blib/lib/Config/Model/models/Sshd/MatchElement.pl
1             #
2             # This file is part of Config-Model-OpenSsh
3             #
4             # This software is Copyright (c) 2008-2022 by Dominique Dumont.
5             #
6             # This is free software, licensed under:
7             #
8             # The GNU Lesser General Public License, Version 2.1, February 1999
9             #
10 3     3   20951 use strict;
11 3     3   15 use warnings;
12              
13             return [
14             {
15             'accept' => [
16             '.*',
17             {
18             'summary' => 'boilerplate parameter that may hide a typo',
19             'type' => 'leaf',
20             'value_type' => 'uniline',
21             'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author'
22             }
23             ],
24             'class_description' => 'This configuration class was generated from sshd_system documentation.
25             by L<parse-man.pl|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl>
26             ',
27             'element' => [
28             'AcceptEnv',
29             {
30             'cargo' => {
31             'type' => 'leaf',
32             'value_type' => 'uniline'
33             },
34             'description' => 'Specifies what environment
35             variables sent by the client will be copied into the
36             session\'s L<environ(7)>. See B<SendEnv> and
37             B<SetEnv> in L<ssh_config(5)> for how to configure the
38             client. The TERM environment variable is always accepted
39             whenever the client requests a pseudo-terminal as it is
40             required by the protocol. Variables are specified by name,
41             which may contain the wildcard characters \'*\'
42             and \'?\'. Multiple environment variables may be
43             separated by whitespace or spread across multiple
44             B<AcceptEnv> directives. Be warned that some environment
45             variables could be used to bypass restricted user
46             environments. For this reason, care should be taken in the
47             use of this directive. The default is not to accept any
48             environment variables.',
49             'type' => 'list'
50             },
51             'AllowAgentForwarding',
52             {
53             'description' => 'Specifies whether L<ssh-agent(1)>
54             forwarding is permitted. The default is B<yes>. Note
55             that disabling agent forwarding does not improve security
56             unless users are also denied shell access, as they can
57             always install their own forwarders.',
58             'type' => 'leaf',
59             'upstream_default' => 'yes',
60             'value_type' => 'boolean',
61             'write_as' => [
62             'no',
63             'yes'
64             ]
65             },
66             'AllowGroups',
67             {
68             'cargo' => {
69             'type' => 'leaf',
70             'value_type' => 'uniline'
71             },
72             'description' => 'This keyword can be followed by
73             a list of group name patterns, separated by spaces. If
74             specified, login is allowed only for users whose primary
75             group or supplementary group list matches one of the
76             patterns. Only group names are valid; a numerical group ID
77             is not recognized. By default, login is allowed for all
78             groups. The allow/deny groups directives are processed in
79             the following order: B<DenyGroups>,
80             B<AllowGroups>.
81              
82             See PATTERNS in
83             L<ssh_config(5)> for more information on patterns.',
84             'type' => 'list'
85             },
86             'AllowStreamLocalForwarding',
87             {
88             'choice' => [
89             'yes',
90             'all',
91             'no',
92             'local',
93             'remote'
94             ],
95             'description' => 'Specifies whether StreamLocal
96             (Unix-domain socket) forwarding is permitted. The available
97             options are B<yes> (the default) or B<all> to allow
98             StreamLocal forwarding, B<no> to prevent all StreamLocal
99             forwarding, B<local> to allow local (from the
100             perspective of L<ssh(1)>) forwarding only or B<remote> to
101             allow remote forwarding only. Note that disabling
102             StreamLocal forwarding does not improve security unless
103             users are also denied shell access, as they can always
104             install their own forwarders.',
105             'type' => 'leaf',
106             'upstream_default' => 'yes',
107             'value_type' => 'enum'
108             },
109             'AllowTcpForwarding',
110             {
111             'choice' => [
112             'yes',
113             'all',
114             'no',
115             'local',
116             'remote'
117             ],
118             'description' => 'Specifies whether TCP
119             forwarding is permitted. The available options are
120             B<yes> (the default) or B<all> to allow TCP
121             forwarding, B<no> to prevent all TCP forwarding,
122             B<local> to allow local (from the perspective of L<ssh(1)>)
123             forwarding only or B<remote> to allow remote forwarding
124             only. Note that disabling TCP forwarding does not improve
125             security unless users are also denied shell access, as they
126             can always install their own forwarders.',
127             'type' => 'leaf',
128             'upstream_default' => 'yes',
129             'value_type' => 'enum'
130             },
131             'AllowUsers',
132             {
133             'cargo' => {
134             'type' => 'leaf',
135             'value_type' => 'uniline'
136             },
137             'description' => 'This keyword can be followed by
138             a list of user name patterns, separated by spaces. If
139             specified, login is allowed only for user names that match
140             one of the patterns. Only user names are valid; a numerical
141             user ID is not recognized. By default, login is allowed for
142             all users. If the pattern takes the form USER@HOST then USER
143             and HOST are separately checked, restricting logins to
144             particular users from particular hosts. HOST criteria may
145             additionally contain addresses to match in CIDR
146             address/masklen format. The allow/deny users directives are
147             processed in the following order: B<DenyUsers>,
148             B<AllowUsers>.
149              
150             See PATTERNS in
151             L<ssh_config(5)> for more information on patterns.',
152             'type' => 'list'
153             },
154             'AuthenticationMethods',
155             {
156             'description' => 'Specifies the authentication
157             methods that must be successfully completed for a user to be
158             granted access. This option must be followed by one or more
159             lists of comma-separated authentication method names, or by
160             the single string B<any> to indicate the default
161             behaviour of accepting any single authentication method. If
162             the default is overridden, then successful authentication
163             requires completion of every method in at least one of these
164             lists.
165              
166             For example,
167             "publickey, password
168             publickey, keyboard-interactive" would require the user
169             to complete public key authentication, followed by either
170             password or keyboard interactive authentication. Only
171             methods that are next in one or more lists are offered at
172             each stage, so for this example it would not be possible to
173             attempt password or keyboard-interactive authentication
174             before public key.
175              
176             For keyboard
177             interactive authentication it is also possible to restrict
178             authentication to a specific device by appending a colon
179             followed by the device identifier B<bsdauth> or
180             B<pam>. depending on the server configuration. For
181             example, "keyboard-interactive:bsdauth" would
182             restrict keyboard interactive authentication to the
183             B<bsdauth> device.
184              
185             If the
186             publickey method is listed more than once, L<sshd(8)> verifies
187             that keys that have been used successfully are not reused
188             for subsequent authentications. For example,
189             "publickey, publickey" requires successful
190             authentication using two different public keys.
191              
192             Note that each
193             authentication method listed should also be explicitly
194             enabled in the configuration.
195              
196             The available
197             authentication methods are: "gssapi-with-mic",
198             "hostbased", "keyboard-interactive",
199             "none" (used for access to password-less accounts
200             when B<PermitEmptyPasswords> is enabled),
201             "password" and "publickey".',
202             'type' => 'leaf',
203             'value_type' => 'uniline'
204             },
205             'AuthorizedKeysCommand',
206             {
207             'description' => 'Specifies a program to be used
208             to look up the user\'s public keys. The program must be
209             owned by root, not writable by group or others and specified
210             by an absolute path. Arguments to
211             B<AuthorizedKeysCommand> accept the tokens described in
212             the I<TOKENS> section. If no arguments are specified
213             then the username of the target user is used.
214              
215             The program
216             should produce on standard output zero or more lines of
217             authorized_keys output (see I<AUTHORIZED_KEYS> in
218             L<sshd(8)>). B<AuthorizedKeysCommand> is tried after the
219             usual B<AuthorizedKeysFile> files and will not be
220             executed if a matching key is found there. By default, no
221             B<AuthorizedKeysCommand> is run.',
222             'type' => 'leaf',
223             'value_type' => 'uniline'
224             },
225             'AuthorizedKeysCommandUser',
226             {
227             'description' => 'Specifies the user under whose
228             account the B<AuthorizedKeysCommand> is run. It is
229             recommended to use a dedicated user that has no other role
230             on the host than running authorized keys commands. If
231             B<AuthorizedKeysCommand> is specified but
232             B<AuthorizedKeysCommandUser> is not, then L<sshd(8)> will
233             refuse to start.',
234             'type' => 'leaf',
235             'value_type' => 'uniline'
236             },
237             'AuthorizedKeysFile',
238             {
239             'cargo' => {
240             'type' => 'leaf',
241             'value_type' => 'uniline'
242             },
243             'description' => 'Specifies the file that
244             contains the public keys used for user authentication. The
245             format is described in the AUTHORIZED_KEYS FILE FORMAT
246             section of L<sshd(8)>. Arguments to B<AuthorizedKeysFile>
247             accept the tokens described in the I<TOKENS> section.
248             After expansion, B<AuthorizedKeysFile> is taken to be an
249             absolute path or one relative to the user\'s home
250             directory. Multiple files may be listed, separated by
251             whitespace. Alternately this option may be set to
252             B<none> to skip checking for user keys in files. The
253             default is ".ssh/authorized_keys
254             .ssh/authorized_keys2".',
255             'migrate_values_from' => '- AuthorizedKeysFile2',
256             'type' => 'list'
257             },
258             'AuthorizedPrincipalsCommand',
259             {
260             'description' => 'Specifies a program to be used
261             to generate the list of allowed certificate principals as
262             per B<AuthorizedPrincipalsFile>. The program must be
263             owned by root, not writable by group or others and specified
264             by an absolute path. Arguments to
265             B<AuthorizedPrincipalsCommand> accept the tokens
266             described in the I<TOKENS> section. If no arguments are
267             specified then the username of the target user is used.
268              
269             The program
270             should produce on standard output zero or more lines of
271             B<AuthorizedPrincipalsFile> output. If either
272             B<AuthorizedPrincipalsCommand> or
273             B<AuthorizedPrincipalsFile> is specified, then
274             certificates offered by the client for authentication must
275             contain a principal that is listed. By default, no
276             B<AuthorizedPrincipalsCommand> is run.',
277             'type' => 'leaf',
278             'value_type' => 'uniline'
279             },
280             'AuthorizedPrincipalsCommandUser',
281             {
282             'description' => 'Specifies the user under whose
283             account the B<AuthorizedPrincipalsCommand> is run. It is
284             recommended to use a dedicated user that has no other role
285             on the host than running authorized principals commands. If
286             B<AuthorizedPrincipalsCommand> is specified but
287             B<AuthorizedPrincipalsCommandUser> is not, then L<sshd(8)>
288             will refuse to start.',
289             'type' => 'leaf',
290             'value_type' => 'uniline'
291             },
292             'AuthorizedPrincipalsFile',
293             {
294             'description' => "Specifies a file that lists
295             principal names that are accepted for certificate
296             authentication. When using certificates signed by a key
297             listed in B<TrustedUserCAKeys>, this file lists names,
298             one of which must appear in the certificate for it to be
299             accepted for authentication. Names are listed one per line
300             preceded by key options (as described in I<AUTHORIZED_KEYS
301             FILE FORMAT> in L<sshd(8)>). Empty lines and comments
302             starting with '#' are ignored.
303              
304             Arguments to
305             B<AuthorizedPrincipalsFile> accept the tokens described
306             in the I<TOKENS> section. After expansion,
307             B<AuthorizedPrincipalsFile> is taken to be an absolute
308             path or one relative to the user's home directory. The
309             default is B<none>, i.e. not to use a principals file
310             \x{2013} in this case, the username of the user must appear
311             in a certificate's principals list for it to be
312             accepted.
313              
314             Note that
315             B<AuthorizedPrincipalsFile> is only used when
316             authentication proceeds using a CA listed in
317             B<TrustedUserCAKeys> and is not consulted for
318             certification authorities trusted via
319             I<~/.ssh/authorized_keys>, though the B<principals=>
320             key option offers a similar facility (see L<sshd(8)> for
321             details).",
322             'type' => 'leaf',
323             'upstream_default' => 'none',
324             'value_type' => 'uniline'
325             },
326             'Banner',
327             {
328             'description' => 'The contents of
329             the specified file are sent to the remote user before
330             authentication is allowed. If the argument is B<none>
331             then no banner is displayed. By default, no banner is
332             displayed.',
333             'type' => 'leaf',
334             'value_type' => 'uniline'
335             },
336             'CASignatureAlgorithms',
337             {
338             'description' => 'Specifies which algorithms are
339             allowed for signing of certificates by certificate
340             authorities (CAs). The default is:
341              
342             ssh-ed25519, ecdsa-sha2-nistp256,
343             ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
344             sk-ssh-ed25519@openssh.com,
345             sk-ecdsa-sha2-nistp256@openssh.com,
346             rsa-sha2-512, rsa-sha2-256
347              
348             If the
349             specified list begins with a \'+\' character, then
350             the specified algorithms will be appended to the default set
351             instead of replacing them. If the specified list begins with
352             a \'-\' character, then the specified algorithms
353             (including wildcards) will be removed from the default set
354             instead of replacing them.
355              
356             Certificates
357             signed using other algorithms will not be accepted for
358             public key or host-based authentication.',
359             'type' => 'leaf',
360             'value_type' => 'uniline'
361             },
362             'ChrootDirectory',
363             {
364             'description' => 'Specifies the pathname of a
365             directory to L<chroot(2)> to after authentication. At session
366             startup L<sshd(8)> checks that all components of the pathname
367             are root-owned directories which are not writable by any
368             other user or group. After the chroot, L<sshd(8)> changes the
369             working directory to the user\'s home directory.
370             Arguments to B<ChrootDirectory> accept the tokens
371             described in the I<TOKENS> section.
372              
373             The
374             B<ChrootDirectory> must contain the necessary files and
375             directories to support the user\'s session. For an
376             interactive session this requires at least a shell,
377             typically L<sh(1)>, and basic I</dev> nodes such as
378             L<null(4)>, L<zero(4)>, L<stdin(4)>, L<stdout(4)>, L<stderr(4)>, and L<tty(4)>
379             devices. For file transfer sessions using SFTP no additional
380             configuration of the environment is necessary if the
381             in-process sftp-server is used, though sessions which use
382             logging may require I</dev/log> inside the chroot
383             directory on some operating systems (see L<sftp-server(8)> for
384             details).
385              
386             For safety, it
387             is very important that the directory hierarchy be prevented
388             from modification by other processes on the system
389             (especially those outside the jail). Misconfiguration can
390             lead to unsafe environments which L<sshd(8)> cannot detect.
391              
392             The default is
393             B<none>, indicating not to L<chroot(2)>.',
394             'type' => 'leaf',
395             'upstream_default' => 'none',
396             'value_type' => 'uniline'
397             },
398             'ClientAliveCountMax',
399             {
400             'description' => 'Sets the number of client alive
401             messages which may be sent without L<sshd(8)> receiving any
402             messages back from the client. If this threshold is reached
403             while client alive messages are being sent, sshd will
404             disconnect the client, terminating the session. It is
405             important to note that the use of client alive messages is
406             very different from B<TCPKeepAlive>. The client alive
407             messages are sent through the encrypted channel and
408             therefore will not be spoofable. The TCP keepalive option
409             enabled by B<TCPKeepAlive> is spoofable. The client
410             alive mechanism is valuable when the client or server depend
411             on knowing when a connection has become unresponsive.
412              
413             The default
414             value is 3. If B<ClientAliveInterval> is set to 15, and
415             B<ClientAliveCountMax> is left at the default,
416             unresponsive SSH clients will be disconnected after
417             approximately 45 seconds. Setting a zero
418             B<ClientAliveCountMax> disables connection
419             termination.',
420             'type' => 'leaf',
421             'upstream_default' => '3',
422             'value_type' => 'integer'
423             },
424             'ClientAliveInterval',
425             {
426             'description' => 'Sets a timeout interval in
427             seconds after which if no data has been received from the
428             client, L<sshd(8)> will send a message through the encrypted
429             channel to request a response from the client. The default
430             is 0, indicating that these messages will not be sent to the
431             client.',
432             'type' => 'leaf',
433             'upstream_default' => '0',
434             'value_type' => 'integer'
435             },
436             'DenyGroups',
437             {
438             'cargo' => {
439             'type' => 'leaf',
440             'value_type' => 'uniline'
441             },
442             'description' => 'This keyword can be followed by
443             a list of group name patterns, separated by spaces. Login is
444             disallowed for users whose primary group or supplementary
445             group list matches one of the patterns. Only group names are
446             valid; a numerical group ID is not recognized. By default,
447             login is allowed for all groups. The allow/deny groups
448             directives are processed in the following order:
449             B<DenyGroups>, B<AllowGroups>.
450              
451             See PATTERNS in
452             L<ssh_config(5)> for more information on patterns.',
453             'type' => 'list'
454             },
455             'DenyUsers',
456             {
457             'cargo' => {
458             'type' => 'leaf',
459             'value_type' => 'uniline'
460             },
461             'description' => 'This keyword can be followed by
462             a list of user name patterns, separated by spaces. Login is
463             disallowed for user names that match one of the patterns.
464             Only user names are valid; a numerical user ID is not
465             recognized. By default, login is allowed for all users. If
466             the pattern takes the form USER@HOST then USER and HOST are
467             separately checked, restricting logins to particular users
468             from particular hosts. HOST criteria may additionally
469             contain addresses to match in CIDR address/masklen format.
470             The allow/deny users directives are processed in the
471             following order: B<DenyUsers>, B<AllowUsers>.
472              
473             See PATTERNS in
474             L<ssh_config(5)> for more information on patterns.',
475             'type' => 'list'
476             },
477             'DisableForwarding',
478             {
479             'description' => 'Disables all forwarding
480             features, including X11, L<ssh-agent(1)>, TCP and StreamLocal.
481             This option overrides all other forwarding-related options
482             and may simplify restricted configurations.',
483             'type' => 'leaf',
484             'value_type' => 'uniline'
485             },
486             'ExposeAuthInfo',
487             {
488             'description' => 'Writes a temporary file
489             containing a list of authentication methods and public
490             credentials (e.g. keys) used to authenticate the user. The
491             location of the file is exposed to the user session through
492             the SSH_USER_AUTH environment variable. The default is
493             B<no>.',
494             'type' => 'leaf',
495             'upstream_default' => 'no',
496             'value_type' => 'boolean',
497             'write_as' => [
498             'no',
499             'yes'
500             ]
501             },
502             'ForceCommand',
503             {
504             'description' => 'Forces the execution of the
505             command specified by B<ForceCommand>, ignoring any
506             command supplied by the client and I<~/.ssh/rc> if
507             present. The command is invoked by using the user\'s
508             login shell with the -c option. This applies to shell,
509             command, or subsystem execution. It is most useful inside a
510             B<Match> block. The command originally supplied by the
511             client is available in the SSH_ORIGINAL_COMMAND environment
512             variable. Specifying a command of B<internal-sftp> will
513             force the use of an in-process SFTP server that requires no
514             support files when used with B<ChrootDirectory>. The
515             default is B<none>.',
516             'type' => 'leaf',
517             'upstream_default' => 'none',
518             'value_type' => 'uniline'
519             },
520             'GatewayPorts',
521             {
522             'choice' => [
523             'no',
524             'yes',
525             'clientspecified'
526             ],
527             'description' => 'Specifies whether remote hosts
528             are allowed to connect to ports forwarded for the client. By
529             default, L<sshd(8)> binds remote port forwardings to the
530             loopback address. This prevents other remote hosts from
531             connecting to forwarded ports. B<GatewayPorts> can be
532             used to specify that sshd should allow remote port
533             forwardings to bind to non-loopback addresses, thus allowing
534             other hosts to connect. The argument may be B<no> to
535             force remote port forwardings to be available to the local
536             host only, B<yes> to force remote port forwardings to
537             bind to the wildcard address, or B<clientspecified> to
538             allow the client to select the address to which the
539             forwarding is bound. The default is B<no>.',
540             'type' => 'leaf',
541             'upstream_default' => 'no',
542             'value_type' => 'enum'
543             },
544             'GSSAPIAuthentication',
545             {
546             'description' => 'Specifies whether user
547             authentication based on GSSAPI is allowed. The default is
548             B<no>.',
549             'type' => 'leaf',
550             'upstream_default' => 'no',
551             'value_type' => 'boolean',
552             'write_as' => [
553             'no',
554             'yes'
555             ]
556             },
557             'HostbasedAcceptedAlgorithms',
558             {
559             'description' => 'Specifies the signature
560             algorithms that will be accepted for hostbased
561             authentication as a list of comma-separated patterns.
562             Alternately if the specified list begins with a
563             \'+\' character, then the specified signature
564             algorithms will be appended to the default set instead of
565             replacing them. If the specified list begins with a
566             \'-\' character, then the specified signature
567             algorithms (including wildcards) will be removed from the
568             default set instead of replacing them. If the specified list
569             begins with a \'^\' character, then the specified
570             signature algorithms will be placed at the head of the
571             default set. The default for this option is:
572              
573             ssh-ed25519-cert-v01@openssh.com,
574             ecdsa-sha2-nistp256-cert-v01@openssh.com,
575             ecdsa-sha2-nistp384-cert-v01@openssh.com,
576             ecdsa-sha2-nistp521-cert-v01@openssh.com,
577             sk-ssh-ed25519-cert-v01@openssh.com,
578             sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
579             rsa-sha2-512-cert-v01@openssh.com,
580             rsa-sha2-256-cert-v01@openssh.com,
581             ssh-ed25519,
582             ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
583             sk-ssh-ed25519@openssh.com,
584             sk-ecdsa-sha2-nistp256@openssh.com,
585             rsa-sha2-512, rsa-sha2-256
586              
587             The list of
588             available signature algorithms may also be obtained using
589             "ssh -Q HostbasedAcceptedAlgorithms". This was
590             formerly named HostbasedAcceptedKeyTypes.',
591             'type' => 'leaf',
592             'value_type' => 'uniline'
593             },
594             'HostbasedAuthentication',
595             {
596             'description' => 'Specifies whether rhosts or
597             /etc/hosts.equiv authentication together with successful
598             public key client host authentication is allowed (host-based
599             authentication). The default is B<no>.',
600             'type' => 'leaf',
601             'upstream_default' => 'no',
602             'value_type' => 'boolean',
603             'write_as' => [
604             'no',
605             'yes'
606             ]
607             },
608             'HostbasedUsesNameFromPacketOnly',
609             {
610             'description' => 'Specifies whether or not the
611             server will attempt to perform a reverse name lookup when
612             matching the name in the I<~/.shosts>, I<~/.rhosts>,
613             and I</etc/hosts.equiv> files during
614             B<HostbasedAuthentication>. A setting of B<yes>
615             means that L<sshd(8)> uses the name supplied by the client
616             rather than attempting to resolve the name from the TCP
617             connection itself. The default is B<no>.',
618             'type' => 'leaf',
619             'upstream_default' => 'no',
620             'value_type' => 'boolean',
621             'write_as' => [
622             'no',
623             'yes'
624             ]
625             },
626             'IgnoreRhosts',
627             {
628             'description' => 'Specifies whether to ignore
629             per-user I<.rhosts> and I<.shosts> files during
630             B<HostbasedAuthentication>. The system-wide
631             I</etc/hosts.equiv> and I</etc/ssh/shosts.equiv> are
632             still used regardless of this setting.
633              
634             Accepted values
635             are B<yes> (the default) to ignore all per-user files,
636             B<shosts-only> to allow the use of I<.shosts> but to
637             ignore I<.rhosts> or B<no> to allow both
638             I<.shosts> and I<rhosts>.',
639             'type' => 'leaf',
640             'upstream_default' => 'yes',
641             'value_type' => 'boolean',
642             'write_as' => [
643             'no',
644             'yes'
645             ]
646             },
647             'Include',
648             {
649             'cargo' => {
650             'type' => 'leaf',
651             'value_type' => 'uniline'
652             },
653             'description' => 'Include the specified
654             configuration file(s). Multiple pathnames may be specified
655             and each pathname may contain L<glob(7)> wildcards that will be
656             expanded and processed in lexical order. Files without
657             absolute paths are assumed to be in I</etc/ssh>. An
658             B<Include> directive may appear inside a B<Match>
659             block to perform conditional inclusion.',
660             'type' => 'list'
661             },
662             'IPQoS',
663             {
664             'assert' => {
665             '1_or_2' => {
666             'code' => 'return 1 unless defined $_;
667             my @v = (/(\\w+)/g);
668             return (@v < 3) ? 1 : 0;
669             ',
670             'msg' => 'value must not have more than 2 fields.'
671             },
672             'accepted_values' => {
673             'code' => 'return 1 unless defined $_;
674             my @v = (/(\\S+)/g);
675             my @good = grep {/^(af[1-4][1-3]|cs[0-7]|ef|lowdelay|throughput|reliability|\\d+)/} @v ;
676             return @good == @v ? 1 : 0;
677             ',
678             'msg' => 'Unexpected value "$_". Expected 1 or 2 occurrences of: "af11", "af12", "af13", "af21", "af22",
679             "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1",
680             "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay",
681             "throughput", "reliability", or numeric value.
682             '
683             }
684             },
685             'description' => 'Specifies the
686             IPv4 type-of-service or DSCP class for the connection.
687             Accepted values are B<af11>, B<af12>, B<af13>,
688             B<af21>, B<af22>, B<af23>, B<af31>,
689             B<af32>, B<af33>, B<af41>, B<af42>,
690             B<af43>, B<cs0>, B<cs1>, B<cs2>, B<cs3>,
691             B<cs4>, B<cs5>, B<cs6>, B<cs7>, B<ef>,
692             B<le>, B<lowdelay>, B<throughput>,
693             B<reliability>, a numeric value, or B<none> to use
694             the operating system default. This option may take one or
695             two arguments, separated by whitespace. If one argument is
696             specified, it is used as the packet class unconditionally.
697             If two values are specified, the first is automatically
698             selected for interactive sessions and the second for
699             non-interactive sessions. The default is B<lowdelay> for
700             interactive sessions and B<throughput> for
701             non-interactive sessions.',
702             'type' => 'leaf',
703             'upstream_default' => 'af21 cs1',
704             'value_type' => 'uniline'
705             },
706             'KbdInteractiveAuthentication',
707             {
708             'description' => 'Specifies whether to allow
709             keyboard-interactive authentication. The default is
710             B<yes>. The argument to this keyword must be B<yes>
711             or B<no>. B<ChallengeResponseAuthentication> is a
712             deprecated alias for this.',
713             'migrate_from' => {
714             'formula' => '$old',
715             'variables' => {
716             'old' => '- ChallengeResponseAuthentication'
717             }
718             },
719             'type' => 'leaf',
720             'upstream_default' => 'yes',
721             'value_type' => 'boolean',
722             'write_as' => [
723             'no',
724             'yes'
725             ]
726             },
727             'KerberosAuthentication',
728             {
729             'description' => 'Specifies whether the password
730             provided by the user for B<PasswordAuthentication> will
731             be validated through the Kerberos KDC. To use this option,
732             the server needs a Kerberos servtab which allows the
733             verification of the KDC\'s identity. The default is
734             B<no>.',
735             'type' => 'leaf',
736             'upstream_default' => 'no',
737             'value_type' => 'boolean',
738             'write_as' => [
739             'no',
740             'yes'
741             ]
742             },
743             'LogLevel',
744             {
745             'choice' => [
746             'QUIET',
747             'FATAL',
748             'ERROR',
749             'INFO',
750             'VERBOSE',
751             'DEBUG',
752             'DEBUG1',
753             'DEBUG2',
754             'DEBUG3'
755             ],
756             'description' => 'Gives the verbosity level that
757             is used when logging messages from L<sshd(8)>. The possible
758             values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
759             DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and
760             DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
761             levels of debugging output. Logging with a DEBUG level
762             violates the privacy of users and is not recommended.',
763             'type' => 'leaf',
764             'upstream_default' => 'INFO',
765             'value_type' => 'enum'
766             },
767             'MaxAuthTries',
768             {
769             'description' => 'Specifies the maximum number of
770             authentication attempts permitted per connection. Once the
771             number of failures reaches half this value, additional
772             failures are logged. The default is 6.',
773             'type' => 'leaf',
774             'upstream_default' => '6',
775             'value_type' => 'integer'
776             },
777             'MaxSessions',
778             {
779             'description' => 'Specifies the maximum number of
780             open shell, login or subsystem (e.g. sftp) sessions
781             permitted per network connection. Multiple sessions may be
782             established by clients that support connection multiplexing.
783             Setting B<MaxSessions> to 1 will effectively disable
784             session multiplexing, whereas setting it to 0 will prevent
785             all shell, login and subsystem sessions while still
786             permitting forwarding. The default is 10.',
787             'type' => 'leaf',
788             'upstream_default' => '10',
789             'value_type' => 'integer'
790             },
791             'PasswordAuthentication',
792             {
793             'description' => 'Specifies whether password
794             authentication is allowed. The default is B<yes>.',
795             'type' => 'leaf',
796             'upstream_default' => 'yes',
797             'value_type' => 'boolean',
798             'write_as' => [
799             'no',
800             'yes'
801             ]
802             },
803             'PermitEmptyPasswords',
804             {
805             'description' => 'When password authentication is
806             allowed, it specifies whether the server allows login to
807             accounts with empty password strings. The default is
808             B<no>.',
809             'type' => 'leaf',
810             'upstream_default' => 'no',
811             'value_type' => 'boolean',
812             'write_as' => [
813             'no',
814             'yes'
815             ]
816             },
817             'PermitListen',
818             {
819             'cargo' => {
820             'type' => 'leaf',
821             'value_type' => 'uniline'
822             },
823             'description' => "Specifies the addresses/ports
824             on which a remote TCP port forwarding may listen. The listen
825             specification must be one of the following forms:
826              
827             B<PermitListen> I<port>
828             B<PermitListen> I<host>:I<port>
829              
830             Multiple
831             permissions may be specified by separating them with
832             whitespace. An argument of B<any> can be used to remove
833             all restrictions and permit any listen requests. An argument
834             of B<none> can be used to prohibit all listen requests.
835             The host name may contain wildcards as described in the
836             PATTERNS section in L<ssh_config(5)>. The wildcard
837             '*' can also be used in place of a port number
838             to allow all ports. By default all port forwarding listen
839             requests are permitted. Note that the B<GatewayPorts>
840             option may further restrict which addresses may be listened
841             on. Note also that L<ssh(1)> will request a listen host of
842             B<localhost> if no listen host was specifically
843             requested, and this name is treated differently to explicit
844             localhost addresses of \x{201c}127.0.0.1\x{201d} and
845             \x{201c}::1\x{201d}.",
846             'type' => 'list'
847             },
848             'PermitOpen',
849             {
850             'cargo' => {
851             'type' => 'leaf',
852             'value_type' => 'uniline'
853             },
854             'description' => 'Specifies the destinations to
855             which TCP port forwarding is permitted. The forwarding
856             specification must be one of the following forms:
857              
858             B<PermitOpen> I<host>:I<port>
859             B<PermitOpen> I<IPv4_addr>:I<port>
860             B<PermitOpen> I<[IPv6_addr]>:I<port>
861              
862             Multiple
863             forwards may be specified by separating them with
864             whitespace. An argument of B<any> can be used to remove
865             all restrictions and permit any forwarding requests. An
866             argument of B<none> can be used to prohibit all
867             forwarding requests. The wildcard \'*\' can be
868             used for host or port to allow all hosts or ports
869             respectively. Otherwise, no pattern matching or address
870             lookups are performed on supplied names. By default all port
871             forwarding requests are permitted.',
872             'type' => 'list'
873             },
874             'PermitRootLogin',
875             {
876             'choice' => [
877             'yes',
878             'prohibit-password',
879             'forced-commands-only',
880             'no'
881             ],
882             'description' => 'Specifies whether root can log
883             in using L<ssh(1)>. The argument must be B<yes>,
884             B<prohibit-password>, B<forced-commands-only>, or
885             B<no>. The default is B<prohibit-password>.
886              
887             If this option
888             is set to B<prohibit-password> (or its deprecated alias,
889             B<without-password>), password and keyboard-interactive
890             authentication are disabled for root.
891              
892             If this option
893             is set to B<forced-commands-only>, root login with
894             public key authentication will be allowed, but only if the
895             I<command> option has been specified (which may be
896             useful for taking remote backups even if root login is
897             normally not allowed). All other authentication methods are
898             disabled for root.
899              
900             If this option
901             is set to B<no>, root is not allowed to log in.',
902             'type' => 'leaf',
903             'value_type' => 'enum'
904             },
905             'PermitTTY',
906             {
907             'description' => 'Specifies whether L<pty(4)>
908             allocation is permitted. The default is B<yes>.',
909             'type' => 'leaf',
910             'upstream_default' => 'yes',
911             'value_type' => 'boolean',
912             'write_as' => [
913             'no',
914             'yes'
915             ]
916             },
917             'PermitTunnel',
918             {
919             'choice' => [
920             'yes',
921             'point-to-point',
922             'ethernet',
923             'no'
924             ],
925             'description' => 'Specifies whether L<tun(4)> device
926             forwarding is allowed. The argument must be B<yes>,
927             B<point-to-point> (layer 3), B<ethernet> (layer 2),
928             or B<no>. Specifying B<yes> permits both
929             B<point-to-point> and B<ethernet>. The default is
930             B<no>.
931              
932             Independent of
933             this setting, the permissions of the selected L<tun(4)> device
934             must allow access to the user.',
935             'type' => 'leaf',
936             'upstream_default' => 'no',
937             'value_type' => 'enum'
938             },
939             'PermitUserRC',
940             {
941             'description' => 'Specifies whether any
942             I<~/.ssh/rc> file is executed. The default is
943             B<yes>.',
944             'type' => 'leaf',
945             'upstream_default' => 'yes',
946             'value_type' => 'boolean',
947             'write_as' => [
948             'no',
949             'yes'
950             ]
951             },
952             'PubkeyAcceptedAlgorithms',
953             {
954             'description' => 'Specifies the signature
955             algorithms that will be accepted for public key
956             authentication as a list of comma-separated patterns.
957             Alternately if the specified list begins with a
958             \'+\' character, then the specified algorithms
959             will be appended to the default set instead of replacing
960             them. If the specified list begins with a \'-\'
961             character, then the specified algorithms (including
962             wildcards) will be removed from the default set instead of
963             replacing them. If the specified list begins with a
964             \'^\' character, then the specified algorithms
965             will be placed at the head of the default set. The default
966             for this option is:
967              
968             ssh-ed25519-cert-v01@openssh.com,
969             ecdsa-sha2-nistp256-cert-v01@openssh.com,
970             ecdsa-sha2-nistp384-cert-v01@openssh.com,
971             ecdsa-sha2-nistp521-cert-v01@openssh.com,
972             sk-ssh-ed25519-cert-v01@openssh.com,
973             sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
974             rsa-sha2-512-cert-v01@openssh.com,
975             rsa-sha2-256-cert-v01@openssh.com,
976             ssh-ed25519,
977             ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
978             sk-ssh-ed25519@openssh.com,
979             sk-ecdsa-sha2-nistp256@openssh.com,
980             rsa-sha2-512, rsa-sha2-256
981              
982             The list of
983             available signature algorithms may also be obtained using
984             "ssh -Q PubkeyAcceptedAlgorithms".',
985             'type' => 'leaf',
986             'value_type' => 'uniline'
987             },
988             'PubkeyAuthOptions',
989             {
990             'choice' => [
991             'none',
992             'touch-required',
993             'verify-required'
994             ],
995             'description' => 'Sets one or more public key
996             authentication options. The supported keywords are:
997             B<none> (the default; indicating no additional options
998             are enabled), B<touch-required> and
999             B<verify-required>.
1000              
1001             The
1002             B<touch-required> option causes public key
1003             authentication using a FIDO authenticator algorithm (i.e.
1004             B<ecdsa-sk> or B<ed25519-sk>) to always require the
1005             signature to attest that a physically present user
1006             explicitly confirmed the authentication (usually by touching
1007             the authenticator). By default, L<sshd(8)> requires user
1008             presence unless overridden with an authorized_keys option.
1009             The B<touch-required> flag disables this override.
1010              
1011             The
1012             B<verify-required> option requires a FIDO key signature
1013             attest that the user was verified, e.g. via a PIN.
1014              
1015             Neither the
1016             B<touch-required> nor the B<verify-required> option has
1017             any effect for other, non-FIDO, public key types.',
1018             'type' => 'leaf',
1019             'value_type' => 'enum'
1020             },
1021             'PubkeyAuthentication',
1022             {
1023             'description' => 'Specifies whether public key
1024             authentication is allowed. The default is B<yes>.',
1025             'type' => 'leaf',
1026             'upstream_default' => 'yes',
1027             'value_type' => 'boolean',
1028             'write_as' => [
1029             'no',
1030             'yes'
1031             ]
1032             },
1033             'RekeyLimit',
1034             {
1035             'description' => 'Specifies the maximum amount of
1036             data that may be transmitted before the session key is
1037             renegotiated, optionally followed by a maximum amount of
1038             time that may pass before the session key is renegotiated.
1039             The first argument is specified in bytes and may have a
1040             suffix of \'K\', \'M\', or
1041             \'G\' to indicate Kilobytes, Megabytes, or
1042             Gigabytes, respectively. The default is between
1043             \'1G\' and \'4G\', depending on the
1044             cipher. The optional second value is specified in seconds
1045             and may use any of the units documented in the I<TIME
1046             FORMATS> section. The default value for B<RekeyLimit>
1047             is B<default none>, which means that rekeying is
1048             performed after the cipher\'s default amount of data
1049             has been sent or received and no time based rekeying is
1050             done.',
1051             'type' => 'leaf',
1052             'value_type' => 'uniline'
1053             },
1054             'RevokedKeys',
1055             {
1056             'description' => 'Specifies revoked public keys
1057             file, or B<none> to not use one. Keys listed in this
1058             file will be refused for public key authentication. Note
1059             that if this file is not readable, then public key
1060             authentication will be refused for all users. Keys may be
1061             specified as a text file, listing one public key per line,
1062             or as an OpenSSH Key Revocation List (KRL) as generated by
1063             L<ssh-keygen(1)>. For more information on KRLs, see the KEY
1064             REVOCATION LISTS section in L<ssh-keygen(1)>.',
1065             'type' => 'leaf',
1066             'value_type' => 'uniline'
1067             },
1068             'SetEnv',
1069             {
1070             'description' => "Specifies one
1071             or more environment variables to set in child sessions
1072             started by L<sshd(8)> as \x{201c}NAME=VALUE\x{201d}. The
1073             environment value may be quoted (e.g. if it contains
1074             whitespace characters). Environment variables set by
1075             B<SetEnv> override the default environment and any
1076             variables specified by the user via B<AcceptEnv> or
1077             B<PermitUserEnvironment>.",
1078             'type' => 'leaf',
1079             'value_type' => 'uniline'
1080             },
1081             'StreamLocalBindMask',
1082             {
1083             'description' => 'Sets the octal file creation
1084             mode mask (umask) used when creating a Unix-domain socket
1085             file for local or remote port forwarding. This option is
1086             only used for port forwarding to a Unix-domain socket
1087             file.
1088              
1089             The default
1090             value is 0177, which creates a Unix-domain socket file that
1091             is readable and writable only by the owner. Note that not
1092             all operating systems honor the file mode on Unix-domain
1093             socket files.',
1094             'type' => 'leaf',
1095             'value_type' => 'uniline'
1096             },
1097             'StreamLocalBindUnlink',
1098             {
1099             'description' => 'Specifies whether to remove an
1100             existing Unix-domain socket file for local or remote port
1101             forwarding before creating a new one. If the socket file
1102             already exists and B<StreamLocalBindUnlink> is not
1103             enabled, B<sshd> will be unable to forward the port to
1104             the Unix-domain socket file. This option is only used for
1105             port forwarding to a Unix-domain socket file.
1106              
1107             The argument
1108             must be B<yes> or B<no>. The default is
1109             B<no>.',
1110             'type' => 'leaf',
1111             'upstream_default' => 'no',
1112             'value_type' => 'boolean',
1113             'write_as' => [
1114             'no',
1115             'yes'
1116             ]
1117             },
1118             'TrustedUserCAKeys',
1119             {
1120             'description' => 'Specifies a file containing
1121             public keys of certificate authorities that are trusted to
1122             sign user certificates for authentication, or B<none> to
1123             not use one. Keys are listed one per line; empty lines and
1124             comments starting with \'#\' are allowed. If a
1125             certificate is presented for authentication and has its
1126             signing CA key listed in this file, then it may be used for
1127             authentication for any user listed in the
1128             certificate\'s principals list. Note that certificates
1129             that lack a list of principals will not be permitted for
1130             authentication using B<TrustedUserCAKeys>. For more
1131             details on certificates, see the CERTIFICATES section in
1132             L<ssh-keygen(1)>.',
1133             'type' => 'leaf',
1134             'value_type' => 'uniline'
1135             },
1136             'X11DisplayOffset',
1137             {
1138             'description' => 'Specifies the first display
1139             number available for L<sshd(8)>\'s X11 forwarding. This
1140             prevents sshd from interfering with real X11 servers. The
1141             default is 10.',
1142             'type' => 'leaf',
1143             'value_type' => 'uniline'
1144             },
1145             'X11Forwarding',
1146             {
1147             'description' => 'Specifies whether X11
1148             forwarding is permitted. The argument must be B<yes> or
1149             B<no>. The default is B<no>.
1150              
1151             When X11
1152             forwarding is enabled, there may be additional exposure to
1153             the server and to client displays if the L<sshd(8)> proxy
1154             display is configured to listen on the wildcard address (see
1155             B<X11UseLocalhost>), though this is not the default.
1156             Additionally, the authentication spoofing and authentication
1157             data verification and substitution occur on the client side.
1158             The security risk of using X11 forwarding is that the
1159             client\'s X11 display server may be exposed to attack
1160             when the SSH client requests forwarding (see the warnings
1161             for B<ForwardX11> in L<ssh_config(5)>). A system
1162             administrator may have a stance in which they want to
1163             protect clients that may expose themselves to attack by
1164             unwittingly requesting X11 forwarding, which can warrant a
1165             B<no> setting.
1166              
1167             Note that
1168             disabling X11 forwarding does not prevent users from
1169             forwarding X11 traffic, as users can always install their
1170             own forwarders.',
1171             'type' => 'leaf',
1172             'upstream_default' => 'no',
1173             'value_type' => 'boolean',
1174             'write_as' => [
1175             'no',
1176             'yes'
1177             ]
1178             },
1179             'X11UseLocalhost',
1180             {
1181             'description' => 'Specifies whether L<sshd(8)>
1182             should bind the X11 forwarding server to the loopback
1183             address or to the wildcard address. By default, sshd binds
1184             the forwarding server to the loopback address and sets the
1185             hostname part of the DISPLAY environment variable to
1186             B<localhost>. This prevents remote hosts from connecting
1187             to the proxy display. However, some older X11 clients may
1188             not function with this configuration. B<X11UseLocalhost>
1189             may be set to B<no> to specify that the forwarding
1190             server should be bound to the wildcard address. The argument
1191             must be B<yes> or B<no>. The default is
1192             B<yes>.',
1193             'type' => 'leaf',
1194             'upstream_default' => 'yes',
1195             'value_type' => 'boolean',
1196             'write_as' => [
1197             'no',
1198             'yes'
1199             ]
1200             },
1201             'AuthorizedKeysFile2',
1202             {
1203             'cargo' => {
1204             'type' => 'leaf',
1205             'value_type' => 'uniline'
1206             },
1207             'description' => 'This parameter is now ignored by Ssh',
1208             'status' => 'deprecated',
1209             'type' => 'list'
1210             },
1211             'ChallengeResponseAuthentication',
1212             {
1213             'status' => 'deprecated',
1214             'type' => 'leaf',
1215             'value_type' => 'boolean'
1216             },
1217             'KeyRegenerationInterval',
1218             {
1219             'status' => 'deprecated',
1220             'type' => 'leaf',
1221             'value_type' => 'uniline'
1222             },
1223             'Protocol',
1224             {
1225             'status' => 'deprecated',
1226             'type' => 'leaf',
1227             'value_type' => 'uniline'
1228             },
1229             'RDomain',
1230             {
1231             'status' => 'deprecated',
1232             'type' => 'leaf',
1233             'value_type' => 'uniline'
1234             },
1235             'RSAAuthentication',
1236             {
1237             'status' => 'deprecated',
1238             'type' => 'leaf',
1239             'value_type' => 'uniline'
1240             },
1241             'RhostsRSAAuthentication',
1242             {
1243             'status' => 'deprecated',
1244             'type' => 'leaf',
1245             'value_type' => 'uniline'
1246             },
1247             'UsePrivilegeSeparation',
1248             {
1249             'status' => 'deprecated',
1250             'type' => 'leaf',
1251             'value_type' => 'uniline'
1252             }
1253             ],
1254             'generated_by' => 'parse-man.pl from sshd_system 9.0p1 doc',
1255             'license' => 'LGPL2',
1256             'name' => 'Sshd::MatchElement'
1257             }
1258             ]
1259             ;