File Coverage

blib/lib/Config/Model/models/Ssh/HostElement.pl

Criterion	Covered	Total	%
statement	12	12	100.0
branch			n/a
condition			n/a
subroutine	4	4	100.0
pod			n/a
total	16	16	100.0

line	stmt	sub	time	code
1				#
2				# This file is part of Config-Model-OpenSsh
3				#
4				# This software is Copyright (c) 2008-2022 by Dominique Dumont.
5				#
6				# This is free software, licensed under:
7				#
8				# The GNU Lesser General Public License, Version 2.1, February 1999
9				#
10	2	2	8080	use strict;
	2	1	6
	2		62
	1		3379
	1		2
	1		22
11	2	2	11	use warnings;
	2	1	5
	2		4141
	1		6
	1		2
	1		2048
12
13				return [
14				{
15				'accept' => [
16				'.*',
17				{
18				'summary' => 'boilerplate parameter that may hide a typo',
19				'type' => 'leaf',
20				'value_type' => 'uniline',
21				'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author'
22				}
23				],
24				'class_description' => 'This configuration class was generated from ssh_system documentation.
25				by L<parse-man.pl\|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl>
26				',
27				'element' => [
28				'AddKeysToAgent',
29				{
30				'choice' => [
31				'ask',
32				'confirm',
33				'no',
34				'yes'
35				],
36				'description' => 'Specifies whether keys should be automatically added to a running ssh-agent1.
37				If this option is set to B<yes> and a key is loaded from a file, the key and
38				its passphrase are added to the agent with the default lifetime, as if by
39				ssh-add1. If this option is set to B<ask> L<ssh(1)> will require confirmation
40				using the B<SSH_ASKPASS> program before adding a key (see ssh-add1 for
41				details). If this option is set to B<confirm> each use of the key must be
42				confirmed, as if the -B<c> option was specified to ssh-add1. If this option is
43				set to B<no> no keys are added to the agent. Alternately, this option may be
44				specified as a time interval using the format described in the I<TIME FORMATS>
45				section of sshd_config5 to specify the key\'s lifetime in ssh-agent1, after
46				which it will automatically be removed. The argument must be B<no> (the
47				default), B<yes> B<confirm> (optionally followed by a time interval), B<ask> or
48				a time interval.',
49				'type' => 'leaf',
50				'upstream_default' => 'no',
51				'value_type' => 'enum'
52				},
53				'AddressFamily',
54				{
55				'choice' => [
56				'any',
57				'inet',
58				'inet6'
59				],
60				'description' => 'Specifies which address family to use when connecting. Valid arguments are
61				B<any> (the default), B<inet> (use IPv4 only), or B<inet6> (use IPv6 only).',
62				'type' => 'leaf',
63				'upstream_default' => 'any',
64				'value_type' => 'enum'
65				},
66				'BatchMode',
67				{
68				'description' => 'If set to B<yes> user interaction such as password prompts and host key
69				confirmation requests will be disabled. In addition, the B<ServerAliveInterval>
70				option will be set to 300 seconds by default (Debian-specific). This option is
71				useful in scripts and other batch jobs where no user is present to interact
72				with L<ssh(1)>, and where it is desirable to detect a broken network swiftly.
73				The argument must be B<yes> or B<no> (the default).',
74				'type' => 'leaf',
75				'upstream_default' => 'no',
76				'value_type' => 'boolean',
77				'write_as' => [
78				'no',
79				'yes'
80				]
81				},
82				'BindAddress',
83				{
84				'description' => 'Use the specified address on the local machine as the source address of the
85				connection. Only useful on systems with more than one address.',
86				'type' => 'leaf',
87				'value_type' => 'uniline'
88				},
89				'BindInterface',
90				{
91				'description' => 'Use the address of the specified interface on the local machine as the source
92				address of the connection.',
93				'type' => 'leaf',
94				'value_type' => 'uniline'
95				},
96				'CanonicalDomains',
97				{
98				'description' => 'When B<CanonicalizeHostname> is enabled, this option specifies the list of
99				domain suffixes in which to search for the specified destination host.',
100				'type' => 'leaf',
101				'value_type' => 'uniline'
102				},
103				'CanonicalizeFallbackLocal',
104				{
105				'description' => 'Specifies whether to fail with an error when hostname canonicalization fails.
106				The default, B<yes> will attempt to look up the unqualified hostname using the
107				system resolver\'s search rules. A value of B<no> will cause L<ssh(1)> to fail
108				instantly if B<CanonicalizeHostname> is enabled and the target hostname cannot
109				be found in any of the domains specified by B<CanonicalDomains>',
110				'type' => 'leaf',
111				'upstream_default' => 'yes',
112				'value_type' => 'boolean',
113				'write_as' => [
114				'no',
115				'yes'
116				]
117				},
118				'CanonicalizeHostname',
119				{
120				'choice' => [
121				'always',
122				'no',
123				'none',
124				'yes'
125				],
126				'description' => 'Controls whether explicit hostname canonicalization is performed. The default,
127				B<no> is not to perform any name rewriting and let the system resolver handle
128				all hostname lookups. If set to B<yes> then, for connections that do not use a
129				B<ProxyCommand> or B<ProxyJump> L<ssh(1)> will attempt to canonicalize the
130				hostname specified on the command line using the B<CanonicalDomains> suffixes
131				and B<CanonicalizePermittedCNAMEs> rules. If B<CanonicalizeHostname> is set to
132				B<always> then canonicalization is applied to proxied connections too.
133
134				If this option is enabled, then the configuration files are processed again
135				using the new target name to pick up any new configuration in matching B<Host>
136				and B<Match> stanzas. A value of B<none> disables the use of a B<ProxyJump>
137				host.',
138				'type' => 'leaf',
139				'upstream_default' => 'no',
140				'value_type' => 'enum'
141				},
142				'CanonicalizeMaxDots',
143				{
144				'description' => 'Specifies the maximum number of dot characters in a hostname before
145				canonicalization is disabled. The default, 1, allows a single dot (i.e.
146				hostname.subdomain).',
147				'type' => 'leaf',
148				'upstream_default' => '1',
149				'value_type' => 'integer'
150				},
151				'CanonicalizePermittedCNAMEs',
152				{
153				'description' => 'Specifies rules to determine whether CNAMEs should be followed when
154
155				canonicalizing hostnames. The rules consist of one or more arguments of
156				I<source_domain_list : > B<> I<target_domain_list> where I<source_domain_list>
157				is a pattern-list of domains that may follow CNAMEs in canonicalization, and
158				I<target_domain_list> is a pattern-list of domains that they may resolve to.
159
160				For example, Qq .a.example.com:.b.example.com,*.c.example.com will allow
161				hostnames matching Qq *.a.example.com to be canonicalized to names in the Qq
162				.b.example.com or Qq .c.example.com domains.
163
164				A single argument of Qq none causes no CNAMEs to be considered for
165				canonicalization. This is the default behaviour.',
166				'type' => 'leaf',
167				'value_type' => 'uniline'
168				},
169				'CASignatureAlgorithms',
170				{
171				'description' => 'Specifies which algorithms are allowed for signing of certificates by
172				certificate authorities (CAs). The default is: ssh-ed25519,
173				ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
174				sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,
175				rsa-sha2-256
176
177				If the specified list begins with a \'+\' character, then the specified
178				algorithms will be appended to the default set instead of replacing them. If
179				the specified list begins with a \'-\' character, then the specified algorithms
180				(including wildcards) will be removed from the default set instead of replacing
181				them.
182
183				L<ssh(1)> will not accept host certificates signed using algorithms other than
184				those specified.',
185				'type' => 'leaf',
186				'value_type' => 'uniline'
187				},
188				'CertificateFile',
189				{
190				'description' => 'Specifies a file from which the user\'s certificate is read. A corresponding
191				private key must be provided separately in order to use this certificate either
192				from an B<IdentityFile> directive or -B<i> flag to L<ssh(1)>, via ssh-agent1,
193				or via a B<PKCS11Provider> or B<SecurityKeyProvider>
194
195				Arguments to B<CertificateFile> may use the tilde syntax to refer to a user\'s
196				home directory, the tokens described in the I<TOKENS> section and environment
197				variables as described in the I<ENVIRONMENT VARIABLES> section.
198
199				It is possible to have multiple certificate files specified in configuration
200				files; these certificates will be tried in sequence. Multiple
201				B<CertificateFile> directives will add to the list of certificates used for
202				authentication.',
203				'type' => 'leaf',
204				'value_type' => 'uniline'
205				},
206				'CheckHostIP',
207				{
208				'description' => 'If set to B<yes> L<ssh(1)> will additionally check the host IP address in the
209				known_hosts file. This allows it to detect if a host key changed due to DNS
210				spoofing and will add addresses of destination hosts to ~/.ssh/known_hosts in
211				the process, regardless of the setting of B<StrictHostKeyChecking> If the
212				option is set to B<no> (the default), the check will not be executed.',
213				'type' => 'leaf',
214				'upstream_default' => 'no',
215				'value_type' => 'boolean',
216				'write_as' => [
217				'no',
218				'yes'
219				]
220				},
221				'Ciphers',
222				{
223				'description' => 'Specifies the ciphers allowed and their order of preference. Multiple ciphers
224				must be comma-separated. If the specified list begins with a \'+\' character,
225				then the specified ciphers will be appended to the default set instead of
226				replacing them. If the specified list begins with a \'-\' character, then the
227				specified ciphers (including wildcards) will be removed from the default set
228				instead of replacing them. If the specified list begins with a \'^\' character,
229				then the specified ciphers will be placed at the head of the default set.
230
231				The supported ciphers are: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr
232				aes192-ctr aes256-ctr
233				aes128-gcm@openssh.comaes256-gcm@openssh.comchacha20-poly1305@openssh.com
234
235				The default is: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr,
236				aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
237
238				The list of available ciphers may also be obtained using Qq ssh -Q cipher .',
239				'type' => 'leaf',
240				'value_type' => 'uniline'
241				},
242				'ClearAllForwardings',
243				{
244				'description' => 'Specifies that all local, remote, and dynamic port forwardings specified in the
245				configuration files or on the command line be cleared. This option is primarily
246				useful when used from the L<ssh(1)> command line to clear port forwardings set
247				in configuration files, and is automatically set by L<scp(1)> and L<sftp(1)>.
248				The argument must be B<yes> or B<no> (the default).',
249				'type' => 'leaf',
250				'upstream_default' => 'no',
251				'value_type' => 'boolean',
252				'write_as' => [
253				'no',
254				'yes'
255				]
256				},
257				'Compression',
258				{
259				'description' => 'Specifies whether to use compression. The argument must be B<yes> or B<no> (the
260				default).',
261				'type' => 'leaf',
262				'upstream_default' => 'no',
263				'value_type' => 'boolean',
264				'write_as' => [
265				'no',
266				'yes'
267				]
268				},
269				'ConnectionAttempts',
270				{
271				'description' => 'Specifies the number of tries (one per second) to make before exiting. The
272				argument must be an integer. This may be useful in scripts if the connection
273				sometimes fails. The default is 1.',
274				'type' => 'leaf',
275				'upstream_default' => '1',
276				'value_type' => 'integer'
277				},
278				'ConnectTimeout',
279				{
280				'description' => 'Specifies the timeout (in seconds) used when connecting to the SSH server,
281				instead of using the default system TCP timeout. This timeout is applied both
282				to establishing the connection and to performing the initial SSH protocol
283				handshake and key exchange.',
284				'type' => 'leaf',
285				'value_type' => 'integer'
286				},
287				'ControlMaster',
288				{
289				'choice' => [
290				'ask',
291				'auto',
292				'autoask',
293				'no',
294				'yes'
295				],
296				'description' => 'Enables the sharing of multiple sessions over a single network connection. When
297				set to B<yes> L<ssh(1)> will listen for connections on a control socket
298				specified using the B<ControlPath> argument. Additional sessions can connect to
299				this socket using the same B<ControlPath> with B<ControlMaster> set to B<no>
300				(the default). These sessions will try to reuse the master instance\'s network
301				connection rather than initiating new ones, but will fall back to connecting
302				normally if the control socket does not exist, or is not listening.
303
304				Setting this to B<ask> will cause L<ssh(1)> to listen for control connections,
305				but require confirmation using ssh-askpass1. If the B<ControlPath> cannot be
306				opened, L<ssh(1)> will continue without connecting to a master instance.
307
308				X11 and ssh-agent1 forwarding is supported over these multiplexed connections,
309				however the display and agent forwarded will be the one belonging to the master
310				connection i.e. it is not possible to forward multiple displays or agents.
311
312				Two additional options allow for opportunistic multiplexing: try to use a
313				master connection but fall back to creating a new one if one does not already
314				exist. These options are: B<auto> and B<autoask> The latter requires
315				confirmation like the B<ask> option.',
316				'type' => 'leaf',
317				'upstream_default' => 'no',
318				'value_type' => 'enum'
319				},
320				'ControlPath',
321				{
322				'description' => 'Specify the path to the control socket used for connection sharing as described
323				in the B<ControlMaster> section above or the string B<none> to disable
324				connection sharing. Arguments to B<ControlPath> may use the tilde syntax to
325				refer to a user\'s home directory, the tokens described in the I<TOKENS> section
326				and environment variables as described in the I<ENVIRONMENT VARIABLES> section.
327				It is recommended that any B<ControlPath> used for opportunistic connection
328				sharing include at least %h, %p, and %r (or alternatively %C) and be placed in
329				a directory that is not writable by other users. This ensures that shared
330				connections are uniquely identified.',
331				'type' => 'leaf',
332				'value_type' => 'uniline'
333				},
334				'ControlPersist',
335				{
336				'description' => 'When used in conjunction with B<ControlMaster> specifies that the master
337				connection should remain open in the background (waiting for future client
338				connections) after the initial client connection has been closed. If set to
339				B<no> (the default), then the master connection will not be placed into the
340				background, and will close as soon as the initial client connection is closed.
341				If set to B<yes> or 0, then the master connection will remain in the background
342				indefinitely (until killed or closed via a mechanism such as the Qq ssh -O exit
343				) . If set to a time in seconds, or a time in any of the formats documented in
344				sshd_config5, then the backgrounded master connection will automatically
345				terminate after it has remained idle (with no client connections) for the
346				specified time.',
347				'type' => 'leaf',
348				'value_type' => 'uniline'
349				},
350				'DynamicForward',
351				{
352				'cargo' => {
353				'type' => 'leaf',
354				'value_type' => 'uniline'
355				},
356				'description' => 'Specifies that a TCP port on the local machine be forwarded over the secure
357				channel, and the application protocol is then used to determine where to
358				connect to from the remote machine.
359
360				The argument must be [I<bind_address : port> ] IPv6 addresses can be specified
361				by enclosing addresses in square brackets. By default, the local port is bound
362				in accordance with the B<GatewayPorts> setting. However, an explicit
363				I<bind_address> may be used to bind the connection to a specific address. The
364				I<bind_address> of B<localhost> indicates that the listening port be bound for
365				local use only, while an empty address or \'*\' indicates that the port should be
366				available from all interfaces.
367
368				Currently the SOCKS4 and SOCKS5 protocols are supported, and L<ssh(1)> will act
369				as a SOCKS server. Multiple forwardings may be specified, and additional
370				forwardings can be given on the command line. Only the superuser can forward
371				privileged ports.',
372				'type' => 'list'
373				},
374				'EnableEscapeCommandline',
375				{
376				'description' => 'Enables the command line option in the B<EscapeChar> menu for interactive
377				sessions (default \'~C\' ) . By default, the command line is disabled.',
378				'type' => 'leaf',
379				'value_type' => 'uniline'
380				},
381				'EnableSSHKeysign',
382				{
383				'description' => 'Setting this option to B<yes> in the global client configuration file
384				/etc/ssh/ssh_config enables the use of the helper program ssh-keysign8 during
385				B<HostbasedAuthentication> The argument must be B<yes> or B<no> (the default).
386				This option should be placed in the non-hostspecific section. See ssh-keysign8
387				for more information.',
388				'type' => 'leaf',
389				'upstream_default' => 'no',
390				'value_type' => 'boolean',
391				'write_as' => [
392				'no',
393				'yes'
394				]
395				},
396				'EscapeChar',
397				{
398				'description' => 'Sets the escape character (default: \'~\' ) . The escape character can also be
399				set on the command line. The argument should be a single character, \'^\'
400				followed by a letter, or B<none> to disable the escape character entirely
401				(making the connection transparent for binary data).',
402				'type' => 'leaf',
403				'value_type' => 'uniline'
404				},
405				'ExitOnForwardFailure',
406				{
407				'description' => 'Specifies whether L<ssh(1)> should terminate the connection if it cannot set up
408				all requested dynamic, tunnel, local, and remote port forwardings, (e.g. if
409				either end is unable to bind and listen on a specified port). Note that
410				B<ExitOnForwardFailure> does not apply to connections made over port
411				forwardings and will not, for example, cause L<ssh(1)> to exit if TCP
412				connections to the ultimate forwarding destination fail. The argument must be
413				B<yes> or B<no> (the default).',
414				'type' => 'leaf',
415				'upstream_default' => 'no',
416				'value_type' => 'boolean',
417				'write_as' => [
418				'no',
419				'yes'
420				]
421				},
422				'FingerprintHash',
423				{
424				'choice' => [
425				'md5',
426				'sha256'
427				],
428				'description' => 'Specifies the hash algorithm used when displaying key fingerprints. Valid
429				options are: B<md5> and B<sha256> (the default).',
430				'type' => 'leaf',
431				'upstream_default' => 'sha256',
432				'value_type' => 'enum'
433				},
434				'ForkAfterAuthentication',
435				{
436				'description' => 'Requests B<ssh> to go to background just before command execution. This is
437				useful if B<ssh> is going to ask for passwords or passphrases, but the user
438				wants it in the background. This implies the B<StdinNull> configuration option
439				being set to \'\'yes\'\' The recommended way to start X11 programs at a remote site
440				is with something like B<ssh -f host xterm> which is the same as B<ssh host
441				xterm> if the B<ForkAfterAuthentication> configuration option is set to \'\'yes\'\'
442
443				If the B<ExitOnForwardFailure> configuration option is set to \'\'yes\'\' then a
444				client started with the B<ForkAfterAuthentication> configuration option being
445				set to \'\'yes\'\' will wait for all remote port forwards to be successfully
446				established before placing itself in the background. The argument to this
447				keyword must be B<yes> (same as the -B<f> option) or B<no> (the default).',
448				'type' => 'leaf',
449				'upstream_default' => 'no',
450				'value_type' => 'boolean',
451				'write_as' => [
452				'no',
453				'yes'
454				]
455				},
456				'ForwardAgent',
457				{
458				'description' => 'Specifies whether the connection to the authentication agent (if any) will be
459				forwarded to the remote machine. The argument may be B<yes> B<no> (the
460				default), an explicit path to an agent socket or the name of an environment
461				variable (beginning with \'$\' in which to find the path.
462
463				Agent forwarding should be enabled with caution. Users with the ability to
464				bypass file permissions on the remote host (for the agent\'s Unix-domain socket)
465				can access the local agent through the forwarded connection. An attacker cannot
466				obtain key material from the agent, however they can perform operations on the
467				keys that enable them to authenticate using the identities loaded into the
468				agent.',
469				'type' => 'leaf',
470				'upstream_default' => 'no',
471				'value_type' => 'boolean',
472				'write_as' => [
473				'no',
474				'yes'
475				]
476				},
477				'ForwardX11',
478				{
479				'description' => 'Specifies whether X11 connections will be automatically redirected over the
480				secure channel and B<DISPLAY> set. The argument must be B<yes> or B<no> (the
481				default).
482
483				X11 forwarding should be enabled with caution. Users with the ability to bypass
484				file permissions on the remote host (for the user\'s X11 authorization database)
485				can access the local X11 display through the forwarded connection. An attacker
486				may then be able to perform activities such as keystroke monitoring if the
487				B<ForwardX11Trusted> option is also enabled.',
488				'type' => 'leaf',
489				'upstream_default' => 'no',
490				'value_type' => 'boolean',
491				'write_as' => [
492				'no',
493				'yes'
494				]
495				},
496				'ForwardX11Timeout',
497				{
498				'description' => 'Specify a timeout for untrusted X11 forwarding using the format described in
499				the I<TIME FORMATS> section of sshd_config5. X11 connections received by
500				L<ssh(1)> after this time will be refused. Setting B<ForwardX11Timeout> to zero
501				will disable the timeout and permit X11 forwarding for the life of the
502				connection. The default is to disable untrusted X11 forwarding after twenty
503				minutes has elapsed.',
504				'type' => 'leaf',
505				'value_type' => 'integer'
506				},
507				'ForwardX11Trusted',
508				{
509				'description' => 'If this option is set to B<yes> (the Debian-specific default), remote X11
510				clients will have full access to the original X11 display.
511
512				If this option is set to B<no> (the upstream default), remote X11 clients will
513				be considered untrusted and prevented from stealing or tampering with data
514				belonging to trusted X11 clients. Furthermore, the L<xauth(1)> token used for
515				the session will be set to expire after 20 minutes. Remote clients will be
516				refused access after this time.
517
518				See the X11 SECURITY extension specification for full details on the
519				restrictions imposed on untrusted clients.',
520				'type' => 'leaf',
521				'value_type' => 'boolean',
522				'write_as' => [
523				'no',
524				'yes'
525				]
526				},
527				'GatewayPorts',
528				{
529				'description' => 'Specifies whether remote hosts are allowed to connect to local forwarded ports.
530				By default, L<ssh(1)> binds local port forwardings to the loopback address.
531				This prevents other remote hosts from connecting to forwarded ports.
532				B<GatewayPorts> can be used to specify that ssh should bind local port
533				forwardings to the wildcard address, thus allowing remote hosts to connect to
534				forwarded ports. The argument must be B<yes> or B<no> (the default).',
535				'type' => 'leaf',
536				'upstream_default' => 'no',
537				'value_type' => 'boolean',
538				'write_as' => [
539				'no',
540				'yes'
541				]
542				},
543				'GlobalKnownHostsFile',
544				{
545				'default' => '/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2',
546				'description' => 'Specifies one or more files to use for the global host key database, separated
547				by whitespace. The default is /etc/ssh/ssh_known_hosts
548				/etc/ssh/ssh_known_hosts2',
549				'type' => 'leaf',
550				'value_type' => 'uniline'
551				},
552				'GSSAPIAuthentication',
553				{
554				'description' => 'Specifies whether user authentication based on GSSAPI is allowed. The default
555				is B<no>',
556				'type' => 'leaf',
557				'upstream_default' => 'no',
558				'value_type' => 'boolean',
559				'write_as' => [
560				'no',
561				'yes'
562				]
563				},
564				'GSSAPIClientIdentity',
565				{
566				'description' => 'If set, specifies the GSSAPI client identity that ssh should use when
567				connecting to the server. The default is unset, which means that the default
568				identity will be used.',
569				'type' => 'leaf',
570				'value_type' => 'uniline'
571				},
572				'GSSAPIDelegateCredentials',
573				{
574				'description' => 'Forward (delegate) credentials to the server. The default is B<no>',
575				'type' => 'leaf',
576				'upstream_default' => 'no',
577				'value_type' => 'boolean',
578				'write_as' => [
579				'no',
580				'yes'
581				]
582				},
583				'GSSAPIKeyExchange',
584				{
585				'description' => 'Specifies whether key exchange based on GSSAPI may be used. When using GSSAPI
586				key exchange the server need not have a host key. The default is \'\'no\'\'',
587				'type' => 'leaf',
588				'value_type' => 'uniline'
589				},
590				'GSSAPIRenewalForcesRekey',
591				{
592				'description' => 'If set to \'\'yes\'\' then renewal of the client\'s GSSAPI credentials will force
593				the rekeying of the ssh connection. With a compatible server, this will
594				delegate the renewed credentials to a session on the server.
595
596				Checks are made to ensure that credentials are only propagated when the new
597				credentials match the old ones on the originating client and where the
598				receiving server still has the old set in its cache.
599
600				The default is \'\'no\'\'
601
602				For this to work B<GSSAPIKeyExchange> needs to be enabled in the server and
603				also used by the client.',
604				'type' => 'leaf',
605				'value_type' => 'uniline'
606				},
607				'GSSAPIServerIdentity',
608				{
609				'description' => 'If set, specifies the GSSAPI server identity that ssh should expect when
610				connecting to the server. The default is unset, which means that the expected
611				GSSAPI server identity will be determined from the target hostname.',
612				'type' => 'leaf',
613				'value_type' => 'uniline'
614				},
615				'GSSAPITrustDns',
616				{
617				'description' => 'Set to \'\'yes\'\' to indicate that the DNS is trusted to securely canonicalize the
618				name of the host being connected to. If \'\'no\'\' the hostname entered on the
619				command line will be passed untouched to the GSSAPI library. The default is
620				\'\'no\'\'',
621				'type' => 'leaf',
622				'value_type' => 'uniline'
623				},
624				'GSSAPIKexAlgorithms',
625				{
626				'description' => 'The list of key exchange algorithms that are offered for GSSAPI key exchange.
627				Possible values are gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-,
628				gss-group14-sha256-, gss-group16-sha512-, gss-nistp256-sha256-,
629				gss-curve25519-sha256-
630
631				The default is \'\'gss-group14-sha256-, gss-group16-sha512-,
632				gss-nistp256-sha256-, gss-curve25519-sha256-, gss-gex-sha1-,
633				gss-group14-sha1-\'\' This option only applies to connections using GSSAPI.',
634				'type' => 'leaf',
635				'value_type' => 'uniline'
636				},
637				'HashKnownHosts',
638				{
639				'description' => 'Indicates that L<ssh(1)> should hash host names and addresses when they are
640				added to ~/.ssh/known_hosts These hashed names may be used normally by
641				L<ssh(1)> and L<sshd(8)>, but they do not visually reveal identifying
642				information if the file\'s contents are disclosed. The default is B<no> Note
643				that existing names and addresses in known hosts files will not be converted
644				automatically, but may be manually hashed using ssh-keygen1. Use of this option
645				may break facilities such as tab-completion that rely on being able to read
646				unhashed host names from ~/.ssh/known_hosts',
647				'type' => 'leaf',
648				'upstream_default' => 'no',
649				'value_type' => 'boolean',
650				'write_as' => [
651				'no',
652				'yes'
653				]
654				},
655				'HostbasedAcceptedAlgorithms',
656				{
657				'description' => 'Specifies the signature algorithms that will be used for hostbased
658				authentication as a comma-separated list of patterns. Alternately if the
659				specified list begins with a \'+\' character, then the specified signature
660				algorithms will be appended to the default set instead of replacing them. If
661				the specified list begins with a \'-\' character, then the specified signature
662				algorithms (including wildcards) will be removed from the default set instead
663				of replacing them. If the specified list begins with a \'^\' character, then the
664				specified signature algorithms will be placed at the head of the default set.
665				The default for this option is: ssh-ed25519-cert-v01@openssh.com,
666				ecdsa-sha2-nistp256-cert-v01@openssh.com,
667				ecdsa-sha2-nistp384-cert-v01@openssh.com,
668				ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com,
669				sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
670				rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,
671				ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com,
672				sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512, rsa-sha2-256
673
674				The -B<Q> option of L<ssh(1)> may be used to list supported signature
675				algorithms. This was formerly named HostbasedKeyTypes.',
676				'migrate_from' => {
677				'formula' => '$old',
678				'variables' => {
679				'old' => '- HostbasedKeyTypes'
680				}
681				},
682				'type' => 'leaf',
683				'value_type' => 'uniline'
684				},
685				'HostbasedAuthentication',
686				{
687				'description' => 'Specifies whether to try rhosts based authentication with public key
688				authentication. The argument must be B<yes> or B<no> (the default).',
689				'type' => 'leaf',
690				'upstream_default' => 'no',
691				'value_type' => 'boolean',
692				'write_as' => [
693				'no',
694				'yes'
695				]
696				},
697				'HostKeyAlgorithms',
698				{
699				'description' => 'Specifies the host key signature algorithms that the client wants to use in
700				order of preference. Alternately if the specified list begins with a \'+\'
701				character, then the specified signature algorithms will be appended to the
702				default set instead of replacing them. If the specified list begins with a \'-\'
703				character, then the specified signature algorithms (including wildcards) will
704				be removed from the default set instead of replacing them. If the specified
705				list begins with a \'^\' character, then the specified signature algorithms will
706				be placed at the head of the default set. The default for this option is:
707				ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com,
708				ecdsa-sha2-nistp384-cert-v01@openssh.com,
709				ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com,
710				sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
711				rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,
712				ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, sk-ecdsa-sha2-nistp256@openssh.com,
713				sk-ssh-ed25519@openssh.com, rsa-sha2-512, rsa-sha2-256
714
715				If hostkeys are known for the destination host then this default is modified to
716				prefer their algorithms.
717
718				The list of available signature algorithms may also be obtained using Qq ssh -Q
719				HostKeyAlgorithms .',
720				'type' => 'leaf',
721				'value_type' => 'uniline'
722				},
723				'HostKeyAlias',
724				{
725				'description' => 'Specifies an alias that should be used instead of the real host name when
726				looking up or saving the host key in the host key database files and when
727				validating host certificates. This option is useful for tunneling SSH
728				connections or for multiple servers running on a single host.',
729				'type' => 'leaf',
730				'value_type' => 'uniline'
731				},
732				'Hostname',
733				{
734				'description' => 'Specifies the real host name to log into. This can be used to specify nicknames
735				or abbreviations for hosts. Arguments to B<Hostname> accept the tokens
736				described in the I<TOKENS> section. Numeric IP addresses are also permitted
737				(both on the command line and in B<Hostname> specifications). The default is
738				the name given on the command line.',
739				'type' => 'leaf',
740				'value_type' => 'uniline'
741				},
742				'IdentitiesOnly',
743				{
744				'description' => 'Specifies that L<ssh(1)> should only use the configured authentication identity
745				and certificate files (either the default files, or those explicitly configured
746				in the B<ssh_config> files or passed on the L<ssh(1)> command-line), even if
747				ssh-agent1 or a B<PKCS11Provider> or B<SecurityKeyProvider> offers more
748				identities. The argument to this keyword must be B<yes> or B<no> (the default).
749				This option is intended for situations where ssh-agent offers many different
750				identities.',
751				'type' => 'leaf',
752				'upstream_default' => 'no',
753				'value_type' => 'boolean',
754				'write_as' => [
755				'no',
756				'yes'
757				]
758				},
759				'IdentityAgent',
760				{
761				'description' => 'Specifies the UNIX socket used to communicate with the authentication agent.
762
763				This option overrides the B<SSH_AUTH_SOCK> environment variable and can be used
764				to select a specific agent. Setting the socket name to B<none> disables the use
765				of an authentication agent. If the string Qq SSH_AUTH_SOCK is specified, the
766				location of the socket will be read from the B<SSH_AUTH_SOCK> environment
767				variable. Otherwise if the specified value begins with a \'$\' character, then it
768				will be treated as an environment variable containing the location of the
769				socket.
770
771				Arguments to B<IdentityAgent> may use the tilde syntax to refer to a user\'s
772				home directory, the tokens described in the I<TOKENS> section and environment
773				variables as described in the I<ENVIRONMENT VARIABLES> section.',
774				'type' => 'leaf',
775				'value_type' => 'uniline'
776				},
777				'IdentityFile',
778				{
779				'cargo' => {
780				'type' => 'leaf',
781				'value_type' => 'uniline',
782				'warn_if_match' => {
783				'\\.pub$' => {
784				'fix' => 's/\\.pub$//;',
785				'msg' => 'identity file must be the private key'
786				}
787				}
788				},
789				'description' => 'Specifies a file from which the user\'s DSA, ECDSA, authenticator-hosted ECDSA,
790				Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
791				You can also specify a public key file to use the corresponding private key
792				that is loaded in ssh-agent1 when the private key file is not present locally.
793				The default is ~/.ssh/id_rsa ~/.ssh/id_ecdsa ~/.ssh/id_ecdsa_sk
794				~/.ssh/id_ed25519 ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa Additionally, any
795				identities represented by the authentication agent will be used for
796				authentication unless B<IdentitiesOnly> is set. If no certificates have been
797				explicitly specified by B<CertificateFile> L<ssh(1)> will try to load
798				certificate information from the filename obtained by appending -cert.pub to
799				the path of a specified B<IdentityFile>
800
801				Arguments to B<IdentityFile> may use the tilde syntax to refer to a user\'s home
802				directory or the tokens described in the I<TOKENS> section.
803
804				It is possible to have multiple identity files specified in configuration
805				files; all these identities will be tried in sequence. Multiple B<IdentityFile>
806				directives will add to the list of identities tried (this behaviour differs
807				from that of other configuration directives).
808
809				B<IdentityFile> may be used in conjunction with B<IdentitiesOnly> to select
810				which identities in an agent are offered during authentication. B<IdentityFile>
811				may also be used in conjunction with B<CertificateFile> in order to provide any
812				certificate also needed for authentication with the identity.',
813				'type' => 'list'
814				},
815				'IgnoreUnknown',
816				{
817				'description' => 'Specifies a pattern-list of unknown options to be ignored if they are
818				encountered in configuration parsing. This may be used to suppress errors if
819				B<ssh_config> contains options that are unrecognised by L<ssh(1)>. It is
820				recommended that B<IgnoreUnknown> be listed early in the configuration file as
821				it will not be applied to unknown options that appear before it.',
822				'type' => 'leaf',
823				'value_type' => 'uniline'
824				},
825				'Include',
826				{
827				'cargo' => {
828				'type' => 'leaf',
829				'value_type' => 'uniline'
830				},
831				'description' => 'Include the specified configuration file(s). Multiple pathnames may be
832				specified and each pathname may contain L<glob(7)> wildcards and, for user
833				configurations, shell-like \'~\' references to user home directories. Wildcards
834				will be expanded and processed in lexical order. Files without absolute paths
835				are assumed to be in ~/.ssh if included in a user configuration file or
836				/etc/ssh if included from the system configuration file. B<Include> directive
837				may appear inside a B<Match> or B<Host> block to perform conditional inclusion.',
838				'type' => 'list'
839				},
840				'IPQoS',
841				{
842				'assert' => {
843				'1_or_2' => {
844				'code' => 'return 1 unless defined $_;
845				my @v = (/(\\w+)/g);
846				return (@v < 3) ? 1 : 0;
847				',
848				'msg' => 'value must not have more than 2 fields.'
849				},
850				'accepted_values' => {
851				'code' => 'return 1 unless defined $_;
852				my @v = (/(\\S+)/g);
853				my @good = grep {/^(af[1-4][1-3]\|cs[0-7]\|ef\|lowdelay\|throughput\|reliability\|\\d+)/} @v ;
854				return @good == @v ? 1 : 0;
855				',
856				'msg' => 'Unexpected value "$_". Expected 1 or 2 occurences of: "af11", "af12", "af13", "af21", "af22",
857				"af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1",
858				"cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay",
859				"throughput", "reliability", or numeric value.
860				'
861				}
862				},
863				'description' => 'Specifies the IPv4 type-of-service or DSCP class for connections. Accepted
864				values are B<af11> B<af12> B<af13> B<af21> B<af22> B<af23> B<af31> B<af32>
865				B<af33> B<af41> B<af42> B<af43> B<cs0> B<cs1> B<cs2> B<cs3> B<cs4> B<cs5>
866				B<cs6> B<cs7> B<ef> B<le> B<lowdelay> B<throughput> B<reliability> a numeric
867				value, or B<none> to use the operating system default. This option may take one
868				or two arguments, separated by whitespace. If one argument is specified, it is
869				used as the packet class unconditionally. If two values are specified, the
870				first is automatically selected for interactive sessions and the second for
871				non-interactive sessions. The default is B<lowdelay> for interactive sessions
872				and B<throughput> for non-interactive sessions.',
873				'type' => 'leaf',
874				'upstream_default' => 'af21 cs1',
875				'value_type' => 'uniline'
876				},
877				'KbdInteractiveAuthentication',
878				{
879				'description' => 'Specifies whether to use keyboard-interactive authentication. The argument to
880				this keyword must be B<yes> (the default) or B<no>
881				B<ChallengeResponseAuthentication> is a deprecated alias for this.',
882				'type' => 'leaf',
883				'upstream_default' => 'yes',
884				'value_type' => 'boolean',
885				'write_as' => [
886				'no',
887				'yes'
888				]
889				},
890				'KbdInteractiveDevices',
891				{
892				'cargo' => {
893				'type' => 'leaf',
894				'value_type' => 'uniline'
895				},
896				'description' => 'Specifies the list of methods to use in keyboard-interactive authentication.
897				Multiple method names must be comma-separated. The default is to use the server
898				specified list. The methods available vary depending on what the server
899				supports. For an OpenSSH server, it may be zero or more of: B<bsdauth> and
900				B<pam>',
901				'type' => 'list'
902				},
903				'KexAlgorithms',
904				{
905				'description' => 'Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must
906				be comma-separated. If the specified list begins with a \'+\' character, then the
907				specified algorithms will be appended to the default set instead of replacing
908				them. If the specified list begins with a \'-\' character, then the specified
909				algorithms (including wildcards) will be removed from the default set instead
910				of replacing them. If the specified list begins with a \'^\' character, then the
911				specified algorithms will be placed at the head of the default set. The default
912				is: sntrup761x25519-sha512@openssh.com, curve25519-sha256,
913				curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384,
914				ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256,
915				diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,
916				diffie-hellman-group14-sha256
917
918				The list of available key exchange algorithms may also be obtained using Qq ssh
919				-Q kex .',
920				'type' => 'leaf',
921				'value_type' => 'uniline'
922				},
923				'KnownHostsCommand',
924				{
925				'description' => 'Specifies a command to use to obtain a list of host keys, in addition to those
926				listed in B<UserKnownHostsFile> and B<GlobalKnownHostsFile> This command is
927				executed after the files have been read. It may write host key lines to
928				standard output in identical format to the usual files (described in the
929				I<VERIFYING HOST KEYS> section in L<ssh(1)>). Arguments to B<KnownHostsCommand>
930				accept the tokens described in the I<TOKENS> section. The command may be
931				invoked multiple times per connection: once when preparing the preference list
932				of host key algorithms to use, again to obtain the host key for the requested
933				host name and, if B<CheckHostIP> is enabled, one more time to obtain the host
934				key matching the server\'s address. If the command exits abnormally or returns a
935				non-zero exit status then the connection is terminated.',
936				'type' => 'leaf',
937				'value_type' => 'uniline'
938				},
939				'LocalCommand',
940				{
941				'description' => 'Specifies a command to execute on the local machine after successfully
942				connecting to the server. The command string extends to the end of the line,
943				and is executed with the user\'s shell. Arguments to B<LocalCommand> accept the
944				tokens described in the I<TOKENS> section.
945
946				The command is run synchronously and does not have access to the session of the
947				L<ssh(1)> that spawned it. It should not be used for interactive commands.
948
949				This directive is ignored unless B<PermitLocalCommand> has been enabled.',
950				'type' => 'leaf',
951				'value_type' => 'uniline'
952				},
953				'LocalForward',
954				{
955				'cargo' => {
956				'config_class_name' => 'Ssh::PortForward',
957				'type' => 'node'
958				},
959				'description' => 'Specifies that a TCP port on the local machine be forwarded over the secure
960				channel to the specified host and port from the remote machine. The first
961				argument specifies the listener and may be [I<bind_address : port> ] or a Unix
962				domain socket path. The second argument is the destination and may be I<host :
963				> B<> I<hostport> or a Unix domain socket path if the remote host supports it.
964
965				IPv6 addresses can be specified by enclosing addresses in square brackets.
966				Multiple forwardings may be specified, and additional forwardings can be given
967				on the command line. Only the superuser can forward privileged ports. By
968				default, the local port is bound in accordance with the B<GatewayPorts>
969				setting. However, an explicit I<bind_address> may be used to bind the
970				connection to a specific address. The I<bind_address> of B<localhost> indicates
971				that the listening port be bound for local use only, while an empty address or
972				\'*\' indicates that the port should be available from all interfaces. Unix
973				domain socket paths may use the tokens described in the I<TOKENS> section and
974				environment variables as described in the I<ENVIRONMENT VARIABLES> section.',
975				'type' => 'list'
976				},
977				'LogLevel',
978				{
979				'choice' => [
980				'DEBUG',
981				'DEBUG1',
982				'DEBUG2',
983				'DEBUG3',
984				'ERROR',
985				'FATAL',
986				'INFO',
987				'QUIET',
988				'VERBOSE'
989				],
990				'description' => 'Gives the verbosity level that is used when logging messages from L<ssh(1)>.
991				The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1,
992				DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent.
993				DEBUG2 and DEBUG3 each specify higher levels of verbose output.',
994				'type' => 'leaf',
995				'upstream_default' => 'INFO',
996				'value_type' => 'enum'
997				},
998				'LogVerbose',
999				{
1000				'description' => 'Specify one or more overrides to LogLevel. An override consists of a pattern
1001				lists that matches the source file, function and line number to force detailed
1002				logging for. For example, an override pattern of:
1003				kex.c::1000,:kex_exchange_identification():, packet.c:
1004
1005				would enable detailed logging for line 1000 of kex.c everything in the Fn
1006				kex_exchange_identification function, and all code in the packet.c file. This
1007				option is intended for debugging and no overrides are enabled by default.',
1008				'type' => 'leaf',
1009				'value_type' => 'uniline'
1010				},
1011				'MACs',
1012				{
1013				'description' => 'Specifies the MAC (message authentication code) algorithms
1014
1015				in order of preference. The MAC algorithm is used for data integrity
1016				protection. Multiple algorithms must be comma-separated. If the specified list
1017				begins with a \'+\' character, then the specified algorithms will be appended to
1018				the default set instead of replacing them. If the specified list begins with a
1019				\'-\' character, then the specified algorithms (including wildcards) will be
1020				removed from the default set instead of replacing them. If the specified list
1021				begins with a \'^\' character, then the specified algorithms will be placed at
1022				the head of the default set.
1023
1024				The algorithms that contain Qq -etm calculate the MAC after encryption
1025				(encrypt-then-mac). These are considered safer and their use recommended.
1026
1027				The default is: umac-64-etm@openssh.com, umac-128-etm@openssh.com,
1028				hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com,
1029				hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com,
1030				hmac-sha2-256, hmac-sha2-512, hmac-sha1
1031
1032				The list of available MAC algorithms may also be obtained using Qq ssh -Q mac .',
1033				'type' => 'leaf',
1034				'value_type' => 'uniline'
1035				},
1036				'NoHostAuthenticationForLocalhost',
1037				{
1038				'description' => 'Disable host authentication for localhost (loopback addresses). The argument to
1039				this keyword must be B<yes> or B<no> (the default).',
1040				'type' => 'leaf',
1041				'upstream_default' => 'no',
1042				'value_type' => 'boolean',
1043				'write_as' => [
1044				'no',
1045				'yes'
1046				]
1047				},
1048				'NumberOfPasswordPrompts',
1049				{
1050				'description' => 'Specifies the number of password prompts before giving up. The argument to this
1051				keyword must be an integer. The default is 3.',
1052				'type' => 'leaf',
1053				'upstream_default' => '3',
1054				'value_type' => 'integer'
1055				},
1056				'PasswordAuthentication',
1057				{
1058				'description' => 'Specifies whether to use password authentication. The argument to this keyword
1059				must be B<yes> (the default) or B<no>',
1060				'type' => 'leaf',
1061				'upstream_default' => 'yes',
1062				'value_type' => 'boolean',
1063				'write_as' => [
1064				'no',
1065				'yes'
1066				]
1067				},
1068				'PermitLocalCommand',
1069				{
1070				'description' => 'Allow local command execution via the B<LocalCommand> option or using the B<!>
1071				I<command> escape sequence in L<ssh(1)>. The argument must be B<yes> or B<no>
1072				(the default).',
1073				'type' => 'leaf',
1074				'upstream_default' => 'no',
1075				'value_type' => 'boolean',
1076				'write_as' => [
1077				'no',
1078				'yes'
1079				]
1080				},
1081				'PermitRemoteOpen',
1082				{
1083				'cargo' => {
1084				'type' => 'leaf',
1085				'value_type' => 'uniline'
1086				},
1087				'description' => 'Specifies the destinations to which remote TCP port forwarding is permitted
1088				when B<RemoteForward> is used as a SOCKS proxy. The forwarding specification
1089				must be one of the following forms:
1090
1091				B<PermitRemoteOpen> I<host : port> B<PermitRemoteOpen> I<IPv4_addr : port>
1092				B<PermitRemoteOpen> I<[ IPv6_addr ] : port>
1093
1094				Multiple forwards may be specified by separating them with whitespace. An
1095				argument of B<any> can be used to remove all restrictions and permit any
1096				forwarding requests. An argument of B<none> can be used to prohibit all
1097				forwarding requests. The wildcard \'*\' can be used for host or port to allow all
1098				hosts or ports respectively. Otherwise, no pattern matching or address lookups
1099				are performed on supplied names.',
1100				'type' => 'list'
1101				},
1102				'PKCS11Provider',
1103				{
1104				'description' => 'Specifies which PKCS#11 provider to use or B<none> to indicate that no provider
1105				should be used (the default). The argument to this keyword is a path to the
1106				PKCS#11 shared library L<ssh(1)> should use to communicate with a PKCS#11 token
1107				providing keys for user authentication.',
1108				'type' => 'leaf',
1109				'value_type' => 'uniline'
1110				},
1111				'Port',
1112				{
1113				'description' => 'Specifies the port number to connect on the remote host. The default is 22.',
1114				'type' => 'leaf',
1115				'value_type' => 'uniline'
1116				},
1117				'PreferredAuthentications',
1118				{
1119				'cargo' => {
1120				'type' => 'leaf',
1121				'value_type' => 'uniline',
1122				'warn_unless_match' => {
1123				'^(gssapi-with-mic\|hostbased\|publickey\|keyboard-interactive\|password)$' => {
1124				'msg' => 'Unexpected authentication method: \'C<$_>\'. Expected one of
1125				C<gssapi-with-mic>, C<hostbased>, C<publickey>,
1126				C<keyboard-interactive> or C<password>
1127				'
1128				}
1129				}
1130				},
1131				'description' => 'Specifies the order in which the client should try authentication methods. This
1132				allows a client to prefer one method (e.g. B<keyboard-interactive> over another
1133				method (e.g. B<password )> The default is: gssapi-with-mic, hostbased,
1134				publickey, keyboard-interactive, password',
1135				'type' => 'list'
1136				},
1137				'ProxyCommand',
1138				{
1139				'description' => 'Specifies the command to use to connect to the server. The command string
1140				extends to the end of the line, and is executed using the user\'s shell \'exec\'
1141				directive to avoid a lingering shell process.
1142
1143				Arguments to B<ProxyCommand> accept the tokens described in the I<TOKENS>
1144				section. The command can be basically anything, and should read from its
1145				standard input and write to its standard output. It should eventually connect
1146				an L<sshd(8)> server running on some machine, or execute B<sshd -i> somewhere.
1147				Host key management will be done using the B<Hostname> of the host being
1148				connected (defaulting to the name typed by the user). Setting the command to
1149				B<none> disables this option entirely. Note that B<CheckHostIP> is not
1150				available for connects with a proxy command.
1151
1152				This directive is useful in conjunction with L<nc(1)> and its proxy support.
1153				For example, the following directive would connect via an HTTP proxy at
1154				192.0.2.0: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p',
1155				'type' => 'leaf',
1156				'value_type' => 'uniline'
1157				},
1158				'ProxyJump',
1159				{
1160				'cargo' => {
1161				'type' => 'leaf',
1162				'value_type' => 'uniline'
1163				},
1164				'description' => 'Specifies one or more jump proxies as either [I<user > B<@> ] I<host> [: B<>
1165				I<port> ] or an ssh URI . Multiple proxies may be separated by comma characters
1166				and will be visited sequentially. Setting this option will cause L<ssh(1)> to
1167				connect to the target host by first making a L<ssh(1)> connection to the
1168				specified B<ProxyJump> host and then establishing a TCP forwarding to the
1169				ultimate target from there. Setting the host to B<none> disables this option
1170				entirely.
1171
1172				Note that this option will compete with the B<ProxyCommand> option - whichever
1173				is specified first will prevent later instances of the other from taking
1174				effect.
1175
1176				Note also that the configuration for the destination host (either supplied via
1177				the command-line or the configuration file) is not generally applied to jump
1178				hosts. ~/.ssh/config should be used if specific configuration is required for
1179				jump hosts.',
1180				'type' => 'list'
1181				},
1182				'ProxyUseFdpass',
1183				{
1184				'description' => 'Specifies that B<ProxyCommand> will pass a connected file descriptor back to
1185				L<ssh(1)> instead of continuing to execute and pass data. The default is B<no>',
1186				'type' => 'leaf',
1187				'upstream_default' => 'no',
1188				'value_type' => 'boolean',
1189				'write_as' => [
1190				'no',
1191				'yes'
1192				]
1193				},
1194				'PubkeyAcceptedAlgorithms',
1195				{
1196				'description' => 'Specifies the signature algorithms that will be used for public key
1197				authentication as a comma-separated list of patterns. If the specified list
1198				begins with a \'+\' character, then the algorithms after it will be appended to
1199				the default instead of replacing it. If the specified list begins with a \'-\'
1200				character, then the specified algorithms (including wildcards) will be removed
1201				from the default set instead of replacing them. If the specified list begins
1202				with a \'^\' character, then the specified algorithms will be placed at the head
1203				of the default set. The default for this option is:
1204				ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com,
1205				ecdsa-sha2-nistp384-cert-v01@openssh.com,
1206				ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com,
1207				sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
1208				rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,
1209				ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com,
1210				sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512, rsa-sha2-256
1211
1212				The list of available signature algorithms may also be obtained using Qq ssh -Q
1213				PubkeyAcceptedAlgorithms .',
1214				'migrate_from' => {
1215				'formula' => '$old',
1216				'variables' => {
1217				'old' => '- PubkeyAcceptedKeyTypes'
1218				}
1219				},
1220				'type' => 'leaf',
1221				'value_type' => 'uniline'
1222				},
1223				'PubkeyAuthentication',
1224				{
1225				'choice' => [
1226				'host-bound',
1227				'no',
1228				'unbound',
1229				'yes'
1230				],
1231				'description' => 'Specifies whether to try public key authentication. The argument to this
1232				keyword must be B<yes> (the default), B<no> B<unbound> or B<host-bound> The
1233				final two options enable public key authentication while respectively disabling
1234				or enabling the OpenSSH host-bound authentication protocol extension required
1235				for restricted ssh-agent1 forwarding.',
1236				'type' => 'leaf',
1237				'upstream_default' => 'yes',
1238				'value_type' => 'enum'
1239				},
1240				'RekeyLimit',
1241				{
1242				'description' => 'Specifies the maximum amount of data that may be transmitted or received before
1243				the session key is renegotiated, optionally followed by a maximum amount of
1244				time that may pass before the session key is renegotiated. The first argument
1245				is specified in bytes and may have a suffix of \'K\' \'M\' or \'G\' to indicate
1246				Kilobytes, Megabytes, or Gigabytes, respectively. The default is between \'1G\'
1247				and \'4G\' depending on the cipher. The optional second value is specified in
1248				seconds and may use any of the units documented in the TIME FORMATS section of
1249				sshd_config5. The default value for B<RekeyLimit> is B<default none> which
1250				means that rekeying is performed after the cipher\'s default amount of data has
1251				been sent or received and no time based rekeying is done.',
1252				'type' => 'leaf',
1253				'value_type' => 'uniline'
1254				},
1255				'RemoteCommand',
1256				{
1257				'description' => 'Specifies a command to execute on the remote machine after successfully
1258				connecting to the server. The command string extends to the end of the line,
1259				and is executed with the user\'s shell. Arguments to B<RemoteCommand> accept the
1260				tokens described in the I<TOKENS> section.',
1261				'type' => 'leaf',
1262				'value_type' => 'uniline'
1263				},
1264				'RemoteForward',
1265				{
1266				'cargo' => {
1267				'config_class_name' => 'Ssh::PortForward',
1268				'type' => 'node'
1269				},
1270				'description' => 'Specifies that a TCP port on the remote machine be forwarded over the secure
1271				channel. The remote port may either be forwarded to a specified host and port
1272				from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
1273				client to connect to arbitrary destinations from the local machine. The first
1274				argument is the listening specification and may be [I<bind_address : port> ]
1275				or, if the remote host supports it, a Unix domain socket path. If forwarding to
1276				a specific destination then the second argument must be I<host : > B<>
1277				I<hostport> or a Unix domain socket path, otherwise if no destination argument
1278				is specified then the remote forwarding will be established as a SOCKS proxy.
1279				When acting as a SOCKS proxy, the destination of the connection can be
1280				restricted by B<PermitRemoteOpen>
1281
1282				IPv6 addresses can be specified by enclosing addresses in square brackets.
1283				Multiple forwardings may be specified, and additional forwardings can be given
1284				on the command line. Privileged ports can be forwarded only when logging in as
1285				root on the remote machine. Unix domain socket paths may use the tokens
1286				described in the I<TOKENS> section and environment variables as described in
1287				the I<ENVIRONMENT VARIABLES> section.
1288
1289				If the I<port> argument is 0, the listen port will be dynamically allocated on
1290				the server and reported to the client at run time.
1291
1292				If the I<bind_address> is not specified, the default is to only bind to
1293				loopback addresses. If the I<bind_address> is \'*\' or an empty string, then the
1294				forwarding is requested to listen on all interfaces. Specifying a remote
1295				I<bind_address> will only succeed if the server\'s B<GatewayPorts> option is
1296				enabled (see sshd_config5).',
1297				'type' => 'list'
1298				},
1299				'RequestTTY',
1300				{
1301				'choice' => [
1302				'auto',
1303				'force',
1304				'no',
1305				'yes'
1306				],
1307				'description' => 'Specifies whether to request a pseudo-tty for the session. The argument may be
1308				one of: B<no> (never request a TTY), B<yes> (always request a TTY when standard
1309				input is a TTY), B<force> (always request a TTY) or B<auto> (request a TTY when
1310				opening a login session). This option mirrors the -B<t> and -B<T> flags for
1311				L<ssh(1)>.',
1312				'type' => 'leaf',
1313				'value_type' => 'enum'
1314				},
1315				'RequiredRSASize',
1316				{
1317				'description' => 'Specifies the minimum RSA key size (in bits) that L<ssh(1)> will accept. User
1318				authentication keys smaller than this limit will be ignored. Servers that
1319				present host keys smaller than this limit will cause the connection to be
1320				terminated. The default is B<1024> bits. Note that this limit may only be
1321				raised from the default.',
1322				'type' => 'leaf',
1323				'upstream_default' => '1024',
1324				'value_type' => 'integer'
1325				},
1326				'RevokedHostKeys',
1327				{
1328				'description' => 'Specifies revoked host public keys. Keys listed in this file will be refused
1329				for host authentication. Note that if this file does not exist or is not
1330				readable, then host authentication will be refused for all hosts. Keys may be
1331				specified as a text file, listing one public key per line, or as an OpenSSH Key
1332				Revocation List (KRL) as generated by ssh-keygen1. For more information on
1333				KRLs, see the KEY REVOCATION LISTS section in ssh-keygen1. Arguments to
1334				B<RevokedHostKeys> may use the tilde syntax to refer to a user\'s home
1335				directory, the tokens described in the I<TOKENS> section and environment
1336				variables as described in the I<ENVIRONMENT VARIABLES> section.',
1337				'type' => 'leaf',
1338				'value_type' => 'uniline'
1339				},
1340				'SecurityKeyProvider',
1341				{
1342				'description' => 'Specifies a path to a library that will be used when loading any FIDO
1343				authenticator-hosted keys, overriding the default of using the built-in USB HID
1344				support.
1345
1346				If the specified value begins with a \'$\' character, then it will be treated as
1347				an environment variable containing the path to the library.',
1348				'type' => 'leaf',
1349				'value_type' => 'uniline'
1350				},
1351				'SendEnv',
1352				{
1353				'cargo' => {
1354				'type' => 'leaf',
1355				'value_type' => 'uniline'
1356				},
1357				'description' => 'Specifies what variables from the local L<environ(7)> should be sent to the
1358				server. The server must also support it, and the server must be configured to
1359				accept these environment variables. Note that the B<TERM> environment variable
1360				is always sent whenever a pseudo-terminal is requested as it is required by the
1361				protocol. Refer to B<AcceptEnv> in sshd_config5 for how to configure the
1362				server. Variables are specified by name, which may contain wildcard characters.
1363				Multiple environment variables may be separated by whitespace or spread across
1364				multiple B<SendEnv> directives.
1365
1366				See I<PATTERNS> for more information on patterns.
1367
1368				It is possible to clear previously set B<SendEnv> variable names by prefixing
1369				patterns with - The default is not to send any environment variables.',
1370				'type' => 'list'
1371				},
1372				'ServerAliveCountMax',
1373				{
1374				'description' => 'Sets the number of server alive messages (see below) which may be sent without
1375				L<ssh(1)> receiving any messages back from the server. If this threshold is
1376				reached while server alive messages are being sent, ssh will disconnect from
1377				the server, terminating the session. It is important to note that the use of
1378				server alive messages is very different from B<TCPKeepAlive> (below). The
1379				server alive messages are sent through the encrypted channel and therefore will
1380				not be spoofable. The TCP keepalive option enabled by B<TCPKeepAlive> is
1381				spoofable. The server alive mechanism is valuable when the client or server
1382				depend on knowing when a connection has become unresponsive.
1383
1384				The default value is 3. If, for example, B<ServerAliveInterval> (see below) is
1385				set to 15 and B<ServerAliveCountMax> is left at the default, if the server
1386				becomes unresponsive, ssh will disconnect after approximately 45 seconds.',
1387				'type' => 'leaf',
1388				'upstream_default' => '3',
1389				'value_type' => 'integer'
1390				},
1391				'ServerAliveInterval',
1392				{
1393				'description' => 'Sets a timeout interval in seconds after which if no data has been received
1394				from the server, L<ssh(1)> will send a message through the encrypted channel to
1395				request a response from the server. The default is 0, indicating that these
1396				messages will not be sent to the server, or 300 if the B<BatchMode> option is
1397				set (Debian-specific). B<ProtocolKeepAlives> and B<SetupTimeOut> are
1398				Debian-specific compatibility aliases for this option.',
1399				'type' => 'leaf',
1400				'upstream_default' => '0',
1401				'value_type' => 'integer'
1402				},
1403				'SessionType',
1404				{
1405				'choice' => [
1406				'default',
1407				'none',
1408				'subsystem'
1409				],
1410				'description' => 'May be used to either request invocation of a subsystem on the remote system,
1411				or to prevent the execution of a remote command at all. The latter is useful
1412				for just forwarding ports. The argument to this keyword must be B<none> (same
1413				as the -B<N> option), B<subsystem> (same as the -B<s> option) or B<default>
1414				(shell or command execution).',
1415				'type' => 'leaf',
1416				'value_type' => 'enum'
1417				},
1418				'SetEnv',
1419				{
1420				'description' => 'Directly specify one or more environment variables and their contents to be
1421				sent to the server. Similarly to B<SendEnv> with the exception of the B<TERM>
1422				variable, the server must be prepared to accept the environment variable.',
1423				'type' => 'leaf',
1424				'value_type' => 'uniline'
1425				},
1426				'StdinNull',
1427				{
1428				'description' => 'Redirects stdin from /dev/null (actually, prevents reading from stdin). Either
1429				this or the equivalent -B<n> option must be used when B<ssh> is run in the
1430				background. The argument to this keyword must be B<yes> (same as the -B<n>
1431				option) or B<no> (the default).',
1432				'type' => 'leaf',
1433				'upstream_default' => 'no',
1434				'value_type' => 'boolean',
1435				'write_as' => [
1436				'no',
1437				'yes'
1438				]
1439				},
1440				'StreamLocalBindMask',
1441				{
1442				'description' => 'Sets the octal file creation mode mask (umask) used when creating a Unix-domain
1443				socket file for local or remote port forwarding. This option is only used for
1444				port forwarding to a Unix-domain socket file.
1445
1446				The default value is 0177, which creates a Unix-domain socket file that is
1447				readable and writable only by the owner. Note that not all operating systems
1448				honor the file mode on Unix-domain socket files.',
1449				'type' => 'leaf',
1450				'value_type' => 'uniline'
1451				},
1452				'StreamLocalBindUnlink',
1453				{
1454				'description' => 'Specifies whether to remove an existing Unix-domain socket file for local or
1455				remote port forwarding before creating a new one. If the socket file already
1456				exists and B<StreamLocalBindUnlink> is not enabled, B<ssh> will be unable to
1457				forward the port to the Unix-domain socket file. This option is only used for
1458				port forwarding to a Unix-domain socket file.
1459
1460				The argument must be B<yes> or B<no> (the default).',
1461				'type' => 'leaf',
1462				'upstream_default' => 'no',
1463				'value_type' => 'boolean',
1464				'write_as' => [
1465				'no',
1466				'yes'
1467				]
1468				},
1469				'StrictHostKeyChecking',
1470				{
1471				'choice' => [
1472				'yes',
1473				'accept-new',
1474				'no',
1475				'off',
1476				'ask'
1477				],
1478				'description' => 'If this flag is set to B<yes> L<ssh(1)> will never automatically add host keys
1479				to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key
1480				has changed. This provides maximum protection against man-in-the-middle (MITM)
1481				attacks, though it can be annoying when the /etc/ssh/ssh_known_hosts file is
1482				poorly maintained or when connections to new hosts are frequently made. This
1483				option forces the user to manually add all new hosts.
1484
1485				If this flag is set to B<accept-new> then ssh will automatically add new host
1486				keys to the user\'s known_hosts file, but will not permit connections to hosts
1487				with changed host keys. If this flag is set to B<no> or B<off> ssh will
1488				automatically add new host keys to the user known hosts files and allow
1489				connections to hosts with changed hostkeys to proceed, subject to some
1490				restrictions. If this flag is set to B<ask> (the default), new host keys will
1491				be added to the user known host files only after the user has confirmed that is
1492				what they really want to do, and ssh will refuse to connect to hosts whose host
1493				key has changed. The host keys of known hosts will be verified automatically in
1494				all cases.',
1495				'type' => 'leaf',
1496				'upstream_default' => 'ask',
1497				'value_type' => 'enum'
1498				},
1499				'SyslogFacility',
1500				{
1501				'choice' => [
1502				'AUTH',
1503				'DAEMON',
1504				'LOCAL0',
1505				'LOCAL1',
1506				'LOCAL2',
1507				'LOCAL3',
1508				'LOCAL4',
1509				'LOCAL5',
1510				'LOCAL6',
1511				'LOCAL7',
1512				'USER'
1513				],
1514				'description' => 'Gives the facility code that is used when logging messages from L<ssh(1)>. The
1515				possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3,
1516				LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is USER.',
1517				'type' => 'leaf',
1518				'upstream_default' => 'USER',
1519				'value_type' => 'enum'
1520				},
1521				'TCPKeepAlive',
1522				{
1523				'description' => 'Specifies whether the system should send TCP keepalive messages to the other
1524				side. If they are sent, death of the connection or crash of one of the machines
1525				will be properly noticed. This option only uses TCP keepalives (as opposed to
1526				using ssh level keepalives), so takes a long time to notice when the connection
1527				dies. As such, you probably want the B<ServerAliveInterval> option as well.
1528				However, this means that connections will die if the route is down temporarily,
1529				and some people find it annoying.
1530
1531				The default is B<yes> (to send TCP keepalive messages), and the client will
1532				notice if the network goes down or the remote host dies. This is important in
1533				scripts, and many users want it too.
1534
1535				To disable TCP keepalive messages, the value should be set to B<no> See also
1536				B<ServerAliveInterval> for protocol-level keepalives.',
1537				'type' => 'leaf',
1538				'upstream_default' => 'yes',
1539				'value_type' => 'boolean',
1540				'write_as' => [
1541				'no',
1542				'yes'
1543				]
1544				},
1545				'Tag',
1546				{
1547				'description' => 'Specify a configuration tag name that may be later used by a B<Match> directive
1548				to select a block of configuration.',
1549				'type' => 'leaf',
1550				'value_type' => 'uniline'
1551				},
1552				'Tunnel',
1553				{
1554				'choice' => [
1555				'ethernet',
1556				'no',
1557				'point-to-point',
1558				'yes'
1559				],
1560				'description' => 'Request L<tun(4)> device forwarding between the client and the server. The
1561				argument must be B<yes> B<point-to-point> (layer 3), B<ethernet> (layer 2), or
1562				B<no> (the default). Specifying B<yes> requests the default tunnel mode, which
1563				is B<point-to-point>',
1564				'type' => 'leaf',
1565				'upstream_default' => 'no',
1566				'value_type' => 'enum'
1567				},
1568				'TunnelDevice',
1569				{
1570				'description' => 'Specifies the L<tun(4)> devices to open on the client (I<local_tun> ) and the
1571				server (I<remote_tun> )
1572
1573				The argument must be I<local_tun > [: I<remote_tun> ] The devices may be
1574				specified by numerical ID or the keyword B<any> which uses the next available
1575				tunnel device. If I<remote_tun> is not specified, it defaults to B<any> The
1576				default is B<any:any>',
1577				'type' => 'leaf',
1578				'upstream_default' => 'any:any',
1579				'value_type' => 'uniline'
1580				},
1581				'UpdateHostKeys',
1582				{
1583				'choice' => [
1584				'ask',
1585				'no',
1586				'yes'
1587				],
1588				'description' => 'Specifies whether L<ssh(1)> should accept notifications of additional hostkeys
1589				from the server sent after authentication has completed and add them to
1590				B<UserKnownHostsFile> The argument must be B<yes> B<no> or B<ask> This option
1591				allows learning alternate hostkeys for a server and supports graceful key
1592				rotation by allowing a server to send replacement public keys before old ones
1593				are removed.
1594
1595				Additional hostkeys are only accepted if the key used to authenticate the host
1596				was already trusted or explicitly accepted by the user, the host was
1597				authenticated via B<UserKnownHostsFile> (i.e. not B<GlobalKnownHostsFile> and
1598				the host was authenticated using a plain key and not a certificate.
1599
1600				B<UpdateHostKeys> is enabled by default if the user has not overridden the
1601				default B<UserKnownHostsFile> setting and has not enabled B<VerifyHostKeyDNS>
1602				otherwise B<UpdateHostKeys> will be set to B<no>
1603
1604				If B<UpdateHostKeys> is set to B<ask> then the user is asked to confirm the
1605				modifications to the known_hosts file. Confirmation is currently incompatible
1606				with B<ControlPersist> and will be disabled if it is enabled.
1607
1608				Presently, only L<sshd(8)> from OpenSSH 6.8 and greater support the Qq
1609				hostkeys@openssh.com protocol extension used to inform the client of all the
1610				server\'s hostkeys.',
1611				'type' => 'leaf',
1612				'value_type' => 'enum'
1613				},
1614				'User',
1615				{
1616				'description' => 'Specifies the user to log in as. This can be useful when a different user name
1617				is used on different machines. This saves the trouble of having to remember to
1618				give the user name on the command line.',
1619				'type' => 'leaf',
1620				'value_type' => 'uniline'
1621				},
1622				'UserKnownHostsFile',
1623				{
1624				'cargo' => {
1625				'type' => 'leaf',
1626				'value_type' => 'uniline'
1627				},
1628				'description' => 'Specifies one or more files to use for the user host key database, separated by
1629				whitespace. Each filename may use tilde notation to refer to the user\'s home
1630				directory, the tokens described in the I<TOKENS> section and environment
1631				variables as described in the I<ENVIRONMENT VARIABLES> section. A value of
1632				B<none> causes L<ssh(1)> to ignore any user-specific known hosts files. The
1633				default is ~/.ssh/known_hosts ~/.ssh/known_hosts2',
1634				'type' => 'list'
1635				},
1636				'VerifyHostKeyDNS',
1637				{
1638				'choice' => [
1639				'ask',
1640				'no',
1641				'yes'
1642				],
1643				'description' => 'Specifies whether to verify the remote key using DNS and SSHFP resource
1644				records. If this option is set to B<yes> the client will implicitly trust keys
1645				that match a secure fingerprint from DNS. Insecure fingerprints will be handled
1646				as if this option was set to B<ask> If this option is set to B<ask> information
1647				on fingerprint match will be displayed, but the user will still need to confirm
1648				new host keys according to the B<StrictHostKeyChecking> option. The default is
1649				B<no>
1650
1651				See also I<VERIFYING HOST KEYS> in L<ssh(1)>.',
1652				'type' => 'leaf',
1653				'upstream_default' => 'no',
1654				'value_type' => 'enum'
1655				},
1656				'VisualHostKey',
1657				{
1658				'description' => 'If this flag is set to B<yes> an ASCII art representation of the remote host
1659				key fingerprint is printed in addition to the fingerprint string at login and
1660				for unknown host keys. If this flag is set to B<no> (the default), no
1661				fingerprint strings are printed at login and only the fingerprint string will
1662				be printed for unknown host keys.',
1663				'type' => 'leaf',
1664				'upstream_default' => 'no',
1665				'value_type' => 'uniline'
1666				},
1667				'XAuthLocation',
1668				{
1669				'description' => 'Specifies the full pathname of the L<xauth(1)> program. The default is
1670				/usr/bin/xauth',
1671				'type' => 'leaf',
1672				'upstream_default' => '/usr/bin/xauth',
1673				'value_type' => 'uniline'
1674				},
1675				'FallBackToRsh',
1676				{
1677				'description' => 'This parameter is now ignored by Ssh',
1678				'status' => 'deprecated',
1679				'type' => 'leaf',
1680				'value_type' => 'uniline'
1681				},
1682				'HostbasedKeyTypes',
1683				{
1684				'description' => 'This parameter is now ignored by Ssh',
1685				'status' => 'deprecated',
1686				'type' => 'leaf',
1687				'value_type' => 'uniline'
1688				},
1689				'PubkeyAcceptedKeyTypes',
1690				{
1691				'description' => 'This parameter is now ignored by Ssh',
1692				'status' => 'deprecated',
1693				'type' => 'leaf',
1694				'value_type' => 'uniline'
1695				},
1696				'UseRsh',
1697				{
1698				'description' => 'This parameter is now ignored by Ssh',
1699				'status' => 'deprecated',
1700				'type' => 'leaf',
1701				'value_type' => 'uniline'
1702				}
1703				],
1704				'generated_by' => 'parse-man.pl from ssh_system 9.4p1 doc',
1705				'license' => 'LGPL2',
1706				'name' => 'Ssh::HostElement'
1707				}
1708				]
1709				;
1710