File Coverage

blib/lib/Config/Model/models/Sshd.pl

Criterion	Covered	Total	%
statement	6	6	100.0
branch			n/a
condition			n/a
subroutine	2	2	100.0
pod			n/a
total	8	8	100.0

line	stmt	sub	time	code
1				#
2				# This file is part of Config-Model-OpenSsh
3				#
4				# This software is Copyright (c) 2008-2022 by Dominique Dumont.
5				#
6				# This is free software, licensed under:
7				#
8				# The GNU Lesser General Public License, Version 2.1, February 1999
9				#
10	3	3	248591	use strict;
	3		8
	3		107
11	3	3	17	use warnings;
	3		6
	3		2408
12
13				return [
14				{
15				'accept' => [
16				'.*',
17				{
18				'summary' => 'boilerplate parameter that may hide a typo',
19				'type' => 'leaf',
20				'value_type' => 'uniline',
21				'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author'
22				}
23				],
24				'class_description' => 'This configuration class was generated from sshd_system documentation.
25				by L<parse-man.pl\|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl>
26				',
27				'element' => [
28				'AddressFamily',
29				{
30				'choice' => [
31				'any',
32				'inet',
33				'inet6'
34				],
35				'description' => 'Specifies which address family
36				should be used by L<sshd(8)>. Valid arguments are B<any>
37				(the default), B<inet> (use IPv4 only), or B<inet6>
38				(use IPv6 only).',
39				'type' => 'leaf',
40				'upstream_default' => 'any',
41				'value_type' => 'enum'
42				},
43				'Ciphers',
44				{
45				'description' => 'Specifies the ciphers allowed.
46				Multiple ciphers must be comma-separated. If the specified
47				list begins with a \'+\' character, then the
48				specified ciphers will be appended to the default set
49				instead of replacing them. If the specified list begins with
50				a \'-\' character, then the specified ciphers
51				(including wildcards) will be removed from the default set
52				instead of replacing them. If the specified list begins with
53				a \'^\' character, then the specified ciphers will
54				be placed at the head of the default set.
55
56				The supported
57				ciphers are:
58
59				3des-cbc
60				aes128-cbc
61				aes192-cbc
62				aes256-cbc
63				aes128-ctr
64				aes192-ctr
65				aes256-ctr
66				aes128-gcm@openssh.com
67				aes256-gcm@openssh.com
68				chacha20-poly1305@openssh.com
69
70				The default
71				is:
72
73				chacha20-poly1305@openssh.com,
74				aes128-ctr, aes192-ctr, aes256-ctr,
75				aes128-gcm@openssh.com, aes256-gcm@openssh.com
76
77				The list of
78				available ciphers may also be obtained using "ssh -Q
79				cipher".',
80				'type' => 'leaf',
81				'value_type' => 'uniline'
82				},
83				'Compression',
84				{
85				'choice' => [
86				'yes',
87				'delayed',
88				'no'
89				],
90				'description' => 'Specifies whether compression
91				is enabled after the user has authenticated successfully.
92				The argument must be B<yes>, B<delayed> (a legacy
93				synonym for B<yes>) or B<no>. The default is
94				B<yes>.',
95				'type' => 'leaf',
96				'upstream_default' => 'yes',
97				'value_type' => 'enum'
98				},
99				'DebianBanner',
100				{
101				'description' => 'Specifies whether the
102				distribution-specified extra version suffix is included
103				during initial protocol handshake. The default is
104				B<yes>.',
105				'type' => 'leaf',
106				'upstream_default' => 'yes',
107				'value_type' => 'boolean',
108				'write_as' => [
109				'no',
110				'yes'
111				]
112				},
113				'FingerprintHash',
114				{
115				'choice' => [
116				'md5',
117				'sha256'
118				],
119				'description' => 'Specifies the hash algorithm
120				used when logging key fingerprints. Valid options are:
121				B<md5> and B<sha256>. The default is
122				B<sha256>.',
123				'type' => 'leaf',
124				'upstream_default' => 'sha256',
125				'value_type' => 'enum'
126				},
127				'GSSAPICleanupCredentials',
128				{
129				'description' => 'Specifies whether to
130				automatically destroy the user\'s credentials cache on
131				logout. The default is B<yes>.',
132				'type' => 'leaf',
133				'upstream_default' => 'yes',
134				'value_type' => 'boolean',
135				'write_as' => [
136				'no',
137				'yes'
138				]
139				},
140				'GSSAPIKeyExchange',
141				{
142				'description' => 'Specifies whether key exchange
143				based on GSSAPI is allowed. GSSAPI key exchange
144				doesn\'t rely on ssh keys to verify host identity. The
145				default is B<no>.',
146				'type' => 'leaf',
147				'upstream_default' => 'no',
148				'value_type' => 'boolean',
149				'write_as' => [
150				'no',
151				'yes'
152				]
153				},
154				'GSSAPIStrictAcceptorCheck',
155				{
156				'description' => 'Determines whether to be strict
157				about the identity of the GSSAPI acceptor a client
158				authenticates against. If set to B<yes> then the client
159				must authenticate against the host service on the current
160				hostname. If set to B<no> then the client may
161				authenticate against any service key stored in the
162				machine\'s default store. This facility is provided to
163				assist with operation on multi homed machines. The default
164				is B<yes>.',
165				'type' => 'leaf',
166				'upstream_default' => 'yes',
167				'value_type' => 'boolean',
168				'write_as' => [
169				'no',
170				'yes'
171				]
172				},
173				'GSSAPIStoreCredentialsOnRekey',
174				{
175				'description' => 'Controls whether the
176				user\'s GSSAPI credentials should be updated following
177				a successful connection rekeying. This option can be used to
178				accepted renewed or updated credentials from a compatible
179				client. The default is B<no>.
180
181				For this to
182				work B<GSSAPIKeyExchange> needs to be enabled in the
183				server and also used by the client.',
184				'type' => 'leaf',
185				'upstream_default' => 'no',
186				'value_type' => 'boolean',
187				'write_as' => [
188				'no',
189				'yes'
190				]
191				},
192				'GSSAPIKexAlgorithms',
193				{
194				'description' => "The list of key exchange
195				algorithms that are accepted by GSSAPI key exchange.
196				Possible values are
197
198				gss-gex-sha1-,
199				gss-group1-sha1-,
200				gss-group14-sha1-,
201				gss-group14-sha256-,
202				gss-group16-sha512-,
203				gss-nistp256-sha256-,
204				gss-curve25519-sha256-
205
206				The default is
207				\x{201c}gss-group14-sha256-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-, gss-gex-sha1-, gss-group14-sha1-\x{201d}.
208				This option only applies to connections using GSSAPI.",
209				'type' => 'leaf',
210				'value_type' => 'uniline'
211				},
212				'HostCertificate',
213				{
214				'description' => 'Specifies a file containing a
215				public host certificate. The certificate\'s public key
216				must match a private host key already specified by
217				B<HostKey>. The default behaviour of L<sshd(8)> is not to
218				load any certificates.',
219				'type' => 'leaf',
220				'value_type' => 'uniline'
221				},
222				'HostKey',
223				{
224				'description' => 'Specifies a file containing a
225				private host key used by SSH. The defaults are
226				I</etc/ssh/ssh_host_ecdsa_key>,
227				I</etc/ssh/ssh_host_ed25519_key> and
228				I</etc/ssh/ssh_host_rsa_key>.
229
230				Note that
231				L<sshd(8)> will refuse to use a file if it is
232				group/world-accessible and that the B<HostKeyAlgorithms>
233				option restricts which of the keys are actually used by
234				L<sshd(8)>.
235
236				It is possible
237				to have multiple host key files. It is also possible to
238				specify public host key files instead. In this case
239				operations on the private key will be delegated to an
240				L<ssh-agent(1)>.',
241				'type' => 'leaf',
242				'value_type' => 'uniline'
243				},
244				'HostKeyAgent',
245				{
246				'description' => 'Identifies the UNIX-domain
247				socket used to communicate with an agent that has access to
248				the private host keys. If the string
249				"SSH_AUTH_SOCK" is specified, the location of the
250				socket will be read from the SSH_AUTH_SOCK environment
251				variable.',
252				'type' => 'leaf',
253				'value_type' => 'uniline'
254				},
255				'HostKeyAlgorithms',
256				{
257				'description' => 'Specifies the host key
258				signature algorithms that the server offers. The default for
259				this option is:
260
261				ssh-ed25519-cert-v01@openssh.com,
262				ecdsa-sha2-nistp256-cert-v01@openssh.com,
263				ecdsa-sha2-nistp384-cert-v01@openssh.com,
264				ecdsa-sha2-nistp521-cert-v01@openssh.com,
265				sk-ssh-ed25519-cert-v01@openssh.com,
266				sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
267				rsa-sha2-512-cert-v01@openssh.com,
268				rsa-sha2-256-cert-v01@openssh.com,
269				ssh-ed25519,
270				ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
271				sk-ssh-ed25519@openssh.com,
272				sk-ecdsa-sha2-nistp256@openssh.com,
273				rsa-sha2-512, rsa-sha2-256
274
275				The list of
276				available signature algorithms may also be obtained using
277				"ssh -Q HostKeyAlgorithms".',
278				'type' => 'leaf',
279				'value_type' => 'uniline'
280				},
281				'IgnoreUserKnownHosts',
282				{
283				'description' => 'Specifies whether L<sshd(8)>
284				should ignore the user\'s I<~/.ssh/known_hosts>
285				during B<HostbasedAuthentication> and use only the
286				system-wide known hosts file I</etc/ssh/known_hosts>.
287				The default is B<no>.',
288				'type' => 'leaf',
289				'upstream_default' => 'no',
290				'value_type' => 'boolean',
291				'write_as' => [
292				'no',
293				'yes'
294				]
295				},
296				'KerberosGetAFSToken',
297				{
298				'description' => 'If AFS is active and the user
299				has a Kerberos 5 TGT, attempt to acquire an AFS token before
300				accessing the user\'s home directory. The default is
301				B<no>.',
302				'type' => 'leaf',
303				'upstream_default' => 'no',
304				'value_type' => 'boolean',
305				'write_as' => [
306				'no',
307				'yes'
308				]
309				},
310				'KerberosOrLocalPasswd',
311				{
312				'description' => 'If password authentication
313				through Kerberos fails then the password will be validated
314				via any additional local mechanism such as
315				I</etc/passwd>. The default is B<yes>.',
316				'type' => 'leaf',
317				'upstream_default' => 'yes',
318				'value_type' => 'boolean',
319				'write_as' => [
320				'no',
321				'yes'
322				]
323				},
324				'KerberosTicketCleanup',
325				{
326				'description' => 'Specifies whether to
327				automatically destroy the user\'s ticket cache file on
328				logout. The default is B<yes>.',
329				'type' => 'leaf',
330				'upstream_default' => 'yes',
331				'value_type' => 'boolean',
332				'write_as' => [
333				'no',
334				'yes'
335				]
336				},
337				'KexAlgorithms',
338				{
339				'description' => 'Specifies the available KEX
340				(Key Exchange) algorithms. Multiple algorithms must be
341				comma-separated. Alternately if the specified list begins
342				with a \'+\' character, then the specified
343				algorithms will be appended to the default set instead of
344				replacing them. If the specified list begins with a
345				\'-\' character, then the specified algorithms
346				(including wildcards) will be removed from the default set
347				instead of replacing them. If the specified list begins with
348				a \'^\' character, then the specified algorithms
349				will be placed at the head of the default set. The supported
350				algorithms are:
351
352				curve25519-sha256
353				curve25519-sha256@libssh.org
354				diffie-hellman-group1-sha1
355				diffie-hellman-group14-sha1
356				diffie-hellman-group14-sha256
357				diffie-hellman-group16-sha512
358				diffie-hellman-group18-sha512
359				diffie-hellman-group-exchange-sha1
360				diffie-hellman-group-exchange-sha256
361				ecdh-sha2-nistp256
362				ecdh-sha2-nistp384
363				ecdh-sha2-nistp521
364				sntrup761x25519-sha512@openssh.com
365
366				The default
367				is:
368
369				sntrup761x25519-sha512@openssh.com,
370				curve25519-sha256, curve25519-sha256@libssh.org,
371				ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,
372				diffie-hellman-group-exchange-sha256,
373				diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,
374				diffie-hellman-group14-sha256
375
376				The list of
377				available key exchange algorithms may also be obtained using
378				"ssh -Q KexAlgorithms".',
379				'type' => 'leaf',
380				'value_type' => 'uniline'
381				},
382				'ListenAddress',
383				{
384				'description' => 'Specifies the local addresses
385				L<sshd(8)> should listen on. The following forms may be
386				used:
387
388				B<ListenAddress>I<hostname>\|I<address> B<
389				ListenAddress> I<hostname>:I<port> B<
390				ListenAddress> I<IPv4_address>:I<port> B<
391				ListenAddress> [
392
393				I<hostname>\|I<address> ]:I<port>
394
395				If I<port>
396				is not specified, sshd will listen on the address and all
397				B<Port> options specified. The default is to listen on
398				all local addresses. Multiple B<ListenAddress> options
399				are permitted.',
400				'type' => 'leaf',
401				'value_type' => 'uniline'
402				},
403				'LoginGraceTime',
404				{
405				'description' => 'The server disconnects after
406				this time if the user has not successfully logged in. If the
407				value is 0, there is no time limit. The default is 120
408				seconds.',
409				'type' => 'leaf',
410				'value_type' => 'uniline'
411				},
412				'LogVerbose',
413				{
414				'description' => 'Specify one or more overrides
415				to LogLevel. An override consists of a pattern lists that
416				matches the source file, function and line number to force
417				detailed logging for. For example, an override pattern
418				of:
419
420				kex.c::1000,:kex_exchange_identification():, packet.c:
421
422				would enable
423				detailed logging for line 1000 of I<kex.c>, everything
424				in the B<kex_exchange_identification>() function, and
425				all code in the I<packet.c> file. This option is
426				intended for debugging and no overrides are enabled by
427				default.',
428				'type' => 'leaf',
429				'value_type' => 'uniline'
430				},
431				'MACs',
432				{
433				'description' => 'Specifies the
434				available MAC (message authentication code) algorithms. The
435				MAC algorithm is used for data integrity protection.
436				Multiple algorithms must be comma-separated. If the
437				specified list begins with a \'+\' character, then
438				the specified algorithms will be appended to the default set
439				instead of replacing them. If the specified list begins with
440				a \'-\' character, then the specified algorithms
441				(including wildcards) will be removed from the default set
442				instead of replacing them. If the specified list begins with
443				a \'^\' character, then the specified algorithms
444				will be placed at the head of the default set.
445
446				The algorithms
447				that contain "-etm" calculate the MAC after
448				encryption (encrypt-then-mac). These are considered safer
449				and their use recommended. The supported MACs are:
450
451				hmac-md5
452				hmac-md5-96
453				hmac-sha1
454				hmac-sha1-96
455				hmac-sha2-256
456				hmac-sha2-512
457				umac-64@openssh.com
458				umac-128@openssh.com
459				hmac-md5-etm@openssh.com
460				hmac-md5-96-etm@openssh.com
461				hmac-sha1-etm@openssh.com
462				hmac-sha1-96-etm@openssh.com
463				hmac-sha2-256-etm@openssh.com
464				hmac-sha2-512-etm@openssh.com
465				umac-64-etm@openssh.com
466				umac-128-etm@openssh.com
467
468				The default
469				is:
470
471				umac-64-etm@openssh.com, umac-128-etm@openssh.com,
472				hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com,
473				hmac-sha1-etm@openssh.com,
474				umac-64@openssh.com, umac-128@openssh.com,
475				hmac-sha2-256, hmac-sha2-512, hmac-sha1
476
477				The list of
478				available MAC algorithms may also be obtained using
479				"ssh -Q mac".',
480				'type' => 'leaf',
481				'value_type' => 'uniline'
482				},
483				'Match',
484				{
485				'cargo' => {
486				'config_class_name' => 'Sshd::MatchBlock',
487				'type' => 'node'
488				},
489				'description' => 'Introduces a
490				conditional block. If all of the criteria on the
491				B<Match> line are satisfied, the keywords on the
492				following lines override those set in the global section of
493				the config file, until either another B<Match> line or
494				the end of the file. If a keyword appears in multiple
495				B<Match> blocks that are satisfied, only the first
496				instance of the keyword is applied.
497
498				The arguments
499				to B<Match> are one or more criteria-pattern pairs or
500				the single token B<All> which matches all criteria. The
501				available criteria are B<User>, B<Group>,
502				B<Host>, B<LocalAddress>, B<LocalPort>, and
503				B<Address>.
504
505				The match
506				patterns may consist of single entries or comma-separated
507				lists and may use the wildcard and negation operators
508				described in the I<PATTERNS> section of
509				L<ssh_config(5)>.
510
511				The patterns in
512				an B<Address> criteria may additionally contain
513				addresses to match in CIDR address/masklen format, such as
514				192.0.2.0/24 or 2001:db8::/32. Note that the mask length
515				provided must be consistent with the address - it is an
516				error to specify a mask length that is too long for the
517				address or one with bits set in this host portion of the
518				address. For example, 192.0.2.0/33 and 192.0.2.0/8,
519				respectively.
520
521				Only a subset
522				of keywords may be used on the lines following a
523				B<Match> keyword. Available keywords are
524				B<AcceptEnv>, B<AllowAgentForwarding>,
525				B<AllowGroups>, B<AllowStreamLocalForwarding>,
526				B<AllowTcpForwarding>, B<AllowUsers>,
527				B<AuthenticationMethods>, B<AuthorizedKeysCommand>,
528				B<AuthorizedKeysCommandUser>, B<AuthorizedKeysFile>,
529				B<AuthorizedPrincipalsCommand>,
530				B<AuthorizedPrincipalsCommandUser>,
531				B<AuthorizedPrincipalsFile>, B<Banner>,
532				B<CASignatureAlgorithms>, B<ChrootDirectory>,
533				B<ClientAliveCountMax>, B<ClientAliveInterval>,
534				B<DenyGroups>, B<DenyUsers>,
535				B<DisableForwarding>, B<ExposeAuthInfo>,
536				B<ForceCommand>, B<GatewayPorts>,
537				B<GSSAPIAuthentication>,
538				B<HostbasedAcceptedAlgorithms>,
539				B<HostbasedAuthentication>,
540				B<HostbasedUsesNameFromPacketOnly>, B<IgnoreRhosts>,
541				B<Include>, B<IPQoS>,
542				B<KbdInteractiveAuthentication>,
543				B<KerberosAuthentication>, B<LogLevel>,
544				B<MaxAuthTries>, B<MaxSessions>,
545				B<PasswordAuthentication>, B<PermitEmptyPasswords>,
546				B<PermitListen>, B<PermitOpen>,
547				B<PermitRootLogin>, B<PermitTTY>,
548				B<PermitTunnel>, B<PermitUserRC>,
549				B<PubkeyAcceptedAlgorithms>,
550				B<PubkeyAuthentication>, B<PubkeyAuthOptions>,
551				B<RekeyLimit>, B<RevokedKeys>, B<SetEnv>,
552				B<StreamLocalBindMask>, B<StreamLocalBindUnlink>,
553				B<TrustedUserCAKeys>, B<X11DisplayOffset>,
554				B<X11Forwarding> and B<X11UseLocalhost>.',
555				'type' => 'list'
556				},
557				'MaxStartups',
558				{
559				'description' => 'Specifies the maximum number of
560				concurrent unauthenticated connections to the SSH daemon.
561				Additional connections will be dropped until authentication
562				succeeds or the B<LoginGraceTime> expires for a
563				connection. The default is 10:30:100.
564
565				Alternatively,
566				random early drop can be enabled by specifying the three
567				colon separated values start:rate:full (e.g.
568				"10:30:60"). L<sshd(8)> will refuse connection
569				attempts with a probability of rate/100 (30%) if there are
570				currently start (10) unauthenticated connections. The
571				probability increases linearly and all connection attempts
572				are refused if the number of unauthenticated connections
573				reaches full (60).',
574				'type' => 'leaf',
575				'upstream_default' => '10',
576				'value_type' => 'uniline'
577				},
578				'ModuliFile',
579				{
580				'description' => "Specifies the L<moduli(5)> file
581				that contains the Diffie-Hellman groups used for the
582				\x{201c}diffie-hellman-group-exchange-sha1\x{201d} and
583				\x{201c}diffie-hellman-group-exchange-sha256\x{201d} key
584				exchange methods. The default is I</etc/ssh/moduli>.",
585				'type' => 'leaf',
586				'upstream_default' => '/etc/ssh/moduli',
587				'value_type' => 'uniline'
588				},
589				'PermitUserEnvironment',
590				{
591				'description' => 'Specifies whether
592				I<~/.ssh/environment> and B<environment=> options in
593				I<~/.ssh/authorized_keys> are processed by L<sshd(8)>.
594				Valid options are B<yes>, B<no> or a pattern-list
595				specifying which environment variable names to accept (for
596				example "LANG, LC_*"). The default is B<no>.
597				Enabling environment processing may enable users to bypass
598				access restrictions in some configurations using mechanisms
599				such as LD_PRELOAD.',
600				'type' => 'leaf',
601				'upstream_default' => 'no',
602				'value_type' => 'boolean',
603				'write_as' => [
604				'no',
605				'yes'
606				]
607				},
608				'PerSourceMaxStartups',
609				{
610				'description' => 'Specifies the number of
611				unauthenticated connections allowed from a given source
612				address, or B<none> if there is no limit. This
613				limit is applied in addition to B<MaxStartups>,
614				whichever is lower. The default is B<none>.',
615				'type' => 'leaf',
616				'upstream_default' => 'none',
617				'value_type' => 'uniline'
618				},
619				'PerSourceNetBlockSize',
620				{
621				'description' => 'Specifies the number of bits of
622				source address that are grouped together for the purposes of
623				applying PerSourceMaxStartups limits. Values for IPv4 and
624				optionally IPv6 may be specified, separated by a colon. The
625				default is B<32:128>, which means each address is
626				considered individually.',
627				'type' => 'leaf',
628				'upstream_default' => '32:128',
629				'value_type' => 'uniline'
630				},
631				'PidFile',
632				{
633				'description' => 'Specifies the file that
634				contains the process ID of the SSH daemon, or B<none> to
635				not write one. The default is I</run/sshd.pid>.',
636				'type' => 'leaf',
637				'value_type' => 'uniline'
638				},
639				'Port',
640				{
641				'description' => 'Specifies the
642				port number that L<sshd(8)> listens on. The default is 22.
643				Multiple options of this type are permitted. See also
644				B<ListenAddress>.',
645				'type' => 'leaf',
646				'value_type' => 'uniline'
647				},
648				'PrintLastLog',
649				{
650				'description' => 'Specifies whether L<sshd(8)>
651				should print the date and time of the last user login when a
652				user logs in interactively. The default is B<yes>.',
653				'type' => 'leaf',
654				'upstream_default' => 'yes',
655				'value_type' => 'boolean',
656				'write_as' => [
657				'no',
658				'yes'
659				]
660				},
661				'PrintMotd',
662				{
663				'description' => 'Specifies whether L<sshd(8)>
664				should print I</etc/motd> when a user logs in
665				interactively. (On some systems it is also printed by the
666				shell, I</etc/profile>, or equivalent.) The default is
667				B<yes>.',
668				'type' => 'leaf',
669				'upstream_default' => 'yes',
670				'value_type' => 'boolean',
671				'write_as' => [
672				'no',
673				'yes'
674				]
675				},
676				'SecurityKeyProvider',
677				{
678				'description' => 'Specifies a path to a library
679				that will be used when loading FIDO authenticator-hosted
680				keys, overriding the default of using the built-in USB HID
681				support.',
682				'type' => 'leaf',
683				'value_type' => 'uniline'
684				},
685				'StrictModes',
686				{
687				'description' => 'Specifies whether L<sshd(8)>
688				should check file modes and ownership of the user\'s
689				files and home directory before accepting login. This is
690				normally desirable because novices sometimes accidentally
691				leave their directory or files world-writable. The default
692				is B<yes>. Note that this does not apply to
693				B<ChrootDirectory>, whose permissions and ownership are
694				checked unconditionally.',
695				'type' => 'leaf',
696				'upstream_default' => 'yes',
697				'value_type' => 'boolean',
698				'write_as' => [
699				'no',
700				'yes'
701				]
702				},
703				'Subsystem',
704				{
705				'cargo' => {
706				'mandatory' => '1',
707				'type' => 'leaf',
708				'value_type' => 'uniline'
709				},
710				'description' => 'Configures an external
711				subsystem (e.g. file transfer daemon). Arguments should be a
712				subsystem name and a command (with optional arguments) to
713				execute upon subsystem request.
714
715				The command
716				B<sftp-server> implements the SFTP file transfer
717				subsystem.
718
719				Alternately the
720				name B<internal-sftp> implements an in-process SFTP
721				server. This may simplify configurations using
722				B<ChrootDirectory> to force a different filesystem root
723				on clients.
724
725				By default no
726				subsystems are defined.',
727				'index_type' => 'string',
728				'type' => 'hash'
729				},
730				'SyslogFacility',
731				{
732				'choice' => [
733				'DAEMON',
734				'USER',
735				'AUTH',
736				'LOCAL0',
737				'LOCAL1',
738				'LOCAL2',
739				'LOCAL3',
740				'LOCAL4',
741				'LOCAL5',
742				'LOCAL6',
743				'LOCAL7'
744				],
745				'description' => 'Gives the facility code that is
746				used when logging messages from L<sshd(8)>. The possible values
747				are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3,
748				LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.',
749				'type' => 'leaf',
750				'upstream_default' => 'AUTH',
751				'value_type' => 'enum'
752				},
753				'TCPKeepAlive',
754				{
755				'description' => 'Specifies whether the system
756				should send TCP keepalive messages to the other side. If
757				they are sent, death of the connection or crash of one of
758				the machines will be properly noticed. However, this means
759				that connections will die if the route is down temporarily,
760				and some people find it annoying. On the other hand, if TCP
761				keepalives are not sent, sessions may hang indefinitely on
762				the server, leaving "ghost" users and consuming
763				server resources.
764
765				The default is
766				B<yes> (to send TCP keepalive messages), and the server
767				will notice if the network goes down or the client host
768				crashes. This avoids infinitely hanging sessions.
769
770				To disable TCP
771				keepalive messages, the value should be set to
772				B<no>.
773
774				This option was
775				formerly called B<KeepAlive>.',
776				'type' => 'leaf',
777				'upstream_default' => 'yes',
778				'value_type' => 'boolean',
779				'write_as' => [
780				'no',
781				'yes'
782				]
783				},
784				'UseDNS',
785				{
786				'description' => 'Specifies
787				whether L<sshd(8)> should look up the remote host name, and to
788				check that the resolved host name for the remote IP address
789				maps back to the very same IP address.
790
791				If this option
792				is set to B<no> (the default) then only addresses and
793				not host names may be used in I<~/.ssh/authorized_keys>B<from> and B<sshd_config Match Host>
794				directives.',
795				'type' => 'leaf',
796				'upstream_default' => 'no',
797				'value_type' => 'boolean',
798				'write_as' => [
799				'no',
800				'yes'
801				]
802				},
803				'UsePAM',
804				{
805				'description' => 'Enables the
806				Pluggable Authentication Module interface. If set to
807				B<yes> this will enable PAM authentication using
808				B<KbdInteractiveAuthentication> and
809				B<PasswordAuthentication> in addition to PAM account and
810				session module processing for all authentication types.
811
812				Because PAM
813				keyboard-interactive authentication usually serves an
814				equivalent role to password authentication, you should
815				disable either B<PasswordAuthentication> or
816				B<KbdInteractiveAuthentication>.
817
818				If
819				B<UsePAM> is enabled, you will not be able to run
820				L<sshd(8)> as a non-root user. The default is B<no>.',
821				'type' => 'leaf',
822				'upstream_default' => 'no',
823				'value_type' => 'boolean',
824				'write_as' => [
825				'no',
826				'yes'
827				]
828				},
829				'VersionAddendum',
830				{
831				'description' => 'Optionally specifies additional
832				text to append to the SSH protocol banner sent by the server
833				upon connection. The default is B<none>.',
834				'type' => 'leaf',
835				'value_type' => 'uniline'
836				},
837				'XAuthLocation',
838				{
839				'description' => 'Specifies the full pathname of
840				the L<xauth(1)> program, or B<none> to not use one. The
841				default is I</usr/bin/xauth>.',
842				'type' => 'leaf',
843				'upstream_default' => '/usr/bin/xauth',
844				'value_type' => 'uniline'
845				}
846				],
847				'generated_by' => 'parse-man.pl from sshd_system 9.0p1 doc',
848				'include' => [
849				'Sshd::MatchElement'
850				],
851				'license' => 'LGPL2',
852				'name' => 'Sshd',
853				'rw_config' => {
854				'backend' => 'OpenSsh::Sshd',
855				'config_dir' => '/etc/ssh',
856				'file' => 'sshd_config',
857				'os_config_dir' => {
858				'darwin' => '/etc'
859				}
860				}
861				}
862				]
863				;
864