L<ssh-keygen(1)>. Use of this option may break facilities such
811				as tab-completion that rely on being able to read unhashed
812				host names from I<~/.ssh/known_hosts>.',
813				'type' => 'leaf',
814				'upstream_default' => 'no',
815				'value_type' => 'boolean',
816				'write_as' => [
817				'no',
818				'yes'
819				]
820				},
821				'HostbasedAcceptedAlgorithms',
822				{
823				'description' => 'Specifies the signature
824				algorithms that will be used for hostbased authentication as
825				a comma-separated list of patterns. Alternately if the
826				specified list begins with a \'+\' character, then
827				the specified signature algorithms will be appended to the
828				default set instead of replacing them. If the specified list
829				begins with a \'-\' character, then the specified
830				signature algorithms (including wildcards) will be removed
831				from the default set instead of replacing them. If the
832				specified list begins with a \'^\' character, then
833				the specified signature algorithms will be placed at the
834				head of the default set. The default for this option is:
835
836				ssh-ed25519-cert-v01@openssh.com,
837				ecdsa-sha2-nistp256-cert-v01@openssh.com,
838				ecdsa-sha2-nistp384-cert-v01@openssh.com,
839				ecdsa-sha2-nistp521-cert-v01@openssh.com,
840				sk-ssh-ed25519-cert-v01@openssh.com,
841				sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
842				rsa-sha2-512-cert-v01@openssh.com,
843				rsa-sha2-256-cert-v01@openssh.com,
844				ssh-ed25519,
845				ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
846				sk-ssh-ed25519@openssh.com,
847				sk-ecdsa-sha2-nistp256@openssh.com,
848				rsa-sha2-512, rsa-sha2-256
849
850				The B<-Q>
851				option of L<ssh(1)> may be used to list supported signature
852				algorithms. This was formerly named HostbasedKeyTypes.',
853				'migrate_from' => {
854				'formula' => '$old',
855				'variables' => {
856				'old' => '- HostbasedKeyTypes'
857				}
858				},
859				'type' => 'leaf',
860				'value_type' => 'uniline'
861				},
862				'HostbasedAuthentication',
863				{
864				'description' => 'Specifies whether to try rhosts
865				based authentication with public key authentication. The
866				argument must be B<yes> or B<no> (the default).',
867				'type' => 'leaf',
868				'upstream_default' => 'no',
869				'value_type' => 'boolean',
870				'write_as' => [
871				'no',
872				'yes'
873				]
874				},
875				'HostKeyAlgorithms',
876				{
877				'description' => 'Specifies the host key
878				signature algorithms that the client wants to use in order
879				of preference. Alternately if the specified list begins with
880				a \'+\' character, then the specified signature
881				algorithms will be appended to the default set instead of
882				replacing them. If the specified list begins with a
883				\'-\' character, then the specified signature
884				algorithms (including wildcards) will be removed from the
885				default set instead of replacing them. If the specified list
886				begins with a \'^\' character, then the specified
887				signature algorithms will be placed at the head of the
888				default set. The default for this option is:
889
890				ssh-ed25519-cert-v01@openssh.com,
891				ecdsa-sha2-nistp256-cert-v01@openssh.com,
892				ecdsa-sha2-nistp384-cert-v01@openssh.com,
893				ecdsa-sha2-nistp521-cert-v01@openssh.com,
894				sk-ssh-ed25519-cert-v01@openssh.com,
895				sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
896				rsa-sha2-512-cert-v01@openssh.com,
897				rsa-sha2-256-cert-v01@openssh.com,
898				ssh-ed25519,
899				ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
900				sk-ecdsa-sha2-nistp256@openssh.com,
901				sk-ssh-ed25519@openssh.com,
902				rsa-sha2-512, rsa-sha2-256
903
904				If hostkeys are
905				known for the destination host then this default is modified
906				to prefer their algorithms.
907
908				The list of
909				available signature algorithms may also be obtained using
910				"ssh -Q HostKeyAlgorithms".',
911				'type' => 'leaf',
912				'value_type' => 'uniline'
913				},
914				'HostKeyAlias',
915				{
916				'description' => 'Specifies an alias that should
917				be used instead of the real host name when looking up or
918				saving the host key in the host key database files and when
919				validating host certificates. This option is useful for
920				tunneling SSH connections or for multiple servers running on
921				a single host.',
922				'type' => 'leaf',
923				'value_type' => 'uniline'
924				},
925				'Hostname',
926				{
927				'description' => 'Specifies the real host name to
928				log into. This can be used to specify nicknames or
929				abbreviations for hosts. Arguments to B<Hostname> accept
930				the tokens described in the I<TOKENS> section. Numeric
931				IP addresses are also permitted (both on the command line
932				and in B<Hostname> specifications). The default is the
933				name given on the command line.',
934				'type' => 'leaf',
935				'value_type' => 'uniline'
936				},
937				'IdentitiesOnly',
938				{
939				'description' => 'Specifies that L<ssh(1)> should
940				only use the configured authentication identity and
941				certificate files (either the default files, or those
942				explicitly configured in the B<ssh_config> files or
943				passed on the L<ssh(1)> command-line), even if L<ssh-agent(1)> or
944				a B<PKCS11Provider> or B<SecurityKeyProvider> offers
945				more identities. The argument to this keyword must be
946				B<yes> or B<no> (the default). This option is
947				intended for situations where ssh-agent offers many
948				different identities.',
949				'type' => 'leaf',
950				'upstream_default' => 'no',
951				'value_type' => 'boolean',
952				'write_as' => [
953				'no',
954				'yes'
955				]
956				},
957				'IdentityAgent',
958				{
959				'description' => 'Specifies the UNIX-domain
960				socket used to communicate with the authentication
961				agent.
962
963				This option
964				overrides the SSH_AUTH_SOCK environment variable and can be
965				used to select a specific agent. Setting the socket name to
966				B<none> disables the use of an authentication agent. If
967				the string "SSH_AUTH_SOCK" is specified, the
968				location of the socket will be read from the SSH_AUTH_SOCK
969				environment variable. Otherwise if the specified value
970				begins with a \'$\' character, then it will be
971				treated as an environment variable containing the location
972				of the socket.
973
974				Arguments to
975				B<IdentityAgent> may use the tilde syntax to refer to a
976				user\'s home directory, the tokens described in the
977				I<TOKENS> section and environment variables as described
978				in the I<ENVIRONMENT VARIABLES> section.',
979				'type' => 'leaf',
980				'value_type' => 'uniline'
981				},
982				'IdentityFile',
983				{
984				'cargo' => {
985				'type' => 'leaf',
986				'value_type' => 'uniline',
987				'warn_if_match' => {
988				'\\.pub$' => {
989				'fix' => 's/\\.pub$//;',
990				'msg' => 'identity file must be the private key'
991				}
992				}
993				},
994				'description' => 'Specifies a file from which the
995				user\'s DSA, ECDSA, authenticator-hosted ECDSA,
996				Ed25519, authenticator-hosted Ed25519 or RSA authentication
997				identity is read. The default is I<~/.ssh/id_rsa>,
998				I<~/.ssh/id_ecdsa>, I<~/.ssh/id_ecdsa_sk>,
999				I<~/.ssh/id_ed25519>, I<~/.ssh/id_ed25519_sk> and
1000				I<~/.ssh/id_dsa>. Additionally, any identities
1001				represented by the authentication agent will be used for
1002				authentication unless B<IdentitiesOnly> is set. If no
1003				certificates have been explicitly specified by
1004				B<CertificateFile>, L<ssh(1)> will try to load certificate
1005				information from the filename obtained by appending
1006				I<-cert.pub> to the path of a specified
1007				B<IdentityFile>.
1008
1009				Arguments to
1010				B<IdentityFile> may use the tilde syntax to refer to a
1011				user\'s home directory or the tokens described in the
1012				I<TOKENS> section.
1013
1014				It is possible
1015				to have multiple identity files specified in configuration
1016				files; all these identities will be tried in sequence.
1017				Multiple B<IdentityFile> directives will add to the list
1018				of identities tried (this behaviour differs from that of
1019				other configuration directives).
1020
1021				B<IdentityFile>
1022				may be used in conjunction with B<IdentitiesOnly> to
1023				select which identities in an agent are offered during
1024				authentication. B<IdentityFile> may also be used in
1025				conjunction with B<CertificateFile> in order to provide
1026				any certificate also needed for authentication with the
1027				identity.',
1028				'type' => 'list'
1029				},
1030				'IgnoreUnknown',
1031				{
1032				'description' => 'Specifies a pattern-list of
1033				unknown options to be ignored if they are encountered in
1034				configuration parsing. This may be used to suppress errors
1035				if B<ssh_config> contains options that are unrecognised
1036				by L<ssh(1)>. It is recommended that B<IgnoreUnknown> be
1037				listed early in the configuration file as it will not be
1038				applied to unknown options that appear before it.',
1039				'type' => 'leaf',
1040				'value_type' => 'uniline'
1041				},
1042				'Include',
1043				{
1044				'cargo' => {
1045				'type' => 'leaf',
1046				'value_type' => 'uniline'
1047				},
1048				'description' => 'Include the specified
1049				configuration file(s). Multiple pathnames may be specified
1050				and each pathname may contain L<glob(7)> wildcards and, for
1051				user configurations, shell-like \'~\' references
1052				to user home directories. Wildcards will be expanded and
1053				processed in lexical order. Files without absolute paths are
1054				assumed to be in I<~/.ssh> if included in a user
1055				configuration file or I</etc/ssh> if included from the
1056				system configuration file. B<Include> directive may
1057				appear inside a B<Match> or B<Host> block to perform
1058				conditional inclusion.',
1059				'type' => 'list'
1060				},
1061				'IPQoS',
1062				{
1063				'assert' => {
1064				'1_or_2' => {
1065				'code' => 'return 1 unless defined $_;
1066				my @v = (/(\\w+)/g);
1067				return (@v < 3) ? 1 : 0;
1068				',
1069				'msg' => 'value must not have more than 2 fields.'
1070				},
1071				'accepted_values' => {
1072				'code' => 'return 1 unless defined $_;
1073				my @v = (/(\\S+)/g);
1074				my @good = grep {/^(af[1-4][1-3]\|cs[0-7]\|ef\|lowdelay\|throughput\|reliability\|\\d+)/} @v ;
1075				return @good == @v ? 1 : 0;
1076				',
1077				'msg' => 'Unexpected value "$_". Expected 1 or 2 occurences of: "af11", "af12", "af13", "af21", "af22",
1078				"af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1",
1079				"cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay",
1080				"throughput", "reliability", or numeric value.
1081				'
1082				}
1083				},
1084				'description' => 'Specifies the
1085				IPv4 type-of-service or DSCP class for connections. Accepted
1086				values are B<af11>, B<af12>, B<af13>,
1087				B<af21>, B<af22>, B<af23>, B<af31>,
1088				B<af32>, B<af33>, B<af41>, B<af42>,
1089				B<af43>, B<cs0>, B<cs1>, B<cs2>, B<cs3>,
1090				B<cs4>, B<cs5>, B<cs6>, B<cs7>, B<ef>,
1091				B<le>, B<lowdelay>, B<throughput>,
1092				B<reliability>, a numeric value, or B<none> to use
1093				the operating system default. This option may take one or
1094				two arguments, separated by whitespace. If one argument is
1095				specified, it is used as the packet class unconditionally.
1096				If two values are specified, the first is automatically
1097				selected for interactive sessions and the second for
1098				non-interactive sessions. The default is B<lowdelay> for
1099				interactive sessions and B<throughput> for
1100				non-interactive sessions.',
1101				'type' => 'leaf',
1102				'upstream_default' => 'af21 cs1',
1103				'value_type' => 'uniline'
1104				},
1105				'KbdInteractiveAuthentication',
1106				{
1107				'description' => 'Specifies whether to use
1108				keyboard-interactive authentication. The argument to this
1109				keyword must be B<yes> (the default) or B<no>.
1110				B<ChallengeResponseAuthentication> is a deprecated alias
1111				for this.',
1112				'type' => 'leaf',
1113				'upstream_default' => 'yes',
1114				'value_type' => 'boolean',
1115				'write_as' => [
1116				'no',
1117				'yes'
1118				]
1119				},
1120				'KbdInteractiveDevices',
1121				{
1122				'cargo' => {
1123				'type' => 'leaf',
1124				'value_type' => 'uniline'
1125				},
1126				'description' => 'Specifies the list of methods
1127				to use in keyboard-interactive authentication. Multiple
1128				method names must be comma-separated. The default is to use
1129				the server specified list. The methods available vary
1130				depending on what the server supports. For an OpenSSH
1131				server, it may be zero or more of: B<bsdauth> and
1132				B<pam>.',
1133				'type' => 'list'
1134				},
1135				'KexAlgorithms',
1136				{
1137				'description' => 'Specifies the available KEX
1138				(Key Exchange) algorithms. Multiple algorithms must be
1139				comma-separated. If the specified list begins with a
1140				\'+\' character, then the specified algorithms
1141				will be appended to the default set instead of replacing
1142				them. If the specified list begins with a \'-\'
1143				character, then the specified algorithms (including
1144				wildcards) will be removed from the default set instead of
1145				replacing them. If the specified list begins with a
1146				\'^\' character, then the specified algorithms
1147				will be placed at the head of the default set. The default
1148				is:
1149
1150				sntrup761x25519-sha512@openssh.com,
1151				curve25519-sha256, curve25519-sha256@libssh.org,
1152				ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,
1153				diffie-hellman-group-exchange-sha256,
1154				diffie-hellman-group16-sha512,
1155				diffie-hellman-group18-sha512,
1156				diffie-hellman-group14-sha256
1157
1158				The list of
1159				available key exchange algorithms may also be obtained using
1160				"ssh -Q kex".',
1161				'type' => 'leaf',
1162				'value_type' => 'uniline'
1163				},
1164				'KnownHostsCommand',
1165				{
1166				'description' => 'Specifies a command to use to
1167				obtain a list of host keys, in addition to those listed in
1168				B<UserKnownHostsFile> and B<GlobalKnownHostsFile>.
1169				This command is executed after the files have been read. It
1170				may write host key lines to standard output in identical
1171				format to the usual files (described in the I<VERIFYING
1172				HOST KEYS> section in L<ssh(1)>). Arguments to
1173				B<KnownHostsCommand> accept the tokens described in the
1174				I<TOKENS> section. The command may be invoked multiple
1175				times per connection: once when preparing the preference
1176				list of host key algorithms to use, again to obtain the host
1177				key for the requested host name and, if B<CheckHostIP>
1178				is enabled, one more time to obtain the host key matching
1179				the server\'s address. If the command exits abnormally
1180				or returns a non-zero exit status then the connection is
1181				terminated.',
1182				'type' => 'leaf',
1183				'value_type' => 'uniline'
1184				},
1185				'LocalCommand',
1186				{
1187				'description' => 'Specifies a command to execute
1188				on the local machine after successfully connecting to the
1189				server. The command string extends to the end of the line,
1190				and is executed with the user\'s shell. Arguments to
1191				B<LocalCommand> accept the tokens described in the
1192				I<TOKENS> section.
1193
1194				The command is
1195				run synchronously and does not have access to the session of
1196				the L<ssh(1)> that spawned it. It should not be used for
1197				interactive commands.
1198
1199				This directive
1200				is ignored unless B<PermitLocalCommand> has been
1201				enabled.',
1202				'type' => 'leaf',
1203				'value_type' => 'uniline'
1204				},
1205				'LocalForward',
1206				{
1207				'cargo' => {
1208				'config_class_name' => 'Ssh::PortForward',
1209				'type' => 'node'
1210				},
1211				'description' => 'Specifies that a TCP port on
1212				the local machine be forwarded over the secure channel to
1213				the specified host and port from the remote machine. The
1214				first argument specifies the listener and may be [
1215
1216				I<bind_address>: ]I<port> or a Unix domain
1217				socket path. The second argument is the destination and may
1218				be I<host>:I<hostport> or a Unix domain socket path
1219				if the remote host supports it.
1220
1221				IPv6 addresses
1222				can be specified by enclosing addresses in square brackets.
1223				Multiple forwardings may be specified, and additional
1224				forwardings can be given on the command line. Only the
1225				superuser can forward privileged ports. By default, the
1226				local port is bound in accordance with the
1227				B<GatewayPorts> setting. However, an explicit
1228				I<bind_address> may be used to bind the connection to a
1229				specific address. The I<bind_address> of
1230				B<localhost> indicates that the listening port be bound
1231				for local use only, while an empty address or
1232				\'*\' indicates that the port should be available
1233				from all interfaces. Unix domain socket paths may use the
1234				tokens described in the I<TOKENS> section and
1235				environment variables as described in the I<ENVIRONMENT
1236				VARIABLES> section.',
1237				'type' => 'list'
1238				},
1239				'LogLevel',
1240				{
1241				'choice' => [
1242				'QUIET',
1243				'FATAL',
1244				'ERROR',
1245				'INFO',
1246				'VERBOSE',
1247				'DEBUG',
1248				'DEBUG1',
1249				'DEBUG2',
1250				'DEBUG3'
1251				],
1252				'description' => 'Gives the verbosity level that
1253				is used when logging messages from L<ssh(1)>. The possible
1254				values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
1255				DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and
1256				DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
1257				levels of verbose output.',
1258				'type' => 'leaf',
1259				'upstream_default' => 'INFO',
1260				'value_type' => 'enum'
1261				},
1262				'LogVerbose',
1263				{
1264				'description' => 'Specify one or more overrides
1265				to LogLevel. An override consists of a pattern lists that
1266				matches the source file, function and line number to force
1267				detailed logging for. For example, an override pattern
1268				of:
1269
1270				kex.c::1000,:kex_exchange_identification():, packet.c:
1271
1272				would enable
1273				detailed logging for line 1000 of I<kex.c>, everything
1274				in the B<kex_exchange_identification>() function, and
1275				all code in the I<packet.c> file. This option is
1276				intended for debugging and no overrides are enabled by
1277				default.',
1278				'type' => 'leaf',
1279				'value_type' => 'uniline'
1280				},
1281				'MACs',
1282				{
1283				'description' => 'Specifies the
1284				MAC (message authentication code) algorithms in order of
1285				preference. The MAC algorithm is used for data integrity
1286				protection. Multiple algorithms must be comma-separated. If
1287				the specified list begins with a \'+\' character,
1288				then the specified algorithms will be appended to the
1289				default set instead of replacing them. If the specified list
1290				begins with a \'-\' character, then the specified
1291				algorithms (including wildcards) will be removed from the
1292				default set instead of replacing them. If the specified list
1293				begins with a \'^\' character, then the specified
1294				algorithms will be placed at the head of the default
1295				set.
1296
1297				The algorithms
1298				that contain "-etm" calculate the MAC after
1299				encryption (encrypt-then-mac). These are considered safer
1300				and their use recommended.
1301
1302				The default
1303				is:
1304
1305				umac-64-etm@openssh.com, umac-128-etm@openssh.com,
1306				hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com,
1307				hmac-sha1-etm@openssh.com,
1308				umac-64@openssh.com, umac-128@openssh.com,
1309				hmac-sha2-256, hmac-sha2-512, hmac-sha1
1310
1311				The list of
1312				available MAC algorithms may also be obtained using
1313				"ssh -Q mac".',
1314				'type' => 'leaf',
1315				'value_type' => 'uniline'
1316				},
1317				'NoHostAuthenticationForLocalhost',
1318				{
1319				'description' => 'Disable host authentication for
1320				localhost (loopback addresses). The argument to this keyword
1321				must be B<yes> or B<no> (the default).',
1322				'type' => 'leaf',
1323				'upstream_default' => 'no',
1324				'value_type' => 'boolean',
1325				'write_as' => [
1326				'no',
1327				'yes'
1328				]
1329				},
1330				'NumberOfPasswordPrompts',
1331				{
1332				'description' => 'Specifies the number of
1333				password prompts before giving up. The argument to this
1334				keyword must be an integer. The default is 3.',
1335				'type' => 'leaf',
1336				'upstream_default' => '3',
1337				'value_type' => 'integer'
1338				},
1339				'PasswordAuthentication',
1340				{
1341				'description' => 'Specifies whether to use
1342				password authentication. The argument to this keyword must
1343				be B<yes> (the default) or B<no>.',
1344				'type' => 'leaf',
1345				'upstream_default' => 'yes',
1346				'value_type' => 'boolean',
1347				'write_as' => [
1348				'no',
1349				'yes'
1350				]
1351				},
1352				'PermitLocalCommand',
1353				{
1354				'description' => 'Allow local command execution
1355				via the B<LocalCommand> option or using the
1356				B<!>I<command> escape sequence in L<ssh(1)>. The
1357				argument must be B<yes> or B<no> (the default).',
1358				'type' => 'leaf',
1359				'upstream_default' => 'no',
1360				'value_type' => 'boolean',
1361				'write_as' => [
1362				'no',
1363				'yes'
1364				]
1365				},
1366				'PermitRemoteOpen',
1367				{
1368				'cargo' => {
1369				'type' => 'leaf',
1370				'value_type' => 'uniline'
1371				},
1372				'description' => 'Specifies the destinations to
1373				which remote TCP port forwarding is permitted when
1374				B<RemoteForward> is used as a SOCKS proxy. The
1375				forwarding specification must be one of the following
1376				forms:
1377
1378				B<PermitRemoteOpen>I<host>:I<port> B<
1379				PermitRemoteOpen> I<IPv4_addr>:I<port> B<
1380				PermitRemoteOpen> I<[IPv6_addr]>:I<port>
1381
1382				Multiple
1383				forwards may be specified by separating them with
1384				whitespace. An argument of B<any> can be used to remove
1385				all restrictions and permit any forwarding requests. An
1386				argument of B<none> can be used to prohibit all
1387				forwarding requests. The wildcard \'*\' can be
1388				used for host or port to allow all hosts or ports
1389				respectively. Otherwise, no pattern matching or address
1390				lookups are performed on supplied names.',
1391				'type' => 'list'
1392				},
1393				'PKCS11Provider',
1394				{
1395				'description' => 'Specifies which PKCS#11
1396				provider to use or B<none> to indicate that no provider
1397				should be used (the default). The argument to this keyword
1398				is a path to the PKCS#11 shared library L<ssh(1)> should use to
1399				communicate with a PKCS#11 token providing keys for user
1400				authentication.',
1401				'type' => 'leaf',
1402				'value_type' => 'uniline'
1403				},
1404				'Port',
1405				{
1406				'description' => 'Specifies the
1407				port number to connect on the remote host. The default is
1408				22.',
1409				'type' => 'leaf',
1410				'value_type' => 'uniline'
1411				},
1412				'PreferredAuthentications',
1413				{
1414				'cargo' => {
1415				'type' => 'leaf',
1416				'value_type' => 'uniline',
1417				'warn_unless_match' => {
1418				'^(gssapi-with-mic\|hostbased\|publickey\|keyboard-interactive\|password)$' => {
1419				'msg' => 'Unexpected authentication method: \'C<$_>\'. Expected one of
1420				C<gssapi-with-mic>, C<hostbased>, C<publickey>,
1421				C<keyboard-interactive> or C<password>
1422				'
1423				}
1424				}
1425				},
1426				'description' => 'Specifies the order in which
1427				the client should try authentication methods. This allows a
1428				client to prefer one method (e.g.
1429				B<keyboard-interactive>) over another method (e.g.
1430				B<password>). The default is:
1431
1432				gssapi-with-mic, hostbased, publickey,
1433				keyboard-interactive, password',
1434				'type' => 'list'
1435				},
1436				'ProxyCommand',
1437				{
1438				'description' => 'Specifies the command to use to
1439				connect to the server. The command string extends to the end
1440				of the line, and is executed using the user\'s shell
1441				\'exec\' directive to avoid a lingering shell
1442				process.
1443
1444				Arguments to
1445				B<ProxyCommand> accept the tokens described in the
1446				I<TOKENS> section. The command can be basically
1447				anything, and should read from its standard input and write
1448				to its standard output. It should eventually connect an
1449				L<sshd(8)> server running on some machine, or execute B<sshd
1450				-i> somewhere. Host key management will be done using the
1451				B<Hostname> of the host being connected (defaulting to
1452				the name typed by the user). Setting the command to
1453				B<none> disables this option entirely. Note that
1454				B<CheckHostIP> is not available for connects with a
1455				proxy command.
1456
1457				This directive
1458				is useful in conjunction with L<nc(1)> and its proxy support.
1459				For example, the following directive would connect via an
1460				HTTP proxy at 192.0.2.0:
1461
1462				ProxyCommand
1463				/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
1464				'type' => 'leaf',
1465				'value_type' => 'uniline'
1466				},
1467				'ProxyJump',
1468				{
1469				'cargo' => {
1470				'type' => 'leaf',
1471				'value_type' => 'uniline'
1472				},
1473				'description' => 'Specifies one or more jump
1474				proxies as either
1475
1476				[I<user>@]I<host>[:I<port>] or an ssh URI .
1477				Multiple proxies may be separated by comma characters and
1478				will be visited sequentially. Setting this option will cause
1479				L<ssh(1)> to connect to the target host by first making a
1480				L<ssh(1)> connection to the specified B<ProxyJump> host and
1481				then establishing a TCP forwarding to the ultimate target
1482				from there. Setting the host to B<none> disables this
1483				option entirely.
1484
1485				Note that this
1486				option will compete with the B<ProxyCommand> option -
1487				whichever is specified first will prevent later instances of
1488				the other from taking effect.
1489
1490				Note also that
1491				the configuration for the destination host (either supplied
1492				via the command-line or the configuration file) is not
1493				generally applied to jump hosts. I<~/.ssh/config> should
1494				be used if specific configuration is required for jump
1495				hosts.',
1496				'type' => 'list'
1497				},
1498				'ProxyUseFdpass',
1499				{
1500				'description' => 'Specifies that
1501				B<ProxyCommand> will pass a connected file descriptor
1502				back to L<ssh(1)> instead of continuing to execute and pass
1503				data. The default is B<no>.',
1504				'type' => 'leaf',
1505				'upstream_default' => 'no',
1506				'value_type' => 'boolean',
1507				'write_as' => [
1508				'no',
1509				'yes'
1510				]
1511				},
1512				'PubkeyAcceptedAlgorithms',
1513				{
1514				'description' => 'Specifies the signature
1515				algorithms that will be used for public key authentication
1516				as a comma-separated list of patterns. If the specified list
1517				begins with a \'+\' character, then the algorithms
1518				after it will be appended to the default instead of
1519				replacing it. If the specified list begins with a
1520				\'-\' character, then the specified algorithms
1521				(including wildcards) will be removed from the default set
1522				instead of replacing them. If the specified list begins with
1523				a \'^\' character, then the specified algorithms
1524				will be placed at the head of the default set. The default
1525				for this option is:
1526
1527				ssh-ed25519-cert-v01@openssh.com,
1528				ecdsa-sha2-nistp256-cert-v01@openssh.com,
1529				ecdsa-sha2-nistp384-cert-v01@openssh.com,
1530				ecdsa-sha2-nistp521-cert-v01@openssh.com,
1531				sk-ssh-ed25519-cert-v01@openssh.com,
1532				sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1533				rsa-sha2-512-cert-v01@openssh.com,
1534				rsa-sha2-256-cert-v01@openssh.com,
1535				ssh-ed25519,
1536				ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
1537				sk-ssh-ed25519@openssh.com,
1538				sk-ecdsa-sha2-nistp256@openssh.com,
1539				rsa-sha2-512, rsa-sha2-256
1540
1541				The list of
1542				available signature algorithms may also be obtained using
1543				"ssh -Q PubkeyAcceptedAlgorithms".',
1544				'migrate_from' => {
1545				'formula' => '$old',
1546				'variables' => {
1547				'old' => '- PubkeyAcceptedKeyTypes'
1548				}
1549				},
1550				'type' => 'leaf',
1551				'value_type' => 'uniline'
1552				},
1553				'PubkeyAuthentication',
1554				{
1555				'choice' => [
1556				'yes',
1557				'no',
1558				'unbound',
1559				'host-bound'
1560				],
1561				'description' => 'Specifies whether to try public
1562				key authentication. The argument to this keyword must be
1563				B<yes> (the default), B<no>, B<unbound> or
1564				B<host-bound>. The final two options enable public key
1565				authentication while respectively disabling or enabling the
1566				OpenSSH host-bound authentication protocol extension
1567				required for restricted L<ssh-agent(1)> forwarding.',
1568				'type' => 'leaf',
1569				'upstream_default' => 'yes',
1570				'value_type' => 'enum'
1571				},
1572				'RekeyLimit',
1573				{
1574				'description' => 'Specifies the maximum amount of
1575				data that may be transmitted before the session key is
1576				renegotiated, optionally followed by a maximum amount of
1577				time that may pass before the session key is renegotiated.
1578				The first argument is specified in bytes and may have a
1579				suffix of \'K\', \'M\', or
1580				\'G\' to indicate Kilobytes, Megabytes, or
1581				Gigabytes, respectively. The default is between
1582				\'1G\' and \'4G\', depending on the
1583				cipher. The optional second value is specified in seconds
1584				and may use any of the units documented in the TIME FORMATS
1585				section of L<sshd_config(5)>. The default value for
1586				B<RekeyLimit> is B<default none>, which means that
1587				rekeying is performed after the cipher\'s default
1588				amount of data has been sent or received and no time based
1589				rekeying is done.',
1590				'type' => 'leaf',
1591				'value_type' => 'uniline'
1592				},
1593				'RemoteCommand',
1594				{
1595				'description' => 'Specifies a command to execute
1596				on the remote machine after successfully connecting to the
1597				server. The command string extends to the end of the line,
1598				and is executed with the user\'s shell. Arguments to
1599				B<RemoteCommand> accept the tokens described in the
1600				I<TOKENS> section.',
1601				'type' => 'leaf',
1602				'value_type' => 'uniline'
1603				},
1604				'RemoteForward',
1605				{
1606				'cargo' => {
1607				'config_class_name' => 'Ssh::PortForward',
1608				'type' => 'node'
1609				},
1610				'description' => 'Specifies that a TCP port on
1611				the remote machine be forwarded over the secure channel. The
1612				remote port may either be forwarded to a specified host and
1613				port from the local machine, or may act as a SOCKS 4/5 proxy
1614				that allows a remote client to connect to arbitrary
1615				destinations from the local machine. The first argument is
1616				the listening specification and may be [
1617
1618				I<bind_address>: ]I<port> or, if the remote host
1619				supports it, a Unix domain socket path. If forwarding to a
1620				specific destination then the second argument must be
1621				I<host>:I<hostport> or a Unix domain socket path,
1622				otherwise if no destination argument is specified then the
1623				remote forwarding will be established as a SOCKS proxy. When
1624				acting as a SOCKS proxy, the destination of the connection
1625				can be restricted by B<PermitRemoteOpen>.
1626
1627				IPv6 addresses
1628				can be specified by enclosing addresses in square brackets.
1629				Multiple forwardings may be specified, and additional
1630				forwardings can be given on the command line. Privileged
1631				ports can be forwarded only when logging in as root on the
1632				remote machine. Unix domain socket paths may use the tokens
1633				described in the I<TOKENS> section and environment
1634				variables as described in the I<ENVIRONMENT VARIABLES>
1635				section.
1636
1637				If the
1638				I<port> argument is 0, the listen port will be
1639				dynamically allocated on the server and reported to the
1640				client at run time.
1641
1642				If the
1643				I<bind_address> is not specified, the default is to only
1644				bind to loopback addresses. If the I<bind_address> is
1645				\'*\' or an empty string, then the forwarding is
1646				requested to listen on all interfaces. Specifying a remote
1647				I<bind_address> will only succeed if the server\'s
1648				B<GatewayPorts> option is enabled (see
1649				L<sshd_config(5)>).',
1650				'type' => 'list'
1651				},
1652				'RequestTTY',
1653				{
1654				'choice' => [
1655				'no',
1656				'yes',
1657				'force',
1658				'auto'
1659				],
1660				'description' => 'Specifies whether to request a
1661				pseudo-tty for the session. The argument may be one of:
1662				B<no> (never request a TTY), B<yes> (always request
1663				a TTY when standard input is a TTY), B<force> (always
1664				request a TTY) or B<auto> (request a TTY when opening a
1665				login session). This option mirrors the B<-t> and
1666				B<-T> flags for L<ssh(1)>.',
1667				'type' => 'leaf',
1668				'value_type' => 'enum'
1669				},
1670				'RevokedHostKeys',
1671				{
1672				'description' => 'Specifies revoked host public
1673				keys. Keys listed in this file will be refused for host
1674				authentication. Note that if this file does not exist or is
1675				not readable, then host authentication will be refused for
1676				all hosts. Keys may be specified as a text file, listing one
1677				public key per line, or as an OpenSSH Key Revocation List
1678				(KRL) as generated by L<ssh-keygen(1)>. For more information on
1679				KRLs, see the KEY REVOCATION LISTS section in
1680				L<ssh-keygen(1)>.',
1681				'type' => 'leaf',
1682				'value_type' => 'uniline'
1683				},
1684				'SecurityKeyProvider',
1685				{
1686				'description' => 'Specifies a path to a library
1687				that will be used when loading any FIDO authenticator-hosted
1688				keys, overriding the default of using the built-in USB HID
1689				support.
1690
1691				If the
1692				specified value begins with a \'$\' character,
1693				then it will be treated as an environment variable
1694				containing the path to the library.',
1695				'type' => 'leaf',
1696				'value_type' => 'uniline'
1697				},
1698				'SendEnv',
1699				{
1700				'cargo' => {
1701				'type' => 'leaf',
1702				'value_type' => 'uniline'
1703				},
1704				'description' => 'Specifies what variables from
1705				the local L<environ(7)> should be sent to the server. The
1706				server must also support it, and the server must be
1707				configured to accept these environment variables. Note that
1708				the TERM environment variable is always sent whenever a
1709				pseudo-terminal is requested as it is required by the
1710				protocol. Refer to B<AcceptEnv> in L<sshd_config(5)> for
1711				how to configure the server. Variables are specified by
1712				name, which may contain wildcard characters. Multiple
1713				environment variables may be separated by whitespace or
1714				spread across multiple B<SendEnv> directives.
1715
1716				See
1717				I<PATTERNS> for more information on patterns.
1718
1719				It is possible
1720				to clear previously set B<SendEnv> variable names by
1721				prefixing patterns with I<->. The default is not to send
1722				any environment variables.',
1723				'type' => 'list'
1724				},
1725				'ServerAliveCountMax',
1726				{
1727				'description' => 'Sets the number of server alive
1728				messages (see below) which may be sent without L<ssh(1)>
1729				receiving any messages back from the server. If this
1730				threshold is reached while server alive messages are being
1731				sent, ssh will disconnect from the server, terminating the
1732				session. It is important to note that the use of server
1733				alive messages is very different from B<TCPKeepAlive>
1734				(below). The server alive messages are sent through the
1735				encrypted channel and therefore will not be spoofable. The
1736				TCP keepalive option enabled by B<TCPKeepAlive> is
1737				spoofable. The server alive mechanism is valuable when the
1738				client or server depend on knowing when a connection has
1739				become unresponsive.
1740
1741				The default
1742				value is 3. If, for example, B<ServerAliveInterval> (see
1743				below) is set to 15 and B<ServerAliveCountMax> is left
1744				at the default, if the server becomes unresponsive, ssh will
1745				disconnect after approximately 45 seconds.',
1746				'type' => 'leaf',
1747				'upstream_default' => '3',
1748				'value_type' => 'integer'
1749				},
1750				'ServerAliveInterval',
1751				{
1752				'description' => 'Sets a timeout interval in
1753				seconds after which if no data has been received from the
1754				server, L<ssh(1)> will send a message through the encrypted
1755				channel to request a response from the server. The default
1756				is 0, indicating that these messages will not be sent to the
1757				server, or 300 if the B<BatchMode> option is set
1758				(Debian-specific). B<ProtocolKeepAlives> and
1759				B<SetupTimeOut> are Debian-specific compatibility
1760				aliases for this option.',
1761				'type' => 'leaf',
1762				'upstream_default' => '0',
1763				'value_type' => 'integer'
1764				},
1765				'SessionType',
1766				{
1767				'choice' => [
1768				'none',
1769				'subsystem',
1770				'default'
1771				],
1772				'description' => 'May be used to either request
1773				invocation of a subsystem on the remote system, or to
1774				prevent the execution of a remote command at all. The latter
1775				is useful for just forwarding ports. The argument to this
1776				keyword must be B<none> (same as the B<-N> option),
1777				B<subsystem> (same as the B<-s> option) or
1778				B<default> (shell or command execution).',
1779				'type' => 'leaf',
1780				'value_type' => 'enum'
1781				},
1782				'SetEnv',
1783				{
1784				'description' => 'Directly
1785				specify one or more environment variables and their contents
1786				to be sent to the server. Similarly to B<SendEnv>, with
1787				the exception of the TERM variable, the server must be
1788				prepared to accept the environment variable.',
1789				'type' => 'leaf',
1790				'value_type' => 'uniline'
1791				},
1792				'StdinNull',
1793				{
1794				'description' => 'Redirects stdin from
1795				I</dev/null> (actually, prevents reading from stdin).
1796				Either this or the equivalent B<-n> option must be used
1797				when B<ssh> is run in the background. The argument to
1798				this keyword must be B<yes> (same as the B<-n>
1799				option) or B<no> (the default).',
1800				'type' => 'leaf',
1801				'upstream_default' => 'no',
1802				'value_type' => 'boolean',
1803				'write_as' => [
1804				'no',
1805				'yes'
1806				]
1807				},
1808				'StreamLocalBindMask',
1809				{
1810				'description' => 'Sets the octal file creation
1811				mode mask (umask) used when creating a Unix-domain socket
1812				file for local or remote port forwarding. This option is
1813				only used for port forwarding to a Unix-domain socket
1814				file.
1815
1816				The default
1817				value is 0177, which creates a Unix-domain socket file that
1818				is readable and writable only by the owner. Note that not
1819				all operating systems honor the file mode on Unix-domain
1820				socket files.',
1821				'type' => 'leaf',
1822				'value_type' => 'uniline'
1823				},
1824				'StreamLocalBindUnlink',
1825				{
1826				'description' => 'Specifies whether to remove an
1827				existing Unix-domain socket file for local or remote port
1828				forwarding before creating a new one. If the socket file
1829				already exists and B<StreamLocalBindUnlink> is not
1830				enabled, B<ssh> will be unable to forward the port to
1831				the Unix-domain socket file. This option is only used for
1832				port forwarding to a Unix-domain socket file.
1833
1834				The argument
1835				must be B<yes> or B<no> (the default).',
1836				'type' => 'leaf',
1837				'upstream_default' => 'no',
1838				'value_type' => 'boolean',
1839				'write_as' => [
1840				'no',
1841				'yes'
1842				]
1843				},
1844				'StrictHostKeyChecking',
1845				{
1846				'choice' => [
1847				'yes',
1848				'accept-new',
1849				'no',
1850				'off',
1851				'ask'
1852				],
1853				'description' => 'If this flag is set to
1854				B<yes>, L<ssh(1)> will never automatically add host keys to
1855				the I<~/.ssh/known_hosts> file, and refuses to connect
1856				to hosts whose host key has changed. This provides maximum
1857				protection against man-in-the-middle (MITM) attacks, though
1858				it can be annoying when the I</etc/ssh/ssh_known_hosts>
1859				file is poorly maintained or when connections to new hosts
1860				are frequently made. This option forces the user to manually
1861				add all new hosts.
1862
1863				If this flag is
1864				set to B<accept-new> then ssh will automatically add new
1865				host keys to the user\'s I<known_hosts> file, but
1866				will not permit connections to hosts with changed host keys.
1867				If this flag is set to B<no> or B<off>, ssh will
1868				automatically add new host keys to the user known hosts
1869				files and allow connections to hosts with changed hostkeys
1870				to proceed, subject to some restrictions. If this flag is
1871				set to B<ask> (the default), new host keys will be added
1872				to the user known host files only after the user has
1873				confirmed that is what they really want to do, and ssh will
1874				refuse to connect to hosts whose host key has changed. The
1875				host keys of known hosts will be verified automatically in
1876				all cases.',
1877				'type' => 'leaf',
1878				'upstream_default' => 'ask',
1879				'value_type' => 'enum'
1880				},
1881				'SyslogFacility',
1882				{
1883				'choice' => [
1884				'DAEMON',
1885				'USER',
1886				'AUTH',
1887				'LOCAL0',
1888				'LOCAL1',
1889				'LOCAL2',
1890				'LOCAL3',
1891				'LOCAL4',
1892				'LOCAL5',
1893				'LOCAL6',
1894				'LOCAL7'
1895				],
1896				'description' => 'Gives the facility code that is
1897				used when logging messages from L<ssh(1)>. The possible values
1898				are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3,
1899				LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is USER.',
1900				'type' => 'leaf',
1901				'upstream_default' => 'USER',
1902				'value_type' => 'enum'
1903				},
1904				'TCPKeepAlive',
1905				{
1906				'description' => 'Specifies whether the system
1907				should send TCP keepalive messages to the other side. If
1908				they are sent, death of the connection or crash of one of
1909				the machines will be properly noticed. This option only uses
1910				TCP keepalives (as opposed to using ssh level keepalives),
1911				so takes a long time to notice when the connection dies. As
1912				such, you probably want the B<ServerAliveInterval>
1913				option as well. However, this means that connections will
1914				die if the route is down temporarily, and some people find
1915				it annoying.
1916
1917				The default is
1918				B<yes> (to send TCP keepalive messages), and the client
1919				will notice if the network goes down or the remote host
1920				dies. This is important in scripts, and many users want it
1921				too.
1922
1923				To disable TCP
1924				keepalive messages, the value should be set to B<no>.
1925				See also B<ServerAliveInterval> for protocol-level
1926				keepalives.',
1927				'type' => 'leaf',
1928				'upstream_default' => 'yes',
1929				'value_type' => 'boolean',
1930				'write_as' => [
1931				'no',
1932				'yes'
1933				]
1934				},
1935				'Tunnel',
1936				{
1937				'choice' => [
1938				'yes',
1939				'point-to-point',
1940				'ethernet',
1941				'no'
1942				],
1943				'description' => 'Request L<tun(4)>
1944				device forwarding between the client and the server. The
1945				argument must be B<yes>, B<point-to-point> (layer
1946				3), B<ethernet> (layer 2), or B<no> (the default).
1947				Specifying B<yes> requests the default tunnel mode,
1948				which is B<point-to-point>.',
1949				'type' => 'leaf',
1950				'upstream_default' => 'no',
1951				'value_type' => 'enum'
1952				},
1953				'TunnelDevice',
1954				{
1955				'description' => 'Specifies the L<tun(4)> devices to
1956				open on the client (I<local_tun>) and the server
1957				(I<remote_tun>).
1958
1959				The argument
1960				must be I<local_tun>[:I<remote_tun>]. The devices
1961				may be specified by numerical ID or the keyword B<any>,
1962				which uses the next available tunnel device. If
1963				I<remote_tun> is not specified, it defaults to
1964				B<any>. The default is B<any:any>.',
1965				'type' => 'leaf',
1966				'upstream_default' => 'any:any',
1967				'value_type' => 'uniline'
1968				},
1969				'UpdateHostKeys',
1970				{
1971				'choice' => [
1972				'yes',
1973				'no',
1974				'ask'
1975				],
1976				'description' => 'Specifies whether L<ssh(1)> should
1977				accept notifications of additional hostkeys from the server
1978				sent after authentication has completed and add them to
1979				B<UserKnownHostsFile>. The argument must be B<yes>,
1980				B<no> or B<ask>. This option allows learning
1981				alternate hostkeys for a server and supports graceful key
1982				rotation by allowing a server to send replacement public
1983				keys before old ones are removed.
1984
1985				Additional
1986				hostkeys are only accepted if the key used to authenticate
1987				the host was already trusted or explicitly accepted by the
1988				user, the host was authenticated via
1989				B<UserKnownHostsFile> (i.e. not
1990				B<GlobalKnownHostsFile>) and the host was authenticated
1991				using a plain key and not a certificate.
1992
1993				B<UpdateHostKeys>
1994				is enabled by default if the user has not overridden the
1995				default B<UserKnownHostsFile> setting and has not
1996				enabled B<VerifyHostKeyDNS>, otherwise
1997				B<UpdateHostKeys> will be set to B<no>.
1998
1999				If
2000				B<UpdateHostKeys> is set to B<ask>, then the user is
2001				asked to confirm the modifications to the known_hosts file.
2002				Confirmation is currently incompatible with
2003				B<ControlPersist>, and will be disabled if it is
2004				enabled.
2005
2006				Presently, only
2007				L<sshd(8)> from OpenSSH 6.8 and greater support the
2008				"hostkeys@openssh.com" protocol extension used to
2009				inform the client of all the server\'s hostkeys.',
2010				'type' => 'leaf',
2011				'value_type' => 'enum'
2012				},
2013				'User',
2014				{
2015				'description' => 'Specifies the
2016				user to log in as. This can be useful when a different user
2017				name is used on different machines. This saves the trouble
2018				of having to remember to give the user name on the command
2019				line.',
2020				'type' => 'leaf',
2021				'value_type' => 'uniline'
2022				},
2023				'UserKnownHostsFile',
2024				{
2025				'description' => 'Specifies one or more files to
2026				use for the user host key database, separated by whitespace.
2027				Each filename may use tilde notation to refer to the
2028				user\'s home directory, the tokens described in the
2029				I<TOKENS> section and environment variables as described
2030				in the I<ENVIRONMENT VARIABLES> section. The default is
2031				I<~/.ssh/known_hosts>, I<~/.ssh/known_hosts2>.',
2032				'type' => 'leaf',
2033				'value_type' => 'uniline'
2034				},
2035				'VerifyHostKeyDNS',
2036				{
2037				'choice' => [
2038				'yes',
2039				'ask',
2040				'no'
2041				],
2042				'description' => 'Specifies whether to verify the
2043				remote key using DNS and SSHFP resource records. If this
2044				option is set to B<yes>, the client will implicitly
2045				trust keys that match a secure fingerprint from DNS.
2046				Insecure fingerprints will be handled as if this option was
2047				set to B<ask>. If this option is set to B<ask>,
2048				information on fingerprint match will be displayed, but the
2049				user will still need to confirm new host keys according to
2050				the B<StrictHostKeyChecking> option. The default is
2051				B<no>.
2052
2053				See also
2054				I<VERIFYING HOST KEYS> in L<ssh(1)>.',
2055				'type' => 'leaf',
2056				'upstream_default' => 'no',
2057				'value_type' => 'enum'
2058				},
2059				'VisualHostKey',
2060				{
2061				'description' => 'If this flag is set to
2062				B<yes>, an ASCII art representation of the remote host
2063				key fingerprint is printed in addition to the fingerprint
2064				string at login and for unknown host keys. If this flag is
2065				set to B<no> (the default), no fingerprint strings are
2066				printed at login and only the fingerprint string will be
2067				printed for unknown host keys.',
2068				'type' => 'leaf',
2069				'upstream_default' => 'no',
2070				'value_type' => 'uniline'
2071				},
2072				'XAuthLocation',
2073				{
2074				'description' => 'Specifies the full pathname of
2075				the L<xauth(1)> program. The default is
2076				I</usr/bin/xauth>.',
2077				'type' => 'leaf',
2078				'upstream_default' => '/usr/bin/xauth',
2079				'value_type' => 'uniline'
2080				},
2081				'FallBackToRsh',
2082				{
2083				'description' => 'This parameter is now ignored by Ssh',
2084				'status' => 'deprecated',
2085				'type' => 'leaf',
2086				'value_type' => 'uniline'
2087				},
2088				'HostbasedKeyTypes',
2089				{
2090				'description' => 'This parameter is now ignored by Ssh',
2091				'status' => 'deprecated',
2092				'type' => 'leaf',
2093				'value_type' => 'uniline'
2094				},
2095				'PubkeyAcceptedKeyTypes',
2096				{
2097				'description' => 'This parameter is now ignored by Ssh',
2098				'status' => 'deprecated',
2099				'type' => 'leaf',
2100				'value_type' => 'uniline'
2101				},
2102				'UseRsh',
2103				{
2104				'description' => 'This parameter is now ignored by Ssh',
2105				'status' => 'deprecated',
2106				'type' => 'leaf',
2107				'value_type' => 'uniline'
2108				}
2109				],
2110				'generated_by' => 'parse-man.pl from ssh_system 9.0p1 doc',
2111				'license' => 'LGPL2',
2112				'name' => 'Ssh::HostElement'
2113				}
2114				]
2115				;
2116