line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# |
2
|
|
|
|
|
|
|
# This file is part of Config-Model-OpenSsh |
3
|
|
|
|
|
|
|
# |
4
|
|
|
|
|
|
|
# This software is Copyright (c) 2008-2022 by Dominique Dumont. |
5
|
|
|
|
|
|
|
# |
6
|
|
|
|
|
|
|
# This is free software, licensed under: |
7
|
|
|
|
|
|
|
# |
8
|
|
|
|
|
|
|
# The GNU Lesser General Public License, Version 2.1, February 1999 |
9
|
|
|
|
|
|
|
# |
10
|
3
|
|
|
3
|
|
223803
|
use strict; |
|
3
|
|
|
|
|
7
|
|
|
3
|
|
|
|
|
93
|
|
11
|
3
|
|
|
3
|
|
15
|
use warnings; |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
2191
|
|
12
|
|
|
|
|
|
|
|
13
|
|
|
|
|
|
|
return [ |
14
|
|
|
|
|
|
|
{ |
15
|
|
|
|
|
|
|
'accept' => [ |
16
|
|
|
|
|
|
|
'.*', |
17
|
|
|
|
|
|
|
{ |
18
|
|
|
|
|
|
|
'summary' => 'boilerplate parameter that may hide a typo', |
19
|
|
|
|
|
|
|
'type' => 'leaf', |
20
|
|
|
|
|
|
|
'value_type' => 'uniline', |
21
|
|
|
|
|
|
|
'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author' |
22
|
|
|
|
|
|
|
} |
23
|
|
|
|
|
|
|
], |
24
|
|
|
|
|
|
|
'class_description' => 'This configuration class was generated from sshd_system documentation. |
25
|
|
|
|
|
|
|
by L<parse-man.pl|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl> |
26
|
|
|
|
|
|
|
', |
27
|
|
|
|
|
|
|
'element' => [ |
28
|
|
|
|
|
|
|
'AddressFamily', |
29
|
|
|
|
|
|
|
{ |
30
|
|
|
|
|
|
|
'choice' => [ |
31
|
|
|
|
|
|
|
'any', |
32
|
|
|
|
|
|
|
'inet', |
33
|
|
|
|
|
|
|
'inet6' |
34
|
|
|
|
|
|
|
], |
35
|
|
|
|
|
|
|
'description' => 'Specifies which address family |
36
|
|
|
|
|
|
|
should be used by L<sshd(8)>. Valid arguments are B<any> |
37
|
|
|
|
|
|
|
(the default), B<inet> (use IPv4 only), or B<inet6> |
38
|
|
|
|
|
|
|
(use IPv6 only).', |
39
|
|
|
|
|
|
|
'type' => 'leaf', |
40
|
|
|
|
|
|
|
'upstream_default' => 'any', |
41
|
|
|
|
|
|
|
'value_type' => 'enum' |
42
|
|
|
|
|
|
|
}, |
43
|
|
|
|
|
|
|
'Ciphers', |
44
|
|
|
|
|
|
|
{ |
45
|
|
|
|
|
|
|
'description' => 'Specifies the ciphers allowed. |
46
|
|
|
|
|
|
|
Multiple ciphers must be comma-separated. If the specified |
47
|
|
|
|
|
|
|
list begins with a \'+\' character, then the |
48
|
|
|
|
|
|
|
specified ciphers will be appended to the default set |
49
|
|
|
|
|
|
|
instead of replacing them. If the specified list begins with |
50
|
|
|
|
|
|
|
a \'-\' character, then the specified ciphers |
51
|
|
|
|
|
|
|
(including wildcards) will be removed from the default set |
52
|
|
|
|
|
|
|
instead of replacing them. If the specified list begins with |
53
|
|
|
|
|
|
|
a \'^\' character, then the specified ciphers will |
54
|
|
|
|
|
|
|
be placed at the head of the default set. |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
The supported |
57
|
|
|
|
|
|
|
ciphers are: |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
3des-cbc |
60
|
|
|
|
|
|
|
aes128-cbc |
61
|
|
|
|
|
|
|
aes192-cbc |
62
|
|
|
|
|
|
|
aes256-cbc |
63
|
|
|
|
|
|
|
aes128-ctr |
64
|
|
|
|
|
|
|
aes192-ctr |
65
|
|
|
|
|
|
|
aes256-ctr |
66
|
|
|
|
|
|
|
aes128-gcm@openssh.com |
67
|
|
|
|
|
|
|
aes256-gcm@openssh.com |
68
|
|
|
|
|
|
|
chacha20-poly1305@openssh.com |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
The default |
71
|
|
|
|
|
|
|
is: |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
chacha20-poly1305@openssh.com, |
74
|
|
|
|
|
|
|
aes128-ctr, aes192-ctr, aes256-ctr, |
75
|
|
|
|
|
|
|
aes128-gcm@openssh.com, aes256-gcm@openssh.com |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
The list of |
78
|
|
|
|
|
|
|
available ciphers may also be obtained using "ssh -Q |
79
|
|
|
|
|
|
|
cipher".', |
80
|
|
|
|
|
|
|
'type' => 'leaf', |
81
|
|
|
|
|
|
|
'value_type' => 'uniline' |
82
|
|
|
|
|
|
|
}, |
83
|
|
|
|
|
|
|
'Compression', |
84
|
|
|
|
|
|
|
{ |
85
|
|
|
|
|
|
|
'choice' => [ |
86
|
|
|
|
|
|
|
'yes', |
87
|
|
|
|
|
|
|
'delayed', |
88
|
|
|
|
|
|
|
'no' |
89
|
|
|
|
|
|
|
], |
90
|
|
|
|
|
|
|
'description' => 'Specifies whether compression |
91
|
|
|
|
|
|
|
is enabled after the user has authenticated successfully. |
92
|
|
|
|
|
|
|
The argument must be B<yes>, B<delayed> (a legacy |
93
|
|
|
|
|
|
|
synonym for B<yes>) or B<no>. The default is |
94
|
|
|
|
|
|
|
B<yes>.', |
95
|
|
|
|
|
|
|
'type' => 'leaf', |
96
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
97
|
|
|
|
|
|
|
'value_type' => 'enum' |
98
|
|
|
|
|
|
|
}, |
99
|
|
|
|
|
|
|
'DebianBanner', |
100
|
|
|
|
|
|
|
{ |
101
|
|
|
|
|
|
|
'description' => 'Specifies whether the |
102
|
|
|
|
|
|
|
distribution-specified extra version suffix is included |
103
|
|
|
|
|
|
|
during initial protocol handshake. The default is |
104
|
|
|
|
|
|
|
B<yes>.', |
105
|
|
|
|
|
|
|
'type' => 'leaf', |
106
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
107
|
|
|
|
|
|
|
'value_type' => 'boolean', |
108
|
|
|
|
|
|
|
'write_as' => [ |
109
|
|
|
|
|
|
|
'no', |
110
|
|
|
|
|
|
|
'yes' |
111
|
|
|
|
|
|
|
] |
112
|
|
|
|
|
|
|
}, |
113
|
|
|
|
|
|
|
'FingerprintHash', |
114
|
|
|
|
|
|
|
{ |
115
|
|
|
|
|
|
|
'choice' => [ |
116
|
|
|
|
|
|
|
'md5', |
117
|
|
|
|
|
|
|
'sha256' |
118
|
|
|
|
|
|
|
], |
119
|
|
|
|
|
|
|
'description' => 'Specifies the hash algorithm |
120
|
|
|
|
|
|
|
used when logging key fingerprints. Valid options are: |
121
|
|
|
|
|
|
|
B<md5> and B<sha256>. The default is |
122
|
|
|
|
|
|
|
B<sha256>.', |
123
|
|
|
|
|
|
|
'type' => 'leaf', |
124
|
|
|
|
|
|
|
'upstream_default' => 'sha256', |
125
|
|
|
|
|
|
|
'value_type' => 'enum' |
126
|
|
|
|
|
|
|
}, |
127
|
|
|
|
|
|
|
'GSSAPICleanupCredentials', |
128
|
|
|
|
|
|
|
{ |
129
|
|
|
|
|
|
|
'description' => 'Specifies whether to |
130
|
|
|
|
|
|
|
automatically destroy the user\'s credentials cache on |
131
|
|
|
|
|
|
|
logout. The default is B<yes>.', |
132
|
|
|
|
|
|
|
'type' => 'leaf', |
133
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
134
|
|
|
|
|
|
|
'value_type' => 'boolean', |
135
|
|
|
|
|
|
|
'write_as' => [ |
136
|
|
|
|
|
|
|
'no', |
137
|
|
|
|
|
|
|
'yes' |
138
|
|
|
|
|
|
|
] |
139
|
|
|
|
|
|
|
}, |
140
|
|
|
|
|
|
|
'GSSAPIKeyExchange', |
141
|
|
|
|
|
|
|
{ |
142
|
|
|
|
|
|
|
'description' => 'Specifies whether key exchange |
143
|
|
|
|
|
|
|
based on GSSAPI is allowed. GSSAPI key exchange |
144
|
|
|
|
|
|
|
doesn\'t rely on ssh keys to verify host identity. The |
145
|
|
|
|
|
|
|
default is B<no>.', |
146
|
|
|
|
|
|
|
'type' => 'leaf', |
147
|
|
|
|
|
|
|
'upstream_default' => 'no', |
148
|
|
|
|
|
|
|
'value_type' => 'boolean', |
149
|
|
|
|
|
|
|
'write_as' => [ |
150
|
|
|
|
|
|
|
'no', |
151
|
|
|
|
|
|
|
'yes' |
152
|
|
|
|
|
|
|
] |
153
|
|
|
|
|
|
|
}, |
154
|
|
|
|
|
|
|
'GSSAPIStrictAcceptorCheck', |
155
|
|
|
|
|
|
|
{ |
156
|
|
|
|
|
|
|
'description' => 'Determines whether to be strict |
157
|
|
|
|
|
|
|
about the identity of the GSSAPI acceptor a client |
158
|
|
|
|
|
|
|
authenticates against. If set to B<yes> then the client |
159
|
|
|
|
|
|
|
must authenticate against the host service on the current |
160
|
|
|
|
|
|
|
hostname. If set to B<no> then the client may |
161
|
|
|
|
|
|
|
authenticate against any service key stored in the |
162
|
|
|
|
|
|
|
machine\'s default store. This facility is provided to |
163
|
|
|
|
|
|
|
assist with operation on multi homed machines. The default |
164
|
|
|
|
|
|
|
is B<yes>.', |
165
|
|
|
|
|
|
|
'type' => 'leaf', |
166
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
167
|
|
|
|
|
|
|
'value_type' => 'boolean', |
168
|
|
|
|
|
|
|
'write_as' => [ |
169
|
|
|
|
|
|
|
'no', |
170
|
|
|
|
|
|
|
'yes' |
171
|
|
|
|
|
|
|
] |
172
|
|
|
|
|
|
|
}, |
173
|
|
|
|
|
|
|
'GSSAPIStoreCredentialsOnRekey', |
174
|
|
|
|
|
|
|
{ |
175
|
|
|
|
|
|
|
'description' => 'Controls whether the |
176
|
|
|
|
|
|
|
user\'s GSSAPI credentials should be updated following |
177
|
|
|
|
|
|
|
a successful connection rekeying. This option can be used to |
178
|
|
|
|
|
|
|
accepted renewed or updated credentials from a compatible |
179
|
|
|
|
|
|
|
client. The default is B<no>. |
180
|
|
|
|
|
|
|
|
181
|
|
|
|
|
|
|
For this to |
182
|
|
|
|
|
|
|
work B<GSSAPIKeyExchange> needs to be enabled in the |
183
|
|
|
|
|
|
|
server and also used by the client.', |
184
|
|
|
|
|
|
|
'type' => 'leaf', |
185
|
|
|
|
|
|
|
'upstream_default' => 'no', |
186
|
|
|
|
|
|
|
'value_type' => 'boolean', |
187
|
|
|
|
|
|
|
'write_as' => [ |
188
|
|
|
|
|
|
|
'no', |
189
|
|
|
|
|
|
|
'yes' |
190
|
|
|
|
|
|
|
] |
191
|
|
|
|
|
|
|
}, |
192
|
|
|
|
|
|
|
'GSSAPIKexAlgorithms', |
193
|
|
|
|
|
|
|
{ |
194
|
|
|
|
|
|
|
'description' => "The list of key exchange |
195
|
|
|
|
|
|
|
algorithms that are accepted by GSSAPI key exchange. |
196
|
|
|
|
|
|
|
Possible values are |
197
|
|
|
|
|
|
|
|
198
|
|
|
|
|
|
|
gss-gex-sha1-, |
199
|
|
|
|
|
|
|
gss-group1-sha1-, |
200
|
|
|
|
|
|
|
gss-group14-sha1-, |
201
|
|
|
|
|
|
|
gss-group14-sha256-, |
202
|
|
|
|
|
|
|
gss-group16-sha512-, |
203
|
|
|
|
|
|
|
gss-nistp256-sha256-, |
204
|
|
|
|
|
|
|
gss-curve25519-sha256- |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
The default is |
207
|
|
|
|
|
|
|
\x{201c}gss-group14-sha256-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-, gss-gex-sha1-, gss-group14-sha1-\x{201d}. |
208
|
|
|
|
|
|
|
This option only applies to connections using GSSAPI.", |
209
|
|
|
|
|
|
|
'type' => 'leaf', |
210
|
|
|
|
|
|
|
'value_type' => 'uniline' |
211
|
|
|
|
|
|
|
}, |
212
|
|
|
|
|
|
|
'HostCertificate', |
213
|
|
|
|
|
|
|
{ |
214
|
|
|
|
|
|
|
'description' => 'Specifies a file containing a |
215
|
|
|
|
|
|
|
public host certificate. The certificate\'s public key |
216
|
|
|
|
|
|
|
must match a private host key already specified by |
217
|
|
|
|
|
|
|
B<HostKey>. The default behaviour of L<sshd(8)> is not to |
218
|
|
|
|
|
|
|
load any certificates.', |
219
|
|
|
|
|
|
|
'type' => 'leaf', |
220
|
|
|
|
|
|
|
'value_type' => 'uniline' |
221
|
|
|
|
|
|
|
}, |
222
|
|
|
|
|
|
|
'HostKey', |
223
|
|
|
|
|
|
|
{ |
224
|
|
|
|
|
|
|
'description' => 'Specifies a file containing a |
225
|
|
|
|
|
|
|
private host key used by SSH. The defaults are |
226
|
|
|
|
|
|
|
I</etc/ssh/ssh_host_ecdsa_key>, |
227
|
|
|
|
|
|
|
I</etc/ssh/ssh_host_ed25519_key> and |
228
|
|
|
|
|
|
|
I</etc/ssh/ssh_host_rsa_key>. |
229
|
|
|
|
|
|
|
|
230
|
|
|
|
|
|
|
Note that |
231
|
|
|
|
|
|
|
L<sshd(8)> will refuse to use a file if it is |
232
|
|
|
|
|
|
|
group/world-accessible and that the B<HostKeyAlgorithms> |
233
|
|
|
|
|
|
|
option restricts which of the keys are actually used by |
234
|
|
|
|
|
|
|
L<sshd(8)>. |
235
|
|
|
|
|
|
|
|
236
|
|
|
|
|
|
|
It is possible |
237
|
|
|
|
|
|
|
to have multiple host key files. It is also possible to |
238
|
|
|
|
|
|
|
specify public host key files instead. In this case |
239
|
|
|
|
|
|
|
operations on the private key will be delegated to an |
240
|
|
|
|
|
|
|
L<ssh-agent(1)>.', |
241
|
|
|
|
|
|
|
'type' => 'leaf', |
242
|
|
|
|
|
|
|
'value_type' => 'uniline' |
243
|
|
|
|
|
|
|
}, |
244
|
|
|
|
|
|
|
'HostKeyAgent', |
245
|
|
|
|
|
|
|
{ |
246
|
|
|
|
|
|
|
'description' => 'Identifies the UNIX-domain |
247
|
|
|
|
|
|
|
socket used to communicate with an agent that has access to |
248
|
|
|
|
|
|
|
the private host keys. If the string |
249
|
|
|
|
|
|
|
"SSH_AUTH_SOCK" is specified, the location of the |
250
|
|
|
|
|
|
|
socket will be read from the SSH_AUTH_SOCK environment |
251
|
|
|
|
|
|
|
variable.', |
252
|
|
|
|
|
|
|
'type' => 'leaf', |
253
|
|
|
|
|
|
|
'value_type' => 'uniline' |
254
|
|
|
|
|
|
|
}, |
255
|
|
|
|
|
|
|
'HostKeyAlgorithms', |
256
|
|
|
|
|
|
|
{ |
257
|
|
|
|
|
|
|
'description' => 'Specifies the host key |
258
|
|
|
|
|
|
|
signature algorithms that the server offers. The default for |
259
|
|
|
|
|
|
|
this option is: |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
ssh-ed25519-cert-v01@openssh.com, |
262
|
|
|
|
|
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com, |
263
|
|
|
|
|
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com, |
264
|
|
|
|
|
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com, |
265
|
|
|
|
|
|
|
sk-ssh-ed25519-cert-v01@openssh.com, |
266
|
|
|
|
|
|
|
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, |
267
|
|
|
|
|
|
|
rsa-sha2-512-cert-v01@openssh.com, |
268
|
|
|
|
|
|
|
rsa-sha2-256-cert-v01@openssh.com, |
269
|
|
|
|
|
|
|
ssh-ed25519, |
270
|
|
|
|
|
|
|
ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, |
271
|
|
|
|
|
|
|
sk-ssh-ed25519@openssh.com, |
272
|
|
|
|
|
|
|
sk-ecdsa-sha2-nistp256@openssh.com, |
273
|
|
|
|
|
|
|
rsa-sha2-512, rsa-sha2-256 |
274
|
|
|
|
|
|
|
|
275
|
|
|
|
|
|
|
The list of |
276
|
|
|
|
|
|
|
available signature algorithms may also be obtained using |
277
|
|
|
|
|
|
|
"ssh -Q HostKeyAlgorithms".', |
278
|
|
|
|
|
|
|
'type' => 'leaf', |
279
|
|
|
|
|
|
|
'value_type' => 'uniline' |
280
|
|
|
|
|
|
|
}, |
281
|
|
|
|
|
|
|
'IgnoreUserKnownHosts', |
282
|
|
|
|
|
|
|
{ |
283
|
|
|
|
|
|
|
'description' => 'Specifies whether L<sshd(8)> |
284
|
|
|
|
|
|
|
should ignore the user\'s I<~/.ssh/known_hosts> |
285
|
|
|
|
|
|
|
during B<HostbasedAuthentication> and use only the |
286
|
|
|
|
|
|
|
system-wide known hosts file I</etc/ssh/known_hosts>. |
287
|
|
|
|
|
|
|
The default is B<no>.', |
288
|
|
|
|
|
|
|
'type' => 'leaf', |
289
|
|
|
|
|
|
|
'upstream_default' => 'no', |
290
|
|
|
|
|
|
|
'value_type' => 'boolean', |
291
|
|
|
|
|
|
|
'write_as' => [ |
292
|
|
|
|
|
|
|
'no', |
293
|
|
|
|
|
|
|
'yes' |
294
|
|
|
|
|
|
|
] |
295
|
|
|
|
|
|
|
}, |
296
|
|
|
|
|
|
|
'KerberosGetAFSToken', |
297
|
|
|
|
|
|
|
{ |
298
|
|
|
|
|
|
|
'description' => 'If AFS is active and the user |
299
|
|
|
|
|
|
|
has a Kerberos 5 TGT, attempt to acquire an AFS token before |
300
|
|
|
|
|
|
|
accessing the user\'s home directory. The default is |
301
|
|
|
|
|
|
|
B<no>.', |
302
|
|
|
|
|
|
|
'type' => 'leaf', |
303
|
|
|
|
|
|
|
'upstream_default' => 'no', |
304
|
|
|
|
|
|
|
'value_type' => 'boolean', |
305
|
|
|
|
|
|
|
'write_as' => [ |
306
|
|
|
|
|
|
|
'no', |
307
|
|
|
|
|
|
|
'yes' |
308
|
|
|
|
|
|
|
] |
309
|
|
|
|
|
|
|
}, |
310
|
|
|
|
|
|
|
'KerberosOrLocalPasswd', |
311
|
|
|
|
|
|
|
{ |
312
|
|
|
|
|
|
|
'description' => 'If password authentication |
313
|
|
|
|
|
|
|
through Kerberos fails then the password will be validated |
314
|
|
|
|
|
|
|
via any additional local mechanism such as |
315
|
|
|
|
|
|
|
I</etc/passwd>. The default is B<yes>.', |
316
|
|
|
|
|
|
|
'type' => 'leaf', |
317
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
318
|
|
|
|
|
|
|
'value_type' => 'boolean', |
319
|
|
|
|
|
|
|
'write_as' => [ |
320
|
|
|
|
|
|
|
'no', |
321
|
|
|
|
|
|
|
'yes' |
322
|
|
|
|
|
|
|
] |
323
|
|
|
|
|
|
|
}, |
324
|
|
|
|
|
|
|
'KerberosTicketCleanup', |
325
|
|
|
|
|
|
|
{ |
326
|
|
|
|
|
|
|
'description' => 'Specifies whether to |
327
|
|
|
|
|
|
|
automatically destroy the user\'s ticket cache file on |
328
|
|
|
|
|
|
|
logout. The default is B<yes>.', |
329
|
|
|
|
|
|
|
'type' => 'leaf', |
330
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
331
|
|
|
|
|
|
|
'value_type' => 'boolean', |
332
|
|
|
|
|
|
|
'write_as' => [ |
333
|
|
|
|
|
|
|
'no', |
334
|
|
|
|
|
|
|
'yes' |
335
|
|
|
|
|
|
|
] |
336
|
|
|
|
|
|
|
}, |
337
|
|
|
|
|
|
|
'KexAlgorithms', |
338
|
|
|
|
|
|
|
{ |
339
|
|
|
|
|
|
|
'description' => 'Specifies the available KEX |
340
|
|
|
|
|
|
|
(Key Exchange) algorithms. Multiple algorithms must be |
341
|
|
|
|
|
|
|
comma-separated. Alternately if the specified list begins |
342
|
|
|
|
|
|
|
with a \'+\' character, then the specified |
343
|
|
|
|
|
|
|
algorithms will be appended to the default set instead of |
344
|
|
|
|
|
|
|
replacing them. If the specified list begins with a |
345
|
|
|
|
|
|
|
\'-\' character, then the specified algorithms |
346
|
|
|
|
|
|
|
(including wildcards) will be removed from the default set |
347
|
|
|
|
|
|
|
instead of replacing them. If the specified list begins with |
348
|
|
|
|
|
|
|
a \'^\' character, then the specified algorithms |
349
|
|
|
|
|
|
|
will be placed at the head of the default set. The supported |
350
|
|
|
|
|
|
|
algorithms are: |
351
|
|
|
|
|
|
|
|
352
|
|
|
|
|
|
|
curve25519-sha256 |
353
|
|
|
|
|
|
|
curve25519-sha256@libssh.org |
354
|
|
|
|
|
|
|
diffie-hellman-group1-sha1 |
355
|
|
|
|
|
|
|
diffie-hellman-group14-sha1 |
356
|
|
|
|
|
|
|
diffie-hellman-group14-sha256 |
357
|
|
|
|
|
|
|
diffie-hellman-group16-sha512 |
358
|
|
|
|
|
|
|
diffie-hellman-group18-sha512 |
359
|
|
|
|
|
|
|
diffie-hellman-group-exchange-sha1 |
360
|
|
|
|
|
|
|
diffie-hellman-group-exchange-sha256 |
361
|
|
|
|
|
|
|
ecdh-sha2-nistp256 |
362
|
|
|
|
|
|
|
ecdh-sha2-nistp384 |
363
|
|
|
|
|
|
|
ecdh-sha2-nistp521 |
364
|
|
|
|
|
|
|
sntrup761x25519-sha512@openssh.com |
365
|
|
|
|
|
|
|
|
366
|
|
|
|
|
|
|
The default |
367
|
|
|
|
|
|
|
is: |
368
|
|
|
|
|
|
|
|
369
|
|
|
|
|
|
|
sntrup761x25519-sha512@openssh.com, |
370
|
|
|
|
|
|
|
curve25519-sha256, curve25519-sha256@libssh.org, |
371
|
|
|
|
|
|
|
ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, |
372
|
|
|
|
|
|
|
diffie-hellman-group-exchange-sha256, |
373
|
|
|
|
|
|
|
diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, |
374
|
|
|
|
|
|
|
diffie-hellman-group14-sha256 |
375
|
|
|
|
|
|
|
|
376
|
|
|
|
|
|
|
The list of |
377
|
|
|
|
|
|
|
available key exchange algorithms may also be obtained using |
378
|
|
|
|
|
|
|
"ssh -Q KexAlgorithms".', |
379
|
|
|
|
|
|
|
'type' => 'leaf', |
380
|
|
|
|
|
|
|
'value_type' => 'uniline' |
381
|
|
|
|
|
|
|
}, |
382
|
|
|
|
|
|
|
'ListenAddress', |
383
|
|
|
|
|
|
|
{ |
384
|
|
|
|
|
|
|
'description' => 'Specifies the local addresses |
385
|
|
|
|
|
|
|
L<sshd(8)> should listen on. The following forms may be |
386
|
|
|
|
|
|
|
used: |
387
|
|
|
|
|
|
|
|
388
|
|
|
|
|
|
|
B<ListenAddress>I<hostname>|I<address> B< |
389
|
|
|
|
|
|
|
ListenAddress> I<hostname>:I<port> B< |
390
|
|
|
|
|
|
|
ListenAddress> I<IPv4_address>:I<port> B< |
391
|
|
|
|
|
|
|
ListenAddress> [ |
392
|
|
|
|
|
|
|
|
393
|
|
|
|
|
|
|
I<hostname>|I<address> ]:I<port> |
394
|
|
|
|
|
|
|
|
395
|
|
|
|
|
|
|
If I<port> |
396
|
|
|
|
|
|
|
is not specified, sshd will listen on the address and all |
397
|
|
|
|
|
|
|
B<Port> options specified. The default is to listen on |
398
|
|
|
|
|
|
|
all local addresses. Multiple B<ListenAddress> options |
399
|
|
|
|
|
|
|
are permitted.', |
400
|
|
|
|
|
|
|
'type' => 'leaf', |
401
|
|
|
|
|
|
|
'value_type' => 'uniline' |
402
|
|
|
|
|
|
|
}, |
403
|
|
|
|
|
|
|
'LoginGraceTime', |
404
|
|
|
|
|
|
|
{ |
405
|
|
|
|
|
|
|
'description' => 'The server disconnects after |
406
|
|
|
|
|
|
|
this time if the user has not successfully logged in. If the |
407
|
|
|
|
|
|
|
value is 0, there is no time limit. The default is 120 |
408
|
|
|
|
|
|
|
seconds.', |
409
|
|
|
|
|
|
|
'type' => 'leaf', |
410
|
|
|
|
|
|
|
'value_type' => 'uniline' |
411
|
|
|
|
|
|
|
}, |
412
|
|
|
|
|
|
|
'LogVerbose', |
413
|
|
|
|
|
|
|
{ |
414
|
|
|
|
|
|
|
'description' => 'Specify one or more overrides |
415
|
|
|
|
|
|
|
to LogLevel. An override consists of a pattern lists that |
416
|
|
|
|
|
|
|
matches the source file, function and line number to force |
417
|
|
|
|
|
|
|
detailed logging for. For example, an override pattern |
418
|
|
|
|
|
|
|
of: |
419
|
|
|
|
|
|
|
|
420
|
|
|
|
|
|
|
kex.c:*:1000,*:kex_exchange_identification():*, packet.c:* |
421
|
|
|
|
|
|
|
|
422
|
|
|
|
|
|
|
would enable |
423
|
|
|
|
|
|
|
detailed logging for line 1000 of I<kex.c>, everything |
424
|
|
|
|
|
|
|
in the B<kex_exchange_identification>() function, and |
425
|
|
|
|
|
|
|
all code in the I<packet.c> file. This option is |
426
|
|
|
|
|
|
|
intended for debugging and no overrides are enabled by |
427
|
|
|
|
|
|
|
default.', |
428
|
|
|
|
|
|
|
'type' => 'leaf', |
429
|
|
|
|
|
|
|
'value_type' => 'uniline' |
430
|
|
|
|
|
|
|
}, |
431
|
|
|
|
|
|
|
'MACs', |
432
|
|
|
|
|
|
|
{ |
433
|
|
|
|
|
|
|
'description' => 'Specifies the |
434
|
|
|
|
|
|
|
available MAC (message authentication code) algorithms. The |
435
|
|
|
|
|
|
|
MAC algorithm is used for data integrity protection. |
436
|
|
|
|
|
|
|
Multiple algorithms must be comma-separated. If the |
437
|
|
|
|
|
|
|
specified list begins with a \'+\' character, then |
438
|
|
|
|
|
|
|
the specified algorithms will be appended to the default set |
439
|
|
|
|
|
|
|
instead of replacing them. If the specified list begins with |
440
|
|
|
|
|
|
|
a \'-\' character, then the specified algorithms |
441
|
|
|
|
|
|
|
(including wildcards) will be removed from the default set |
442
|
|
|
|
|
|
|
instead of replacing them. If the specified list begins with |
443
|
|
|
|
|
|
|
a \'^\' character, then the specified algorithms |
444
|
|
|
|
|
|
|
will be placed at the head of the default set. |
445
|
|
|
|
|
|
|
|
446
|
|
|
|
|
|
|
The algorithms |
447
|
|
|
|
|
|
|
that contain "-etm" calculate the MAC after |
448
|
|
|
|
|
|
|
encryption (encrypt-then-mac). These are considered safer |
449
|
|
|
|
|
|
|
and their use recommended. The supported MACs are: |
450
|
|
|
|
|
|
|
|
451
|
|
|
|
|
|
|
hmac-md5 |
452
|
|
|
|
|
|
|
hmac-md5-96 |
453
|
|
|
|
|
|
|
hmac-sha1 |
454
|
|
|
|
|
|
|
hmac-sha1-96 |
455
|
|
|
|
|
|
|
hmac-sha2-256 |
456
|
|
|
|
|
|
|
hmac-sha2-512 |
457
|
|
|
|
|
|
|
umac-64@openssh.com |
458
|
|
|
|
|
|
|
umac-128@openssh.com |
459
|
|
|
|
|
|
|
hmac-md5-etm@openssh.com |
460
|
|
|
|
|
|
|
hmac-md5-96-etm@openssh.com |
461
|
|
|
|
|
|
|
hmac-sha1-etm@openssh.com |
462
|
|
|
|
|
|
|
hmac-sha1-96-etm@openssh.com |
463
|
|
|
|
|
|
|
hmac-sha2-256-etm@openssh.com |
464
|
|
|
|
|
|
|
hmac-sha2-512-etm@openssh.com |
465
|
|
|
|
|
|
|
umac-64-etm@openssh.com |
466
|
|
|
|
|
|
|
umac-128-etm@openssh.com |
467
|
|
|
|
|
|
|
|
468
|
|
|
|
|
|
|
The default |
469
|
|
|
|
|
|
|
is: |
470
|
|
|
|
|
|
|
|
471
|
|
|
|
|
|
|
umac-64-etm@openssh.com, umac-128-etm@openssh.com, |
472
|
|
|
|
|
|
|
hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, |
473
|
|
|
|
|
|
|
hmac-sha1-etm@openssh.com, |
474
|
|
|
|
|
|
|
umac-64@openssh.com, umac-128@openssh.com, |
475
|
|
|
|
|
|
|
hmac-sha2-256, hmac-sha2-512, hmac-sha1 |
476
|
|
|
|
|
|
|
|
477
|
|
|
|
|
|
|
The list of |
478
|
|
|
|
|
|
|
available MAC algorithms may also be obtained using |
479
|
|
|
|
|
|
|
"ssh -Q mac".', |
480
|
|
|
|
|
|
|
'type' => 'leaf', |
481
|
|
|
|
|
|
|
'value_type' => 'uniline' |
482
|
|
|
|
|
|
|
}, |
483
|
|
|
|
|
|
|
'Match', |
484
|
|
|
|
|
|
|
{ |
485
|
|
|
|
|
|
|
'cargo' => { |
486
|
|
|
|
|
|
|
'config_class_name' => 'Sshd::MatchBlock', |
487
|
|
|
|
|
|
|
'type' => 'node' |
488
|
|
|
|
|
|
|
}, |
489
|
|
|
|
|
|
|
'description' => 'Introduces a |
490
|
|
|
|
|
|
|
conditional block. If all of the criteria on the |
491
|
|
|
|
|
|
|
B<Match> line are satisfied, the keywords on the |
492
|
|
|
|
|
|
|
following lines override those set in the global section of |
493
|
|
|
|
|
|
|
the config file, until either another B<Match> line or |
494
|
|
|
|
|
|
|
the end of the file. If a keyword appears in multiple |
495
|
|
|
|
|
|
|
B<Match> blocks that are satisfied, only the first |
496
|
|
|
|
|
|
|
instance of the keyword is applied. |
497
|
|
|
|
|
|
|
|
498
|
|
|
|
|
|
|
The arguments |
499
|
|
|
|
|
|
|
to B<Match> are one or more criteria-pattern pairs or |
500
|
|
|
|
|
|
|
the single token B<All> which matches all criteria. The |
501
|
|
|
|
|
|
|
available criteria are B<User>, B<Group>, |
502
|
|
|
|
|
|
|
B<Host>, B<LocalAddress>, B<LocalPort>, and |
503
|
|
|
|
|
|
|
B<Address>. |
504
|
|
|
|
|
|
|
|
505
|
|
|
|
|
|
|
The match |
506
|
|
|
|
|
|
|
patterns may consist of single entries or comma-separated |
507
|
|
|
|
|
|
|
lists and may use the wildcard and negation operators |
508
|
|
|
|
|
|
|
described in the I<PATTERNS> section of |
509
|
|
|
|
|
|
|
L<ssh_config(5)>. |
510
|
|
|
|
|
|
|
|
511
|
|
|
|
|
|
|
The patterns in |
512
|
|
|
|
|
|
|
an B<Address> criteria may additionally contain |
513
|
|
|
|
|
|
|
addresses to match in CIDR address/masklen format, such as |
514
|
|
|
|
|
|
|
192.0.2.0/24 or 2001:db8::/32. Note that the mask length |
515
|
|
|
|
|
|
|
provided must be consistent with the address - it is an |
516
|
|
|
|
|
|
|
error to specify a mask length that is too long for the |
517
|
|
|
|
|
|
|
address or one with bits set in this host portion of the |
518
|
|
|
|
|
|
|
address. For example, 192.0.2.0/33 and 192.0.2.0/8, |
519
|
|
|
|
|
|
|
respectively. |
520
|
|
|
|
|
|
|
|
521
|
|
|
|
|
|
|
Only a subset |
522
|
|
|
|
|
|
|
of keywords may be used on the lines following a |
523
|
|
|
|
|
|
|
B<Match> keyword. Available keywords are |
524
|
|
|
|
|
|
|
B<AcceptEnv>, B<AllowAgentForwarding>, |
525
|
|
|
|
|
|
|
B<AllowGroups>, B<AllowStreamLocalForwarding>, |
526
|
|
|
|
|
|
|
B<AllowTcpForwarding>, B<AllowUsers>, |
527
|
|
|
|
|
|
|
B<AuthenticationMethods>, B<AuthorizedKeysCommand>, |
528
|
|
|
|
|
|
|
B<AuthorizedKeysCommandUser>, B<AuthorizedKeysFile>, |
529
|
|
|
|
|
|
|
B<AuthorizedPrincipalsCommand>, |
530
|
|
|
|
|
|
|
B<AuthorizedPrincipalsCommandUser>, |
531
|
|
|
|
|
|
|
B<AuthorizedPrincipalsFile>, B<Banner>, |
532
|
|
|
|
|
|
|
B<CASignatureAlgorithms>, B<ChrootDirectory>, |
533
|
|
|
|
|
|
|
B<ClientAliveCountMax>, B<ClientAliveInterval>, |
534
|
|
|
|
|
|
|
B<DenyGroups>, B<DenyUsers>, |
535
|
|
|
|
|
|
|
B<DisableForwarding>, B<ExposeAuthInfo>, |
536
|
|
|
|
|
|
|
B<ForceCommand>, B<GatewayPorts>, |
537
|
|
|
|
|
|
|
B<GSSAPIAuthentication>, |
538
|
|
|
|
|
|
|
B<HostbasedAcceptedAlgorithms>, |
539
|
|
|
|
|
|
|
B<HostbasedAuthentication>, |
540
|
|
|
|
|
|
|
B<HostbasedUsesNameFromPacketOnly>, B<IgnoreRhosts>, |
541
|
|
|
|
|
|
|
B<Include>, B<IPQoS>, |
542
|
|
|
|
|
|
|
B<KbdInteractiveAuthentication>, |
543
|
|
|
|
|
|
|
B<KerberosAuthentication>, B<LogLevel>, |
544
|
|
|
|
|
|
|
B<MaxAuthTries>, B<MaxSessions>, |
545
|
|
|
|
|
|
|
B<PasswordAuthentication>, B<PermitEmptyPasswords>, |
546
|
|
|
|
|
|
|
B<PermitListen>, B<PermitOpen>, |
547
|
|
|
|
|
|
|
B<PermitRootLogin>, B<PermitTTY>, |
548
|
|
|
|
|
|
|
B<PermitTunnel>, B<PermitUserRC>, |
549
|
|
|
|
|
|
|
B<PubkeyAcceptedAlgorithms>, |
550
|
|
|
|
|
|
|
B<PubkeyAuthentication>, B<PubkeyAuthOptions>, |
551
|
|
|
|
|
|
|
B<RekeyLimit>, B<RevokedKeys>, B<SetEnv>, |
552
|
|
|
|
|
|
|
B<StreamLocalBindMask>, B<StreamLocalBindUnlink>, |
553
|
|
|
|
|
|
|
B<TrustedUserCAKeys>, B<X11DisplayOffset>, |
554
|
|
|
|
|
|
|
B<X11Forwarding> and B<X11UseLocalhost>.', |
555
|
|
|
|
|
|
|
'type' => 'list' |
556
|
|
|
|
|
|
|
}, |
557
|
|
|
|
|
|
|
'MaxStartups', |
558
|
|
|
|
|
|
|
{ |
559
|
|
|
|
|
|
|
'description' => 'Specifies the maximum number of |
560
|
|
|
|
|
|
|
concurrent unauthenticated connections to the SSH daemon. |
561
|
|
|
|
|
|
|
Additional connections will be dropped until authentication |
562
|
|
|
|
|
|
|
succeeds or the B<LoginGraceTime> expires for a |
563
|
|
|
|
|
|
|
connection. The default is 10:30:100. |
564
|
|
|
|
|
|
|
|
565
|
|
|
|
|
|
|
Alternatively, |
566
|
|
|
|
|
|
|
random early drop can be enabled by specifying the three |
567
|
|
|
|
|
|
|
colon separated values start:rate:full (e.g. |
568
|
|
|
|
|
|
|
"10:30:60"). L<sshd(8)> will refuse connection |
569
|
|
|
|
|
|
|
attempts with a probability of rate/100 (30%) if there are |
570
|
|
|
|
|
|
|
currently start (10) unauthenticated connections. The |
571
|
|
|
|
|
|
|
probability increases linearly and all connection attempts |
572
|
|
|
|
|
|
|
are refused if the number of unauthenticated connections |
573
|
|
|
|
|
|
|
reaches full (60).', |
574
|
|
|
|
|
|
|
'type' => 'leaf', |
575
|
|
|
|
|
|
|
'upstream_default' => '10', |
576
|
|
|
|
|
|
|
'value_type' => 'uniline' |
577
|
|
|
|
|
|
|
}, |
578
|
|
|
|
|
|
|
'ModuliFile', |
579
|
|
|
|
|
|
|
{ |
580
|
|
|
|
|
|
|
'description' => "Specifies the L<moduli(5)> file |
581
|
|
|
|
|
|
|
that contains the Diffie-Hellman groups used for the |
582
|
|
|
|
|
|
|
\x{201c}diffie-hellman-group-exchange-sha1\x{201d} and |
583
|
|
|
|
|
|
|
\x{201c}diffie-hellman-group-exchange-sha256\x{201d} key |
584
|
|
|
|
|
|
|
exchange methods. The default is I</etc/ssh/moduli>.", |
585
|
|
|
|
|
|
|
'type' => 'leaf', |
586
|
|
|
|
|
|
|
'upstream_default' => '/etc/ssh/moduli', |
587
|
|
|
|
|
|
|
'value_type' => 'uniline' |
588
|
|
|
|
|
|
|
}, |
589
|
|
|
|
|
|
|
'PermitUserEnvironment', |
590
|
|
|
|
|
|
|
{ |
591
|
|
|
|
|
|
|
'description' => 'Specifies whether |
592
|
|
|
|
|
|
|
I<~/.ssh/environment> and B<environment=> options in |
593
|
|
|
|
|
|
|
I<~/.ssh/authorized_keys> are processed by L<sshd(8)>. |
594
|
|
|
|
|
|
|
Valid options are B<yes>, B<no> or a pattern-list |
595
|
|
|
|
|
|
|
specifying which environment variable names to accept (for |
596
|
|
|
|
|
|
|
example "LANG, LC_*"). The default is B<no>. |
597
|
|
|
|
|
|
|
Enabling environment processing may enable users to bypass |
598
|
|
|
|
|
|
|
access restrictions in some configurations using mechanisms |
599
|
|
|
|
|
|
|
such as LD_PRELOAD.', |
600
|
|
|
|
|
|
|
'type' => 'leaf', |
601
|
|
|
|
|
|
|
'upstream_default' => 'no', |
602
|
|
|
|
|
|
|
'value_type' => 'boolean', |
603
|
|
|
|
|
|
|
'write_as' => [ |
604
|
|
|
|
|
|
|
'no', |
605
|
|
|
|
|
|
|
'yes' |
606
|
|
|
|
|
|
|
] |
607
|
|
|
|
|
|
|
}, |
608
|
|
|
|
|
|
|
'PerSourceMaxStartups', |
609
|
|
|
|
|
|
|
{ |
610
|
|
|
|
|
|
|
'description' => 'Specifies the number of |
611
|
|
|
|
|
|
|
unauthenticated connections allowed from a given source |
612
|
|
|
|
|
|
|
address, or B<none> if there is no limit. This |
613
|
|
|
|
|
|
|
limit is applied in addition to B<MaxStartups>, |
614
|
|
|
|
|
|
|
whichever is lower. The default is B<none>.', |
615
|
|
|
|
|
|
|
'type' => 'leaf', |
616
|
|
|
|
|
|
|
'upstream_default' => 'none', |
617
|
|
|
|
|
|
|
'value_type' => 'uniline' |
618
|
|
|
|
|
|
|
}, |
619
|
|
|
|
|
|
|
'PerSourceNetBlockSize', |
620
|
|
|
|
|
|
|
{ |
621
|
|
|
|
|
|
|
'description' => 'Specifies the number of bits of |
622
|
|
|
|
|
|
|
source address that are grouped together for the purposes of |
623
|
|
|
|
|
|
|
applying PerSourceMaxStartups limits. Values for IPv4 and |
624
|
|
|
|
|
|
|
optionally IPv6 may be specified, separated by a colon. The |
625
|
|
|
|
|
|
|
default is B<32:128>, which means each address is |
626
|
|
|
|
|
|
|
considered individually.', |
627
|
|
|
|
|
|
|
'type' => 'leaf', |
628
|
|
|
|
|
|
|
'upstream_default' => '32:128', |
629
|
|
|
|
|
|
|
'value_type' => 'uniline' |
630
|
|
|
|
|
|
|
}, |
631
|
|
|
|
|
|
|
'PidFile', |
632
|
|
|
|
|
|
|
{ |
633
|
|
|
|
|
|
|
'description' => 'Specifies the file that |
634
|
|
|
|
|
|
|
contains the process ID of the SSH daemon, or B<none> to |
635
|
|
|
|
|
|
|
not write one. The default is I</run/sshd.pid>.', |
636
|
|
|
|
|
|
|
'type' => 'leaf', |
637
|
|
|
|
|
|
|
'value_type' => 'uniline' |
638
|
|
|
|
|
|
|
}, |
639
|
|
|
|
|
|
|
'Port', |
640
|
|
|
|
|
|
|
{ |
641
|
|
|
|
|
|
|
'description' => 'Specifies the |
642
|
|
|
|
|
|
|
port number that L<sshd(8)> listens on. The default is 22. |
643
|
|
|
|
|
|
|
Multiple options of this type are permitted. See also |
644
|
|
|
|
|
|
|
B<ListenAddress>.', |
645
|
|
|
|
|
|
|
'type' => 'leaf', |
646
|
|
|
|
|
|
|
'value_type' => 'uniline' |
647
|
|
|
|
|
|
|
}, |
648
|
|
|
|
|
|
|
'PrintLastLog', |
649
|
|
|
|
|
|
|
{ |
650
|
|
|
|
|
|
|
'description' => 'Specifies whether L<sshd(8)> |
651
|
|
|
|
|
|
|
should print the date and time of the last user login when a |
652
|
|
|
|
|
|
|
user logs in interactively. The default is B<yes>.', |
653
|
|
|
|
|
|
|
'type' => 'leaf', |
654
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
655
|
|
|
|
|
|
|
'value_type' => 'boolean', |
656
|
|
|
|
|
|
|
'write_as' => [ |
657
|
|
|
|
|
|
|
'no', |
658
|
|
|
|
|
|
|
'yes' |
659
|
|
|
|
|
|
|
] |
660
|
|
|
|
|
|
|
}, |
661
|
|
|
|
|
|
|
'PrintMotd', |
662
|
|
|
|
|
|
|
{ |
663
|
|
|
|
|
|
|
'description' => 'Specifies whether L<sshd(8)> |
664
|
|
|
|
|
|
|
should print I</etc/motd> when a user logs in |
665
|
|
|
|
|
|
|
interactively. (On some systems it is also printed by the |
666
|
|
|
|
|
|
|
shell, I</etc/profile>, or equivalent.) The default is |
667
|
|
|
|
|
|
|
B<yes>.', |
668
|
|
|
|
|
|
|
'type' => 'leaf', |
669
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
670
|
|
|
|
|
|
|
'value_type' => 'boolean', |
671
|
|
|
|
|
|
|
'write_as' => [ |
672
|
|
|
|
|
|
|
'no', |
673
|
|
|
|
|
|
|
'yes' |
674
|
|
|
|
|
|
|
] |
675
|
|
|
|
|
|
|
}, |
676
|
|
|
|
|
|
|
'SecurityKeyProvider', |
677
|
|
|
|
|
|
|
{ |
678
|
|
|
|
|
|
|
'description' => 'Specifies a path to a library |
679
|
|
|
|
|
|
|
that will be used when loading FIDO authenticator-hosted |
680
|
|
|
|
|
|
|
keys, overriding the default of using the built-in USB HID |
681
|
|
|
|
|
|
|
support.', |
682
|
|
|
|
|
|
|
'type' => 'leaf', |
683
|
|
|
|
|
|
|
'value_type' => 'uniline' |
684
|
|
|
|
|
|
|
}, |
685
|
|
|
|
|
|
|
'StrictModes', |
686
|
|
|
|
|
|
|
{ |
687
|
|
|
|
|
|
|
'description' => 'Specifies whether L<sshd(8)> |
688
|
|
|
|
|
|
|
should check file modes and ownership of the user\'s |
689
|
|
|
|
|
|
|
files and home directory before accepting login. This is |
690
|
|
|
|
|
|
|
normally desirable because novices sometimes accidentally |
691
|
|
|
|
|
|
|
leave their directory or files world-writable. The default |
692
|
|
|
|
|
|
|
is B<yes>. Note that this does not apply to |
693
|
|
|
|
|
|
|
B<ChrootDirectory>, whose permissions and ownership are |
694
|
|
|
|
|
|
|
checked unconditionally.', |
695
|
|
|
|
|
|
|
'type' => 'leaf', |
696
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
697
|
|
|
|
|
|
|
'value_type' => 'boolean', |
698
|
|
|
|
|
|
|
'write_as' => [ |
699
|
|
|
|
|
|
|
'no', |
700
|
|
|
|
|
|
|
'yes' |
701
|
|
|
|
|
|
|
] |
702
|
|
|
|
|
|
|
}, |
703
|
|
|
|
|
|
|
'Subsystem', |
704
|
|
|
|
|
|
|
{ |
705
|
|
|
|
|
|
|
'cargo' => { |
706
|
|
|
|
|
|
|
'mandatory' => '1', |
707
|
|
|
|
|
|
|
'type' => 'leaf', |
708
|
|
|
|
|
|
|
'value_type' => 'uniline' |
709
|
|
|
|
|
|
|
}, |
710
|
|
|
|
|
|
|
'description' => 'Configures an external |
711
|
|
|
|
|
|
|
subsystem (e.g. file transfer daemon). Arguments should be a |
712
|
|
|
|
|
|
|
subsystem name and a command (with optional arguments) to |
713
|
|
|
|
|
|
|
execute upon subsystem request. |
714
|
|
|
|
|
|
|
|
715
|
|
|
|
|
|
|
The command |
716
|
|
|
|
|
|
|
B<sftp-server> implements the SFTP file transfer |
717
|
|
|
|
|
|
|
subsystem. |
718
|
|
|
|
|
|
|
|
719
|
|
|
|
|
|
|
Alternately the |
720
|
|
|
|
|
|
|
name B<internal-sftp> implements an in-process SFTP |
721
|
|
|
|
|
|
|
server. This may simplify configurations using |
722
|
|
|
|
|
|
|
B<ChrootDirectory> to force a different filesystem root |
723
|
|
|
|
|
|
|
on clients. |
724
|
|
|
|
|
|
|
|
725
|
|
|
|
|
|
|
By default no |
726
|
|
|
|
|
|
|
subsystems are defined.', |
727
|
|
|
|
|
|
|
'index_type' => 'string', |
728
|
|
|
|
|
|
|
'type' => 'hash' |
729
|
|
|
|
|
|
|
}, |
730
|
|
|
|
|
|
|
'SyslogFacility', |
731
|
|
|
|
|
|
|
{ |
732
|
|
|
|
|
|
|
'choice' => [ |
733
|
|
|
|
|
|
|
'DAEMON', |
734
|
|
|
|
|
|
|
'USER', |
735
|
|
|
|
|
|
|
'AUTH', |
736
|
|
|
|
|
|
|
'LOCAL0', |
737
|
|
|
|
|
|
|
'LOCAL1', |
738
|
|
|
|
|
|
|
'LOCAL2', |
739
|
|
|
|
|
|
|
'LOCAL3', |
740
|
|
|
|
|
|
|
'LOCAL4', |
741
|
|
|
|
|
|
|
'LOCAL5', |
742
|
|
|
|
|
|
|
'LOCAL6', |
743
|
|
|
|
|
|
|
'LOCAL7' |
744
|
|
|
|
|
|
|
], |
745
|
|
|
|
|
|
|
'description' => 'Gives the facility code that is |
746
|
|
|
|
|
|
|
used when logging messages from L<sshd(8)>. The possible values |
747
|
|
|
|
|
|
|
are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, |
748
|
|
|
|
|
|
|
LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.', |
749
|
|
|
|
|
|
|
'type' => 'leaf', |
750
|
|
|
|
|
|
|
'upstream_default' => 'AUTH', |
751
|
|
|
|
|
|
|
'value_type' => 'enum' |
752
|
|
|
|
|
|
|
}, |
753
|
|
|
|
|
|
|
'TCPKeepAlive', |
754
|
|
|
|
|
|
|
{ |
755
|
|
|
|
|
|
|
'description' => 'Specifies whether the system |
756
|
|
|
|
|
|
|
should send TCP keepalive messages to the other side. If |
757
|
|
|
|
|
|
|
they are sent, death of the connection or crash of one of |
758
|
|
|
|
|
|
|
the machines will be properly noticed. However, this means |
759
|
|
|
|
|
|
|
that connections will die if the route is down temporarily, |
760
|
|
|
|
|
|
|
and some people find it annoying. On the other hand, if TCP |
761
|
|
|
|
|
|
|
keepalives are not sent, sessions may hang indefinitely on |
762
|
|
|
|
|
|
|
the server, leaving "ghost" users and consuming |
763
|
|
|
|
|
|
|
server resources. |
764
|
|
|
|
|
|
|
|
765
|
|
|
|
|
|
|
The default is |
766
|
|
|
|
|
|
|
B<yes> (to send TCP keepalive messages), and the server |
767
|
|
|
|
|
|
|
will notice if the network goes down or the client host |
768
|
|
|
|
|
|
|
crashes. This avoids infinitely hanging sessions. |
769
|
|
|
|
|
|
|
|
770
|
|
|
|
|
|
|
To disable TCP |
771
|
|
|
|
|
|
|
keepalive messages, the value should be set to |
772
|
|
|
|
|
|
|
B<no>. |
773
|
|
|
|
|
|
|
|
774
|
|
|
|
|
|
|
This option was |
775
|
|
|
|
|
|
|
formerly called B<KeepAlive>.', |
776
|
|
|
|
|
|
|
'type' => 'leaf', |
777
|
|
|
|
|
|
|
'upstream_default' => 'yes', |
778
|
|
|
|
|
|
|
'value_type' => 'boolean', |
779
|
|
|
|
|
|
|
'write_as' => [ |
780
|
|
|
|
|
|
|
'no', |
781
|
|
|
|
|
|
|
'yes' |
782
|
|
|
|
|
|
|
] |
783
|
|
|
|
|
|
|
}, |
784
|
|
|
|
|
|
|
'UseDNS', |
785
|
|
|
|
|
|
|
{ |
786
|
|
|
|
|
|
|
'description' => 'Specifies |
787
|
|
|
|
|
|
|
whether L<sshd(8)> should look up the remote host name, and to |
788
|
|
|
|
|
|
|
check that the resolved host name for the remote IP address |
789
|
|
|
|
|
|
|
maps back to the very same IP address. |
790
|
|
|
|
|
|
|
|
791
|
|
|
|
|
|
|
If this option |
792
|
|
|
|
|
|
|
is set to B<no> (the default) then only addresses and |
793
|
|
|
|
|
|
|
not host names may be used in I<~/.ssh/authorized_keys>B<from> and B<sshd_config Match Host> |
794
|
|
|
|
|
|
|
directives.', |
795
|
|
|
|
|
|
|
'type' => 'leaf', |
796
|
|
|
|
|
|
|
'upstream_default' => 'no', |
797
|
|
|
|
|
|
|
'value_type' => 'boolean', |
798
|
|
|
|
|
|
|
'write_as' => [ |
799
|
|
|
|
|
|
|
'no', |
800
|
|
|
|
|
|
|
'yes' |
801
|
|
|
|
|
|
|
] |
802
|
|
|
|
|
|
|
}, |
803
|
|
|
|
|
|
|
'UsePAM', |
804
|
|
|
|
|
|
|
{ |
805
|
|
|
|
|
|
|
'description' => 'Enables the |
806
|
|
|
|
|
|
|
Pluggable Authentication Module interface. If set to |
807
|
|
|
|
|
|
|
B<yes> this will enable PAM authentication using |
808
|
|
|
|
|
|
|
B<KbdInteractiveAuthentication> and |
809
|
|
|
|
|
|
|
B<PasswordAuthentication> in addition to PAM account and |
810
|
|
|
|
|
|
|
session module processing for all authentication types. |
811
|
|
|
|
|
|
|
|
812
|
|
|
|
|
|
|
Because PAM |
813
|
|
|
|
|
|
|
keyboard-interactive authentication usually serves an |
814
|
|
|
|
|
|
|
equivalent role to password authentication, you should |
815
|
|
|
|
|
|
|
disable either B<PasswordAuthentication> or |
816
|
|
|
|
|
|
|
B<KbdInteractiveAuthentication>. |
817
|
|
|
|
|
|
|
|
818
|
|
|
|
|
|
|
If |
819
|
|
|
|
|
|
|
B<UsePAM> is enabled, you will not be able to run |
820
|
|
|
|
|
|
|
L<sshd(8)> as a non-root user. The default is B<no>.', |
821
|
|
|
|
|
|
|
'type' => 'leaf', |
822
|
|
|
|
|
|
|
'upstream_default' => 'no', |
823
|
|
|
|
|
|
|
'value_type' => 'boolean', |
824
|
|
|
|
|
|
|
'write_as' => [ |
825
|
|
|
|
|
|
|
'no', |
826
|
|
|
|
|
|
|
'yes' |
827
|
|
|
|
|
|
|
] |
828
|
|
|
|
|
|
|
}, |
829
|
|
|
|
|
|
|
'VersionAddendum', |
830
|
|
|
|
|
|
|
{ |
831
|
|
|
|
|
|
|
'description' => 'Optionally specifies additional |
832
|
|
|
|
|
|
|
text to append to the SSH protocol banner sent by the server |
833
|
|
|
|
|
|
|
upon connection. The default is B<none>.', |
834
|
|
|
|
|
|
|
'type' => 'leaf', |
835
|
|
|
|
|
|
|
'value_type' => 'uniline' |
836
|
|
|
|
|
|
|
}, |
837
|
|
|
|
|
|
|
'XAuthLocation', |
838
|
|
|
|
|
|
|
{ |
839
|
|
|
|
|
|
|
'description' => 'Specifies the full pathname of |
840
|
|
|
|
|
|
|
the L<xauth(1)> program, or B<none> to not use one. The |
841
|
|
|
|
|
|
|
default is I</usr/bin/xauth>.', |
842
|
|
|
|
|
|
|
'type' => 'leaf', |
843
|
|
|
|
|
|
|
'upstream_default' => '/usr/bin/xauth', |
844
|
|
|
|
|
|
|
'value_type' => 'uniline' |
845
|
|
|
|
|
|
|
} |
846
|
|
|
|
|
|
|
], |
847
|
|
|
|
|
|
|
'generated_by' => 'parse-man.pl from sshd_system 9.0p1 doc', |
848
|
|
|
|
|
|
|
'include' => [ |
849
|
|
|
|
|
|
|
'Sshd::MatchElement' |
850
|
|
|
|
|
|
|
], |
851
|
|
|
|
|
|
|
'license' => 'LGPL2', |
852
|
|
|
|
|
|
|
'name' => 'Sshd', |
853
|
|
|
|
|
|
|
'rw_config' => { |
854
|
|
|
|
|
|
|
'backend' => 'OpenSsh::Sshd', |
855
|
|
|
|
|
|
|
'config_dir' => '/etc/ssh', |
856
|
|
|
|
|
|
|
'file' => 'sshd_config', |
857
|
|
|
|
|
|
|
'os_config_dir' => { |
858
|
|
|
|
|
|
|
'darwin' => '/etc' |
859
|
|
|
|
|
|
|
} |
860
|
|
|
|
|
|
|
} |
861
|
|
|
|
|
|
|
} |
862
|
|
|
|
|
|
|
] |
863
|
|
|
|
|
|
|
; |
864
|
|
|
|
|
|
|
|