line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# |
2
|
|
|
|
|
|
|
# This file is part of Config-Model-OpenSsh |
3
|
|
|
|
|
|
|
# |
4
|
|
|
|
|
|
|
# This software is Copyright (c) 2008-2022 by Dominique Dumont. |
5
|
|
|
|
|
|
|
# |
6
|
|
|
|
|
|
|
# This is free software, licensed under: |
7
|
|
|
|
|
|
|
# |
8
|
|
|
|
|
|
|
# The GNU Lesser General Public License, Version 2.1, February 1999 |
9
|
|
|
|
|
|
|
# |
10
|
3
|
|
|
3
|
|
19532
|
use strict; |
|
3
|
|
|
|
|
8
|
|
|
3
|
|
|
|
|
85
|
|
11
|
3
|
|
|
3
|
|
15
|
use warnings; |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
3154
|
|
12
|
|
|
|
|
|
|
|
13
|
|
|
|
|
|
|
return [ |
14
|
|
|
|
|
|
|
{ |
15
|
|
|
|
|
|
|
'accept' => [ |
16
|
|
|
|
|
|
|
'.*', |
17
|
|
|
|
|
|
|
{ |
18
|
|
|
|
|
|
|
'summary' => 'boilerplate parameter that may hide a typo', |
19
|
|
|
|
|
|
|
'type' => 'leaf', |
20
|
|
|
|
|
|
|
'value_type' => 'uniline', |
21
|
|
|
|
|
|
|
'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author' |
22
|
|
|
|
|
|
|
} |
23
|
|
|
|
|
|
|
], |
24
|
|
|
|
|
|
|
'class_description' => 'This configuration class was generated from sshd_system documentation. |
25
|
|
|
|
|
|
|
by L<parse-man.pl|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl> |
26
|
|
|
|
|
|
|
', |
27
|
|
|
|
|
|
|
'element' => [ |
28
|
|
|
|
|
|
|
'AcceptEnv', |
29
|
|
|
|
|
|
|
{ |
30
|
|
|
|
|
|
|
'cargo' => { |
31
|
|
|
|
|
|
|
'type' => 'leaf', |
32
|
|
|
|
|
|
|
'value_type' => 'uniline' |
33
|
|
|
|
|
|
|
}, |
34
|
|
|
|
|
|
|
'description' => 'Specifies what environment |
35
|
|
|
|
|
|
|
variables sent by the client will be copied into the |
36
|
|
|
|
|
|
|
session\'s L<environ(7)>. See B<SendEnv> and |
37
|
|
|
|
|
|
|
B<SetEnv> in L<ssh_config(5)> for how to configure the |
38
|
|
|
|
|
|
|
client. The TERM environment variable is always accepted |
39
|
|
|
|
|
|
|
whenever the client requests a pseudo-terminal as it is |
40
|
|
|
|
|
|
|
required by the protocol. Variables are specified by name, |
41
|
|
|
|
|
|
|
which may contain the wildcard characters \'*\' |
42
|
|
|
|
|
|
|
and \'?\'. Multiple environment variables may be |
43
|
|
|
|
|
|
|
separated by whitespace or spread across multiple |
44
|
|
|
|
|
|
|
B<AcceptEnv> directives. Be warned that some environment |
45
|
|
|
|
|
|
|
variables could be used to bypass restricted user |
46
|
|
|
|
|
|
|
environments. For this reason, care should be taken in the |
47
|
|
|
|
|
|
|
use of this directive. The default is not to accept any |
48
|
|
|
|
|
|
|
environment variables.', |
49
|
|
|
|
|
|
|
'type' => 'list' |
50
|
|
|
|
|
|
|
}, |
51
|
|
|
|
|
|
|
'AllowAgentForwarding', |
52
|
|
|
|
|
|
|
{ |
53
|
|
|
|
|
|
|
'description' => 'Specifies whether L<ssh-agent(1)> |
54
|
|
|
|
|
|
|
forwarding is permitted. The default is B<yes>. Note |
55
|
|
|
|
|
|
|
that disabling agent forwarding does not improve security |
56
|
|
|
|
|
|
|
unless users are also denied shell access, as they can |
57
|
|
|
|
|
|
|
always install their own forwarders.', |
58
|
|
|
|
|
|
|
'type' => 'leaf', |
59
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
60
|
|
|
|
|
|
|
'value_type' => 'boolean', |
61
|
|
|
|
|
|
|
'write_as' => [ |
62
|
|
|
|
|
|
|
'no', |
63
|
|
|
|
|
|
|
'yes' |
64
|
|
|
|
|
|
|
] |
65
|
|
|
|
|
|
|
}, |
66
|
|
|
|
|
|
|
'AllowGroups', |
67
|
|
|
|
|
|
|
{ |
68
|
|
|
|
|
|
|
'cargo' => { |
69
|
|
|
|
|
|
|
'type' => 'leaf', |
70
|
|
|
|
|
|
|
'value_type' => 'uniline' |
71
|
|
|
|
|
|
|
}, |
72
|
|
|
|
|
|
|
'description' => 'This keyword can be followed by |
73
|
|
|
|
|
|
|
a list of group name patterns, separated by spaces. If |
74
|
|
|
|
|
|
|
specified, login is allowed only for users whose primary |
75
|
|
|
|
|
|
|
group or supplementary group list matches one of the |
76
|
|
|
|
|
|
|
patterns. Only group names are valid; a numerical group ID |
77
|
|
|
|
|
|
|
is not recognized. By default, login is allowed for all |
78
|
|
|
|
|
|
|
groups. The allow/deny groups directives are processed in |
79
|
|
|
|
|
|
|
the following order: B<DenyGroups>, |
80
|
|
|
|
|
|
|
B<AllowGroups>. |
81
|
|
|
|
|
|
|
|
82
|
|
|
|
|
|
|
See PATTERNS in |
83
|
|
|
|
|
|
|
L<ssh_config(5)> for more information on patterns.', |
84
|
|
|
|
|
|
|
'type' => 'list' |
85
|
|
|
|
|
|
|
}, |
86
|
|
|
|
|
|
|
'AllowStreamLocalForwarding', |
87
|
|
|
|
|
|
|
{ |
88
|
|
|
|
|
|
|
'choice' => [ |
89
|
|
|
|
|
|
|
'yes', |
90
|
|
|
|
|
|
|
'all', |
91
|
|
|
|
|
|
|
'no', |
92
|
|
|
|
|
|
|
'local', |
93
|
|
|
|
|
|
|
'remote' |
94
|
|
|
|
|
|
|
], |
95
|
|
|
|
|
|
|
'description' => 'Specifies whether StreamLocal |
96
|
|
|
|
|
|
|
(Unix-domain socket) forwarding is permitted. The available |
97
|
|
|
|
|
|
|
options are B<yes> (the default) or B<all> to allow |
98
|
|
|
|
|
|
|
StreamLocal forwarding, B<no> to prevent all StreamLocal |
99
|
|
|
|
|
|
|
forwarding, B<local> to allow local (from the |
100
|
|
|
|
|
|
|
perspective of L<ssh(1)>) forwarding only or B<remote> to |
101
|
|
|
|
|
|
|
allow remote forwarding only. Note that disabling |
102
|
|
|
|
|
|
|
StreamLocal forwarding does not improve security unless |
103
|
|
|
|
|
|
|
users are also denied shell access, as they can always |
104
|
|
|
|
|
|
|
install their own forwarders.', |
105
|
|
|
|
|
|
|
'type' => 'leaf', |
106
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
107
|
|
|
|
|
|
|
'value_type' => 'enum' |
108
|
|
|
|
|
|
|
}, |
109
|
|
|
|
|
|
|
'AllowTcpForwarding', |
110
|
|
|
|
|
|
|
{ |
111
|
|
|
|
|
|
|
'choice' => [ |
112
|
|
|
|
|
|
|
'yes', |
113
|
|
|
|
|
|
|
'all', |
114
|
|
|
|
|
|
|
'no', |
115
|
|
|
|
|
|
|
'local', |
116
|
|
|
|
|
|
|
'remote' |
117
|
|
|
|
|
|
|
], |
118
|
|
|
|
|
|
|
'description' => 'Specifies whether TCP |
119
|
|
|
|
|
|
|
forwarding is permitted. The available options are |
120
|
|
|
|
|
|
|
B<yes> (the default) or B<all> to allow TCP |
121
|
|
|
|
|
|
|
forwarding, B<no> to prevent all TCP forwarding, |
122
|
|
|
|
|
|
|
B<local> to allow local (from the perspective of L<ssh(1)>) |
123
|
|
|
|
|
|
|
forwarding only or B<remote> to allow remote forwarding |
124
|
|
|
|
|
|
|
only. Note that disabling TCP forwarding does not improve |
125
|
|
|
|
|
|
|
security unless users are also denied shell access, as they |
126
|
|
|
|
|
|
|
can always install their own forwarders.', |
127
|
|
|
|
|
|
|
'type' => 'leaf', |
128
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
129
|
|
|
|
|
|
|
'value_type' => 'enum' |
130
|
|
|
|
|
|
|
}, |
131
|
|
|
|
|
|
|
'AllowUsers', |
132
|
|
|
|
|
|
|
{ |
133
|
|
|
|
|
|
|
'cargo' => { |
134
|
|
|
|
|
|
|
'type' => 'leaf', |
135
|
|
|
|
|
|
|
'value_type' => 'uniline' |
136
|
|
|
|
|
|
|
}, |
137
|
|
|
|
|
|
|
'description' => 'This keyword can be followed by |
138
|
|
|
|
|
|
|
a list of user name patterns, separated by spaces. If |
139
|
|
|
|
|
|
|
specified, login is allowed only for user names that match |
140
|
|
|
|
|
|
|
one of the patterns. Only user names are valid; a numerical |
141
|
|
|
|
|
|
|
user ID is not recognized. By default, login is allowed for |
142
|
|
|
|
|
|
|
all users. If the pattern takes the form USER@HOST then USER |
143
|
|
|
|
|
|
|
and HOST are separately checked, restricting logins to |
144
|
|
|
|
|
|
|
particular users from particular hosts. HOST criteria may |
145
|
|
|
|
|
|
|
additionally contain addresses to match in CIDR |
146
|
|
|
|
|
|
|
address/masklen format. The allow/deny users directives are |
147
|
|
|
|
|
|
|
processed in the following order: B<DenyUsers>, |
148
|
|
|
|
|
|
|
B<AllowUsers>. |
149
|
|
|
|
|
|
|
|
150
|
|
|
|
|
|
|
See PATTERNS in |
151
|
|
|
|
|
|
|
L<ssh_config(5)> for more information on patterns.', |
152
|
|
|
|
|
|
|
'type' => 'list' |
153
|
|
|
|
|
|
|
}, |
154
|
|
|
|
|
|
|
'AuthenticationMethods', |
155
|
|
|
|
|
|
|
{ |
156
|
|
|
|
|
|
|
'description' => 'Specifies the authentication |
157
|
|
|
|
|
|
|
methods that must be successfully completed for a user to be |
158
|
|
|
|
|
|
|
granted access. This option must be followed by one or more |
159
|
|
|
|
|
|
|
lists of comma-separated authentication method names, or by |
160
|
|
|
|
|
|
|
the single string B<any> to indicate the default |
161
|
|
|
|
|
|
|
behaviour of accepting any single authentication method. If |
162
|
|
|
|
|
|
|
the default is overridden, then successful authentication |
163
|
|
|
|
|
|
|
requires completion of every method in at least one of these |
164
|
|
|
|
|
|
|
lists. |
165
|
|
|
|
|
|
|
|
166
|
|
|
|
|
|
|
For example, |
167
|
|
|
|
|
|
|
"publickey, password |
168
|
|
|
|
|
|
|
publickey, keyboard-interactive" would require the user |
169
|
|
|
|
|
|
|
to complete public key authentication, followed by either |
170
|
|
|
|
|
|
|
password or keyboard interactive authentication. Only |
171
|
|
|
|
|
|
|
methods that are next in one or more lists are offered at |
172
|
|
|
|
|
|
|
each stage, so for this example it would not be possible to |
173
|
|
|
|
|
|
|
attempt password or keyboard-interactive authentication |
174
|
|
|
|
|
|
|
before public key. |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
For keyboard |
177
|
|
|
|
|
|
|
interactive authentication it is also possible to restrict |
178
|
|
|
|
|
|
|
authentication to a specific device by appending a colon |
179
|
|
|
|
|
|
|
followed by the device identifier B<bsdauth> or |
180
|
|
|
|
|
|
|
B<pam>. depending on the server configuration. For |
181
|
|
|
|
|
|
|
example, "keyboard-interactive:bsdauth" would |
182
|
|
|
|
|
|
|
restrict keyboard interactive authentication to the |
183
|
|
|
|
|
|
|
B<bsdauth> device. |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
If the |
186
|
|
|
|
|
|
|
publickey method is listed more than once, L<sshd(8)> verifies |
187
|
|
|
|
|
|
|
that keys that have been used successfully are not reused |
188
|
|
|
|
|
|
|
for subsequent authentications. For example, |
189
|
|
|
|
|
|
|
"publickey, publickey" requires successful |
190
|
|
|
|
|
|
|
authentication using two different public keys. |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
Note that each |
193
|
|
|
|
|
|
|
authentication method listed should also be explicitly |
194
|
|
|
|
|
|
|
enabled in the configuration. |
195
|
|
|
|
|
|
|
|
196
|
|
|
|
|
|
|
The available |
197
|
|
|
|
|
|
|
authentication methods are: "gssapi-with-mic", |
198
|
|
|
|
|
|
|
"hostbased", "keyboard-interactive", |
199
|
|
|
|
|
|
|
"none" (used for access to password-less accounts |
200
|
|
|
|
|
|
|
when B<PermitEmptyPasswords> is enabled), |
201
|
|
|
|
|
|
|
"password" and "publickey".', |
202
|
|
|
|
|
|
|
'type' => 'leaf', |
203
|
|
|
|
|
|
|
'value_type' => 'uniline' |
204
|
|
|
|
|
|
|
}, |
205
|
|
|
|
|
|
|
'AuthorizedKeysCommand', |
206
|
|
|
|
|
|
|
{ |
207
|
|
|
|
|
|
|
'description' => 'Specifies a program to be used |
208
|
|
|
|
|
|
|
to look up the user\'s public keys. The program must be |
209
|
|
|
|
|
|
|
owned by root, not writable by group or others and specified |
210
|
|
|
|
|
|
|
by an absolute path. Arguments to |
211
|
|
|
|
|
|
|
B<AuthorizedKeysCommand> accept the tokens described in |
212
|
|
|
|
|
|
|
the I<TOKENS> section. If no arguments are specified |
213
|
|
|
|
|
|
|
then the username of the target user is used. |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
The program |
216
|
|
|
|
|
|
|
should produce on standard output zero or more lines of |
217
|
|
|
|
|
|
|
authorized_keys output (see I<AUTHORIZED_KEYS> in |
218
|
|
|
|
|
|
|
L<sshd(8)>). B<AuthorizedKeysCommand> is tried after the |
219
|
|
|
|
|
|
|
usual B<AuthorizedKeysFile> files and will not be |
220
|
|
|
|
|
|
|
executed if a matching key is found there. By default, no |
221
|
|
|
|
|
|
|
B<AuthorizedKeysCommand> is run.', |
222
|
|
|
|
|
|
|
'type' => 'leaf', |
223
|
|
|
|
|
|
|
'value_type' => 'uniline' |
224
|
|
|
|
|
|
|
}, |
225
|
|
|
|
|
|
|
'AuthorizedKeysCommandUser', |
226
|
|
|
|
|
|
|
{ |
227
|
|
|
|
|
|
|
'description' => 'Specifies the user under whose |
228
|
|
|
|
|
|
|
account the B<AuthorizedKeysCommand> is run. It is |
229
|
|
|
|
|
|
|
recommended to use a dedicated user that has no other role |
230
|
|
|
|
|
|
|
on the host than running authorized keys commands. If |
231
|
|
|
|
|
|
|
B<AuthorizedKeysCommand> is specified but |
232
|
|
|
|
|
|
|
B<AuthorizedKeysCommandUser> is not, then L<sshd(8)> will |
233
|
|
|
|
|
|
|
refuse to start.', |
234
|
|
|
|
|
|
|
'type' => 'leaf', |
235
|
|
|
|
|
|
|
'value_type' => 'uniline' |
236
|
|
|
|
|
|
|
}, |
237
|
|
|
|
|
|
|
'AuthorizedKeysFile', |
238
|
|
|
|
|
|
|
{ |
239
|
|
|
|
|
|
|
'cargo' => { |
240
|
|
|
|
|
|
|
'type' => 'leaf', |
241
|
|
|
|
|
|
|
'value_type' => 'uniline' |
242
|
|
|
|
|
|
|
}, |
243
|
|
|
|
|
|
|
'description' => 'Specifies the file that |
244
|
|
|
|
|
|
|
contains the public keys used for user authentication. The |
245
|
|
|
|
|
|
|
format is described in the AUTHORIZED_KEYS FILE FORMAT |
246
|
|
|
|
|
|
|
section of L<sshd(8)>. Arguments to B<AuthorizedKeysFile> |
247
|
|
|
|
|
|
|
accept the tokens described in the I<TOKENS> section. |
248
|
|
|
|
|
|
|
After expansion, B<AuthorizedKeysFile> is taken to be an |
249
|
|
|
|
|
|
|
absolute path or one relative to the user\'s home |
250
|
|
|
|
|
|
|
directory. Multiple files may be listed, separated by |
251
|
|
|
|
|
|
|
whitespace. Alternately this option may be set to |
252
|
|
|
|
|
|
|
B<none> to skip checking for user keys in files. The |
253
|
|
|
|
|
|
|
default is ".ssh/authorized_keys |
254
|
|
|
|
|
|
|
.ssh/authorized_keys2".', |
255
|
|
|
|
|
|
|
'migrate_values_from' => '- AuthorizedKeysFile2', |
256
|
|
|
|
|
|
|
'type' => 'list' |
257
|
|
|
|
|
|
|
}, |
258
|
|
|
|
|
|
|
'AuthorizedPrincipalsCommand', |
259
|
|
|
|
|
|
|
{ |
260
|
|
|
|
|
|
|
'description' => 'Specifies a program to be used |
261
|
|
|
|
|
|
|
to generate the list of allowed certificate principals as |
262
|
|
|
|
|
|
|
per B<AuthorizedPrincipalsFile>. The program must be |
263
|
|
|
|
|
|
|
owned by root, not writable by group or others and specified |
264
|
|
|
|
|
|
|
by an absolute path. Arguments to |
265
|
|
|
|
|
|
|
B<AuthorizedPrincipalsCommand> accept the tokens |
266
|
|
|
|
|
|
|
described in the I<TOKENS> section. If no arguments are |
267
|
|
|
|
|
|
|
specified then the username of the target user is used. |
268
|
|
|
|
|
|
|
|
269
|
|
|
|
|
|
|
The program |
270
|
|
|
|
|
|
|
should produce on standard output zero or more lines of |
271
|
|
|
|
|
|
|
B<AuthorizedPrincipalsFile> output. If either |
272
|
|
|
|
|
|
|
B<AuthorizedPrincipalsCommand> or |
273
|
|
|
|
|
|
|
B<AuthorizedPrincipalsFile> is specified, then |
274
|
|
|
|
|
|
|
certificates offered by the client for authentication must |
275
|
|
|
|
|
|
|
contain a principal that is listed. By default, no |
276
|
|
|
|
|
|
|
B<AuthorizedPrincipalsCommand> is run.', |
277
|
|
|
|
|
|
|
'type' => 'leaf', |
278
|
|
|
|
|
|
|
'value_type' => 'uniline' |
279
|
|
|
|
|
|
|
}, |
280
|
|
|
|
|
|
|
'AuthorizedPrincipalsCommandUser', |
281
|
|
|
|
|
|
|
{ |
282
|
|
|
|
|
|
|
'description' => 'Specifies the user under whose |
283
|
|
|
|
|
|
|
account the B<AuthorizedPrincipalsCommand> is run. It is |
284
|
|
|
|
|
|
|
recommended to use a dedicated user that has no other role |
285
|
|
|
|
|
|
|
on the host than running authorized principals commands. If |
286
|
|
|
|
|
|
|
B<AuthorizedPrincipalsCommand> is specified but |
287
|
|
|
|
|
|
|
B<AuthorizedPrincipalsCommandUser> is not, then L<sshd(8)> |
288
|
|
|
|
|
|
|
will refuse to start.', |
289
|
|
|
|
|
|
|
'type' => 'leaf', |
290
|
|
|
|
|
|
|
'value_type' => 'uniline' |
291
|
|
|
|
|
|
|
}, |
292
|
|
|
|
|
|
|
'AuthorizedPrincipalsFile', |
293
|
|
|
|
|
|
|
{ |
294
|
|
|
|
|
|
|
'description' => "Specifies a file that lists |
295
|
|
|
|
|
|
|
principal names that are accepted for certificate |
296
|
|
|
|
|
|
|
authentication. When using certificates signed by a key |
297
|
|
|
|
|
|
|
listed in B<TrustedUserCAKeys>, this file lists names, |
298
|
|
|
|
|
|
|
one of which must appear in the certificate for it to be |
299
|
|
|
|
|
|
|
accepted for authentication. Names are listed one per line |
300
|
|
|
|
|
|
|
preceded by key options (as described in I<AUTHORIZED_KEYS |
301
|
|
|
|
|
|
|
FILE FORMAT> in L<sshd(8)>). Empty lines and comments |
302
|
|
|
|
|
|
|
starting with '#' are ignored. |
303
|
|
|
|
|
|
|
|
304
|
|
|
|
|
|
|
Arguments to |
305
|
|
|
|
|
|
|
B<AuthorizedPrincipalsFile> accept the tokens described |
306
|
|
|
|
|
|
|
in the I<TOKENS> section. After expansion, |
307
|
|
|
|
|
|
|
B<AuthorizedPrincipalsFile> is taken to be an absolute |
308
|
|
|
|
|
|
|
path or one relative to the user's home directory. The |
309
|
|
|
|
|
|
|
default is B<none>, i.e. not to use a principals file |
310
|
|
|
|
|
|
|
\x{2013} in this case, the username of the user must appear |
311
|
|
|
|
|
|
|
in a certificate's principals list for it to be |
312
|
|
|
|
|
|
|
accepted. |
313
|
|
|
|
|
|
|
|
314
|
|
|
|
|
|
|
Note that |
315
|
|
|
|
|
|
|
B<AuthorizedPrincipalsFile> is only used when |
316
|
|
|
|
|
|
|
authentication proceeds using a CA listed in |
317
|
|
|
|
|
|
|
B<TrustedUserCAKeys> and is not consulted for |
318
|
|
|
|
|
|
|
certification authorities trusted via |
319
|
|
|
|
|
|
|
I<~/.ssh/authorized_keys>, though the B<principals=> |
320
|
|
|
|
|
|
|
key option offers a similar facility (see L<sshd(8)> for |
321
|
|
|
|
|
|
|
details).", |
322
|
|
|
|
|
|
|
'type' => 'leaf', |
323
|
|
|
|
|
|
|
'upstream_default' => 'none', |
324
|
|
|
|
|
|
|
'value_type' => 'uniline' |
325
|
|
|
|
|
|
|
}, |
326
|
|
|
|
|
|
|
'Banner', |
327
|
|
|
|
|
|
|
{ |
328
|
|
|
|
|
|
|
'description' => 'The contents of |
329
|
|
|
|
|
|
|
the specified file are sent to the remote user before |
330
|
|
|
|
|
|
|
authentication is allowed. If the argument is B<none> |
331
|
|
|
|
|
|
|
then no banner is displayed. By default, no banner is |
332
|
|
|
|
|
|
|
displayed.', |
333
|
|
|
|
|
|
|
'type' => 'leaf', |
334
|
|
|
|
|
|
|
'value_type' => 'uniline' |
335
|
|
|
|
|
|
|
}, |
336
|
|
|
|
|
|
|
'CASignatureAlgorithms', |
337
|
|
|
|
|
|
|
{ |
338
|
|
|
|
|
|
|
'description' => 'Specifies which algorithms are |
339
|
|
|
|
|
|
|
allowed for signing of certificates by certificate |
340
|
|
|
|
|
|
|
authorities (CAs). The default is: |
341
|
|
|
|
|
|
|
|
342
|
|
|
|
|
|
|
ssh-ed25519, ecdsa-sha2-nistp256, |
343
|
|
|
|
|
|
|
ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, |
344
|
|
|
|
|
|
|
sk-ssh-ed25519@openssh.com, |
345
|
|
|
|
|
|
|
sk-ecdsa-sha2-nistp256@openssh.com, |
346
|
|
|
|
|
|
|
rsa-sha2-512, rsa-sha2-256 |
347
|
|
|
|
|
|
|
|
348
|
|
|
|
|
|
|
If the |
349
|
|
|
|
|
|
|
specified list begins with a \'+\' character, then |
350
|
|
|
|
|
|
|
the specified algorithms will be appended to the default set |
351
|
|
|
|
|
|
|
instead of replacing them. If the specified list begins with |
352
|
|
|
|
|
|
|
a \'-\' character, then the specified algorithms |
353
|
|
|
|
|
|
|
(including wildcards) will be removed from the default set |
354
|
|
|
|
|
|
|
instead of replacing them. |
355
|
|
|
|
|
|
|
|
356
|
|
|
|
|
|
|
Certificates |
357
|
|
|
|
|
|
|
signed using other algorithms will not be accepted for |
358
|
|
|
|
|
|
|
public key or host-based authentication.', |
359
|
|
|
|
|
|
|
'type' => 'leaf', |
360
|
|
|
|
|
|
|
'value_type' => 'uniline' |
361
|
|
|
|
|
|
|
}, |
362
|
|
|
|
|
|
|
'ChrootDirectory', |
363
|
|
|
|
|
|
|
{ |
364
|
|
|
|
|
|
|
'description' => 'Specifies the pathname of a |
365
|
|
|
|
|
|
|
directory to L<chroot(2)> to after authentication. At session |
366
|
|
|
|
|
|
|
startup L<sshd(8)> checks that all components of the pathname |
367
|
|
|
|
|
|
|
are root-owned directories which are not writable by any |
368
|
|
|
|
|
|
|
other user or group. After the chroot, L<sshd(8)> changes the |
369
|
|
|
|
|
|
|
working directory to the user\'s home directory. |
370
|
|
|
|
|
|
|
Arguments to B<ChrootDirectory> accept the tokens |
371
|
|
|
|
|
|
|
described in the I<TOKENS> section. |
372
|
|
|
|
|
|
|
|
373
|
|
|
|
|
|
|
The |
374
|
|
|
|
|
|
|
B<ChrootDirectory> must contain the necessary files and |
375
|
|
|
|
|
|
|
directories to support the user\'s session. For an |
376
|
|
|
|
|
|
|
interactive session this requires at least a shell, |
377
|
|
|
|
|
|
|
typically L<sh(1)>, and basic I</dev> nodes such as |
378
|
|
|
|
|
|
|
L<null(4)>, L<zero(4)>, L<stdin(4)>, L<stdout(4)>, L<stderr(4)>, and L<tty(4)> |
379
|
|
|
|
|
|
|
devices. For file transfer sessions using SFTP no additional |
380
|
|
|
|
|
|
|
configuration of the environment is necessary if the |
381
|
|
|
|
|
|
|
in-process sftp-server is used, though sessions which use |
382
|
|
|
|
|
|
|
logging may require I</dev/log> inside the chroot |
383
|
|
|
|
|
|
|
directory on some operating systems (see L<sftp-server(8)> for |
384
|
|
|
|
|
|
|
details). |
385
|
|
|
|
|
|
|
|
386
|
|
|
|
|
|
|
For safety, it |
387
|
|
|
|
|
|
|
is very important that the directory hierarchy be prevented |
388
|
|
|
|
|
|
|
from modification by other processes on the system |
389
|
|
|
|
|
|
|
(especially those outside the jail). Misconfiguration can |
390
|
|
|
|
|
|
|
lead to unsafe environments which L<sshd(8)> cannot detect. |
391
|
|
|
|
|
|
|
|
392
|
|
|
|
|
|
|
The default is |
393
|
|
|
|
|
|
|
B<none>, indicating not to L<chroot(2)>.', |
394
|
|
|
|
|
|
|
'type' => 'leaf', |
395
|
|
|
|
|
|
|
'upstream_default' => 'none', |
396
|
|
|
|
|
|
|
'value_type' => 'uniline' |
397
|
|
|
|
|
|
|
}, |
398
|
|
|
|
|
|
|
'ClientAliveCountMax', |
399
|
|
|
|
|
|
|
{ |
400
|
|
|
|
|
|
|
'description' => 'Sets the number of client alive |
401
|
|
|
|
|
|
|
messages which may be sent without L<sshd(8)> receiving any |
402
|
|
|
|
|
|
|
messages back from the client. If this threshold is reached |
403
|
|
|
|
|
|
|
while client alive messages are being sent, sshd will |
404
|
|
|
|
|
|
|
disconnect the client, terminating the session. It is |
405
|
|
|
|
|
|
|
important to note that the use of client alive messages is |
406
|
|
|
|
|
|
|
very different from B<TCPKeepAlive>. The client alive |
407
|
|
|
|
|
|
|
messages are sent through the encrypted channel and |
408
|
|
|
|
|
|
|
therefore will not be spoofable. The TCP keepalive option |
409
|
|
|
|
|
|
|
enabled by B<TCPKeepAlive> is spoofable. The client |
410
|
|
|
|
|
|
|
alive mechanism is valuable when the client or server depend |
411
|
|
|
|
|
|
|
on knowing when a connection has become unresponsive. |
412
|
|
|
|
|
|
|
|
413
|
|
|
|
|
|
|
The default |
414
|
|
|
|
|
|
|
value is 3. If B<ClientAliveInterval> is set to 15, and |
415
|
|
|
|
|
|
|
B<ClientAliveCountMax> is left at the default, |
416
|
|
|
|
|
|
|
unresponsive SSH clients will be disconnected after |
417
|
|
|
|
|
|
|
approximately 45 seconds. Setting a zero |
418
|
|
|
|
|
|
|
B<ClientAliveCountMax> disables connection |
419
|
|
|
|
|
|
|
termination.', |
420
|
|
|
|
|
|
|
'type' => 'leaf', |
421
|
|
|
|
|
|
|
'upstream_default' => '3', |
422
|
|
|
|
|
|
|
'value_type' => 'integer' |
423
|
|
|
|
|
|
|
}, |
424
|
|
|
|
|
|
|
'ClientAliveInterval', |
425
|
|
|
|
|
|
|
{ |
426
|
|
|
|
|
|
|
'description' => 'Sets a timeout interval in |
427
|
|
|
|
|
|
|
seconds after which if no data has been received from the |
428
|
|
|
|
|
|
|
client, L<sshd(8)> will send a message through the encrypted |
429
|
|
|
|
|
|
|
channel to request a response from the client. The default |
430
|
|
|
|
|
|
|
is 0, indicating that these messages will not be sent to the |
431
|
|
|
|
|
|
|
client.', |
432
|
|
|
|
|
|
|
'type' => 'leaf', |
433
|
|
|
|
|
|
|
'upstream_default' => '0', |
434
|
|
|
|
|
|
|
'value_type' => 'integer' |
435
|
|
|
|
|
|
|
}, |
436
|
|
|
|
|
|
|
'DenyGroups', |
437
|
|
|
|
|
|
|
{ |
438
|
|
|
|
|
|
|
'cargo' => { |
439
|
|
|
|
|
|
|
'type' => 'leaf', |
440
|
|
|
|
|
|
|
'value_type' => 'uniline' |
441
|
|
|
|
|
|
|
}, |
442
|
|
|
|
|
|
|
'description' => 'This keyword can be followed by |
443
|
|
|
|
|
|
|
a list of group name patterns, separated by spaces. Login is |
444
|
|
|
|
|
|
|
disallowed for users whose primary group or supplementary |
445
|
|
|
|
|
|
|
group list matches one of the patterns. Only group names are |
446
|
|
|
|
|
|
|
valid; a numerical group ID is not recognized. By default, |
447
|
|
|
|
|
|
|
login is allowed for all groups. The allow/deny groups |
448
|
|
|
|
|
|
|
directives are processed in the following order: |
449
|
|
|
|
|
|
|
B<DenyGroups>, B<AllowGroups>. |
450
|
|
|
|
|
|
|
|
451
|
|
|
|
|
|
|
See PATTERNS in |
452
|
|
|
|
|
|
|
L<ssh_config(5)> for more information on patterns.', |
453
|
|
|
|
|
|
|
'type' => 'list' |
454
|
|
|
|
|
|
|
}, |
455
|
|
|
|
|
|
|
'DenyUsers', |
456
|
|
|
|
|
|
|
{ |
457
|
|
|
|
|
|
|
'cargo' => { |
458
|
|
|
|
|
|
|
'type' => 'leaf', |
459
|
|
|
|
|
|
|
'value_type' => 'uniline' |
460
|
|
|
|
|
|
|
}, |
461
|
|
|
|
|
|
|
'description' => 'This keyword can be followed by |
462
|
|
|
|
|
|
|
a list of user name patterns, separated by spaces. Login is |
463
|
|
|
|
|
|
|
disallowed for user names that match one of the patterns. |
464
|
|
|
|
|
|
|
Only user names are valid; a numerical user ID is not |
465
|
|
|
|
|
|
|
recognized. By default, login is allowed for all users. If |
466
|
|
|
|
|
|
|
the pattern takes the form USER@HOST then USER and HOST are |
467
|
|
|
|
|
|
|
separately checked, restricting logins to particular users |
468
|
|
|
|
|
|
|
from particular hosts. HOST criteria may additionally |
469
|
|
|
|
|
|
|
contain addresses to match in CIDR address/masklen format. |
470
|
|
|
|
|
|
|
The allow/deny users directives are processed in the |
471
|
|
|
|
|
|
|
following order: B<DenyUsers>, B<AllowUsers>. |
472
|
|
|
|
|
|
|
|
473
|
|
|
|
|
|
|
See PATTERNS in |
474
|
|
|
|
|
|
|
L<ssh_config(5)> for more information on patterns.', |
475
|
|
|
|
|
|
|
'type' => 'list' |
476
|
|
|
|
|
|
|
}, |
477
|
|
|
|
|
|
|
'DisableForwarding', |
478
|
|
|
|
|
|
|
{ |
479
|
|
|
|
|
|
|
'description' => 'Disables all forwarding |
480
|
|
|
|
|
|
|
features, including X11, L<ssh-agent(1)>, TCP and StreamLocal. |
481
|
|
|
|
|
|
|
This option overrides all other forwarding-related options |
482
|
|
|
|
|
|
|
and may simplify restricted configurations.', |
483
|
|
|
|
|
|
|
'type' => 'leaf', |
484
|
|
|
|
|
|
|
'value_type' => 'uniline' |
485
|
|
|
|
|
|
|
}, |
486
|
|
|
|
|
|
|
'ExposeAuthInfo', |
487
|
|
|
|
|
|
|
{ |
488
|
|
|
|
|
|
|
'description' => 'Writes a temporary file |
489
|
|
|
|
|
|
|
containing a list of authentication methods and public |
490
|
|
|
|
|
|
|
credentials (e.g. keys) used to authenticate the user. The |
491
|
|
|
|
|
|
|
location of the file is exposed to the user session through |
492
|
|
|
|
|
|
|
the SSH_USER_AUTH environment variable. The default is |
493
|
|
|
|
|
|
|
B<no>.', |
494
|
|
|
|
|
|
|
'type' => 'leaf', |
495
|
|
|
|
|
|
|
'upstream_default' => 'no', |
496
|
|
|
|
|
|
|
'value_type' => 'boolean', |
497
|
|
|
|
|
|
|
'write_as' => [ |
498
|
|
|
|
|
|
|
'no', |
499
|
|
|
|
|
|
|
'yes' |
500
|
|
|
|
|
|
|
] |
501
|
|
|
|
|
|
|
}, |
502
|
|
|
|
|
|
|
'ForceCommand', |
503
|
|
|
|
|
|
|
{ |
504
|
|
|
|
|
|
|
'description' => 'Forces the execution of the |
505
|
|
|
|
|
|
|
command specified by B<ForceCommand>, ignoring any |
506
|
|
|
|
|
|
|
command supplied by the client and I<~/.ssh/rc> if |
507
|
|
|
|
|
|
|
present. The command is invoked by using the user\'s |
508
|
|
|
|
|
|
|
login shell with the -c option. This applies to shell, |
509
|
|
|
|
|
|
|
command, or subsystem execution. It is most useful inside a |
510
|
|
|
|
|
|
|
B<Match> block. The command originally supplied by the |
511
|
|
|
|
|
|
|
client is available in the SSH_ORIGINAL_COMMAND environment |
512
|
|
|
|
|
|
|
variable. Specifying a command of B<internal-sftp> will |
513
|
|
|
|
|
|
|
force the use of an in-process SFTP server that requires no |
514
|
|
|
|
|
|
|
support files when used with B<ChrootDirectory>. The |
515
|
|
|
|
|
|
|
default is B<none>.', |
516
|
|
|
|
|
|
|
'type' => 'leaf', |
517
|
|
|
|
|
|
|
'upstream_default' => 'none', |
518
|
|
|
|
|
|
|
'value_type' => 'uniline' |
519
|
|
|
|
|
|
|
}, |
520
|
|
|
|
|
|
|
'GatewayPorts', |
521
|
|
|
|
|
|
|
{ |
522
|
|
|
|
|
|
|
'choice' => [ |
523
|
|
|
|
|
|
|
'no', |
524
|
|
|
|
|
|
|
'yes', |
525
|
|
|
|
|
|
|
'clientspecified' |
526
|
|
|
|
|
|
|
], |
527
|
|
|
|
|
|
|
'description' => 'Specifies whether remote hosts |
528
|
|
|
|
|
|
|
are allowed to connect to ports forwarded for the client. By |
529
|
|
|
|
|
|
|
default, L<sshd(8)> binds remote port forwardings to the |
530
|
|
|
|
|
|
|
loopback address. This prevents other remote hosts from |
531
|
|
|
|
|
|
|
connecting to forwarded ports. B<GatewayPorts> can be |
532
|
|
|
|
|
|
|
used to specify that sshd should allow remote port |
533
|
|
|
|
|
|
|
forwardings to bind to non-loopback addresses, thus allowing |
534
|
|
|
|
|
|
|
other hosts to connect. The argument may be B<no> to |
535
|
|
|
|
|
|
|
force remote port forwardings to be available to the local |
536
|
|
|
|
|
|
|
host only, B<yes> to force remote port forwardings to |
537
|
|
|
|
|
|
|
bind to the wildcard address, or B<clientspecified> to |
538
|
|
|
|
|
|
|
allow the client to select the address to which the |
539
|
|
|
|
|
|
|
forwarding is bound. The default is B<no>.', |
540
|
|
|
|
|
|
|
'type' => 'leaf', |
541
|
|
|
|
|
|
|
'upstream_default' => 'no', |
542
|
|
|
|
|
|
|
'value_type' => 'enum' |
543
|
|
|
|
|
|
|
}, |
544
|
|
|
|
|
|
|
'GSSAPIAuthentication', |
545
|
|
|
|
|
|
|
{ |
546
|
|
|
|
|
|
|
'description' => 'Specifies whether user |
547
|
|
|
|
|
|
|
authentication based on GSSAPI is allowed. The default is |
548
|
|
|
|
|
|
|
B<no>.', |
549
|
|
|
|
|
|
|
'type' => 'leaf', |
550
|
|
|
|
|
|
|
'upstream_default' => 'no', |
551
|
|
|
|
|
|
|
'value_type' => 'boolean', |
552
|
|
|
|
|
|
|
'write_as' => [ |
553
|
|
|
|
|
|
|
'no', |
554
|
|
|
|
|
|
|
'yes' |
555
|
|
|
|
|
|
|
] |
556
|
|
|
|
|
|
|
}, |
557
|
|
|
|
|
|
|
'HostbasedAcceptedAlgorithms', |
558
|
|
|
|
|
|
|
{ |
559
|
|
|
|
|
|
|
'description' => 'Specifies the signature |
560
|
|
|
|
|
|
|
algorithms that will be accepted for hostbased |
561
|
|
|
|
|
|
|
authentication as a list of comma-separated patterns. |
562
|
|
|
|
|
|
|
Alternately if the specified list begins with a |
563
|
|
|
|
|
|
|
\'+\' character, then the specified signature |
564
|
|
|
|
|
|
|
algorithms will be appended to the default set instead of |
565
|
|
|
|
|
|
|
replacing them. If the specified list begins with a |
566
|
|
|
|
|
|
|
\'-\' character, then the specified signature |
567
|
|
|
|
|
|
|
algorithms (including wildcards) will be removed from the |
568
|
|
|
|
|
|
|
default set instead of replacing them. If the specified list |
569
|
|
|
|
|
|
|
begins with a \'^\' character, then the specified |
570
|
|
|
|
|
|
|
signature algorithms will be placed at the head of the |
571
|
|
|
|
|
|
|
default set. The default for this option is: |
572
|
|
|
|
|
|
|
|
573
|
|
|
|
|
|
|
ssh-ed25519-cert-v01@openssh.com, |
574
|
|
|
|
|
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com, |
575
|
|
|
|
|
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
576
|
|
|
|
|
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
577
|
|
|
|
|
|
|
sk-ssh-ed25519-cert-v01@openssh.com, |
578
|
|
|
|
|
|
|
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, |
579
|
|
|
|
|
|
|
rsa-sha2-512-cert-v01@openssh.com, |
580
|
|
|
|
|
|
|
rsa-sha2-256-cert-v01@openssh.com, |
581
|
|
|
|
|
|
|
ssh-ed25519, |
582
|
|
|
|
|
|
|
ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, |
583
|
|
|
|
|
|
|
sk-ssh-ed25519@openssh.com, |
584
|
|
|
|
|
|
|
sk-ecdsa-sha2-nistp256@openssh.com, |
585
|
|
|
|
|
|
|
rsa-sha2-512, rsa-sha2-256 |
586
|
|
|
|
|
|
|
|
587
|
|
|
|
|
|
|
The list of |
588
|
|
|
|
|
|
|
available signature algorithms may also be obtained using |
589
|
|
|
|
|
|
|
"ssh -Q HostbasedAcceptedAlgorithms". This was |
590
|
|
|
|
|
|
|
formerly named HostbasedAcceptedKeyTypes.', |
591
|
|
|
|
|
|
|
'type' => 'leaf', |
592
|
|
|
|
|
|
|
'value_type' => 'uniline' |
593
|
|
|
|
|
|
|
}, |
594
|
|
|
|
|
|
|
'HostbasedAuthentication', |
595
|
|
|
|
|
|
|
{ |
596
|
|
|
|
|
|
|
'description' => 'Specifies whether rhosts or |
597
|
|
|
|
|
|
|
/etc/hosts.equiv authentication together with successful |
598
|
|
|
|
|
|
|
public key client host authentication is allowed (host-based |
599
|
|
|
|
|
|
|
authentication). The default is B<no>.', |
600
|
|
|
|
|
|
|
'type' => 'leaf', |
601
|
|
|
|
|
|
|
'upstream_default' => 'no', |
602
|
|
|
|
|
|
|
'value_type' => 'boolean', |
603
|
|
|
|
|
|
|
'write_as' => [ |
604
|
|
|
|
|
|
|
'no', |
605
|
|
|
|
|
|
|
'yes' |
606
|
|
|
|
|
|
|
] |
607
|
|
|
|
|
|
|
}, |
608
|
|
|
|
|
|
|
'HostbasedUsesNameFromPacketOnly', |
609
|
|
|
|
|
|
|
{ |
610
|
|
|
|
|
|
|
'description' => 'Specifies whether or not the |
611
|
|
|
|
|
|
|
server will attempt to perform a reverse name lookup when |
612
|
|
|
|
|
|
|
matching the name in the I<~/.shosts>, I<~/.rhosts>, |
613
|
|
|
|
|
|
|
and I</etc/hosts.equiv> files during |
614
|
|
|
|
|
|
|
B<HostbasedAuthentication>. A setting of B<yes> |
615
|
|
|
|
|
|
|
means that L<sshd(8)> uses the name supplied by the client |
616
|
|
|
|
|
|
|
rather than attempting to resolve the name from the TCP |
617
|
|
|
|
|
|
|
connection itself. The default is B<no>.', |
618
|
|
|
|
|
|
|
'type' => 'leaf', |
619
|
|
|
|
|
|
|
'upstream_default' => 'no', |
620
|
|
|
|
|
|
|
'value_type' => 'boolean', |
621
|
|
|
|
|
|
|
'write_as' => [ |
622
|
|
|
|
|
|
|
'no', |
623
|
|
|
|
|
|
|
'yes' |
624
|
|
|
|
|
|
|
] |
625
|
|
|
|
|
|
|
}, |
626
|
|
|
|
|
|
|
'IgnoreRhosts', |
627
|
|
|
|
|
|
|
{ |
628
|
|
|
|
|
|
|
'description' => 'Specifies whether to ignore |
629
|
|
|
|
|
|
|
per-user I<.rhosts> and I<.shosts> files during |
630
|
|
|
|
|
|
|
B<HostbasedAuthentication>. The system-wide |
631
|
|
|
|
|
|
|
I</etc/hosts.equiv> and I</etc/ssh/shosts.equiv> are |
632
|
|
|
|
|
|
|
still used regardless of this setting. |
633
|
|
|
|
|
|
|
|
634
|
|
|
|
|
|
|
Accepted values |
635
|
|
|
|
|
|
|
are B<yes> (the default) to ignore all per-user files, |
636
|
|
|
|
|
|
|
B<shosts-only> to allow the use of I<.shosts> but to |
637
|
|
|
|
|
|
|
ignore I<.rhosts> or B<no> to allow both |
638
|
|
|
|
|
|
|
I<.shosts> and I<rhosts>.', |
639
|
|
|
|
|
|
|
'type' => 'leaf', |
640
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
641
|
|
|
|
|
|
|
'value_type' => 'boolean', |
642
|
|
|
|
|
|
|
'write_as' => [ |
643
|
|
|
|
|
|
|
'no', |
644
|
|
|
|
|
|
|
'yes' |
645
|
|
|
|
|
|
|
] |
646
|
|
|
|
|
|
|
}, |
647
|
|
|
|
|
|
|
'Include', |
648
|
|
|
|
|
|
|
{ |
649
|
|
|
|
|
|
|
'cargo' => { |
650
|
|
|
|
|
|
|
'type' => 'leaf', |
651
|
|
|
|
|
|
|
'value_type' => 'uniline' |
652
|
|
|
|
|
|
|
}, |
653
|
|
|
|
|
|
|
'description' => 'Include the specified |
654
|
|
|
|
|
|
|
configuration file(s). Multiple pathnames may be specified |
655
|
|
|
|
|
|
|
and each pathname may contain L<glob(7)> wildcards that will be |
656
|
|
|
|
|
|
|
expanded and processed in lexical order. Files without |
657
|
|
|
|
|
|
|
absolute paths are assumed to be in I</etc/ssh>. An |
658
|
|
|
|
|
|
|
B<Include> directive may appear inside a B<Match> |
659
|
|
|
|
|
|
|
block to perform conditional inclusion.', |
660
|
|
|
|
|
|
|
'type' => 'list' |
661
|
|
|
|
|
|
|
}, |
662
|
|
|
|
|
|
|
'IPQoS', |
663
|
|
|
|
|
|
|
{ |
664
|
|
|
|
|
|
|
'assert' => { |
665
|
|
|
|
|
|
|
'1_or_2' => { |
666
|
|
|
|
|
|
|
'code' => 'return 1 unless defined $_; |
667
|
|
|
|
|
|
|
my @v = (/(\\w+)/g); |
668
|
|
|
|
|
|
|
return (@v < 3) ? 1 : 0; |
669
|
|
|
|
|
|
|
', |
670
|
|
|
|
|
|
|
'msg' => 'value must not have more than 2 fields.' |
671
|
|
|
|
|
|
|
}, |
672
|
|
|
|
|
|
|
'accepted_values' => { |
673
|
|
|
|
|
|
|
'code' => 'return 1 unless defined $_; |
674
|
|
|
|
|
|
|
my @v = (/(\\S+)/g); |
675
|
|
|
|
|
|
|
my @good = grep {/^(af[1-4][1-3]|cs[0-7]|ef|lowdelay|throughput|reliability|\\d+)/} @v ; |
676
|
|
|
|
|
|
|
return @good == @v ? 1 : 0; |
677
|
|
|
|
|
|
|
', |
678
|
|
|
|
|
|
|
'msg' => 'Unexpected value "$_". Expected 1 or 2 occurences of: "af11", "af12", "af13", "af21", "af22", |
679
|
|
|
|
|
|
|
"af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", |
680
|
|
|
|
|
|
|
"cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", |
681
|
|
|
|
|
|
|
"throughput", "reliability", or numeric value. |
682
|
|
|
|
|
|
|
' |
683
|
|
|
|
|
|
|
} |
684
|
|
|
|
|
|
|
}, |
685
|
|
|
|
|
|
|
'description' => 'Specifies the |
686
|
|
|
|
|
|
|
IPv4 type-of-service or DSCP class for the connection. |
687
|
|
|
|
|
|
|
Accepted values are B<af11>, B<af12>, B<af13>, |
688
|
|
|
|
|
|
|
B<af21>, B<af22>, B<af23>, B<af31>, |
689
|
|
|
|
|
|
|
B<af32>, B<af33>, B<af41>, B<af42>, |
690
|
|
|
|
|
|
|
B<af43>, B<cs0>, B<cs1>, B<cs2>, B<cs3>, |
691
|
|
|
|
|
|
|
B<cs4>, B<cs5>, B<cs6>, B<cs7>, B<ef>, |
692
|
|
|
|
|
|
|
B<le>, B<lowdelay>, B<throughput>, |
693
|
|
|
|
|
|
|
B<reliability>, a numeric value, or B<none> to use |
694
|
|
|
|
|
|
|
the operating system default. This option may take one or |
695
|
|
|
|
|
|
|
two arguments, separated by whitespace. If one argument is |
696
|
|
|
|
|
|
|
specified, it is used as the packet class unconditionally. |
697
|
|
|
|
|
|
|
If two values are specified, the first is automatically |
698
|
|
|
|
|
|
|
selected for interactive sessions and the second for |
699
|
|
|
|
|
|
|
non-interactive sessions. The default is B<lowdelay> for |
700
|
|
|
|
|
|
|
interactive sessions and B<throughput> for |
701
|
|
|
|
|
|
|
non-interactive sessions.', |
702
|
|
|
|
|
|
|
'type' => 'leaf', |
703
|
|
|
|
|
|
|
'upstream_default' => 'af21 cs1', |
704
|
|
|
|
|
|
|
'value_type' => 'uniline' |
705
|
|
|
|
|
|
|
}, |
706
|
|
|
|
|
|
|
'KbdInteractiveAuthentication', |
707
|
|
|
|
|
|
|
{ |
708
|
|
|
|
|
|
|
'description' => 'Specifies whether to allow |
709
|
|
|
|
|
|
|
keyboard-interactive authentication. The default is |
710
|
|
|
|
|
|
|
B<yes>. The argument to this keyword must be B<yes> |
711
|
|
|
|
|
|
|
or B<no>. B<ChallengeResponseAuthentication> is a |
712
|
|
|
|
|
|
|
deprecated alias for this.', |
713
|
|
|
|
|
|
|
'migrate_from' => { |
714
|
|
|
|
|
|
|
'formula' => '$old', |
715
|
|
|
|
|
|
|
'variables' => { |
716
|
|
|
|
|
|
|
'old' => '- ChallengeResponseAuthentication' |
717
|
|
|
|
|
|
|
} |
718
|
|
|
|
|
|
|
}, |
719
|
|
|
|
|
|
|
'type' => 'leaf', |
720
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
721
|
|
|
|
|
|
|
'value_type' => 'boolean', |
722
|
|
|
|
|
|
|
'write_as' => [ |
723
|
|
|
|
|
|
|
'no', |
724
|
|
|
|
|
|
|
'yes' |
725
|
|
|
|
|
|
|
] |
726
|
|
|
|
|
|
|
}, |
727
|
|
|
|
|
|
|
'KerberosAuthentication', |
728
|
|
|
|
|
|
|
{ |
729
|
|
|
|
|
|
|
'description' => 'Specifies whether the password |
730
|
|
|
|
|
|
|
provided by the user for B<PasswordAuthentication> will |
731
|
|
|
|
|
|
|
be validated through the Kerberos KDC. To use this option, |
732
|
|
|
|
|
|
|
the server needs a Kerberos servtab which allows the |
733
|
|
|
|
|
|
|
verification of the KDC\'s identity. The default is |
734
|
|
|
|
|
|
|
B<no>.', |
735
|
|
|
|
|
|
|
'type' => 'leaf', |
736
|
|
|
|
|
|
|
'upstream_default' => 'no', |
737
|
|
|
|
|
|
|
'value_type' => 'boolean', |
738
|
|
|
|
|
|
|
'write_as' => [ |
739
|
|
|
|
|
|
|
'no', |
740
|
|
|
|
|
|
|
'yes' |
741
|
|
|
|
|
|
|
] |
742
|
|
|
|
|
|
|
}, |
743
|
|
|
|
|
|
|
'LogLevel', |
744
|
|
|
|
|
|
|
{ |
745
|
|
|
|
|
|
|
'choice' => [ |
746
|
|
|
|
|
|
|
'QUIET', |
747
|
|
|
|
|
|
|
'FATAL', |
748
|
|
|
|
|
|
|
'ERROR', |
749
|
|
|
|
|
|
|
'INFO', |
750
|
|
|
|
|
|
|
'VERBOSE', |
751
|
|
|
|
|
|
|
'DEBUG', |
752
|
|
|
|
|
|
|
'DEBUG1', |
753
|
|
|
|
|
|
|
'DEBUG2', |
754
|
|
|
|
|
|
|
'DEBUG3' |
755
|
|
|
|
|
|
|
], |
756
|
|
|
|
|
|
|
'description' => 'Gives the verbosity level that |
757
|
|
|
|
|
|
|
is used when logging messages from L<sshd(8)>. The possible |
758
|
|
|
|
|
|
|
values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, |
759
|
|
|
|
|
|
|
DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and |
760
|
|
|
|
|
|
|
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher |
761
|
|
|
|
|
|
|
levels of debugging output. Logging with a DEBUG level |
762
|
|
|
|
|
|
|
violates the privacy of users and is not recommended.', |
763
|
|
|
|
|
|
|
'type' => 'leaf', |
764
|
|
|
|
|
|
|
'upstream_default' => 'INFO', |
765
|
|
|
|
|
|
|
'value_type' => 'enum' |
766
|
|
|
|
|
|
|
}, |
767
|
|
|
|
|
|
|
'MaxAuthTries', |
768
|
|
|
|
|
|
|
{ |
769
|
|
|
|
|
|
|
'description' => 'Specifies the maximum number of |
770
|
|
|
|
|
|
|
authentication attempts permitted per connection. Once the |
771
|
|
|
|
|
|
|
number of failures reaches half this value, additional |
772
|
|
|
|
|
|
|
failures are logged. The default is 6.', |
773
|
|
|
|
|
|
|
'type' => 'leaf', |
774
|
|
|
|
|
|
|
'upstream_default' => '6', |
775
|
|
|
|
|
|
|
'value_type' => 'integer' |
776
|
|
|
|
|
|
|
}, |
777
|
|
|
|
|
|
|
'MaxSessions', |
778
|
|
|
|
|
|
|
{ |
779
|
|
|
|
|
|
|
'description' => 'Specifies the maximum number of |
780
|
|
|
|
|
|
|
open shell, login or subsystem (e.g. sftp) sessions |
781
|
|
|
|
|
|
|
permitted per network connection. Multiple sessions may be |
782
|
|
|
|
|
|
|
established by clients that support connection multiplexing. |
783
|
|
|
|
|
|
|
Setting B<MaxSessions> to 1 will effectively disable |
784
|
|
|
|
|
|
|
session multiplexing, whereas setting it to 0 will prevent |
785
|
|
|
|
|
|
|
all shell, login and subsystem sessions while still |
786
|
|
|
|
|
|
|
permitting forwarding. The default is 10.', |
787
|
|
|
|
|
|
|
'type' => 'leaf', |
788
|
|
|
|
|
|
|
'upstream_default' => '10', |
789
|
|
|
|
|
|
|
'value_type' => 'integer' |
790
|
|
|
|
|
|
|
}, |
791
|
|
|
|
|
|
|
'PasswordAuthentication', |
792
|
|
|
|
|
|
|
{ |
793
|
|
|
|
|
|
|
'description' => 'Specifies whether password |
794
|
|
|
|
|
|
|
authentication is allowed. The default is B<yes>.', |
795
|
|
|
|
|
|
|
'type' => 'leaf', |
796
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
797
|
|
|
|
|
|
|
'value_type' => 'boolean', |
798
|
|
|
|
|
|
|
'write_as' => [ |
799
|
|
|
|
|
|
|
'no', |
800
|
|
|
|
|
|
|
'yes' |
801
|
|
|
|
|
|
|
] |
802
|
|
|
|
|
|
|
}, |
803
|
|
|
|
|
|
|
'PermitEmptyPasswords', |
804
|
|
|
|
|
|
|
{ |
805
|
|
|
|
|
|
|
'description' => 'When password authentication is |
806
|
|
|
|
|
|
|
allowed, it specifies whether the server allows login to |
807
|
|
|
|
|
|
|
accounts with empty password strings. The default is |
808
|
|
|
|
|
|
|
B<no>.', |
809
|
|
|
|
|
|
|
'type' => 'leaf', |
810
|
|
|
|
|
|
|
'upstream_default' => 'no', |
811
|
|
|
|
|
|
|
'value_type' => 'boolean', |
812
|
|
|
|
|
|
|
'write_as' => [ |
813
|
|
|
|
|
|
|
'no', |
814
|
|
|
|
|
|
|
'yes' |
815
|
|
|
|
|
|
|
] |
816
|
|
|
|
|
|
|
}, |
817
|
|
|
|
|
|
|
'PermitListen', |
818
|
|
|
|
|
|
|
{ |
819
|
|
|
|
|
|
|
'cargo' => { |
820
|
|
|
|
|
|
|
'type' => 'leaf', |
821
|
|
|
|
|
|
|
'value_type' => 'uniline' |
822
|
|
|
|
|
|
|
}, |
823
|
|
|
|
|
|
|
'description' => "Specifies the addresses/ports |
824
|
|
|
|
|
|
|
on which a remote TCP port forwarding may listen. The listen |
825
|
|
|
|
|
|
|
specification must be one of the following forms: |
826
|
|
|
|
|
|
|
|
827
|
|
|
|
|
|
|
B<PermitListen>I<port> B< |
828
|
|
|
|
|
|
|
PermitListen> I<host>:I<port> |
829
|
|
|
|
|
|
|
|
830
|
|
|
|
|
|
|
Multiple |
831
|
|
|
|
|
|
|
permissions may be specified by separating them with |
832
|
|
|
|
|
|
|
whitespace. An argument of B<any> can be used to remove |
833
|
|
|
|
|
|
|
all restrictions and permit any listen requests. An argument |
834
|
|
|
|
|
|
|
of B<none> can be used to prohibit all listen requests. |
835
|
|
|
|
|
|
|
The host name may contain wildcards as described in the |
836
|
|
|
|
|
|
|
PATTERNS section in L<ssh_config(5)>. The wildcard |
837
|
|
|
|
|
|
|
'*' can also be used in place of a port number |
838
|
|
|
|
|
|
|
to allow all ports. By default all port forwarding listen |
839
|
|
|
|
|
|
|
requests are permitted. Note that the B<GatewayPorts> |
840
|
|
|
|
|
|
|
option may further restrict which addresses may be listened |
841
|
|
|
|
|
|
|
on. Note also that L<ssh(1)> will request a listen host of |
842
|
|
|
|
|
|
|
B<localhost> if no listen host was specifically |
843
|
|
|
|
|
|
|
requested, and this name is treated differently to explicit |
844
|
|
|
|
|
|
|
localhost addresses of \x{201c}127.0.0.1\x{201d} and |
845
|
|
|
|
|
|
|
\x{201c}::1\x{201d}.", |
846
|
|
|
|
|
|
|
'type' => 'list' |
847
|
|
|
|
|
|
|
}, |
848
|
|
|
|
|
|
|
'PermitOpen', |
849
|
|
|
|
|
|
|
{ |
850
|
|
|
|
|
|
|
'cargo' => { |
851
|
|
|
|
|
|
|
'type' => 'leaf', |
852
|
|
|
|
|
|
|
'value_type' => 'uniline' |
853
|
|
|
|
|
|
|
}, |
854
|
|
|
|
|
|
|
'description' => 'Specifies the destinations to |
855
|
|
|
|
|
|
|
which TCP port forwarding is permitted. The forwarding |
856
|
|
|
|
|
|
|
specification must be one of the following forms: |
857
|
|
|
|
|
|
|
|
858
|
|
|
|
|
|
|
B<PermitOpen>I<host>:I<port> B< |
859
|
|
|
|
|
|
|
PermitOpen> I<IPv4_addr>:I<port> B< |
860
|
|
|
|
|
|
|
PermitOpen> I<[IPv6_addr]>:I<port> |
861
|
|
|
|
|
|
|
|
862
|
|
|
|
|
|
|
Multiple |
863
|
|
|
|
|
|
|
forwards may be specified by separating them with |
864
|
|
|
|
|
|
|
whitespace. An argument of B<any> can be used to remove |
865
|
|
|
|
|
|
|
all restrictions and permit any forwarding requests. An |
866
|
|
|
|
|
|
|
argument of B<none> can be used to prohibit all |
867
|
|
|
|
|
|
|
forwarding requests. The wildcard \'*\' can be |
868
|
|
|
|
|
|
|
used for host or port to allow all hosts or ports |
869
|
|
|
|
|
|
|
respectively. Otherwise, no pattern matching or address |
870
|
|
|
|
|
|
|
lookups are performed on supplied names. By default all port |
871
|
|
|
|
|
|
|
forwarding requests are permitted.', |
872
|
|
|
|
|
|
|
'type' => 'list' |
873
|
|
|
|
|
|
|
}, |
874
|
|
|
|
|
|
|
'PermitRootLogin', |
875
|
|
|
|
|
|
|
{ |
876
|
|
|
|
|
|
|
'choice' => [ |
877
|
|
|
|
|
|
|
'yes', |
878
|
|
|
|
|
|
|
'prohibit-password', |
879
|
|
|
|
|
|
|
'forced-commands-only', |
880
|
|
|
|
|
|
|
'no' |
881
|
|
|
|
|
|
|
], |
882
|
|
|
|
|
|
|
'description' => 'Specifies whether root can log |
883
|
|
|
|
|
|
|
in using L<ssh(1)>. The argument must be B<yes>, |
884
|
|
|
|
|
|
|
B<prohibit-password>, B<forced-commands-only>, or |
885
|
|
|
|
|
|
|
B<no>. The default is B<prohibit-password>. |
886
|
|
|
|
|
|
|
|
887
|
|
|
|
|
|
|
If this option |
888
|
|
|
|
|
|
|
is set to B<prohibit-password> (or its deprecated alias, |
889
|
|
|
|
|
|
|
B<without-password>), password and keyboard-interactive |
890
|
|
|
|
|
|
|
authentication are disabled for root. |
891
|
|
|
|
|
|
|
|
892
|
|
|
|
|
|
|
If this option |
893
|
|
|
|
|
|
|
is set to B<forced-commands-only>, root login with |
894
|
|
|
|
|
|
|
public key authentication will be allowed, but only if the |
895
|
|
|
|
|
|
|
I<command> option has been specified (which may be |
896
|
|
|
|
|
|
|
useful for taking remote backups even if root login is |
897
|
|
|
|
|
|
|
normally not allowed). All other authentication methods are |
898
|
|
|
|
|
|
|
disabled for root. |
899
|
|
|
|
|
|
|
|
900
|
|
|
|
|
|
|
If this option |
901
|
|
|
|
|
|
|
is set to B<no>, root is not allowed to log in.', |
902
|
|
|
|
|
|
|
'type' => 'leaf', |
903
|
|
|
|
|
|
|
'value_type' => 'enum' |
904
|
|
|
|
|
|
|
}, |
905
|
|
|
|
|
|
|
'PermitTTY', |
906
|
|
|
|
|
|
|
{ |
907
|
|
|
|
|
|
|
'description' => 'Specifies whether L<pty(4)> |
908
|
|
|
|
|
|
|
allocation is permitted. The default is B<yes>.', |
909
|
|
|
|
|
|
|
'type' => 'leaf', |
910
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
911
|
|
|
|
|
|
|
'value_type' => 'boolean', |
912
|
|
|
|
|
|
|
'write_as' => [ |
913
|
|
|
|
|
|
|
'no', |
914
|
|
|
|
|
|
|
'yes' |
915
|
|
|
|
|
|
|
] |
916
|
|
|
|
|
|
|
}, |
917
|
|
|
|
|
|
|
'PermitTunnel', |
918
|
|
|
|
|
|
|
{ |
919
|
|
|
|
|
|
|
'choice' => [ |
920
|
|
|
|
|
|
|
'yes', |
921
|
|
|
|
|
|
|
'point-to-point', |
922
|
|
|
|
|
|
|
'ethernet', |
923
|
|
|
|
|
|
|
'no' |
924
|
|
|
|
|
|
|
], |
925
|
|
|
|
|
|
|
'description' => 'Specifies whether L<tun(4)> device |
926
|
|
|
|
|
|
|
forwarding is allowed. The argument must be B<yes>, |
927
|
|
|
|
|
|
|
B<point-to-point> (layer 3), B<ethernet> (layer 2), |
928
|
|
|
|
|
|
|
or B<no>. Specifying B<yes> permits both |
929
|
|
|
|
|
|
|
B<point-to-point> and B<ethernet>. The default is |
930
|
|
|
|
|
|
|
B<no>. |
931
|
|
|
|
|
|
|
|
932
|
|
|
|
|
|
|
Independent of |
933
|
|
|
|
|
|
|
this setting, the permissions of the selected L<tun(4)> device |
934
|
|
|
|
|
|
|
must allow access to the user.', |
935
|
|
|
|
|
|
|
'type' => 'leaf', |
936
|
|
|
|
|
|
|
'upstream_default' => 'no', |
937
|
|
|
|
|
|
|
'value_type' => 'enum' |
938
|
|
|
|
|
|
|
}, |
939
|
|
|
|
|
|
|
'PermitUserRC', |
940
|
|
|
|
|
|
|
{ |
941
|
|
|
|
|
|
|
'description' => 'Specifies whether any |
942
|
|
|
|
|
|
|
I<~/.ssh/rc> file is executed. The default is |
943
|
|
|
|
|
|
|
B<yes>.', |
944
|
|
|
|
|
|
|
'type' => 'leaf', |
945
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
946
|
|
|
|
|
|
|
'value_type' => 'boolean', |
947
|
|
|
|
|
|
|
'write_as' => [ |
948
|
|
|
|
|
|
|
'no', |
949
|
|
|
|
|
|
|
'yes' |
950
|
|
|
|
|
|
|
] |
951
|
|
|
|
|
|
|
}, |
952
|
|
|
|
|
|
|
'PubkeyAcceptedAlgorithms', |
953
|
|
|
|
|
|
|
{ |
954
|
|
|
|
|
|
|
'description' => 'Specifies the signature |
955
|
|
|
|
|
|
|
algorithms that will be accepted for public key |
956
|
|
|
|
|
|
|
authentication as a list of comma-separated patterns. |
957
|
|
|
|
|
|
|
Alternately if the specified list begins with a |
958
|
|
|
|
|
|
|
\'+\' character, then the specified algorithms |
959
|
|
|
|
|
|
|
will be appended to the default set instead of replacing |
960
|
|
|
|
|
|
|
them. If the specified list begins with a \'-\' |
961
|
|
|
|
|
|
|
character, then the specified algorithms (including |
962
|
|
|
|
|
|
|
wildcards) will be removed from the default set instead of |
963
|
|
|
|
|
|
|
replacing them. If the specified list begins with a |
964
|
|
|
|
|
|
|
\'^\' character, then the specified algorithms |
965
|
|
|
|
|
|
|
will be placed at the head of the default set. The default |
966
|
|
|
|
|
|
|
for this option is: |
967
|
|
|
|
|
|
|
|
968
|
|
|
|
|
|
|
ssh-ed25519-cert-v01@openssh.com, |
969
|
|
|
|
|
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com, |
970
|
|
|
|
|
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
971
|
|
|
|
|
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
972
|
|
|
|
|
|
|
sk-ssh-ed25519-cert-v01@openssh.com, |
973
|
|
|
|
|
|
|
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, |
974
|
|
|
|
|
|
|
rsa-sha2-512-cert-v01@openssh.com, |
975
|
|
|
|
|
|
|
rsa-sha2-256-cert-v01@openssh.com, |
976
|
|
|
|
|
|
|
ssh-ed25519, |
977
|
|
|
|
|
|
|
ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, |
978
|
|
|
|
|
|
|
sk-ssh-ed25519@openssh.com, |
979
|
|
|
|
|
|
|
sk-ecdsa-sha2-nistp256@openssh.com, |
980
|
|
|
|
|
|
|
rsa-sha2-512, rsa-sha2-256 |
981
|
|
|
|
|
|
|
|
982
|
|
|
|
|
|
|
The list of |
983
|
|
|
|
|
|
|
available signature algorithms may also be obtained using |
984
|
|
|
|
|
|
|
"ssh -Q PubkeyAcceptedAlgorithms".', |
985
|
|
|
|
|
|
|
'type' => 'leaf', |
986
|
|
|
|
|
|
|
'value_type' => 'uniline' |
987
|
|
|
|
|
|
|
}, |
988
|
|
|
|
|
|
|
'PubkeyAuthOptions', |
989
|
|
|
|
|
|
|
{ |
990
|
|
|
|
|
|
|
'choice' => [ |
991
|
|
|
|
|
|
|
'none', |
992
|
|
|
|
|
|
|
'touch-required', |
993
|
|
|
|
|
|
|
'verify-required' |
994
|
|
|
|
|
|
|
], |
995
|
|
|
|
|
|
|
'description' => 'Sets one or more public key |
996
|
|
|
|
|
|
|
authentication options. The supported keywords are: |
997
|
|
|
|
|
|
|
B<none> (the default; indicating no additional options |
998
|
|
|
|
|
|
|
are enabled), B<touch-required> and |
999
|
|
|
|
|
|
|
B<verify-required>. |
1000
|
|
|
|
|
|
|
|
1001
|
|
|
|
|
|
|
The |
1002
|
|
|
|
|
|
|
B<touch-required> option causes public key |
1003
|
|
|
|
|
|
|
authentication using a FIDO authenticator algorithm (i.e. |
1004
|
|
|
|
|
|
|
B<ecdsa-sk> or B<ed25519-sk>) to always require the |
1005
|
|
|
|
|
|
|
signature to attest that a physically present user |
1006
|
|
|
|
|
|
|
explicitly confirmed the authentication (usually by touching |
1007
|
|
|
|
|
|
|
the authenticator). By default, L<sshd(8)> requires user |
1008
|
|
|
|
|
|
|
presence unless overridden with an authorized_keys option. |
1009
|
|
|
|
|
|
|
The B<touch-required> flag disables this override. |
1010
|
|
|
|
|
|
|
|
1011
|
|
|
|
|
|
|
The |
1012
|
|
|
|
|
|
|
B<verify-required> option requires a FIDO key signature |
1013
|
|
|
|
|
|
|
attest that the user was verified, e.g. via a PIN. |
1014
|
|
|
|
|
|
|
|
1015
|
|
|
|
|
|
|
Neither the |
1016
|
|
|
|
|
|
|
B<touch-required> or B<verify-required> options have |
1017
|
|
|
|
|
|
|
any effect for other, non-FIDO, public key types.', |
1018
|
|
|
|
|
|
|
'type' => 'leaf', |
1019
|
|
|
|
|
|
|
'value_type' => 'enum' |
1020
|
|
|
|
|
|
|
}, |
1021
|
|
|
|
|
|
|
'PubkeyAuthentication', |
1022
|
|
|
|
|
|
|
{ |
1023
|
|
|
|
|
|
|
'description' => 'Specifies whether public key |
1024
|
|
|
|
|
|
|
authentication is allowed. The default is B<yes>.', |
1025
|
|
|
|
|
|
|
'type' => 'leaf', |
1026
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
1027
|
|
|
|
|
|
|
'value_type' => 'boolean', |
1028
|
|
|
|
|
|
|
'write_as' => [ |
1029
|
|
|
|
|
|
|
'no', |
1030
|
|
|
|
|
|
|
'yes' |
1031
|
|
|
|
|
|
|
] |
1032
|
|
|
|
|
|
|
}, |
1033
|
|
|
|
|
|
|
'RekeyLimit', |
1034
|
|
|
|
|
|
|
{ |
1035
|
|
|
|
|
|
|
'description' => 'Specifies the maximum amount of |
1036
|
|
|
|
|
|
|
data that may be transmitted before the session key is |
1037
|
|
|
|
|
|
|
renegotiated, optionally followed by a maximum amount of |
1038
|
|
|
|
|
|
|
time that may pass before the session key is renegotiated. |
1039
|
|
|
|
|
|
|
The first argument is specified in bytes and may have a |
1040
|
|
|
|
|
|
|
suffix of \'K\', \'M\', or |
1041
|
|
|
|
|
|
|
\'G\' to indicate Kilobytes, Megabytes, or |
1042
|
|
|
|
|
|
|
Gigabytes, respectively. The default is between |
1043
|
|
|
|
|
|
|
\'1G\' and \'4G\', depending on the |
1044
|
|
|
|
|
|
|
cipher. The optional second value is specified in seconds |
1045
|
|
|
|
|
|
|
and may use any of the units documented in the I<TIME |
1046
|
|
|
|
|
|
|
FORMATS> section. The default value for B<RekeyLimit> |
1047
|
|
|
|
|
|
|
is B<default none>, which means that rekeying is |
1048
|
|
|
|
|
|
|
performed after the cipher\'s default amount of data |
1049
|
|
|
|
|
|
|
has been sent or received and no time based rekeying is |
1050
|
|
|
|
|
|
|
done.', |
1051
|
|
|
|
|
|
|
'type' => 'leaf', |
1052
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1053
|
|
|
|
|
|
|
}, |
1054
|
|
|
|
|
|
|
'RevokedKeys', |
1055
|
|
|
|
|
|
|
{ |
1056
|
|
|
|
|
|
|
'description' => 'Specifies revoked public keys |
1057
|
|
|
|
|
|
|
file, or B<none> to not use one. Keys listed in this |
1058
|
|
|
|
|
|
|
file will be refused for public key authentication. Note |
1059
|
|
|
|
|
|
|
that if this file is not readable, then public key |
1060
|
|
|
|
|
|
|
authentication will be refused for all users. Keys may be |
1061
|
|
|
|
|
|
|
specified as a text file, listing one public key per line, |
1062
|
|
|
|
|
|
|
or as an OpenSSH Key Revocation List (KRL) as generated by |
1063
|
|
|
|
|
|
|
L<ssh-keygen(1)>. For more information on KRLs, see the KEY |
1064
|
|
|
|
|
|
|
REVOCATION LISTS section in L<ssh-keygen(1)>.', |
1065
|
|
|
|
|
|
|
'type' => 'leaf', |
1066
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1067
|
|
|
|
|
|
|
}, |
1068
|
|
|
|
|
|
|
'SetEnv', |
1069
|
|
|
|
|
|
|
{ |
1070
|
|
|
|
|
|
|
'description' => "Specifies one |
1071
|
|
|
|
|
|
|
or more environment variables to set in child sessions |
1072
|
|
|
|
|
|
|
started by L<sshd(8)> as \x{201c}NAME=VALUE\x{201d}. The |
1073
|
|
|
|
|
|
|
environment value may be quoted (e.g. if it contains |
1074
|
|
|
|
|
|
|
whitespace characters). Environment variables set by |
1075
|
|
|
|
|
|
|
B<SetEnv> override the default environment and any |
1076
|
|
|
|
|
|
|
variables specified by the user via B<AcceptEnv> or |
1077
|
|
|
|
|
|
|
B<PermitUserEnvironment>.", |
1078
|
|
|
|
|
|
|
'type' => 'leaf', |
1079
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1080
|
|
|
|
|
|
|
}, |
1081
|
|
|
|
|
|
|
'StreamLocalBindMask', |
1082
|
|
|
|
|
|
|
{ |
1083
|
|
|
|
|
|
|
'description' => 'Sets the octal file creation |
1084
|
|
|
|
|
|
|
mode mask (umask) used when creating a Unix-domain socket |
1085
|
|
|
|
|
|
|
file for local or remote port forwarding. This option is |
1086
|
|
|
|
|
|
|
only used for port forwarding to a Unix-domain socket |
1087
|
|
|
|
|
|
|
file. |
1088
|
|
|
|
|
|
|
|
1089
|
|
|
|
|
|
|
The default |
1090
|
|
|
|
|
|
|
value is 0177, which creates a Unix-domain socket file that |
1091
|
|
|
|
|
|
|
is readable and writable only by the owner. Note that not |
1092
|
|
|
|
|
|
|
all operating systems honor the file mode on Unix-domain |
1093
|
|
|
|
|
|
|
socket files.', |
1094
|
|
|
|
|
|
|
'type' => 'leaf', |
1095
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1096
|
|
|
|
|
|
|
}, |
1097
|
|
|
|
|
|
|
'StreamLocalBindUnlink', |
1098
|
|
|
|
|
|
|
{ |
1099
|
|
|
|
|
|
|
'description' => 'Specifies whether to remove an |
1100
|
|
|
|
|
|
|
existing Unix-domain socket file for local or remote port |
1101
|
|
|
|
|
|
|
forwarding before creating a new one. If the socket file |
1102
|
|
|
|
|
|
|
already exists and B<StreamLocalBindUnlink> is not |
1103
|
|
|
|
|
|
|
enabled, B<sshd> will be unable to forward the port to |
1104
|
|
|
|
|
|
|
the Unix-domain socket file. This option is only used for |
1105
|
|
|
|
|
|
|
port forwarding to a Unix-domain socket file. |
1106
|
|
|
|
|
|
|
|
1107
|
|
|
|
|
|
|
The argument |
1108
|
|
|
|
|
|
|
must be B<yes> or B<no>. The default is |
1109
|
|
|
|
|
|
|
B<no>.', |
1110
|
|
|
|
|
|
|
'type' => 'leaf', |
1111
|
|
|
|
|
|
|
'upstream_default' => 'no', |
1112
|
|
|
|
|
|
|
'value_type' => 'boolean', |
1113
|
|
|
|
|
|
|
'write_as' => [ |
1114
|
|
|
|
|
|
|
'no', |
1115
|
|
|
|
|
|
|
'yes' |
1116
|
|
|
|
|
|
|
] |
1117
|
|
|
|
|
|
|
}, |
1118
|
|
|
|
|
|
|
'TrustedUserCAKeys', |
1119
|
|
|
|
|
|
|
{ |
1120
|
|
|
|
|
|
|
'description' => 'Specifies a file containing |
1121
|
|
|
|
|
|
|
public keys of certificate authorities that are trusted to |
1122
|
|
|
|
|
|
|
sign user certificates for authentication, or B<none> to |
1123
|
|
|
|
|
|
|
not use one. Keys are listed one per line; empty lines and |
1124
|
|
|
|
|
|
|
comments starting with \'#\' are allowed. If a |
1125
|
|
|
|
|
|
|
certificate is presented for authentication and has its |
1126
|
|
|
|
|
|
|
signing CA key listed in this file, then it may be used for |
1127
|
|
|
|
|
|
|
authentication for any user listed in the |
1128
|
|
|
|
|
|
|
certificate\'s principals list. Note that certificates |
1129
|
|
|
|
|
|
|
that lack a list of principals will not be permitted for |
1130
|
|
|
|
|
|
|
authentication using B<TrustedUserCAKeys>. For more |
1131
|
|
|
|
|
|
|
details on certificates, see the CERTIFICATES section in |
1132
|
|
|
|
|
|
|
L<ssh-keygen(1)>.', |
1133
|
|
|
|
|
|
|
'type' => 'leaf', |
1134
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1135
|
|
|
|
|
|
|
}, |
1136
|
|
|
|
|
|
|
'X11DisplayOffset', |
1137
|
|
|
|
|
|
|
{ |
1138
|
|
|
|
|
|
|
'description' => 'Specifies the first display |
1139
|
|
|
|
|
|
|
number available for L<sshd(8)>\'s X11 forwarding. This |
1140
|
|
|
|
|
|
|
prevents sshd from interfering with real X11 servers. The |
1141
|
|
|
|
|
|
|
default is 10.', |
1142
|
|
|
|
|
|
|
'type' => 'leaf', |
1143
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1144
|
|
|
|
|
|
|
}, |
1145
|
|
|
|
|
|
|
'X11Forwarding', |
1146
|
|
|
|
|
|
|
{ |
1147
|
|
|
|
|
|
|
'description' => 'Specifies whether X11 |
1148
|
|
|
|
|
|
|
forwarding is permitted. The argument must be B<yes> or |
1149
|
|
|
|
|
|
|
B<no>. The default is B<no>. |
1150
|
|
|
|
|
|
|
|
1151
|
|
|
|
|
|
|
When X11 |
1152
|
|
|
|
|
|
|
forwarding is enabled, there may be additional exposure to |
1153
|
|
|
|
|
|
|
the server and to client displays if the L<sshd(8)> proxy |
1154
|
|
|
|
|
|
|
display is configured to listen on the wildcard address (see |
1155
|
|
|
|
|
|
|
B<X11UseLocalhost>), though this is not the default. |
1156
|
|
|
|
|
|
|
Additionally, the authentication spoofing and authentication |
1157
|
|
|
|
|
|
|
data verification and substitution occur on the client side. |
1158
|
|
|
|
|
|
|
The security risk of using X11 forwarding is that the |
1159
|
|
|
|
|
|
|
client\'s X11 display server may be exposed to attack |
1160
|
|
|
|
|
|
|
when the SSH client requests forwarding (see the warnings |
1161
|
|
|
|
|
|
|
for B<ForwardX11> in L<ssh_config(5)>). A system |
1162
|
|
|
|
|
|
|
administrator may have a stance in which they want to |
1163
|
|
|
|
|
|
|
protect clients that may expose themselves to attack by |
1164
|
|
|
|
|
|
|
unwittingly requesting X11 forwarding, which can warrant a |
1165
|
|
|
|
|
|
|
B<no> setting. |
1166
|
|
|
|
|
|
|
|
1167
|
|
|
|
|
|
|
Note that |
1168
|
|
|
|
|
|
|
disabling X11 forwarding does not prevent users from |
1169
|
|
|
|
|
|
|
forwarding X11 traffic, as users can always install their |
1170
|
|
|
|
|
|
|
own forwarders.', |
1171
|
|
|
|
|
|
|
'type' => 'leaf', |
1172
|
|
|
|
|
|
|
'upstream_default' => 'no', |
1173
|
|
|
|
|
|
|
'value_type' => 'boolean', |
1174
|
|
|
|
|
|
|
'write_as' => [ |
1175
|
|
|
|
|
|
|
'no', |
1176
|
|
|
|
|
|
|
'yes' |
1177
|
|
|
|
|
|
|
] |
1178
|
|
|
|
|
|
|
}, |
1179
|
|
|
|
|
|
|
'X11UseLocalhost', |
1180
|
|
|
|
|
|
|
{ |
1181
|
|
|
|
|
|
|
'description' => 'Specifies whether L<sshd(8)> |
1182
|
|
|
|
|
|
|
should bind the X11 forwarding server to the loopback |
1183
|
|
|
|
|
|
|
address or to the wildcard address. By default, sshd binds |
1184
|
|
|
|
|
|
|
the forwarding server to the loopback address and sets the |
1185
|
|
|
|
|
|
|
hostname part of the DISPLAY environment variable to |
1186
|
|
|
|
|
|
|
B<localhost>. This prevents remote hosts from connecting |
1187
|
|
|
|
|
|
|
to the proxy display. However, some older X11 clients may |
1188
|
|
|
|
|
|
|
not function with this configuration. B<X11UseLocalhost> |
1189
|
|
|
|
|
|
|
may be set to B<no> to specify that the forwarding |
1190
|
|
|
|
|
|
|
server should be bound to the wildcard address. The argument |
1191
|
|
|
|
|
|
|
must be B<yes> or B<no>. The default is |
1192
|
|
|
|
|
|
|
B<yes>.', |
1193
|
|
|
|
|
|
|
'type' => 'leaf', |
1194
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
1195
|
|
|
|
|
|
|
'value_type' => 'boolean', |
1196
|
|
|
|
|
|
|
'write_as' => [ |
1197
|
|
|
|
|
|
|
'no', |
1198
|
|
|
|
|
|
|
'yes' |
1199
|
|
|
|
|
|
|
] |
1200
|
|
|
|
|
|
|
}, |
1201
|
|
|
|
|
|
|
'AuthorizedKeysFile2', |
1202
|
|
|
|
|
|
|
{ |
1203
|
|
|
|
|
|
|
'cargo' => { |
1204
|
|
|
|
|
|
|
'type' => 'leaf', |
1205
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1206
|
|
|
|
|
|
|
}, |
1207
|
|
|
|
|
|
|
'description' => 'This parameter is now ignored by Ssh', |
1208
|
|
|
|
|
|
|
'status' => 'deprecated', |
1209
|
|
|
|
|
|
|
'type' => 'list' |
1210
|
|
|
|
|
|
|
}, |
1211
|
|
|
|
|
|
|
'ChallengeResponseAuthentication', |
1212
|
|
|
|
|
|
|
{ |
1213
|
|
|
|
|
|
|
'status' => 'deprecated', |
1214
|
|
|
|
|
|
|
'type' => 'leaf', |
1215
|
|
|
|
|
|
|
'value_type' => 'boolean' |
1216
|
|
|
|
|
|
|
}, |
1217
|
|
|
|
|
|
|
'KeyRegenerationInterval', |
1218
|
|
|
|
|
|
|
{ |
1219
|
|
|
|
|
|
|
'status' => 'deprecated', |
1220
|
|
|
|
|
|
|
'type' => 'leaf', |
1221
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1222
|
|
|
|
|
|
|
}, |
1223
|
|
|
|
|
|
|
'Protocol', |
1224
|
|
|
|
|
|
|
{ |
1225
|
|
|
|
|
|
|
'status' => 'deprecated', |
1226
|
|
|
|
|
|
|
'type' => 'leaf', |
1227
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1228
|
|
|
|
|
|
|
}, |
1229
|
|
|
|
|
|
|
'RDomain', |
1230
|
|
|
|
|
|
|
{ |
1231
|
|
|
|
|
|
|
'status' => 'deprecated', |
1232
|
|
|
|
|
|
|
'type' => 'leaf', |
1233
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1234
|
|
|
|
|
|
|
}, |
1235
|
|
|
|
|
|
|
'RSAAuthentication', |
1236
|
|
|
|
|
|
|
{ |
1237
|
|
|
|
|
|
|
'status' => 'deprecated', |
1238
|
|
|
|
|
|
|
'type' => 'leaf', |
1239
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1240
|
|
|
|
|
|
|
}, |
1241
|
|
|
|
|
|
|
'RhostsRSAAuthentication', |
1242
|
|
|
|
|
|
|
{ |
1243
|
|
|
|
|
|
|
'status' => 'deprecated', |
1244
|
|
|
|
|
|
|
'type' => 'leaf', |
1245
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1246
|
|
|
|
|
|
|
}, |
1247
|
|
|
|
|
|
|
'UsePrivilegeSeparation', |
1248
|
|
|
|
|
|
|
{ |
1249
|
|
|
|
|
|
|
'status' => 'deprecated', |
1250
|
|
|
|
|
|
|
'type' => 'leaf', |
1251
|
|
|
|
|
|
|
'value_type' => 'uniline' |
1252
|
|
|
|
|
|
|
} |
1253
|
|
|
|
|
|
|
], |
1254
|
|
|
|
|
|
|
'generated_by' => 'parse-man.pl from sshd_system 9.0p1 doc', |
1255
|
|
|
|
|
|
|
'license' => 'LGPL2', |
1256
|
|
|
|
|
|
|
'name' => 'Sshd::MatchElement' |
1257
|
|
|
|
|
|
|
} |
1258
|
|
|
|
|
|
|
] |
1259
|
|
|
|
|
|
|
; |
1260
|
|
|
|
|
|
|
|