File Coverage

blib/lib/Config/Model/models/Sshd.pl
Criterion Covered Total %
statement 6 6 100.0
branch n/a
condition n/a
subroutine 2 2 100.0
pod n/a
total 8 8 100.0


line stmt bran cond sub pod time code
1             #
2             # This file is part of Config-Model-OpenSsh
3             #
4             # This software is Copyright (c) 2008-2022 by Dominique Dumont.
5             #
6             # This is free software, licensed under:
7             #
8             # The GNU Lesser General Public License, Version 2.1, February 1999
9             #
10 3     3   288982 use strict;
  3         8  
  3         99  
11 3     3   31 use warnings;
  3         11  
  3         2653  
12              
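# Config::Model class declaration for the global section of sshd_config.
# The file's value is an array ref holding one class hash, named 'Sshd'.
# Per 'generated_by' below, the content is produced by parse-man.pl from the
# sshd documentation, so the two corrected defaults in this file (MaxStartups
# and PidFile) must also be fixed in the generator or they are lost on the
# next regeneration.
return [
    {
        # Catch-all: the pattern '.*' matches any keyword that is not declared
        # under 'element', and such a keyword only raises the warning below.
        # A misspelt hardening directive is therefore not rejected by this
        # model; treat the warning as a finding when reviewing a configuration.
        'accept' => [
            '.*',
            {
                'summary' => 'boilerplate parameter that may hide a typo',
                'type' => 'leaf',
                'value_type' => 'uniline',
                'warn' => 'Unknown parameter. Please make sure there\'s no typo and contact the author'
            }
        ],
        'class_description' => 'This configuration class was generated from sshd_system documentation.
by L<parse-man.pl|https://github.com/dod38fr/config-model-openssh/contrib/parse-man.pl>
',
        # Flat list of name => declaration pairs, one pair per sshd_config
        # keyword handled in the global section.
        'element' => [
            'AddressFamily',
            {
                'choice' => [
                    'any',
                    'inet',
                    'inet6'
                ],
                'description' => 'Specifies which address family should be used by L<sshd(8)>. Valid arguments
are B<any> (the default), B<inet> (use IPv4 only), or B<inet6> (use IPv6 only).',
                'type' => 'leaf',
                'upstream_default' => 'any',
                'value_type' => 'enum'
            },
            # Declared as free-form 'uniline', so this entry does not check the
            # value against the supported list in the description. 3des-cbc
            # and the aes*-cbc modes are listed as supported but are absent
            # from the documented default set.
            'Ciphers',
            {
                'description' => 'Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the
specified list begins with a \'+\' character, then the specified ciphers will be
appended to the default set instead of replacing them. If the specified list
begins with a \'-\' character, then the specified ciphers (including wildcards)
will be removed from the default set instead of replacing them. If the
specified list begins with a \'^\' character, then the specified ciphers will be
placed at the head of the default set.

The supported ciphers are:

B<3des-cbc> B<aes128-cbc> B<aes192-cbc> B<aes256-cbc> B<aes128-ctr>
B<aes192-ctr> B<aes256-ctr> B<aes128-gcm@openssh.com> B<aes256-gcm@openssh.com>
B<chacha20-poly1305@openssh.com>

The default is: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr,
aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com

The list of available ciphers may also be obtained using Qq ssh -Q cipher .',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'Compression',
            {
                'choice' => [
                    'delayed',
                    'no',
                    'yes'
                ],
                'description' => 'Specifies whether compression is enabled after the user has authenticated
successfully. The argument must be B<yes> B<delayed> (a legacy synonym for
B<yes> or B<no> The default is B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'enum'
            },
            # Boolean entries in this file carry 'write_as' => [ 'no', 'yes' ];
            # presumably this maps false/true to the literal tokens written to
            # sshd_config - confirm against Config::Model.
            'DebianBanner',
            {
                'description' => 'Specifies whether the distribution-specified extra version suffix is included
during initial protocol handshake. The default is B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            # md5 remains a selectable choice; sha256 is the declared default.
            'FingerprintHash',
            {
                'choice' => [
                    'md5',
                    'sha256'
                ],
                'description' => 'Specifies the hash algorithm used when logging key fingerprints. Valid options
are: B<md5> and B<sha256> The default is B<sha256>',
                'type' => 'leaf',
                'upstream_default' => 'sha256',
                'value_type' => 'enum'
            },
            'GSSAPICleanupCredentials',
            {
                'description' => 'Specifies whether to automatically destroy the user\'s credentials cache on
logout. The default is B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'GSSAPIKeyExchange',
            {
                'description' => 'Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
doesn\'t rely on ssh keys to verify host identity. The default is B<no>',
                'type' => 'leaf',
                'upstream_default' => 'no',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'GSSAPIStrictAcceptorCheck',
            {
                'description' => 'Determines whether to be strict about the identity of the GSSAPI acceptor a
client authenticates against. If set to B<yes> then the client must
authenticate against the host service on the current hostname. If set to B<no>
then the client may authenticate against any service key stored in the
machine\'s default store. This facility is provided to assist with operation on
multi homed machines. The default is B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'GSSAPIStoreCredentialsOnRekey',
            {
                'description' => 'Controls whether the user\'s GSSAPI credentials should be updated following a
successful connection rekeying. This option can be used to accepted renewed or
updated credentials from a compatible client. The default is \'\'no\'\'

For this to work B<GSSAPIKeyExchange> needs to be enabled in the server and
also used by the client.',
                'type' => 'leaf',
                'upstream_default' => 'no',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            # Free-form value. The documented default set still contains the
            # SHA-1 based gss-gex-sha1- and gss-group14-sha1- methods.
            'GSSAPIKexAlgorithms',
            {
                'description' => 'The list of key exchange algorithms that are accepted by GSSAPI key exchange.
Possible values are gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-,
gss-group14-sha256-, gss-group16-sha512-, gss-nistp256-sha256-,
gss-curve25519-sha256-

The default is \'\'gss-group14-sha256-, gss-group16-sha512-,
gss-nistp256-sha256-, gss-curve25519-sha256-, gss-gex-sha1-,
gss-group14-sha1-\'\' This option only applies to connections using GSSAPI.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'HostCertificate',
            {
                'description' => 'Specifies a file containing a public host certificate. The certificate\'s public
key must match a private host key already specified by B<HostKey> The default
behaviour of L<sshd(8)> is not to load any certificates.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'HostKey',
            {
                'description' => 'Specifies a file containing a private host key used by SSH. The defaults are
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key and
/etc/ssh/ssh_host_rsa_key

Note that L<sshd(8)> will refuse to use a file if it is group/world-accessible
and that the B<HostKeyAlgorithms> option restricts which of the keys are
actually used by L<sshd(8)>.

It is possible to have multiple host key files. It is also possible to specify
public host key files instead. In this case operations on the private key will
be delegated to an ssh-agent1.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'HostKeyAgent',
            {
                'description' => 'Identifies the UNIX-domain socket used to communicate with an agent that has
access to the private host keys. If the string Qq SSH_AUTH_SOCK is specified,
the location of the socket will be read from the B<SSH_AUTH_SOCK> environment
variable.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'HostKeyAlgorithms',
            {
                'description' => 'Specifies the host key signature algorithms that the server offers. The default
for this option is: ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,
ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512, rsa-sha2-256

The list of available signature algorithms may also be obtained using Qq ssh -Q
HostKeyAlgorithms .',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'IgnoreUserKnownHosts',
            {
                'description' => 'Specifies whether L<sshd(8)> should ignore the user\'s ~/.ssh/known_hosts during
B<HostbasedAuthentication> and use only the system-wide known hosts file
/etc/ssh/ssh_known_hosts The default is \'\'no\'\'',
                'type' => 'leaf',
                'upstream_default' => 'no',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'KerberosGetAFSToken',
            {
                'description' => 'If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS
token before accessing the user\'s home directory. The default is B<no>',
                'type' => 'leaf',
                'upstream_default' => 'no',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'KerberosOrLocalPasswd',
            {
                'description' => 'If password authentication through Kerberos fails then the password will be
validated via any additional local mechanism such as /etc/passwd The default is
B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'KerberosTicketCleanup',
            {
                'description' => 'Specifies whether to automatically destroy the user\'s ticket cache file on
logout. The default is B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            # Free-form value, not checked against the supported list.
            # diffie-hellman-group1-sha1, diffie-hellman-group14-sha1 and
            # diffie-hellman-group-exchange-sha1 are listed as supported but
            # are absent from the documented default set.
            'KexAlgorithms',
            {
                'description' => 'Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must
be comma-separated. Alternately if the specified list begins with a \'+\'
character, then the specified algorithms will be appended to the default set
instead of replacing them. If the specified list begins with a \'-\' character,
then the specified algorithms (including wildcards) will be removed from the
default set instead of replacing them. If the specified list begins with a \'^\'
character, then the specified algorithms will be placed at the head of the
default set. The supported algorithms are:

B<curve25519-sha256> B<curve25519-sha256@libssh.org>
B<diffie-hellman-group1-sha1> B<diffie-hellman-group14-sha1>
B<diffie-hellman-group14-sha256> B<diffie-hellman-group16-sha512>
B<diffie-hellman-group18-sha512> B<diffie-hellman-group-exchange-sha1>
B<diffie-hellman-group-exchange-sha256> B<ecdh-sha2-nistp256>
B<ecdh-sha2-nistp384> B<ecdh-sha2-nistp521>
B<sntrup761x25519-sha512@openssh.com>

The default is: sntrup761x25519-sha512@openssh.com, curve25519-sha256,
curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384,
ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256

The list of available key exchange algorithms may also be obtained using Qq ssh
-Q KexAlgorithms .',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'ListenAddress',
            {
                'description' => 'Specifies the local addresses L<sshd(8)> should listen on. The following forms
may be used:

B<ListenAddress> I<hostname | address> B<ListenAddress> I<hostname : port>
B<ListenAddress> I<IPv4_address : port> B<ListenAddress> [I<hostname | address
: port> ]

If I<port> is not specified, sshd will listen on the address and all B<Port>
options specified. The default is to listen on all local addresses. Multiple
B<ListenAddress> options are permitted.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'LoginGraceTime',
            {
                'description' => 'The server disconnects after this time if the user has not successfully logged
in. If the value is 0, there is no time limit. The default is 120 seconds.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'LogVerbose',
            {
                'description' => 'Specify one or more overrides to LogLevel. An override consists of a pattern
lists that matches the source file, function and line number to force detailed
logging for. For example, an override pattern of:
kex.c:*:1000,*:kex_exchange_identification():*, packet.c:*

would enable detailed logging for line 1000 of kex.c everything in the Fn
kex_exchange_identification function, and all code in the packet.c file. This
option is intended for debugging and no overrides are enabled by default.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            # Free-form value, not checked against the supported list. The
            # MD5-based MACs and the 96-bit truncated variants are listed as
            # supported but are absent from the documented default set.
            'MACs',
            {
                'description' => 'Specifies the available MAC (message authentication code) algorithms.

The MAC algorithm is used for data integrity protection. Multiple algorithms
must be comma-separated. If the specified list begins with a \'+\' character,
then the specified algorithms will be appended to the default set instead of
replacing them. If the specified list begins with a \'-\' character, then the
specified algorithms (including wildcards) will be removed from the default set
instead of replacing them. If the specified list begins with a \'^\' character,
then the specified algorithms will be placed at the head of the default set.

The algorithms that contain Qq -etm calculate the MAC after encryption
(encrypt-then-mac). These are considered safer and their use recommended. The
supported MACs are:

B<hmac-md5> B<hmac-md5-96> B<hmac-sha1> B<hmac-sha1-96> B<hmac-sha2-256>
B<hmac-sha2-512> B<umac-64@openssh.com> B<umac-128@openssh.com>
B<hmac-md5-etm@openssh.com> B<hmac-md5-96-etm@openssh.com>
B<hmac-sha1-etm@openssh.com> B<hmac-sha1-96-etm@openssh.com>
B<hmac-sha2-256-etm@openssh.com> B<hmac-sha2-512-etm@openssh.com>
B<umac-64-etm@openssh.com> B<umac-128-etm@openssh.com>

The default is: umac-64-etm@openssh.com, umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com,
hmac-sha2-256, hmac-sha2-512, hmac-sha1

The list of available MAC algorithms may also be obtained using Qq ssh -Q mac .',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            # A list whose items are nodes of class Sshd::MatchBlock; that
            # class is not declared in this file.
            'Match',
            {
                'cargo' => {
                    'config_class_name' => 'Sshd::MatchBlock',
                    'type' => 'node'
                },
                'description' => 'Introduces a conditional block. If all of the criteria on the B<Match> line are
satisfied, the keywords on the following lines override those set in the global
section of the config file, until either another B<Match> line or the end of
the file. If a keyword appears in multiple B<Match> blocks that are satisfied,
only the first instance of the keyword is applied.

The arguments to B<Match> are one or more criteria-pattern pairs or the single
token B<All> which matches all criteria. The available criteria are B<User>
B<Group> B<Host> B<LocalAddress> B<LocalPort> and B<Address>

The match patterns may consist of single entries or comma-separated lists and
may use the wildcard and negation operators described in the I<PATTERNS>
section of ssh_config5.

The patterns in an B<Address> criteria may additionally contain addresses to
match in CIDR address/masklen format, such as 192.0.2.0/24 or 2001:db8::/32.
Note that the mask length provided must be consistent with the address - it is
an error to specify a mask length that is too long for the address or one with
bits set in this host portion of the address. For example, 192.0.2.0/33 and
192.0.2.0/8, respectively.

Only a subset of keywords may be used on the lines following a B<Match>
keyword. Available keywords are B<AcceptEnv> B<AllowAgentForwarding>
B<AllowGroups> B<AllowStreamLocalForwarding> B<AllowTcpForwarding>
B<AllowUsers> B<AuthenticationMethods> B<AuthorizedKeysCommand>
B<AuthorizedKeysCommandUser> B<AuthorizedKeysFile>
B<AuthorizedPrincipalsCommand> B<AuthorizedPrincipalsCommandUser>
B<AuthorizedPrincipalsFile> B<Banner> B<CASignatureAlgorithms>
B<ChannelTimeout> B<ChrootDirectory> B<ClientAliveCountMax>
B<ClientAliveInterval> B<DenyGroups> B<DenyUsers> B<DisableForwarding>
B<ExposeAuthInfo> B<ForceCommand> B<GatewayPorts> B<GSSAPIAuthentication>
B<HostbasedAcceptedAlgorithms> B<HostbasedAuthentication>
B<HostbasedUsesNameFromPacketOnly> B<IgnoreRhosts> B<Include> B<IPQoS>
B<KbdInteractiveAuthentication> B<KerberosAuthentication> B<LogLevel>
B<MaxAuthTries> B<MaxSessions> B<PasswordAuthentication>
B<PermitEmptyPasswords> B<PermitListen> B<PermitOpen> B<PermitRootLogin>
B<PermitTTY> B<PermitTunnel> B<PermitUserRC> B<PubkeyAcceptedAlgorithms>
B<PubkeyAuthentication> B<PubkeyAuthOptions> B<RekeyLimit> B<RevokedKeys>
B<SetEnv> B<StreamLocalBindMask> B<StreamLocalBindUnlink> B<TrustedUserCAKeys>
B<UnusedConnectionTimeout> B<X11DisplayOffset> B<X11Forwarding> and
B<X11UseLocalhost>',
                'type' => 'list'
            },
            # upstream_default now carries the full start:rate:full triple
            # that the description documents as the default. The generated
            # value was the bare '10', which drops the rate and full fields
            # and so misstates the documented default.
            'MaxStartups',
            {
                'description' => 'Specifies the maximum number of concurrent unauthenticated connections to the
SSH daemon. Additional connections will be dropped until authentication
succeeds or the B<LoginGraceTime> expires for a connection. The default is
10:30:100.

Alternatively, random early drop can be enabled by specifying the three colon
separated values start:rate:full (e.g. "10:30:60"). L<sshd(8)> will refuse
connection attempts with a probability of rate/100 (30%) if there are currently
start (10) unauthenticated connections. The probability increases linearly and
all connection attempts are refused if the number of unauthenticated
connections reaches full (60).',
                'type' => 'leaf',
                'upstream_default' => '10:30:100',
                'value_type' => 'uniline'
            },
            'ModuliFile',
            {
                'description' => 'Specifies the L<moduli(5)> file that contains the Diffie-Hellman groups used
for the \'\'diffie-hellman-group-exchange-sha1\'\' and
\'\'diffie-hellman-group-exchange-sha256\'\' key exchange methods. The default is
/etc/ssh/moduli',
                'type' => 'leaf',
                'upstream_default' => '/etc/ssh/moduli',
                'value_type' => 'uniline'
            },
            # NOTE(review): declared as a boolean, although the description
            # also allows a pattern-list of variable names. Presumably such a
            # value cannot be represented by this entry - confirm against the
            # generator before relying on the model for this keyword.
            'PermitUserEnvironment',
            {
                'description' => 'Specifies whether ~/.ssh/environment and B<environment=> options in
~/.ssh/authorized_keys are processed by L<sshd(8)>. Valid options are B<yes>
B<no> or a pattern-list specifying which environment variable names to accept
(for example Qq LANG, LC_* ) . The default is B<no> Enabling environment
processing may enable users to bypass access restrictions in some
configurations using mechanisms such as B<LD_PRELOAD>',
                'type' => 'leaf',
                'upstream_default' => 'no',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'PerSourceMaxStartups',
            {
                'description' => 'Specifies the number of unauthenticated connections allowed from a given source
address, or \'\'none\'\' if there is no limit. This limit is applied in addition to
B<MaxStartups> whichever is lower. The default is B<none>',
                'type' => 'leaf',
                'upstream_default' => 'none',
                'value_type' => 'uniline'
            },
            'PerSourceNetBlockSize',
            {
                'description' => 'Specifies the number of bits of source address that are grouped together for
the purposes of applying PerSourceMaxStartups limits. Values for IPv4 and
optionally IPv6 may be specified, separated by a colon. The default is
B<32:128> which means each address is considered individually.',
                'type' => 'leaf',
                'upstream_default' => '32:128',
                'value_type' => 'uniline'
            },
            # upstream_default now matches the path the description documents.
            # The generated value was '/run/sshd', i.e. the path cut off
            # before its '.pid' suffix.
            'PidFile',
            {
                'description' => 'Specifies the file that contains the process ID of the SSH daemon, or B<none>
to not write one. The default is /run/sshd.pid',
                'type' => 'leaf',
                'upstream_default' => '/run/sshd.pid',
                'value_type' => 'uniline'
            },
            'Port',
            {
                'description' => 'Specifies the port number that L<sshd(8)> listens on. The default is 22.
Multiple options of this type are permitted. See also B<ListenAddress>',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'PrintLastLog',
            {
                'description' => 'Specifies whether L<sshd(8)> should print the date and time of the last user
login when a user logs in interactively. The default is B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'PrintMotd',
            {
                'description' => 'Specifies whether L<sshd(8)> should print /etc/motd when a user logs in
interactively. (On some systems it is also printed by the shell, /etc/profile
or equivalent.) The default is B<yes>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            # NOTE(review): a plain integer with no lower bound declared in
            # this entry, while the description says the limit may only be
            # raised from 1024. Confirm whether the generator should emit a
            # bound, so that a smaller value is caught by the model.
            'RequiredRSASize',
            {
                'description' => 'Specifies the minimum RSA key size (in bits) that L<sshd(8)> will accept. User
and host-based authentication keys smaller than this limit will be refused. The
default is B<1024> bits. Note that this limit may only be raised from the
default.',
                'type' => 'leaf',
                'upstream_default' => '1024',
                'value_type' => 'integer'
            },
            'SecurityKeyProvider',
            {
                'description' => 'Specifies a path to a library that will be used when loading FIDO
authenticator-hosted keys, overriding the default of using the built-in USB HID
support.',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'StrictModes',
            {
                'description' => 'Specifies whether L<sshd(8)> should check file modes and ownership of the
user\'s files and home directory before accepting login. This is normally
desirable because novices sometimes accidentally leave their directory or files
world-writable. The default is B<yes> Note that this does not apply to
B<ChrootDirectory> whose permissions and ownership are checked unconditionally.',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            # A hash indexed by a string (per the description, the subsystem
            # name) whose values are mandatory free-form command lines.
            'Subsystem',
            {
                'cargo' => {
                    'mandatory' => '1',
                    'type' => 'leaf',
                    'value_type' => 'uniline'
                },
                'description' => 'Configures an external subsystem (e.g. file transfer daemon). Arguments should
be a subsystem name and a command (with optional arguments) to execute upon
subsystem request.

The command B<sftp-server> implements the SFTP file transfer subsystem.

Alternately the name B<internal-sftp> implements an in-process SFTP server.
This may simplify configurations using B<ChrootDirectory> to force a different
filesystem root on clients.

By default no subsystems are defined.',
                'index_type' => 'string',
                'type' => 'hash'
            },
            'SyslogFacility',
            {
                'choice' => [
                    'AUTH',
                    'DAEMON',
                    'LOCAL0',
                    'LOCAL1',
                    'LOCAL2',
                    'LOCAL3',
                    'LOCAL4',
                    'LOCAL5',
                    'LOCAL6',
                    'LOCAL7',
                    'USER'
                ],
                'description' => 'Gives the facility code that is used when logging messages from L<sshd(8)>. The
possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3,
LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.',
                'type' => 'leaf',
                'upstream_default' => 'AUTH',
                'value_type' => 'enum'
            },
            'TCPKeepAlive',
            {
                'description' => 'Specifies whether the system should send TCP keepalive messages to the other
side. If they are sent, death of the connection or crash of one of the machines
will be properly noticed. However, this means that connections will die if the
route is down temporarily, and some people find it annoying. On the other hand,
if TCP keepalives are not sent, sessions may hang indefinitely on the server,
leaving Qq ghost users and consuming server resources.

The default is B<yes> (to send TCP keepalive messages), and the server will
notice if the network goes down or the client host crashes. This avoids
infinitely hanging sessions.

To disable TCP keepalive messages, the value should be set to B<no>

This option was formerly called B<KeepAlive>',
                'type' => 'leaf',
                'upstream_default' => 'yes',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'UseDNS',
            {
                'description' => 'Specifies whether L<sshd(8)> should look up the remote host name, and to check
that the resolved host name for the remote IP address maps back to the very
same IP address.

If this option is set to B<no> (the default) then only addresses and not host
names may be used in ~/.ssh/authorized_keys B<from> and B<sshd_config> B<Match>
B<Host> directives.',
                'type' => 'leaf',
                'upstream_default' => 'no',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'UsePAM',
            {
                'description' => 'Enables the Pluggable Authentication Module interface. If set to B<yes> this
will enable PAM authentication using B<KbdInteractiveAuthentication> and
B<PasswordAuthentication> in addition to PAM account and session module
processing for all authentication types.

Because PAM keyboard-interactive authentication usually serves an equivalent
role to password authentication, you should disable either
B<PasswordAuthentication> or B<KbdInteractiveAuthentication>

If B<UsePAM> is enabled, you will not be able to run L<sshd(8)> as a non-root
user. The default is B<no>',
                'type' => 'leaf',
                'upstream_default' => 'no',
                'value_type' => 'boolean',
                'write_as' => [
                    'no',
                    'yes'
                ]
            },
            'VersionAddendum',
            {
                'description' => 'Optionally specifies additional text to append to the SSH protocol banner sent
by the server upon connection. The default is B<none>',
                'type' => 'leaf',
                'value_type' => 'uniline'
            },
            'XAuthLocation',
            {
                'description' => 'Specifies the full pathname of the L<xauth(1)> program, or B<none> to not use
one. The default is /usr/bin/xauth',
                'type' => 'leaf',
                'upstream_default' => '/usr/bin/xauth',
                'value_type' => 'uniline'
            }
        ],
        'generated_by' => 'parse-man.pl from sshd_system 9.4p1 doc',
        # Pulls in the elements of Sshd::MatchElement, a class that is not
        # declared in this file.
        'include' => [
            'Sshd::MatchElement'
        ],
        'license' => 'LGPL2',
        'name' => 'Sshd',
        # Read/write target: the file sshd_config under /etc/ssh, with /etc
        # given as the directory for darwin.
        'rw_config' => {
            'backend' => 'OpenSsh::Sshd',
            'config_dir' => '/etc/ssh',
            'file' => 'sshd_config',
            'os_config_dir' => {
                'darwin' => '/etc'
            }
        }
    }
];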
690