File Coverage

blib/lib/Config/Model/models/Sshd/MatchElement.pl
Criterion Covered Total %
statement 6 6 100.0
branch n/a
condition n/a
subroutine 2 2 100.0
pod n/a
total 8 8 100.0


line stmt bran cond sub pod time code
1             #
2             # This file is part of Config-Model-OpenSsh
3             #
4             # This software is Copyright (c) 2008-2022 by Dominique Dumont.
5             #
6             # This is free software, licensed under:
7             #
8             # The GNU Lesser General Public License, Version 2.1, February 1999
9             #
10 3     3   19532 use strict;
  3         8  
  3         85  
11 3     3   15 use warnings;
  3         6  
  3         3154  
12              
13             return [
14             {
15             'accept' => [
16             '.*',
17             {
18             'summary' => 'boilerplate parameter that may hide a typo',
19             'type' => 'leaf',
20             'value_type' => 'uniline',
21             'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author'
22             }
23             ],
24             'class_description' => 'This configuration class was generated from sshd_system documentation.
25             by L<parse-man.pl|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl>
26             ',
27             'element' => [
28             'AcceptEnv',
29             {
30             'cargo' => {
31             'type' => 'leaf',
32             'value_type' => 'uniline'
33             },
34             'description' => 'Specifies what environment
35             variables sent by the client will be copied into the
36             session\'s L<environ(7)>. See B<SendEnv> and
37             B<SetEnv> in L<ssh_config(5)> for how to configure the
38             client. The TERM environment variable is always accepted
39             whenever the client requests a pseudo-terminal as it is
40             required by the protocol. Variables are specified by name,
41             which may contain the wildcard characters \'*\'
42             and \'?\'. Multiple environment variables may be
43             separated by whitespace or spread across multiple
44             B<AcceptEnv> directives. Be warned that some environment
45             variables could be used to bypass restricted user
46             environments. For this reason, care should be taken in the
47             use of this directive. The default is not to accept any
48             environment variables.',
49             'type' => 'list'
50             },
51             'AllowAgentForwarding',
52             {
53             'description' => 'Specifies whether L<ssh-agent(1)>
54             forwarding is permitted. The default is B<yes>. Note
55             that disabling agent forwarding does not improve security
56             unless users are also denied shell access, as they can
57             always install their own forwarders.',
58             'type' => 'leaf',
59             'upstream_default' => 'yes',
60             'value_type' => 'boolean',
61             'write_as' => [
62             'no',
63             'yes'
64             ]
65             },
66             'AllowGroups',
67             {
68             'cargo' => {
69             'type' => 'leaf',
70             'value_type' => 'uniline'
71             },
72             'description' => 'This keyword can be followed by
73             a list of group name patterns, separated by spaces. If
74             specified, login is allowed only for users whose primary
75             group or supplementary group list matches one of the
76             patterns. Only group names are valid; a numerical group ID
77             is not recognized. By default, login is allowed for all
78             groups. The allow/deny groups directives are processed in
79             the following order: B<DenyGroups>,
80             B<AllowGroups>.
81              
82             See PATTERNS in
83             L<ssh_config(5)> for more information on patterns.',
84             'type' => 'list'
85             },
86             'AllowStreamLocalForwarding',
87             {
88             'choice' => [
89             'yes',
90             'all',
91             'no',
92             'local',
93             'remote'
94             ],
95             'description' => 'Specifies whether StreamLocal
96             (Unix-domain socket) forwarding is permitted. The available
97             options are B<yes> (the default) or B<all> to allow
98             StreamLocal forwarding, B<no> to prevent all StreamLocal
99             forwarding, B<local> to allow local (from the
100             perspective of L<ssh(1)>) forwarding only or B<remote> to
101             allow remote forwarding only. Note that disabling
102             StreamLocal forwarding does not improve security unless
103             users are also denied shell access, as they can always
104             install their own forwarders.',
105             'type' => 'leaf',
106             'upstream_default' => 'yes',
107             'value_type' => 'enum'
108             },
109             'AllowTcpForwarding',
110             {
111             'choice' => [
112             'yes',
113             'all',
114             'no',
115             'local',
116             'remote'
117             ],
118             'description' => 'Specifies whether TCP
119             forwarding is permitted. The available options are
120             B<yes> (the default) or B<all> to allow TCP
121             forwarding, B<no> to prevent all TCP forwarding,
122             B<local> to allow local (from the perspective of L<ssh(1)>)
123             forwarding only or B<remote> to allow remote forwarding
124             only. Note that disabling TCP forwarding does not improve
125             security unless users are also denied shell access, as they
126             can always install their own forwarders.',
127             'type' => 'leaf',
128             'upstream_default' => 'yes',
129             'value_type' => 'enum'
130             },
131             'AllowUsers',
132             {
133             'cargo' => {
134             'type' => 'leaf',
135             'value_type' => 'uniline'
136             },
137             'description' => 'This keyword can be followed by
138             a list of user name patterns, separated by spaces. If
139             specified, login is allowed only for user names that match
140             one of the patterns. Only user names are valid; a numerical
141             user ID is not recognized. By default, login is allowed for
142             all users. If the pattern takes the form USER@HOST then USER
143             and HOST are separately checked, restricting logins to
144             particular users from particular hosts. HOST criteria may
145             additionally contain addresses to match in CIDR
146             address/masklen format. The allow/deny users directives are
147             processed in the following order: B<DenyUsers>,
148             B<AllowUsers>.
149              
150             See PATTERNS in
151             L<ssh_config(5)> for more information on patterns.',
152             'type' => 'list'
153             },
154             'AuthenticationMethods',
155             {
156             'description' => 'Specifies the authentication
157             methods that must be successfully completed for a user to be
158             granted access. This option must be followed by one or more
159             lists of comma-separated authentication method names, or by
160             the single string B<any> to indicate the default
161             behaviour of accepting any single authentication method. If
162             the default is overridden, then successful authentication
163             requires completion of every method in at least one of these
164             lists.
165              
166             For example,
167             "publickey, password
168             publickey, keyboard-interactive" would require the user
169             to complete public key authentication, followed by either
170             password or keyboard interactive authentication. Only
171             methods that are next in one or more lists are offered at
172             each stage, so for this example it would not be possible to
173             attempt password or keyboard-interactive authentication
174             before public key.
175              
176             For keyboard
177             interactive authentication it is also possible to restrict
178             authentication to a specific device by appending a colon
179             followed by the device identifier B<bsdauth> or
180             B<pam>. depending on the server configuration. For
181             example, "keyboard-interactive:bsdauth" would
182             restrict keyboard interactive authentication to the
183             B<bsdauth> device.
184              
185             If the
186             publickey method is listed more than once, L<sshd(8)> verifies
187             that keys that have been used successfully are not reused
188             for subsequent authentications. For example,
189             "publickey, publickey" requires successful
190             authentication using two different public keys.
191              
192             Note that each
193             authentication method listed should also be explicitly
194             enabled in the configuration.
195              
196             The available
197             authentication methods are: "gssapi-with-mic",
198             "hostbased", "keyboard-interactive",
199             "none" (used for access to password-less accounts
200             when B<PermitEmptyPasswords> is enabled),
201             "password" and "publickey".',
202             'type' => 'leaf',
203             'value_type' => 'uniline'
204             },
205             'AuthorizedKeysCommand',
206             {
207             'description' => 'Specifies a program to be used
208             to look up the user\'s public keys. The program must be
209             owned by root, not writable by group or others and specified
210             by an absolute path. Arguments to
211             B<AuthorizedKeysCommand> accept the tokens described in
212             the I<TOKENS> section. If no arguments are specified
213             then the username of the target user is used.
214              
215             The program
216             should produce on standard output zero or more lines of
217             authorized_keys output (see I<AUTHORIZED_KEYS> in
218             L<sshd(8)>). B<AuthorizedKeysCommand> is tried after the
219             usual B<AuthorizedKeysFile> files and will not be
220             executed if a matching key is found there. By default, no
221             B<AuthorizedKeysCommand> is run.',
222             'type' => 'leaf',
223             'value_type' => 'uniline'
224             },
225             'AuthorizedKeysCommandUser',
226             {
227             'description' => 'Specifies the user under whose
228             account the B<AuthorizedKeysCommand> is run. It is
229             recommended to use a dedicated user that has no other role
230             on the host than running authorized keys commands. If
231             B<AuthorizedKeysCommand> is specified but
232             B<AuthorizedKeysCommandUser> is not, then L<sshd(8)> will
233             refuse to start.',
234             'type' => 'leaf',
235             'value_type' => 'uniline'
236             },
237             'AuthorizedKeysFile',
238             {
239             'cargo' => {
240             'type' => 'leaf',
241             'value_type' => 'uniline'
242             },
243             'description' => 'Specifies the file that
244             contains the public keys used for user authentication. The
245             format is described in the AUTHORIZED_KEYS FILE FORMAT
246             section of L<sshd(8)>. Arguments to B<AuthorizedKeysFile>
247             accept the tokens described in the I<TOKENS> section.
248             After expansion, B<AuthorizedKeysFile> is taken to be an
249             absolute path or one relative to the user\'s home
250             directory. Multiple files may be listed, separated by
251             whitespace. Alternately this option may be set to
252             B<none> to skip checking for user keys in files. The
253             default is ".ssh/authorized_keys
254             .ssh/authorized_keys2".',
255             'migrate_values_from' => '- AuthorizedKeysFile2',
256             'type' => 'list'
257             },
258             'AuthorizedPrincipalsCommand',
259             {
260             'description' => 'Specifies a program to be used
261             to generate the list of allowed certificate principals as
262             per B<AuthorizedPrincipalsFile>. The program must be
263             owned by root, not writable by group or others and specified
264             by an absolute path. Arguments to
265             B<AuthorizedPrincipalsCommand> accept the tokens
266             described in the I<TOKENS> section. If no arguments are
267             specified then the username of the target user is used.
268              
269             The program
270             should produce on standard output zero or more lines of
271             B<AuthorizedPrincipalsFile> output. If either
272             B<AuthorizedPrincipalsCommand> or
273             B<AuthorizedPrincipalsFile> is specified, then
274             certificates offered by the client for authentication must
275             contain a principal that is listed. By default, no
276             B<AuthorizedPrincipalsCommand> is run.',
277             'type' => 'leaf',
278             'value_type' => 'uniline'
279             },
280             'AuthorizedPrincipalsCommandUser',
281             {
282             'description' => 'Specifies the user under whose
283             account the B<AuthorizedPrincipalsCommand> is run. It is
284             recommended to use a dedicated user that has no other role
285             on the host than running authorized principals commands. If
286             B<AuthorizedPrincipalsCommand> is specified but
287             B<AuthorizedPrincipalsCommandUser> is not, then L<sshd(8)>
288             will refuse to start.',
289             'type' => 'leaf',
290             'value_type' => 'uniline'
291             },
292             'AuthorizedPrincipalsFile',
293             {
294             'description' => "Specifies a file that lists
295             principal names that are accepted for certificate
296             authentication. When using certificates signed by a key
297             listed in B<TrustedUserCAKeys>, this file lists names,
298             one of which must appear in the certificate for it to be
299             accepted for authentication. Names are listed one per line
300             preceded by key options (as described in I<AUTHORIZED_KEYS
301             FILE FORMAT> in L<sshd(8)>). Empty lines and comments
302             starting with '#' are ignored.
303              
304             Arguments to
305             B<AuthorizedPrincipalsFile> accept the tokens described
306             in the I<TOKENS> section. After expansion,
307             B<AuthorizedPrincipalsFile> is taken to be an absolute
308             path or one relative to the user's home directory. The
309             default is B<none>, i.e. not to use a principals file
310             \x{2013} in this case, the username of the user must appear
311             in a certificate's principals list for it to be
312             accepted.
313              
314             Note that
315             B<AuthorizedPrincipalsFile> is only used when
316             authentication proceeds using a CA listed in
317             B<TrustedUserCAKeys> and is not consulted for
318             certification authorities trusted via
319             I<~/.ssh/authorized_keys>, though the B<principals=>
320             key option offers a similar facility (see L<sshd(8)> for
321             details).",
322             'type' => 'leaf',
323             'upstream_default' => 'none',
324             'value_type' => 'uniline'
325             },
326             'Banner',
327             {
328             'description' => 'The contents of
329             the specified file are sent to the remote user before
330             authentication is allowed. If the argument is B<none>
331             then no banner is displayed. By default, no banner is
332             displayed.',
333             'type' => 'leaf',
334             'value_type' => 'uniline'
335             },
336             'CASignatureAlgorithms',
337             {
338             'description' => 'Specifies which algorithms are
339             allowed for signing of certificates by certificate
340             authorities (CAs). The default is:
341              
342             ssh-ed25519, ecdsa-sha2-nistp256,
343             ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
344             sk-ssh-ed25519@openssh.com,
345             sk-ecdsa-sha2-nistp256@openssh.com,
346             rsa-sha2-512, rsa-sha2-256
347              
348             If the
349             specified list begins with a \'+\' character, then
350             the specified algorithms will be appended to the default set
351             instead of replacing them. If the specified list begins with
352             a \'-\' character, then the specified algorithms
353             (including wildcards) will be removed from the default set
354             instead of replacing them.
355              
356             Certificates
357             signed using other algorithms will not be accepted for
358             public key or host-based authentication.',
359             'type' => 'leaf',
360             'value_type' => 'uniline'
361             },
362             'ChrootDirectory',
363             {
364             'description' => 'Specifies the pathname of a
365             directory to L<chroot(2)> to after authentication. At session
366             startup L<sshd(8)> checks that all components of the pathname
367             are root-owned directories which are not writable by any
368             other user or group. After the chroot, L<sshd(8)> changes the
369             working directory to the user\'s home directory.
370             Arguments to B<ChrootDirectory> accept the tokens
371             described in the I<TOKENS> section.
372              
373             The
374             B<ChrootDirectory> must contain the necessary files and
375             directories to support the user\'s session. For an
376             interactive session this requires at least a shell,
377             typically L<sh(1)>, and basic I</dev> nodes such as
378             L<null(4)>, L<zero(4)>, L<stdin(4)>, L<stdout(4)>, L<stderr(4)>, and L<tty(4)>
379             devices. For file transfer sessions using SFTP no additional
380             configuration of the environment is necessary if the
381             in-process sftp-server is used, though sessions which use
382             logging may require I</dev/log> inside the chroot
383             directory on some operating systems (see L<sftp-server(8)> for
384             details).
385              
386             For safety, it
387             is very important that the directory hierarchy be prevented
388             from modification by other processes on the system
389             (especially those outside the jail). Misconfiguration can
390             lead to unsafe environments which L<sshd(8)> cannot detect.
391              
392             The default is
393             B<none>, indicating not to L<chroot(2)>.',
394             'type' => 'leaf',
395             'upstream_default' => 'none',
396             'value_type' => 'uniline'
397             },
398             'ClientAliveCountMax',
399             {
400             'description' => 'Sets the number of client alive
401             messages which may be sent without L<sshd(8)> receiving any
402             messages back from the client. If this threshold is reached
403             while client alive messages are being sent, sshd will
404             disconnect the client, terminating the session. It is
405             important to note that the use of client alive messages is
406             very different from B<TCPKeepAlive>. The client alive
407             messages are sent through the encrypted channel and
408             therefore will not be spoofable. The TCP keepalive option
409             enabled by B<TCPKeepAlive> is spoofable. The client
410             alive mechanism is valuable when the client or server depend
411             on knowing when a connection has become unresponsive.
412              
413             The default
414             value is 3. If B<ClientAliveInterval> is set to 15, and
415             B<ClientAliveCountMax> is left at the default,
416             unresponsive SSH clients will be disconnected after
417             approximately 45 seconds. Setting a zero
418             B<ClientAliveCountMax> disables connection
419             termination.',
420             'type' => 'leaf',
421             'upstream_default' => '3',
422             'value_type' => 'integer'
423             },
424             'ClientAliveInterval',
425             {
426             'description' => 'Sets a timeout interval in
427             seconds after which if no data has been received from the
428             client, L<sshd(8)> will send a message through the encrypted
429             channel to request a response from the client. The default
430             is 0, indicating that these messages will not be sent to the
431             client.',
432             'type' => 'leaf',
433             'upstream_default' => '0',
434             'value_type' => 'integer'
435             },
436             'DenyGroups',
437             {
438             'cargo' => {
439             'type' => 'leaf',
440             'value_type' => 'uniline'
441             },
442             'description' => 'This keyword can be followed by
443             a list of group name patterns, separated by spaces. Login is
444             disallowed for users whose primary group or supplementary
445             group list matches one of the patterns. Only group names are
446             valid; a numerical group ID is not recognized. By default,
447             login is allowed for all groups. The allow/deny groups
448             directives are processed in the following order:
449             B<DenyGroups>, B<AllowGroups>.
450              
451             See PATTERNS in
452             L<ssh_config(5)> for more information on patterns.',
453             'type' => 'list'
454             },
455             'DenyUsers',
456             {
457             'cargo' => {
458             'type' => 'leaf',
459             'value_type' => 'uniline'
460             },
461             'description' => 'This keyword can be followed by
462             a list of user name patterns, separated by spaces. Login is
463             disallowed for user names that match one of the patterns.
464             Only user names are valid; a numerical user ID is not
465             recognized. By default, login is allowed for all users. If
466             the pattern takes the form USER@HOST then USER and HOST are
467             separately checked, restricting logins to particular users
468             from particular hosts. HOST criteria may additionally
469             contain addresses to match in CIDR address/masklen format.
470             The allow/deny users directives are processed in the
471             following order: B<DenyUsers>, B<AllowUsers>.
472              
473             See PATTERNS in
474             L<ssh_config(5)> for more information on patterns.',
475             'type' => 'list'
476             },
477             'DisableForwarding',
478             {
479             'description' => 'Disables all forwarding
480             features, including X11, L<ssh-agent(1)>, TCP and StreamLocal.
481             This option overrides all other forwarding-related options
482             and may simplify restricted configurations.',
483             'type' => 'leaf',
484             'value_type' => 'uniline'
485             },
486             'ExposeAuthInfo',
487             {
488             'description' => 'Writes a temporary file
489             containing a list of authentication methods and public
490             credentials (e.g. keys) used to authenticate the user. The
491             location of the file is exposed to the user session through
492             the SSH_USER_AUTH environment variable. The default is
493             B<no>.',
494             'type' => 'leaf',
495             'upstream_default' => 'no',
496             'value_type' => 'boolean',
497             'write_as' => [
498             'no',
499             'yes'
500             ]
501             },
502             'ForceCommand',
503             {
504             'description' => 'Forces the execution of the
505             command specified by B<ForceCommand>, ignoring any
506             command supplied by the client and I<~/.ssh/rc> if
507             present. The command is invoked by using the user\'s
508             login shell with the -c option. This applies to shell,
509             command, or subsystem execution. It is most useful inside a
510             B<Match> block. The command originally supplied by the
511             client is available in the SSH_ORIGINAL_COMMAND environment
512             variable. Specifying a command of B<internal-sftp> will
513             force the use of an in-process SFTP server that requires no
514             support files when used with B<ChrootDirectory>. The
515             default is B<none>.',
516             'type' => 'leaf',
517             'upstream_default' => 'none',
518             'value_type' => 'uniline'
519             },
520             'GatewayPorts',
521             {
522             'choice' => [
523             'no',
524             'yes',
525             'clientspecified'
526             ],
527             'description' => 'Specifies whether remote hosts
528             are allowed to connect to ports forwarded for the client. By
529             default, L<sshd(8)> binds remote port forwardings to the
530             loopback address. This prevents other remote hosts from
531             connecting to forwarded ports. B<GatewayPorts> can be
532             used to specify that sshd should allow remote port
533             forwardings to bind to non-loopback addresses, thus allowing
534             other hosts to connect. The argument may be B<no> to
535             force remote port forwardings to be available to the local
536             host only, B<yes> to force remote port forwardings to
537             bind to the wildcard address, or B<clientspecified> to
538             allow the client to select the address to which the
539             forwarding is bound. The default is B<no>.',
540             'type' => 'leaf',
541             'upstream_default' => 'no',
542             'value_type' => 'enum'
543             },
544             'GSSAPIAuthentication',
545             {
546             'description' => 'Specifies whether user
547             authentication based on GSSAPI is allowed. The default is
548             B<no>.',
549             'type' => 'leaf',
550             'upstream_default' => 'no',
551             'value_type' => 'boolean',
552             'write_as' => [
553             'no',
554             'yes'
555             ]
556             },
557             'HostbasedAcceptedAlgorithms',
558             {
559             'description' => 'Specifies the signature
560             algorithms that will be accepted for hostbased
561             authentication as a list of comma-separated patterns.
562             Alternately if the specified list begins with a
563             \'+\' character, then the specified signature
564             algorithms will be appended to the default set instead of
565             replacing them. If the specified list begins with a
566             \'-\' character, then the specified signature
567             algorithms (including wildcards) will be removed from the
568             default set instead of replacing them. If the specified list
569             begins with a \'^\' character, then the specified
570             signature algorithms will be placed at the head of the
571             default set. The default for this option is:
572              
573             ssh-ed25519-cert-v01@openssh.com,
574             ecdsa-sha2-nistp256-cert-v01@openssh.com,
575             ecdsa-sha2-nistp384-cert-v01@openssh.com,
576             ecdsa-sha2-nistp521-cert-v01@openssh.com,
577             sk-ssh-ed25519-cert-v01@openssh.com,
578             sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
579             rsa-sha2-512-cert-v01@openssh.com,
580             rsa-sha2-256-cert-v01@openssh.com,
581             ssh-ed25519,
582             ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
583             sk-ssh-ed25519@openssh.com,
584             sk-ecdsa-sha2-nistp256@openssh.com,
585             rsa-sha2-512, rsa-sha2-256
586              
587             The list of
588             available signature algorithms may also be obtained using
589             "ssh -Q HostbasedAcceptedAlgorithms". This was
590             formerly named HostbasedAcceptedKeyTypes.',
591             'type' => 'leaf',
592             'value_type' => 'uniline'
593             },
594             'HostbasedAuthentication',
595             {
596             'description' => 'Specifies whether rhosts or
597             /etc/hosts.equiv authentication together with successful
598             public key client host authentication is allowed (host-based
599             authentication). The default is B<no>.',
600             'type' => 'leaf',
601             'upstream_default' => 'no',
602             'value_type' => 'boolean',
603             'write_as' => [
604             'no',
605             'yes'
606             ]
607             },
608             'HostbasedUsesNameFromPacketOnly',
609             {
610             'description' => 'Specifies whether or not the
611             server will attempt to perform a reverse name lookup when
612             matching the name in the I<~/.shosts>, I<~/.rhosts>,
613             and I</etc/hosts.equiv> files during
614             B<HostbasedAuthentication>. A setting of B<yes>
615             means that L<sshd(8)> uses the name supplied by the client
616             rather than attempting to resolve the name from the TCP
617             connection itself. The default is B<no>.',
618             'type' => 'leaf',
619             'upstream_default' => 'no',
620             'value_type' => 'boolean',
621             'write_as' => [
622             'no',
623             'yes'
624             ]
625             },
626             'IgnoreRhosts',
627             {
628             'description' => 'Specifies whether to ignore
629             per-user I<.rhosts> and I<.shosts> files during
630             B<HostbasedAuthentication>. The system-wide
631             I</etc/hosts.equiv> and I</etc/ssh/shosts.equiv> are
632             still used regardless of this setting.
633              
634             Accepted values
635             are B<yes> (the default) to ignore all per-user files,
636             B<shosts-only> to allow the use of I<.shosts> but to
637             ignore I<.rhosts> or B<no> to allow both
638             I<.shosts> and I<rhosts>.',
639             'type' => 'leaf',
640             'upstream_default' => 'yes',
641             'value_type' => 'boolean',
642             'write_as' => [
643             'no',
644             'yes'
645             ]
646             },
647             'Include',
648             {
649             'cargo' => {
650             'type' => 'leaf',
651             'value_type' => 'uniline'
652             },
653             'description' => 'Include the specified
654             configuration file(s). Multiple pathnames may be specified
655             and each pathname may contain L<glob(7)> wildcards that will be
656             expanded and processed in lexical order. Files without
657             absolute paths are assumed to be in I</etc/ssh>. An
658             B<Include> directive may appear inside a B<Match>
659             block to perform conditional inclusion.',
660             'type' => 'list'
661             },
662             'IPQoS',
663             {
664             'assert' => {
665             '1_or_2' => {
666             'code' => 'return 1 unless defined $_;
667             my @v = (/(\\w+)/g);
668             return (@v < 3) ? 1 : 0;
669             ',
670             'msg' => 'value must not have more than 2 fields.'
671             },
672             'accepted_values' => {
673             'code' => 'return 1 unless defined $_;
674             my @v = (/(\\S+)/g);
675             my @good = grep {/^(af[1-4][1-3]|cs[0-7]|ef|lowdelay|throughput|reliability|\\d+)/} @v ;
676             return @good == @v ? 1 : 0;
677             ',
678             'msg' => 'Unexpected value "$_". Expected 1 or 2 occurences of: "af11", "af12", "af13", "af21", "af22",
679             "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1",
680             "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay",
681             "throughput", "reliability", or numeric value.
682             '
683             }
684             },
685             'description' => 'Specifies the
686             IPv4 type-of-service or DSCP class for the connection.
687             Accepted values are B<af11>, B<af12>, B<af13>,
688             B<af21>, B<af22>, B<af23>, B<af31>,
689             B<af32>, B<af33>, B<af41>, B<af42>,
690             B<af43>, B<cs0>, B<cs1>, B<cs2>, B<cs3>,
691             B<cs4>, B<cs5>, B<cs6>, B<cs7>, B<ef>,
692             B<le>, B<lowdelay>, B<throughput>,
693             B<reliability>, a numeric value, or B<none> to use
694             the operating system default. This option may take one or
695             two arguments, separated by whitespace. If one argument is
696             specified, it is used as the packet class unconditionally.
697             If two values are specified, the first is automatically
698             selected for interactive sessions and the second for
699             non-interactive sessions. The default is B<lowdelay> for
700             interactive sessions and B<throughput> for
701             non-interactive sessions.',
702             'type' => 'leaf',
703             'upstream_default' => 'af21 cs1',
704             'value_type' => 'uniline'
705             },
706             'KbdInteractiveAuthentication',
707             {
708             'description' => 'Specifies whether to allow
709             keyboard-interactive authentication. The default is
710             B<yes>. The argument to this keyword must be B<yes>
711             or B<no>. B<ChallengeResponseAuthentication> is a
712             deprecated alias for this.',
713             'migrate_from' => {
714             'formula' => '$old',
715             'variables' => {
716             'old' => '- ChallengeResponseAuthentication'
717             }
718             },
719             'type' => 'leaf',
720             'upstream_default' => 'yes',
721             'value_type' => 'boolean',
722             'write_as' => [
723             'no',
724             'yes'
725             ]
726             },
727             'KerberosAuthentication',
728             {
729             'description' => 'Specifies whether the password
730             provided by the user for B<PasswordAuthentication> will
731             be validated through the Kerberos KDC. To use this option,
732             the server needs a Kerberos servtab which allows the
733             verification of the KDC\'s identity. The default is
734             B<no>.',
735             'type' => 'leaf',
736             'upstream_default' => 'no',
737             'value_type' => 'boolean',
738             'write_as' => [
739             'no',
740             'yes'
741             ]
742             },
743             'LogLevel',
744             {
745             'choice' => [
746             'QUIET',
747             'FATAL',
748             'ERROR',
749             'INFO',
750             'VERBOSE',
751             'DEBUG',
752             'DEBUG1',
753             'DEBUG2',
754             'DEBUG3'
755             ],
756             'description' => 'Gives the verbosity level that
757             is used when logging messages from L<sshd(8)>. The possible
758             values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
759             DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and
760             DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
761             levels of debugging output. Logging with a DEBUG level
762             violates the privacy of users and is not recommended.',
763             'type' => 'leaf',
764             'upstream_default' => 'INFO',
765             'value_type' => 'enum'
766             },
767             'MaxAuthTries',
768             {
769             'description' => 'Specifies the maximum number of
770             authentication attempts permitted per connection. Once the
771             number of failures reaches half this value, additional
772             failures are logged. The default is 6.',
773             'type' => 'leaf',
774             'upstream_default' => '6',
775             'value_type' => 'integer'
776             },
777             'MaxSessions',
778             {
779             'description' => 'Specifies the maximum number of
780             open shell, login or subsystem (e.g. sftp) sessions
781             permitted per network connection. Multiple sessions may be
782             established by clients that support connection multiplexing.
783             Setting B<MaxSessions> to 1 will effectively disable
784             session multiplexing, whereas setting it to 0 will prevent
785             all shell, login and subsystem sessions while still
786             permitting forwarding. The default is 10.',
787             'type' => 'leaf',
788             'upstream_default' => '10',
789             'value_type' => 'integer'
790             },
791             'PasswordAuthentication',
792             {
793             'description' => 'Specifies whether password
794             authentication is allowed. The default is B<yes>.',
795             'type' => 'leaf',
796             'upstream_default' => 'yes',
797             'value_type' => 'boolean',
798             'write_as' => [
799             'no',
800             'yes'
801             ]
802             },
803             'PermitEmptyPasswords',
804             {
805             'description' => 'When password authentication is
806             allowed, it specifies whether the server allows login to
807             accounts with empty password strings. The default is
808             B<no>.',
809             'type' => 'leaf',
810             'upstream_default' => 'no',
811             'value_type' => 'boolean',
812             'write_as' => [
813             'no',
814             'yes'
815             ]
816             },
817             'PermitListen',
818             {
819             'cargo' => {
820             'type' => 'leaf',
821             'value_type' => 'uniline'
822             },
823             'description' => "Specifies the addresses/ports
824             on which a remote TCP port forwarding may listen. The listen
825             specification must be one of the following forms:
826              
827             B<PermitListen>I<port> B<
828             PermitListen> I<host>:I<port>
829              
830             Multiple
831             permissions may be specified by separating them with
832             whitespace. An argument of B<any> can be used to remove
833             all restrictions and permit any listen requests. An argument
834             of B<none> can be used to prohibit all listen requests.
835             The host name may contain wildcards as described in the
836             PATTERNS section in L<ssh_config(5)>. The wildcard
837             '*' can also be used in place of a port number
838             to allow all ports. By default all port forwarding listen
839             requests are permitted. Note that the B<GatewayPorts>
840             option may further restrict which addresses may be listened
841             on. Note also that L<ssh(1)> will request a listen host of
842             B<localhost> if no listen host was specifically
843             requested, and this name is treated differently to explicit
844             localhost addresses of \x{201c}127.0.0.1\x{201d} and
845             \x{201c}::1\x{201d}.",
846             'type' => 'list'
847             },
848             'PermitOpen',
849             {
850             'cargo' => {
851             'type' => 'leaf',
852             'value_type' => 'uniline'
853             },
854             'description' => 'Specifies the destinations to
855             which TCP port forwarding is permitted. The forwarding
856             specification must be one of the following forms:
857              
858             B<PermitOpen>I<host>:I<port> B<
859             PermitOpen> I<IPv4_addr>:I<port> B<
860             PermitOpen> I<[IPv6_addr]>:I<port>
861              
862             Multiple
863             forwards may be specified by separating them with
864             whitespace. An argument of B<any> can be used to remove
865             all restrictions and permit any forwarding requests. An
866             argument of B<none> can be used to prohibit all
867             forwarding requests. The wildcard \'*\' can be
868             used for host or port to allow all hosts or ports
869             respectively. Otherwise, no pattern matching or address
870             lookups are performed on supplied names. By default all port
871             forwarding requests are permitted.',
872             'type' => 'list'
873             },
874             'PermitRootLogin',
875             {
876             'choice' => [
877             'yes',
878             'prohibit-password',
879             'forced-commands-only',
880             'no'
881             ],
882             'description' => 'Specifies whether root can log
883             in using L<ssh(1)>. The argument must be B<yes>,
884             B<prohibit-password>, B<forced-commands-only>, or
885             B<no>. The default is B<prohibit-password>.
886              
887             If this option
888             is set to B<prohibit-password> (or its deprecated alias,
889             B<without-password>), password and keyboard-interactive
890             authentication are disabled for root.
891              
892             If this option
893             is set to B<forced-commands-only>, root login with
894             public key authentication will be allowed, but only if the
895             I<command> option has been specified (which may be
896             useful for taking remote backups even if root login is
897             normally not allowed). All other authentication methods are
898             disabled for root.
899              
900             If this option
901             is set to B<no>, root is not allowed to log in.',
902             'type' => 'leaf',
903             'value_type' => 'enum'
904             },
905             'PermitTTY',
906             {
907             'description' => 'Specifies whether L<pty(4)>
908             allocation is permitted. The default is B<yes>.',
909             'type' => 'leaf',
910             'upstream_default' => 'yes',
911             'value_type' => 'boolean',
912             'write_as' => [
913             'no',
914             'yes'
915             ]
916             },
917             'PermitTunnel',
918             {
919             'choice' => [
920             'yes',
921             'point-to-point',
922             'ethernet',
923             'no'
924             ],
925             'description' => 'Specifies whether L<tun(4)> device
926             forwarding is allowed. The argument must be B<yes>,
927             B<point-to-point> (layer 3), B<ethernet> (layer 2),
928             or B<no>. Specifying B<yes> permits both
929             B<point-to-point> and B<ethernet>. The default is
930             B<no>.
931              
932             Independent of
933             this setting, the permissions of the selected L<tun(4)> device
934             must allow access to the user.',
935             'type' => 'leaf',
936             'upstream_default' => 'no',
937             'value_type' => 'enum'
938             },
939             'PermitUserRC',
940             {
941             'description' => 'Specifies whether any
942             I<~/.ssh/rc> file is executed. The default is
943             B<yes>.',
944             'type' => 'leaf',
945             'upstream_default' => 'yes',
946             'value_type' => 'boolean',
947             'write_as' => [
948             'no',
949             'yes'
950             ]
951             },
952             'PubkeyAcceptedAlgorithms',
953             {
954             'description' => 'Specifies the signature
955             algorithms that will be accepted for public key
956             authentication as a list of comma-separated patterns.
957             Alternately if the specified list begins with a
958             \'+\' character, then the specified algorithms
959             will be appended to the default set instead of replacing
960             them. If the specified list begins with a \'-\'
961             character, then the specified algorithms (including
962             wildcards) will be removed from the default set instead of
963             replacing them. If the specified list begins with a
964             \'^\' character, then the specified algorithms
965             will be placed at the head of the default set. The default
966             for this option is:
967              
968             ssh-ed25519-cert-v01@openssh.com,
969             ecdsa-sha2-nistp256-cert-v01@openssh.com,
970             ecdsa-sha2-nistp384-cert-v01@openssh.com,
971             ecdsa-sha2-nistp521-cert-v01@openssh.com,
972             sk-ssh-ed25519-cert-v01@openssh.com,
973             sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
974             rsa-sha2-512-cert-v01@openssh.com,
975             rsa-sha2-256-cert-v01@openssh.com,
976             ssh-ed25519,
977             ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521,
978             sk-ssh-ed25519@openssh.com,
979             sk-ecdsa-sha2-nistp256@openssh.com,
980             rsa-sha2-512, rsa-sha2-256
981              
982             The list of
983             available signature algorithms may also be obtained using
984             "ssh -Q PubkeyAcceptedAlgorithms".',
985             'type' => 'leaf',
986             'value_type' => 'uniline'
987             },
988             'PubkeyAuthOptions',
989             {
990             'choice' => [
991             'none',
992             'touch-required',
993             'verify-required'
994             ],
995             'description' => 'Sets one or more public key
996             authentication options. The supported keywords are:
997             B<none> (the default; indicating no additional options
998             are enabled), B<touch-required> and
999             B<verify-required>.
1000              
1001             The
1002             B<touch-required> option causes public key
1003             authentication using a FIDO authenticator algorithm (i.e.
1004             B<ecdsa-sk> or B<ed25519-sk>) to always require the
1005             signature to attest that a physically present user
1006             explicitly confirmed the authentication (usually by touching
1007             the authenticator). By default, L<sshd(8)> requires user
1008             presence unless overridden with an authorized_keys option.
1009             The B<touch-required> flag disables this override.
1010              
1011             The
1012             B<verify-required> option requires a FIDO key signature
1013             attest that the user was verified, e.g. via a PIN.
1014              
1015             Neither the
1016             B<touch-required> or B<verify-required> options have
1017             any effect for other, non-FIDO, public key types.',
1018             'type' => 'leaf',
1019             'value_type' => 'enum'
1020             },
1021             'PubkeyAuthentication',
1022             {
1023             'description' => 'Specifies whether public key
1024             authentication is allowed. The default is B<yes>.',
1025             'type' => 'leaf',
1026             'upstream_default' => 'yes',
1027             'value_type' => 'boolean',
1028             'write_as' => [
1029             'no',
1030             'yes'
1031             ]
1032             },
1033             'RekeyLimit',
1034             {
1035             'description' => 'Specifies the maximum amount of
1036             data that may be transmitted before the session key is
1037             renegotiated, optionally followed by a maximum amount of
1038             time that may pass before the session key is renegotiated.
1039             The first argument is specified in bytes and may have a
1040             suffix of \'K\', \'M\', or
1041             \'G\' to indicate Kilobytes, Megabytes, or
1042             Gigabytes, respectively. The default is between
1043             \'1G\' and \'4G\', depending on the
1044             cipher. The optional second value is specified in seconds
1045             and may use any of the units documented in the I<TIME
1046             FORMATS> section. The default value for B<RekeyLimit>
1047             is B<default none>, which means that rekeying is
1048             performed after the cipher\'s default amount of data
1049             has been sent or received and no time based rekeying is
1050             done.',
1051             'type' => 'leaf',
1052             'value_type' => 'uniline'
1053             },
1054             'RevokedKeys',
1055             {
1056             'description' => 'Specifies revoked public keys
1057             file, or B<none> to not use one. Keys listed in this
1058             file will be refused for public key authentication. Note
1059             that if this file is not readable, then public key
1060             authentication will be refused for all users. Keys may be
1061             specified as a text file, listing one public key per line,
1062             or as an OpenSSH Key Revocation List (KRL) as generated by
1063             L<ssh-keygen(1)>. For more information on KRLs, see the KEY
1064             REVOCATION LISTS section in L<ssh-keygen(1)>.',
1065             'type' => 'leaf',
1066             'value_type' => 'uniline'
1067             },
1068             'SetEnv',
1069             {
1070             'description' => "Specifies one
1071             or more environment variables to set in child sessions
1072             started by L<sshd(8)> as \x{201c}NAME=VALUE\x{201d}. The
1073             environment value may be quoted (e.g. if it contains
1074             whitespace characters). Environment variables set by
1075             B<SetEnv> override the default environment and any
1076             variables specified by the user via B<AcceptEnv> or
1077             B<PermitUserEnvironment>.",
1078             'type' => 'leaf',
1079             'value_type' => 'uniline'
1080             },
1081             'StreamLocalBindMask',
1082             {
1083             'description' => 'Sets the octal file creation
1084             mode mask (umask) used when creating a Unix-domain socket
1085             file for local or remote port forwarding. This option is
1086             only used for port forwarding to a Unix-domain socket
1087             file.
1088              
1089             The default
1090             value is 0177, which creates a Unix-domain socket file that
1091             is readable and writable only by the owner. Note that not
1092             all operating systems honor the file mode on Unix-domain
1093             socket files.',
1094             'type' => 'leaf',
1095             'value_type' => 'uniline'
1096             },
1097             'StreamLocalBindUnlink',
1098             {
1099             'description' => 'Specifies whether to remove an
1100             existing Unix-domain socket file for local or remote port
1101             forwarding before creating a new one. If the socket file
1102             already exists and B<StreamLocalBindUnlink> is not
1103             enabled, B<sshd> will be unable to forward the port to
1104             the Unix-domain socket file. This option is only used for
1105             port forwarding to a Unix-domain socket file.
1106              
1107             The argument
1108             must be B<yes> or B<no>. The default is
1109             B<no>.',
1110             'type' => 'leaf',
1111             'upstream_default' => 'no',
1112             'value_type' => 'boolean',
1113             'write_as' => [
1114             'no',
1115             'yes'
1116             ]
1117             },
1118             'TrustedUserCAKeys',
1119             {
1120             'description' => 'Specifies a file containing
1121             public keys of certificate authorities that are trusted to
1122             sign user certificates for authentication, or B<none> to
1123             not use one. Keys are listed one per line; empty lines and
1124             comments starting with \'#\' are allowed. If a
1125             certificate is presented for authentication and has its
1126             signing CA key listed in this file, then it may be used for
1127             authentication for any user listed in the
1128             certificate\'s principals list. Note that certificates
1129             that lack a list of principals will not be permitted for
1130             authentication using B<TrustedUserCAKeys>. For more
1131             details on certificates, see the CERTIFICATES section in
1132             L<ssh-keygen(1)>.',
1133             'type' => 'leaf',
1134             'value_type' => 'uniline'
1135             },
1136             'X11DisplayOffset',
1137             {
1138             'description' => 'Specifies the first display
1139             number available for L<sshd(8)>\'s X11 forwarding. This
1140             prevents sshd from interfering with real X11 servers. The
1141             default is 10.',
1142             'type' => 'leaf',
1143             'value_type' => 'uniline'
1144             },
1145             'X11Forwarding',
1146             {
1147             'description' => 'Specifies whether X11
1148             forwarding is permitted. The argument must be B<yes> or
1149             B<no>. The default is B<no>.
1150              
1151             When X11
1152             forwarding is enabled, there may be additional exposure to
1153             the server and to client displays if the L<sshd(8)> proxy
1154             display is configured to listen on the wildcard address (see
1155             B<X11UseLocalhost>), though this is not the default.
1156             Additionally, the authentication spoofing and authentication
1157             data verification and substitution occur on the client side.
1158             The security risk of using X11 forwarding is that the
1159             client\'s X11 display server may be exposed to attack
1160             when the SSH client requests forwarding (see the warnings
1161             for B<ForwardX11> in L<ssh_config(5)>). A system
1162             administrator may have a stance in which they want to
1163             protect clients that may expose themselves to attack by
1164             unwittingly requesting X11 forwarding, which can warrant a
1165             B<no> setting.
1166              
1167             Note that
1168             disabling X11 forwarding does not prevent users from
1169             forwarding X11 traffic, as users can always install their
1170             own forwarders.',
1171             'type' => 'leaf',
1172             'upstream_default' => 'no',
1173             'value_type' => 'boolean',
1174             'write_as' => [
1175             'no',
1176             'yes'
1177             ]
1178             },
1179             'X11UseLocalhost',
1180             {
1181             'description' => 'Specifies whether L<sshd(8)>
1182             should bind the X11 forwarding server to the loopback
1183             address or to the wildcard address. By default, sshd binds
1184             the forwarding server to the loopback address and sets the
1185             hostname part of the DISPLAY environment variable to
1186             B<localhost>. This prevents remote hosts from connecting
1187             to the proxy display. However, some older X11 clients may
1188             not function with this configuration. B<X11UseLocalhost>
1189             may be set to B<no> to specify that the forwarding
1190             server should be bound to the wildcard address. The argument
1191             must be B<yes> or B<no>. The default is
1192             B<yes>.',
1193             'type' => 'leaf',
1194             'upstream_default' => 'yes',
1195             'value_type' => 'boolean',
1196             'write_as' => [
1197             'no',
1198             'yes'
1199             ]
1200             },
1201             'AuthorizedKeysFile2',
1202             {
1203             'cargo' => {
1204             'type' => 'leaf',
1205             'value_type' => 'uniline'
1206             },
1207             'description' => 'This parameter is now ignored by Ssh',
1208             'status' => 'deprecated',
1209             'type' => 'list'
1210             },
1211             'ChallengeResponseAuthentication',
1212             {
1213             'status' => 'deprecated',
1214             'type' => 'leaf',
1215             'value_type' => 'boolean'
1216             },
1217             'KeyRegenerationInterval',
1218             {
1219             'status' => 'deprecated',
1220             'type' => 'leaf',
1221             'value_type' => 'uniline'
1222             },
1223             'Protocol',
1224             {
1225             'status' => 'deprecated',
1226             'type' => 'leaf',
1227             'value_type' => 'uniline'
1228             },
1229             'RDomain',
1230             {
1231             'status' => 'deprecated',
1232             'type' => 'leaf',
1233             'value_type' => 'uniline'
1234             },
1235             'RSAAuthentication',
1236             {
1237             'status' => 'deprecated',
1238             'type' => 'leaf',
1239             'value_type' => 'uniline'
1240             },
1241             'RhostsRSAAuthentication',
1242             {
1243             'status' => 'deprecated',
1244             'type' => 'leaf',
1245             'value_type' => 'uniline'
1246             },
1247             'UsePrivilegeSeparation',
1248             {
1249             'status' => 'deprecated',
1250             'type' => 'leaf',
1251             'value_type' => 'uniline'
1252             }
1253             ],
1254             'generated_by' => 'parse-man.pl from sshd_system 9.0p1 doc',
1255             'license' => 'LGPL2',
1256             'name' => 'Sshd::MatchElement'
1257             }
1258             ]
1259             ;
1260