File Coverage

blib/lib/Config/Model/models/Sshd.pl
Criterion Covered Total %
statement 6 6 100.0
branch n/a
condition n/a
subroutine 2 2 100.0
pod n/a
total 8 8 100.0


line stmt bran cond sub pod time code
1             #
2             # This file is part of Config-Model-OpenSsh
3             #
4             # This software is Copyright (c) 2008-2022 by Dominique Dumont.
5             #
6             # This is free software, licensed under:
7             #
8             # The GNU Lesser General Public License, Version 2.1, February 1999
9             #
10 3     3   223803 use strict;
  3         7  
  3         93  
11 3     3   15 use warnings;
  3         6  
  3         2191  
12              
13             return [
14             {
15             'accept' => [
16             '.*',
17             {
18             'summary' => 'boilerplate parameter that may hide a typo',
19             'type' => 'leaf',
20             'value_type' => 'uniline',
21             'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author'
22             }
23             ],
24             'class_description' => 'This configuration class was generated from sshd_system documentation.
25             by L<parse-man.pl|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl>
26             ',
27             'element' => [
28             'AddressFamily',
29             {
30             'choice' => [
31             'any',
32             'inet',
33             'inet6'
34             ],
35             'description' => 'Specifies which address family
36             should be used by L<sshd(8)>. Valid arguments are B<any>
37             (the default), B<inet> (use IPv4 only), or B<inet6>
38             (use IPv6 only).',
39             'type' => 'leaf',
40             'upstream_default' => 'any',
41             'value_type' => 'enum'
42             },
43             'Ciphers',
44             {
45             'description' => 'Specifies the ciphers allowed.
46             Multiple ciphers must be comma-separated. If the specified
47             list begins with a \'+\' character, then the
48             specified ciphers will be appended to the default set
49             instead of replacing them. If the specified list begins with
50             a \'-\' character, then the specified ciphers
51             (including wildcards) will be removed from the default set
52             instead of replacing them. If the specified list begins with
53             a \'^\' character, then the specified ciphers will
54             be placed at the head of the default set.
55              
56             The supported
57             ciphers are:
58              
59             3des-cbc
60             aes128-cbc
61             aes192-cbc
62             aes256-cbc
63             aes128-ctr
64             aes192-ctr
65             aes256-ctr
66             aes128-gcm@openssh.com
67             aes256-gcm@openssh.com
68             chacha20-poly1305@openssh.com
69              
70             The default
71             is:
72              
73             chacha20-poly1305@openssh.com,
74             aes128-ctr, aes192-ctr, aes256-ctr,
75             aes128-gcm@openssh.com, aes256-gcm@openssh.com
76              
77             The list of
78             available ciphers may also be obtained using "ssh -Q
79             cipher".',
80             'type' => 'leaf',
81             'value_type' => 'uniline'
82             },
83             'Compression',
84             {
85             'choice' => [
86             'yes',
87             'delayed',
88             'no'
89             ],
90             'description' => 'Specifies whether compression
91             is enabled after the user has authenticated successfully.
92             The argument must be B<yes>, B<delayed> (a legacy
93             synonym for B<yes>) or B<no>. The default is
94             B<yes>.',
95             'type' => 'leaf',
96             'upstream_default' => 'yes',
97             'value_type' => 'enum'
98             },
99             'DebianBanner',
100             {
101             'description' => 'Specifies whether the
102             distribution-specified extra version suffix is included
103             during initial protocol handshake. The default is
104             B<yes>.',
105             'type' => 'leaf',
106             'upstream_default' => 'yes',
107             'value_type' => 'boolean',
108             'write_as' => [
109             'no',
110             'yes'
111             ]
112             },
113             'FingerprintHash',
114             {
115             'choice' => [
116             'md5',
117             'sha256'
118             ],
119             'description' => 'Specifies the hash algorithm
120             used when logging key fingerprints. Valid options are:
121             B<md5> and B<sha256>. The default is
122             B<sha256>.',
123             'type' => 'leaf',
124             'upstream_default' => 'sha256',
125             'value_type' => 'enum'
126             },
127             'GSSAPICleanupCredentials',
128             {
129             'description' => 'Specifies whether to
130             automatically destroy the user\'s credentials cache on
131             logout. The default is B<yes>.',
132             'type' => 'leaf',
133             'upstream_default' => 'yes',
134             'value_type' => 'boolean',
135             'write_as' => [
136             'no',
137             'yes'
138             ]
139             },
140             'GSSAPIKeyExchange',
141             {
142             'description' => 'Specifies whether key exchange
143             based on GSSAPI is allowed. GSSAPI key exchange
144             doesn\'t rely on ssh keys to verify host identity. The
145             default is B<no>.',
146             'type' => 'leaf',
147             'upstream_default' => 'no',
148             'value_type' => 'boolean',
149             'write_as' => [
150             'no',
151             'yes'
152             ]
153             },
154             'GSSAPIStrictAcceptorCheck',
155             {
156             'description' => 'Determines whether to be strict
157             about the identity of the GSSAPI acceptor a client
158             authenticates against. If set to B<yes> then the client
159             must authenticate against the host service on the current
160             hostname. If set to B<no> then the client may
161             authenticate against any service key stored in the
162             machine\'s default store. This facility is provided to
163             assist with operation on multi homed machines. The default
164             is B<yes>.',
165             'type' => 'leaf',
166             'upstream_default' => 'yes',
167             'value_type' => 'boolean',
168             'write_as' => [
169             'no',
170             'yes'
171             ]
172             },
173             'GSSAPIStoreCredentialsOnRekey',
174             {
175             'description' => 'Controls whether the
176             user\'s GSSAPI credentials should be updated following
177             a successful connection rekeying. This option can be used to
178             accepted renewed or updated credentials from a compatible
179             client. The default is B<no>.
180              
181             For this to
182             work B<GSSAPIKeyExchange> needs to be enabled in the
183             server and also used by the client.',
184             'type' => 'leaf',
185             'upstream_default' => 'no',
186             'value_type' => 'boolean',
187             'write_as' => [
188             'no',
189             'yes'
190             ]
191             },
192             'GSSAPIKexAlgorithms',
193             {
194             'description' => "The list of key exchange
195             algorithms that are accepted by GSSAPI key exchange.
196             Possible values are
197              
198             gss-gex-sha1-,
199             gss-group1-sha1-,
200             gss-group14-sha1-,
201             gss-group14-sha256-,
202             gss-group16-sha512-,
203             gss-nistp256-sha256-,
204             gss-curve25519-sha256-
205              
206             The default is
207             \x{201c}gss-group14-sha256-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-, gss-gex-sha1-, gss-group14-sha1-\x{201d}.
208             This option only applies to connections using GSSAPI.",
209             'type' => 'leaf',
210             'value_type' => 'uniline'
211             },
212             'HostCertificate',
213             {
214             'description' => 'Specifies a file containing a
215             public host certificate. The certificate\'s public key
216             must match a private host key already specified by
217             B<HostKey>. The default behaviour of L<sshd(8)> is not to
218             load any certificates.',
219             'type' => 'leaf',
220             'value_type' => 'uniline'
221             },
222             'HostKey',
223             {
224             'description' => 'Specifies a file containing a
225             private host key used by SSH. The defaults are
226             I</etc/ssh/ssh_host_ecdsa_key>,
227             I</etc/ssh/ssh_host_ed25519_key> and
228             I</etc/ssh/ssh_host_rsa_key>.
229              
230             Note that
231             L<sshd(8)> will refuse to use a file if it is
232             group/world-accessible and that the B<HostKeyAlgorithms>
233             option restricts which of the keys are actually used by
234             L<sshd(8)>.
235              
236             It is possible
237             to have multiple host key files. It is also possible to
238             specify public host key files instead. In this case
239             operations on the private key will be delegated to an
240             L<ssh-agent(1)>.',
241             'type' => 'leaf',
242             'value_type' => 'uniline'
243             },
244             'HostKeyAgent',
245             {
246             'description' => 'Identifies the UNIX-domain
247             socket used to communicate with an agent that has access to
248             the private host keys. If the string
249             "SSH_AUTH_SOCK" is specified, the location of the
250             socket will be read from the SSH_AUTH_SOCK environment
251             variable.',
252             'type' => 'leaf',
253             'value_type' => 'uniline'
254             },
255             'HostKeyAlgorithms',
256             {
257             'description' => 'Specifies the host key
258             signature algorithms that the server offers. The default for
259             this option is:
260              
261             ssh-ed25519-cert-v01@openssh.com,
262             ecdsa-sha2-nistp256-cert-v01@openssh.com,
263             ecdsa-sha2-nistp384-cert-v01@openssh.com,
264             ecdsa-sha2-nistp521-cert-v01@openssh.com,
265             sk-ssh-ed25519-cert-v01@openssh.com,
266             sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
267             rsa-sha2-512-cert-v01@openssh.com,
268             rsa-sha2-256-cert-v01@openssh.com,
269             ssh-ed25519,
270             ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
271             sk-ssh-ed25519@openssh.com,
272             sk-ecdsa-sha2-nistp256@openssh.com,
273             rsa-sha2-512, rsa-sha2-256
274              
275             The list of
276             available signature algorithms may also be obtained using
277             "ssh -Q HostKeyAlgorithms".',
278             'type' => 'leaf',
279             'value_type' => 'uniline'
280             },
281             'IgnoreUserKnownHosts',
282             {
283             'description' => 'Specifies whether L<sshd(8)>
284             should ignore the user\'s I<~/.ssh/known_hosts>
285             during B<HostbasedAuthentication> and use only the
286             system-wide known hosts file I</etc/ssh/known_hosts>.
287             The default is B<no>.',
288             'type' => 'leaf',
289             'upstream_default' => 'no',
290             'value_type' => 'boolean',
291             'write_as' => [
292             'no',
293             'yes'
294             ]
295             },
296             'KerberosGetAFSToken',
297             {
298             'description' => 'If AFS is active and the user
299             has a Kerberos 5 TGT, attempt to acquire an AFS token before
300             accessing the user\'s home directory. The default is
301             B<no>.',
302             'type' => 'leaf',
303             'upstream_default' => 'no',
304             'value_type' => 'boolean',
305             'write_as' => [
306             'no',
307             'yes'
308             ]
309             },
310             'KerberosOrLocalPasswd',
311             {
312             'description' => 'If password authentication
313             through Kerberos fails then the password will be validated
314             via any additional local mechanism such as
315             I</etc/passwd>. The default is B<yes>.',
316             'type' => 'leaf',
317             'upstream_default' => 'yes',
318             'value_type' => 'boolean',
319             'write_as' => [
320             'no',
321             'yes'
322             ]
323             },
324             'KerberosTicketCleanup',
325             {
326             'description' => 'Specifies whether to
327             automatically destroy the user\'s ticket cache file on
328             logout. The default is B<yes>.',
329             'type' => 'leaf',
330             'upstream_default' => 'yes',
331             'value_type' => 'boolean',
332             'write_as' => [
333             'no',
334             'yes'
335             ]
336             },
337             'KexAlgorithms',
338             {
339             'description' => 'Specifies the available KEX
340             (Key Exchange) algorithms. Multiple algorithms must be
341             comma-separated. Alternately if the specified list begins
342             with a \'+\' character, then the specified
343             algorithms will be appended to the default set instead of
344             replacing them. If the specified list begins with a
345             \'-\' character, then the specified algorithms
346             (including wildcards) will be removed from the default set
347             instead of replacing them. If the specified list begins with
348             a \'^\' character, then the specified algorithms
349             will be placed at the head of the default set. The supported
350             algorithms are:
351              
352             curve25519-sha256
353             curve25519-sha256@libssh.org
354             diffie-hellman-group1-sha1
355             diffie-hellman-group14-sha1
356             diffie-hellman-group14-sha256
357             diffie-hellman-group16-sha512
358             diffie-hellman-group18-sha512
359             diffie-hellman-group-exchange-sha1
360             diffie-hellman-group-exchange-sha256
361             ecdh-sha2-nistp256
362             ecdh-sha2-nistp384
363             ecdh-sha2-nistp521
364             sntrup761x25519-sha512@openssh.com
365              
366             The default
367             is:
368              
369             sntrup761x25519-sha512@openssh.com,
370             curve25519-sha256, curve25519-sha256@libssh.org,
371             ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,
372             diffie-hellman-group-exchange-sha256,
373             diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,
374             diffie-hellman-group14-sha256
375              
376             The list of
377             available key exchange algorithms may also be obtained using
378             "ssh -Q KexAlgorithms".',
379             'type' => 'leaf',
380             'value_type' => 'uniline'
381             },
382             'ListenAddress',
383             {
384             'description' => 'Specifies the local addresses
385             L<sshd(8)> should listen on. The following forms may be
386             used:
387              
388             B<ListenAddress>I<hostname>|I<address> B<
389             ListenAddress> I<hostname>:I<port> B<
390             ListenAddress> I<IPv4_address>:I<port> B<
391             ListenAddress> [
392              
393             I<hostname>|I<address> ]:I<port>
394              
395             If I<port>
396             is not specified, sshd will listen on the address and all
397             B<Port> options specified. The default is to listen on
398             all local addresses. Multiple B<ListenAddress> options
399             are permitted.',
400             'type' => 'leaf',
401             'value_type' => 'uniline'
402             },
403             'LoginGraceTime',
404             {
405             'description' => 'The server disconnects after
406             this time if the user has not successfully logged in. If the
407             value is 0, there is no time limit. The default is 120
408             seconds.',
409             'type' => 'leaf',
410             'value_type' => 'uniline'
411             },
412             'LogVerbose',
413             {
414             'description' => 'Specify one or more overrides
415             to LogLevel. An override consists of a pattern lists that
416             matches the source file, function and line number to force
417             detailed logging for. For example, an override pattern
418             of:
419              
420             kex.c:*:1000,*:kex_exchange_identification():*, packet.c:*
421              
422             would enable
423             detailed logging for line 1000 of I<kex.c>, everything
424             in the B<kex_exchange_identification>() function, and
425             all code in the I<packet.c> file. This option is
426             intended for debugging and no overrides are enabled by
427             default.',
428             'type' => 'leaf',
429             'value_type' => 'uniline'
430             },
431             'MACs',
432             {
433             'description' => 'Specifies the
434             available MAC (message authentication code) algorithms. The
435             MAC algorithm is used for data integrity protection.
436             Multiple algorithms must be comma-separated. If the
437             specified list begins with a \'+\' character, then
438             the specified algorithms will be appended to the default set
439             instead of replacing them. If the specified list begins with
440             a \'-\' character, then the specified algorithms
441             (including wildcards) will be removed from the default set
442             instead of replacing them. If the specified list begins with
443             a \'^\' character, then the specified algorithms
444             will be placed at the head of the default set.
445              
446             The algorithms
447             that contain "-etm" calculate the MAC after
448             encryption (encrypt-then-mac). These are considered safer
449             and their use recommended. The supported MACs are:
450              
451             hmac-md5
452             hmac-md5-96
453             hmac-sha1
454             hmac-sha1-96
455             hmac-sha2-256
456             hmac-sha2-512
457             umac-64@openssh.com
458             umac-128@openssh.com
459             hmac-md5-etm@openssh.com
460             hmac-md5-96-etm@openssh.com
461             hmac-sha1-etm@openssh.com
462             hmac-sha1-96-etm@openssh.com
463             hmac-sha2-256-etm@openssh.com
464             hmac-sha2-512-etm@openssh.com
465             umac-64-etm@openssh.com
466             umac-128-etm@openssh.com
467              
468             The default
469             is:
470              
471             umac-64-etm@openssh.com, umac-128-etm@openssh.com,
472             hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com,
473             hmac-sha1-etm@openssh.com,
474             umac-64@openssh.com, umac-128@openssh.com,
475             hmac-sha2-256, hmac-sha2-512, hmac-sha1
476              
477             The list of
478             available MAC algorithms may also be obtained using
479             "ssh -Q mac".',
480             'type' => 'leaf',
481             'value_type' => 'uniline'
482             },
483             'Match',
484             {
485             'cargo' => {
486             'config_class_name' => 'Sshd::MatchBlock',
487             'type' => 'node'
488             },
489             'description' => 'Introduces a
490             conditional block. If all of the criteria on the
491             B<Match> line are satisfied, the keywords on the
492             following lines override those set in the global section of
493             the config file, until either another B<Match> line or
494             the end of the file. If a keyword appears in multiple
495             B<Match> blocks that are satisfied, only the first
496             instance of the keyword is applied.
497              
498             The arguments
499             to B<Match> are one or more criteria-pattern pairs or
500             the single token B<All> which matches all criteria. The
501             available criteria are B<User>, B<Group>,
502             B<Host>, B<LocalAddress>, B<LocalPort>, and
503             B<Address>.
504              
505             The match
506             patterns may consist of single entries or comma-separated
507             lists and may use the wildcard and negation operators
508             described in the I<PATTERNS> section of
509             L<ssh_config(5)>.
510              
511             The patterns in
512             an B<Address> criteria may additionally contain
513             addresses to match in CIDR address/masklen format, such as
514             192.0.2.0/24 or 2001:db8::/32. Note that the mask length
515             provided must be consistent with the address - it is an
516             error to specify a mask length that is too long for the
517             address or one with bits set in this host portion of the
518             address. For example, 192.0.2.0/33 and 192.0.2.0/8,
519             respectively.
520              
521             Only a subset
522             of keywords may be used on the lines following a
523             B<Match> keyword. Available keywords are
524             B<AcceptEnv>, B<AllowAgentForwarding>,
525             B<AllowGroups>, B<AllowStreamLocalForwarding>,
526             B<AllowTcpForwarding>, B<AllowUsers>,
527             B<AuthenticationMethods>, B<AuthorizedKeysCommand>,
528             B<AuthorizedKeysCommandUser>, B<AuthorizedKeysFile>,
529             B<AuthorizedPrincipalsCommand>,
530             B<AuthorizedPrincipalsCommandUser>,
531             B<AuthorizedPrincipalsFile>, B<Banner>,
532             B<CASignatureAlgorithms>, B<ChrootDirectory>,
533             B<ClientAliveCountMax>, B<ClientAliveInterval>,
534             B<DenyGroups>, B<DenyUsers>,
535             B<DisableForwarding>, B<ExposeAuthInfo>,
536             B<ForceCommand>, B<GatewayPorts>,
537             B<GSSAPIAuthentication>,
538             B<HostbasedAcceptedAlgorithms>,
539             B<HostbasedAuthentication>,
540             B<HostbasedUsesNameFromPacketOnly>, B<IgnoreRhosts>,
541             B<Include>, B<IPQoS>,
542             B<KbdInteractiveAuthentication>,
543             B<KerberosAuthentication>, B<LogLevel>,
544             B<MaxAuthTries>, B<MaxSessions>,
545             B<PasswordAuthentication>, B<PermitEmptyPasswords>,
546             B<PermitListen>, B<PermitOpen>,
547             B<PermitRootLogin>, B<PermitTTY>,
548             B<PermitTunnel>, B<PermitUserRC>,
549             B<PubkeyAcceptedAlgorithms>,
550             B<PubkeyAuthentication>, B<PubkeyAuthOptions>,
551             B<RekeyLimit>, B<RevokedKeys>, B<SetEnv>,
552             B<StreamLocalBindMask>, B<StreamLocalBindUnlink>,
553             B<TrustedUserCAKeys>, B<X11DisplayOffset>,
554             B<X11Forwarding> and B<X11UseLocalhost>.',
555             'type' => 'list'
556             },
557             'MaxStartups',
558             {
559             'description' => 'Specifies the maximum number of
560             concurrent unauthenticated connections to the SSH daemon.
561             Additional connections will be dropped until authentication
562             succeeds or the B<LoginGraceTime> expires for a
563             connection. The default is 10:30:100.
564              
565             Alternatively,
566             random early drop can be enabled by specifying the three
567             colon separated values start:rate:full (e.g.
568             "10:30:60"). L<sshd(8)> will refuse connection
569             attempts with a probability of rate/100 (30%) if there are
570             currently start (10) unauthenticated connections. The
571             probability increases linearly and all connection attempts
572             are refused if the number of unauthenticated connections
573             reaches full (60).',
574             'type' => 'leaf',
575             'upstream_default' => '10',
576             'value_type' => 'uniline'
577             },
578             'ModuliFile',
579             {
580             'description' => "Specifies the L<moduli(5)> file
581             that contains the Diffie-Hellman groups used for the
582             \x{201c}diffie-hellman-group-exchange-sha1\x{201d} and
583             \x{201c}diffie-hellman-group-exchange-sha256\x{201d} key
584             exchange methods. The default is I</etc/ssh/moduli>.",
585             'type' => 'leaf',
586             'upstream_default' => '/etc/ssh/moduli',
587             'value_type' => 'uniline'
588             },
589             'PermitUserEnvironment',
590             {
591             'description' => 'Specifies whether
592             I<~/.ssh/environment> and B<environment=> options in
593             I<~/.ssh/authorized_keys> are processed by L<sshd(8)>.
594             Valid options are B<yes>, B<no> or a pattern-list
595             specifying which environment variable names to accept (for
596             example "LANG, LC_*"). The default is B<no>.
597             Enabling environment processing may enable users to bypass
598             access restrictions in some configurations using mechanisms
599             such as LD_PRELOAD.',
600             'type' => 'leaf',
601             'upstream_default' => 'no',
602             'value_type' => 'boolean',
603             'write_as' => [
604             'no',
605             'yes'
606             ]
607             },
608             'PerSourceMaxStartups',
609             {
610             'description' => 'Specifies the number of
611             unauthenticated connections allowed from a given source
612             address, or B<none> if there is no limit. This
613             limit is applied in addition to B<MaxStartups>,
614             whichever is lower. The default is B<none>.',
615             'type' => 'leaf',
616             'upstream_default' => 'none',
617             'value_type' => 'uniline'
618             },
619             'PerSourceNetBlockSize',
620             {
621             'description' => 'Specifies the number of bits of
622             source address that are grouped together for the purposes of
623             applying PerSourceMaxStartups limits. Values for IPv4 and
624             optionally IPv6 may be specified, separated by a colon. The
625             default is B<32:128>, which means each address is
626             considered individually.',
627             'type' => 'leaf',
628             'upstream_default' => '32:128',
629             'value_type' => 'uniline'
630             },
631             'PidFile',
632             {
633             'description' => 'Specifies the file that
634             contains the process ID of the SSH daemon, or B<none> to
635             not write one. The default is I</run/sshd.pid>.',
636             'type' => 'leaf',
637             'value_type' => 'uniline'
638             },
639             'Port',
640             {
641             'description' => 'Specifies the
642             port number that L<sshd(8)> listens on. The default is 22.
643             Multiple options of this type are permitted. See also
644             B<ListenAddress>.',
645             'type' => 'leaf',
646             'value_type' => 'uniline'
647             },
648             'PrintLastLog',
649             {
650             'description' => 'Specifies whether L<sshd(8)>
651             should print the date and time of the last user login when a
652             user logs in interactively. The default is B<yes>.',
653             'type' => 'leaf',
654             'upstream_default' => 'yes',
655             'value_type' => 'boolean',
656             'write_as' => [
657             'no',
658             'yes'
659             ]
660             },
661             'PrintMotd',
662             {
663             'description' => 'Specifies whether L<sshd(8)>
664             should print I</etc/motd> when a user logs in
665             interactively. (On some systems it is also printed by the
666             shell, I</etc/profile>, or equivalent.) The default is
667             B<yes>.',
668             'type' => 'leaf',
669             'upstream_default' => 'yes',
670             'value_type' => 'boolean',
671             'write_as' => [
672             'no',
673             'yes'
674             ]
675             },
676             'SecurityKeyProvider',
677             {
678             'description' => 'Specifies a path to a library
679             that will be used when loading FIDO authenticator-hosted
680             keys, overriding the default of using the built-in USB HID
681             support.',
682             'type' => 'leaf',
683             'value_type' => 'uniline'
684             },
685             'StrictModes',
686             {
687             'description' => 'Specifies whether L<sshd(8)>
688             should check file modes and ownership of the user\'s
689             files and home directory before accepting login. This is
690             normally desirable because novices sometimes accidentally
691             leave their directory or files world-writable. The default
692             is B<yes>. Note that this does not apply to
693             B<ChrootDirectory>, whose permissions and ownership are
694             checked unconditionally.',
695             'type' => 'leaf',
696             'upstream_default' => 'yes',
697             'value_type' => 'boolean',
698             'write_as' => [
699             'no',
700             'yes'
701             ]
702             },
703             'Subsystem',
704             {
705             'cargo' => {
706             'mandatory' => '1',
707             'type' => 'leaf',
708             'value_type' => 'uniline'
709             },
710             'description' => 'Configures an external
711             subsystem (e.g. file transfer daemon). Arguments should be a
712             subsystem name and a command (with optional arguments) to
713             execute upon subsystem request.
714              
715             The command
716             B<sftp-server> implements the SFTP file transfer
717             subsystem.
718              
719             Alternately the
720             name B<internal-sftp> implements an in-process SFTP
721             server. This may simplify configurations using
722             B<ChrootDirectory> to force a different filesystem root
723             on clients.
724              
725             By default no
726             subsystems are defined.',
727             'index_type' => 'string',
728             'type' => 'hash'
729             },
730             'SyslogFacility',
731             {
732             'choice' => [
733             'DAEMON',
734             'USER',
735             'AUTH',
736             'LOCAL0',
737             'LOCAL1',
738             'LOCAL2',
739             'LOCAL3',
740             'LOCAL4',
741             'LOCAL5',
742             'LOCAL6',
743             'LOCAL7'
744             ],
745             'description' => 'Gives the facility code that is
746             used when logging messages from L<sshd(8)>. The possible values
747             are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3,
748             LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.',
749             'type' => 'leaf',
750             'upstream_default' => 'AUTH',
751             'value_type' => 'enum'
752             },
753             'TCPKeepAlive',
754             {
755             'description' => 'Specifies whether the system
756             should send TCP keepalive messages to the other side. If
757             they are sent, death of the connection or crash of one of
758             the machines will be properly noticed. However, this means
759             that connections will die if the route is down temporarily,
760             and some people find it annoying. On the other hand, if TCP
761             keepalives are not sent, sessions may hang indefinitely on
762             the server, leaving "ghost" users and consuming
763             server resources.
764              
765             The default is
766             B<yes> (to send TCP keepalive messages), and the server
767             will notice if the network goes down or the client host
768             crashes. This avoids infinitely hanging sessions.
769              
770             To disable TCP
771             keepalive messages, the value should be set to
772             B<no>.
773              
774             This option was
775             formerly called B<KeepAlive>.',
776             'type' => 'leaf',
777             'upstream_default' => 'yes',
778             'value_type' => 'boolean',
779             'write_as' => [
780             'no',
781             'yes'
782             ]
783             },
784             'UseDNS',
785             {
786             'description' => 'Specifies
787             whether L<sshd(8)> should look up the remote host name, and to
788             check that the resolved host name for the remote IP address
789             maps back to the very same IP address.
790              
791             If this option
792             is set to B<no> (the default) then only addresses and
793             not host names may be used in I<~/.ssh/authorized_keys> B<from> and B<sshd_config Match Host>
794             directives.',
795             'type' => 'leaf',
796             'upstream_default' => 'no',
797             'value_type' => 'boolean',
798             'write_as' => [
799             'no',
800             'yes'
801             ]
802             },
803             'UsePAM',
804             {
805             'description' => 'Enables the
806             Pluggable Authentication Module interface. If set to
807             B<yes> this will enable PAM authentication using
808             B<KbdInteractiveAuthentication> and
809             B<PasswordAuthentication> in addition to PAM account and
810             session module processing for all authentication types.
811              
812             Because PAM
813             keyboard-interactive authentication usually serves an
814             equivalent role to password authentication, you should
815             disable either B<PasswordAuthentication> or
816             B<KbdInteractiveAuthentication>.
817              
818             If
819             B<UsePAM> is enabled, you will not be able to run
820             L<sshd(8)> as a non-root user. The default is B<no>.',
821             'type' => 'leaf',
822             'upstream_default' => 'no',
823             'value_type' => 'boolean',
824             'write_as' => [
825             'no',
826             'yes'
827             ]
828             },
829             'VersionAddendum',
830             {
831             'description' => 'Optionally specifies additional
832             text to append to the SSH protocol banner sent by the server
833             upon connection. The default is B<none>.',
834             'type' => 'leaf',
835             'value_type' => 'uniline'
836             },
837             'XAuthLocation',
838             {
839             'description' => 'Specifies the full pathname of
840             the L<xauth(1)> program, or B<none> to not use one. The
841             default is I</usr/bin/xauth>.',
842             'type' => 'leaf',
843             'upstream_default' => '/usr/bin/xauth',
844             'value_type' => 'uniline'
845             }
846             ],
847             'generated_by' => 'parse-man.pl from sshd_system 9.0p1 doc',
848             'include' => [
849             'Sshd::MatchElement'
850             ],
851             'license' => 'LGPL2',
852             'name' => 'Sshd',
853             'rw_config' => {
854             'backend' => 'OpenSsh::Sshd',
855             'config_dir' => '/etc/ssh',
856             'file' => 'sshd_config',
857             'os_config_dir' => {
858             'darwin' => '/etc'
859             }
860             }
861             }
862             ]
863             ;
864