Config-Model-OpenSsh-1.238/0000755000175000017500000000000013166471154014021 5ustar domidomiConfig-Model-OpenSsh-1.238/MANIFEST0000644000175000017500000000316113166471154015153 0ustar domidomi# This file was automatically generated by Dist::Zilla::Plugin::Manifest v6.010. Build.PL Changes LICENSE MANIFEST MANIFEST.SKIP META.json META.yml README-build-from-git.md README.pod demo/maintainer-demo.pl demo/user-demo.pl lib/Config/Model/Backend/OpenSsh.pm lib/Config/Model/Backend/OpenSsh/Ssh.pm lib/Config/Model/Backend/OpenSsh/Sshd.pm lib/Config/Model/OpenSsh.pm lib/Config/Model/models/Ssh.pl lib/Config/Model/models/Ssh.pod lib/Config/Model/models/Ssh/HostElement.pl lib/Config/Model/models/Ssh/HostElement.pod lib/Config/Model/models/Ssh/PortForward.pl lib/Config/Model/models/Ssh/PortForward.pod lib/Config/Model/models/Sshd.pl lib/Config/Model/models/Sshd.pod lib/Config/Model/models/Sshd/MatchBlock.pl lib/Config/Model/models/Sshd/MatchBlock.pod lib/Config/Model/models/Sshd/MatchCondition.pl lib/Config/Model/models/Sshd/MatchCondition.pod lib/Config/Model/models/Sshd/MatchElement.pl lib/Config/Model/models/Sshd/MatchElement.pod lib/Config/Model/models/SystemSsh.pl lib/Config/Model/models/SystemSsh.pod lib/Config/Model/system.d/sshd lib/Config/Model/system.d/system-ssh lib/Config/Model/user.d/ssh t/custom_sshd.t t/custom_sshd_match.t t/model_tests.d/ssh-examples/basic/system_ssh_config t/model_tests.d/ssh-examples/basic/user_ssh_config t/model_tests.d/ssh-examples/legacy/system_ssh_config t/model_tests.d/ssh-examples/legacy/user_ssh_config t/model_tests.d/ssh-test-conf.pl t/model_tests.d/sshd-examples/debian-bug-671367/system_sshd_config t/model_tests.d/sshd-test-conf.pl t/model_tests.d/system-ssh-examples/basic/system_ssh_config t/model_tests.d/system-ssh-test-conf.pl t/model_tests.t t/pod.t t/ssh_config.t weaver.ini Config-Model-OpenSsh-1.238/LICENSE0000644000175000017500000006013213166471154015030 0ustar domidomiThis software is Copyright (c) 2008-2014 by Dominique 
Dumont. This is free software, licensed under: The GNU Lesser General Public License, Version 2.1, February 1999 The GNU Lesser General Public License (LGPL) Version 2.1, February 1999 (The master copy of this license lives on the GNU website.) Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. 
These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. 
When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. 
Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). 
Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) 
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. 
You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. 
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. 
(It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. 
You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. 
You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. 
If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
END OF TERMS AND CONDITIONS Config-Model-OpenSsh-1.238/t/0000755000175000017500000000000013166471154014264 5ustar domidomiConfig-Model-OpenSsh-1.238/t/pod.t0000644000175000017500000000023713166471154015235 0ustar domidomi# -*- cperl -*- use strict; use Test::More; eval "use Test::Pod 1.00"; plan skip_all => "Test::Pod 1.00 required for testing POD" if $@; all_pod_files_ok( ); Config-Model-OpenSsh-1.238/t/model_tests.d/0000755000175000017500000000000013166471154017030 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/system-ssh-examples/0000755000175000017500000000000013166471154022763 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/system-ssh-examples/basic/0000755000175000017500000000000013166471154024044 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/system-ssh-examples/basic/system_ssh_config0000644000175000017500000000204413166471154027515 0ustar domidomi # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. 
Host * IdentityFile ~/.ssh/identity IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/id_dsa Port 22 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc ProxyCommand ssh -q -W %h:%p gateway.example.com SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no Config-Model-OpenSsh-1.238/t/model_tests.d/system-ssh-test-conf.pl0000644000175000017500000000212613166471154023405 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # use strict; use Config::Model::BackendMgr; # test loading layered config à la ssh_config $model_to_test = "SystemSsh"; @tests = ( { # t0 name => 'basic', setup => { 'system_ssh_config' => { 'darwin' => '/etc/ssh_config', 'default' => '/etc/ssh/ssh_config', }, }, check => { 'Host:"*" Ciphers' => 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc', 'Host:"*" IdentityFile:1' => '~/.ssh/id_rsa', #'Host:"foo\.\*,\*\.bar"' => '', # 'LocalForward:0 port' => 20022, # 'LocalForward:0 host' => 10.3.244.4, # 'LocalForward:1 ipv6' => 1, # 'LocalForward:1 port' => 22080, # 'LocalForward:1 host' => '2001:0db8:85a3:0000:0000:8a2e:0370:7334', }, } ); 1; Config-Model-OpenSsh-1.238/t/model_tests.d/ssh-test-conf.pl0000644000175000017500000000357113166471154022070 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # use Config::Model::BackendMgr; # test loading layered config à la ssh_config $home_for_test = $^O eq 'darwin' ? 
'/Users/joe' : '/home/joe'; Config::Model::BackendMgr::_set_test_home($home_for_test); $model_to_test = "Ssh"; my @setup = ( setup => { 'system_ssh_config' => { 'darwin' => '/etc/ssh_config', 'default' => '/etc/ssh/ssh_config', }, 'user_ssh_config' => "$home_for_test/.ssh/config" } ); @tests = ( { name => 'basic', @setup, check => [ 'Host:"*" Port' => {qw/mode layered value 22/}, 'Host:"*" Port' => '1022', # user value will completely override layered values 'Host:"*" Ciphers' => { qw/mode layered value/, '3des-cbc' }, 'Host:"*" Ciphers' => { qw/mode user value/, 'aes192-cbc,aes128-cbc' }, 'Host:"*" Ciphers' => 'aes192-cbc,aes128-cbc', #'Host:"foo\.\*,\*\.bar"' => '', 'Host:picosgw LocalForward:0 port' => 20022, 'Host:picosgw LocalForward:0 host' => '10.3.244.4', 'Host:picosgw LocalForward:1 ipv6' => 1, 'Host:picosgw LocalForward:1 port' => 22080, 'Host:picosgw LocalForward:1 host' => '2001:0db8:85a3:0000:0000:8a2e:0370:7334', ], verify_annotation => { '' => 'ssh global comment', 'Host:"*" SendEnv' => ' PermitLocalCommand no', 'Host:"foo.*,*.bar"' => "foo bar big\ncomment", } }, { name => 'legacy', @setup, load_check => 'no', load_warnings => [ (qr/deprecated/) x 2, ], } ); 1; Config-Model-OpenSsh-1.238/t/model_tests.d/ssh-examples/0000755000175000017500000000000013166471154021441 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/ssh-examples/legacy/0000755000175000017500000000000013166471154022705 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/ssh-examples/legacy/user_ssh_config0000644000175000017500000000011113166471154026001 0ustar domidomi# ssh global comment Host * usersh yes fallbacktorsh yes dummy yes Config-Model-OpenSsh-1.238/t/model_tests.d/ssh-examples/legacy/system_ssh_config0000644000175000017500000000050013166471154026351 0ustar domidomi# Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. 
Host * Port 22 Ciphers 3des-cbc SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no Config-Model-OpenSsh-1.238/t/model_tests.d/ssh-examples/basic/0000755000175000017500000000000013166471154022522 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/ssh-examples/basic/user_ssh_config0000644000175000017500000000157613166471154025636 0ustar domidomi# ssh global comment Host * # ForwardAgent no # ForwardX11 no Port 1022 # Protocol 2,1 # Cipher 3des Ciphers aes192-cbc,aes128-cbc # PermitLocalCommand no SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no # foo bar big # comment Host foo.*,*.bar # for and bar have X11 ForwardX11 yes SendEnv FOO BAR Host *.gre.hp.com ForwardX11 yes User tester Host picosgw ForwardAgent yes HostName sshgw.truc.bidule IdentityFile ~/.ssh/%r LocalForward 20022 10.3.244.4:22 # IPv6 example LocalForward all.com/22080 2001:0db8:85a3:0000:0000:8a2e:0370:7334/80 User k0013 Host picos ForwardX11 yes HostName localhost Port 20022 User ocad ControlPersist YES Config-Model-OpenSsh-1.238/t/model_tests.d/ssh-examples/basic/system_ssh_config0000644000175000017500000000050013166471154026166 0ustar domidomi# Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. Host * Port 22 Ciphers 3des-cbc SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no Config-Model-OpenSsh-1.238/t/model_tests.d/sshd-test-conf.pl0000644000175000017500000000162413166471154022231 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. 
# # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # $model_to_test = "Sshd" ; my $map = { 'darwin' => '/etc/sshd_config', 'default' => '/etc/ssh/sshd_config', } ; my $target = $map->{$^O} || $map->{default} ; @tests = ( { name => 'debian-bug-671367' , setup => { 'system_sshd_config' => $map, }, load_warnings => undef , # some weird warnings pop up in Perl smoke tests with perl 5.15.9 check => { 'AuthorizedKeysFile:0' => '/etc/ssh/userkeys/%u', 'AuthorizedKeysFile:1' => '/var/lib/misc/userkeys2/%u', }, file_contents_like => { $target , qr!/etc/ssh/userkeys/%u /var/lib/misc/userkeys2/%u! , } }, ); 1; Config-Model-OpenSsh-1.238/t/model_tests.d/sshd-examples/0000755000175000017500000000000013166471154021605 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/sshd-examples/debian-bug-671367/0000755000175000017500000000000013166471154024355 5ustar domidomiConfig-Model-OpenSsh-1.238/t/model_tests.d/sshd-examples/debian-bug-671367/system_sshd_config0000644000175000017500000000061313166471154030172 0ustar domidomi## This file was written by Config::Model ## You may modify the content of this file. Configuration ## modifications will be preserved. Modifications in ## comments may be mangled. # Package generated configuration file # See the sshd_config(5) manpage for details # now a list AuthorizedKeysFile /etc/ssh/userkeys/%u # used to work on wheezy AuthorizedKeysFile2 /var/lib/misc/userkeys2/%u Config-Model-OpenSsh-1.238/t/custom_sshd.t0000644000175000017500000001047013166471154017006 0ustar domidomi# -*- cperl -*- use ExtUtils::testlib; use Test::More tests => 5; use Config::Model ; use Log::Log4perl qw(:easy) ; use File::Path ; use File::Copy ; use warnings; no warnings qw(once); use strict; my $arg = shift @ARGV || ''; my ($log,$show) = (0) x 2 ; my $trace = $arg =~ /t/ ? 
1 : 0 ; $log = 1 if $arg =~ /l/; $show = 1 if $arg =~ /s/; my $log4perl_user_conf_file = $ENV{HOME}.'/.log4config-model' ; if ($log and -e $log4perl_user_conf_file ) { Log::Log4perl::init($log4perl_user_conf_file); } else { Log::Log4perl->easy_init($log ? $DEBUG: $ERROR); } my $model = Config::Model -> new ( ) ; Config::Model::Exception::Any->Trace(1) if $arg =~ /e/; ok(1,"compiled"); # pseudo root where config files are written by config-model my $wr_root = 'wr_test'; my $testdir = 'custom_sshd' ; my $ssh_path = $^O eq 'darwin' ? '/etc' : '/etc/ssh' ; # cleanup before tests rmtree($wr_root); my @orig = ; my $wr_dir = $wr_root.'/'.$testdir ; mkpath($wr_dir.$ssh_path, { mode => 0755 }) || die "can't mkpath: $!"; open(SSHD,"> $wr_dir$ssh_path/sshd_config") || die "can't open file: $!"; print SSHD @orig ; close SSHD ; my $inst = $model->instance (root_class_name => 'Sshd', instance_name => 'sshd_instance', root_dir => $wr_dir, backend => 'OpenSsh::Sshd', ); ok($inst,"Read $wr_dir$ssh_path/sshd_config and created instance") ; my $root = $inst -> config_root ; my $dump = $root->dump_tree (); print "First $testdir dump:\n",$dump if $trace ; #like($dump,qr/Match:0/, "check Match section") if $testdir =~ /match/; $root -> load("Port=2222") ; $inst->write_back() ; ok(1,"wrote data in $wr_dir") ; # copy data in wr_dir2 my $wr_dir2 = $wr_dir.'b/' ; mkpath($wr_dir2.$ssh_path, { mode => 0755 }) ; copy($wr_dir.$ssh_path.'/sshd_config',$wr_dir2.$ssh_path) ; my $inst2 = $model->instance (root_class_name => 'Sshd', instance_name => 'sshd_instance2', root_dir => $wr_dir2, backend => 'OpenSsh::Sshd', ); ok($inst2,"Read $wr_dir2$ssh_path/sshd_config and created instance") ; my $root2 = $inst2 -> config_root ; my $dump2 = $root2 -> dump_tree (); print "Second $testdir dump:",$dump2 if $trace ; my @mod = split /\n/,$dump ; $mod[17] =~ s/221/2222/; is_deeply([split /\n/,$dump2],\@mod, "check if both dumps are consistent") ; __DATA__ # snatched from Debian config file # Package generated 
configuration file # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for Port 221 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes AllowUsers foo bar@192.168.0.* ClientAliveCountMax 5 ClientAliveInterval 300 Config-Model-OpenSsh-1.238/t/ssh_config.t0000644000175000017500000001475313166471154016605 0ustar 
domidomi# -*- cperl -*- use ExtUtils::testlib; use Test::More ; use Config::Model ; use Config::Model::BackendMgr; # required for tests use Log::Log4perl qw(:easy) ; use File::Path ; use English; use Test::Differences ; use Test::Warn ; use warnings; use strict; my $arg = shift || ''; my ($log,$show) = (0) x 2 ; my $trace = $arg =~ /t/ ? 1 : 0 ; $log = 1 if $arg =~ /l/; $show = 1 if $arg =~ /s/; my $log4perl_user_conf_file = $ENV{HOME}.'/.log4config-model' ; if ($log and -e $log4perl_user_conf_file ) { Log::Log4perl::init($log4perl_user_conf_file); } else { Log::Log4perl->easy_init($log ? $DEBUG: $ERROR); } my $model = Config::Model -> new ( ) ; Config::Model::Exception::Any->Trace(1) if $arg =~ /e/; ok(1,"compiled"); # pseudo root where config files are written by config-model my $wr_root = 'wr_test'; my $testdir = 'ssh_test' ; my $ssh_path = $^O eq 'darwin' ? '/etc' : '/etc/ssh' ; # cleanup before tests rmtree($wr_root); my @orig = ; my $wr_dir = $wr_root.'/'.$testdir ; mkpath($wr_dir.$ssh_path, { mode => 0755 }) || die "can't mkpath: $!"; open(SSHD,"> $wr_dir$ssh_path/ssh_config") || die "can't open file: $!"; print SSHD @orig ; close SSHD ; # special global variable used only for tests my $joe_home = $^O eq 'darwin' ? 
'/Users/joe' : '/home/joe' ; ; Config::Model::BackendMgr::_set_test_home($joe_home) ; # set up Joe's environment my $joe_ssh = $wr_dir.$joe_home.'/.ssh'; mkpath($joe_ssh, { mode => 0755 }) || die "can't mkpath $joe_ssh: $!"; open(JOE,"> $joe_ssh/config") || die "can't open file: $!"; print JOE "Host mine.bar\n\nIdentityFile ~/.ssh/mine\n" ; close JOE ; sub read_user_ssh { my $file = shift ; open(IN, $file)||die "can't read $file:$!"; my @res = grep {/\w/} map { chomp; s/\s+/ /g; $_ ;} grep { not /##/ } ; close (IN); return @res ; } print "Test from directory $testdir\n" if $trace ; note "Running test like root (no layered config)" ; my $root_inst = $model->instance (root_class_name => 'SystemSsh', instance_name => 'root_ssh_instance', root_dir => $wr_dir, ); ok($root_inst,"Read $wr_dir$ssh_path/ssh_config and created instance") ; my $root_cfg = $root_inst -> config_root ; $root_cfg->init ; my $dump = $root_cfg->dump_tree (); print $dump if $trace ; like($dump,qr/^#"ssh global comment"/, "check global comment pattern") ; like($dump,qr/Ciphers=aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,aes256-cbc#" Protocol 2,1\s+Cipher 3des"/,"check Ciphers comment"); like($dump,qr/SendEnv#" PermitLocalCommand no"/,"check SendEnv comment"); like($dump,qr/Host:"foo\.\*,\*\.bar"/, "check Host pattern") ; like($dump,qr/LocalForward:0\s+port=20022/, "check user LocalForward port") ; like($dump,qr/host=10.3.244.4/, "check user LocalForward host") ; like($dump,qr/LocalForward:1#"IPv6 example"\s+ipv6=1/, "check user LocalForward ipv6") ; like($dump,qr/port=22080/, "check user LocalForward port ipv6") ; like($dump,qr/host=2001:0db8:85a3:0000:0000:8a2e:0370:7334/, "check user LocalForward host ipv6") ; $root_inst->write_back() ; ok(1,"wrote ssh_config data in $wr_dir") ; my $inst2 = $model->instance (root_class_name => 'SystemSsh', instance_name => 'root_ssh_instance2', root_dir => $wr_dir, ); my $root2 = $inst2 -> config_root ; my $dump2 = $root2 -> dump_tree (); print $dump2 if $trace ; 
is_deeply([split /\n/,$dump2],[split /\n/,$dump], "check if both root_ssh dumps are identical") ; SKIP: { skip "user tests when test is run as root", 12 if $EUID == 0 ; note "Running test like user with layered config"; my $user_inst = $model->instance (root_class_name => 'Ssh', instance_name => 'user_ssh_instance', root_dir => $wr_dir, ); ok($user_inst,"Read user .ssh/config and created instance") ; my @joe_orig = read_user_ssh($wr_dir.$joe_home.'/.ssh/config') ; my $user_cfg = $user_inst -> config_root ; $dump = $user_cfg->dump_tree (mode => 'full' ); print $dump if $trace ; like($dump,qr/Host:"foo\.\*,\*\.bar"/,"check root Host pattern") ; like($dump,qr/Host:"?mine.bar"?/,"check user Host pattern") ; $user_inst->write_back() ; my $joe_file = $wr_dir.$joe_home.'/.ssh/config' ; ok(1,"wrote user .ssh/config data in $joe_file") ; ok(-e $joe_file,"Found $joe_file") ; # compare original and written file my @joe_written = read_user_ssh($joe_file) ; eq_or_diff(\@joe_written,\@joe_orig,"check user .ssh/config files") ; # write some data $user_cfg->load('EnableSSHKeysign=1') ; $user_inst->write_back() ; unshift @joe_orig,'EnableSSHKeysign yes'; @joe_written = read_user_ssh($joe_file) ; eq_or_diff(\@joe_written,\@joe_orig,"check user .ssh/config files after modif") ; # run test on tricky element warning_like { $user_inst->load( check => 'skip', step => 'Host:"*" IPQoS="foo bar baz"') ; } qr/skipping value/ ,"too many fields warning"; warning_like { $user_inst->load( check => 'skip', step => 'Host:"*" IPQoS="foo"') ; } qr/skipping/ ,"bad fields warning"; ok($user_inst->has_error,"check errors count") ; like($user_inst->error_messages,qr/"af11"/,"check error message") ; $user_inst->load('Host:"*" IPQoS="af11 af12"') ; # fix is pending my $expect = $Config::Model::VERSION > 2.046 ? 
0 : 1 ; is($user_inst->has_error,$expect,"check error count after fix") ; # check if config has warnings is($user_inst->has_warning,0,"check if warnings are left"); } done_testing; __END__ # ssh global comment Host * # ForwardAgent no # ForwardX11 no Port 1022 # Protocol 2,1 # Cipher 3des Ciphers aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,aes256-cbc # PermitLocalCommand no SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no # foo bar big # comment Host foo.*,*.bar # for and bar have X11 ForwardX11 yes SendEnv FOO BAR Host *.gre.hp.com ForwardX11 yes User tester Host picosgw ForwardAgent yes HostName sshgw.truc.bidule IdentityFile ~/.ssh/%r LocalForward 20022 10.3.244.4:22 # IPv6 example LocalForward all.com/22080 2001:0db8:85a3:0000:0000:8a2e:0370:7334/80 User k0013 Host picos ForwardX11 yes HostName localhost Port 20022 User ocad ControlPersist YES Config-Model-OpenSsh-1.238/t/model_tests.t0000644000175000017500000000033213166471154016771 0ustar domidomi# -*- cperl -*- use warnings; use strict; use Config::Model::Tester 2.042; use ExtUtils::testlib; my $arg = shift || ''; my $test_only_model = shift || ''; my $do = shift ; run_tests($arg, $test_only_model, $do) ; Config-Model-OpenSsh-1.238/t/custom_sshd_match.t0000644000175000017500000000607413166471154020167 0ustar domidomi# -*- cperl -*- use ExtUtils::testlib; use Test::More tests => 5; use Test::Differences; use Config::Model ; use Log::Log4perl qw(:easy) ; use File::Path ; use File::Copy ; use warnings; no warnings qw(once); use strict; my $arg = shift || ''; my ($log,$show) = (0) x 2 ; my $trace = $arg =~ /t/ ? 1 : 0 ; $log = 1 if $arg =~ /l/; $show = 1 if $arg =~ /s/; my $log4perl_user_conf_file = $ENV{HOME}.'/.log4config-model' ; if ($log and -e $log4perl_user_conf_file ) { Log::Log4perl::init($log4perl_user_conf_file); } else { Log::Log4perl->easy_init($log ? 
$DEBUG: $ERROR); } my $model = Config::Model -> new ( ) ; Config::Model::Exception::Any->Trace(1) if $arg =~ /e/; ok(1,"compiled"); # pseudo root where config files are written by config-model my $wr_root = 'wr_test'; my $testdir = 'custom_sshd' ; my $ssh_path = $^O eq 'darwin' ? '/etc' : '/etc/ssh' ; # cleanup before tests rmtree($wr_root); my @orig = ; my $wr_dir = $wr_root.'/'.$testdir ; mkpath($wr_dir.$ssh_path, { mode => 0755 }) || die "can't mkpath: $!"; open(SSHD,"> $wr_dir$ssh_path/sshd_config") || die "can't open file: $!"; print SSHD @orig ; close SSHD ; my $inst = $model->instance (root_class_name => 'Sshd', instance_name => 'sshd_instance', root_dir => $wr_dir, backend => 'OpenSsh::Sshd', ); ok($inst,"Read $wr_dir$ssh_path/sshd_config and created instance") ; my $root = $inst -> config_root ; my $dump = $root->dump_tree (); print "First $testdir dump:\n",$dump if $trace ; #like($dump,qr/Match:0/, "check Match section") if $testdir =~ /match/; $root -> load("Port=2222 HostbasedAuthentication=yes Subsystem:ddftp=/home/dd/bin/ddftp Match:1 Condition Host=elysee.* ") ; $inst->write_back() ; ok(1,"wrote data in $wr_dir") ; # copy data in wr_dir2 my $wr_dir2 = $wr_dir.'b' ; mkpath($wr_dir2.$ssh_path, { mode => 0755 }) ; copy($wr_dir.$ssh_path.'/sshd_config',$wr_dir2.$ssh_path) ; my $inst2 = $model->instance (root_class_name => 'Sshd', instance_name => 'sshd_instance2', root_dir => $wr_dir2, backend => 'OpenSsh::Sshd', ); ok($inst2,"Read $wr_dir2$ssh_path/sshd_config and created instance") ; my $root2 = $inst2 -> config_root ; my $dump2 = $root2 -> dump_tree (); print "Second $testdir dump:\n",$dump2 if $trace ; my @mod = split /\n/,$dump ; unshift @mod, 'HostbasedAuthentication=yes', 'Port=2222'; splice @mod,2,0,'Subsystem:ddftp=/home/dd/bin/ddftp'; splice @mod,12,1,' Group="pres.*"',' Host="elysee.*" -'; eq_or_diff([split /\n/,$dump2],\@mod, "check if both dumps are consistent") ; __DATA__ X11Forwarding yes Match User domi AllowTcpForwarding yes 
PasswordAuthentication yes RhostsRSAAuthentication no RSAAuthentication yes X11DisplayOffset 10 X11Forwarding yes # sarkomment Match User sarko Group pres.* Banner /etc/bienvenue.txt X11Forwarding no # some comment Match User bush Group pres.* Host white.house.* Banner /etc/welcome.txt Config-Model-OpenSsh-1.238/weaver.ini0000644000175000017500000000022513166471154016012 0ustar domidomi[@Default] [-Transformer] transformer = List [Support] perldoc = 0 bugs = metadata websites = search,anno,ratings,kwalitee,testers,testmatrix,deps Config-Model-OpenSsh-1.238/README-build-from-git.md0000644000175000017500000000321613166471154020121 0ustar domidomi# How to build Config::Model::OpenSsh from git repository `Config::Model::OpenSsh` is built with [Dist::Zilla](http://dzil.org/). This page details how to install the tools and dependencies required to build this module. ## Install tools and dependencies ### Debian, Ubuntu and derivatives Run $ sudo apt install libdist-zilla-perl libdist-zilla-app-command-authordebs-perl $ dzil authordebs --install $ sudo apt build-dep libconfig-model-openssh-perl The [libdist-zilla-app-command-authordebs-perl package](https://tracker.debian.org/pkg/libdist-zilla-app-command-authordebs-perl) is quite recent (uploaded in Dec 2016 to Debian/unstable) and may not be available yet on your favorite distribution. ### Other systems Run $ cpanm Dist::Zilla $ dzil authordeps -missing | cpanm --notest $ dzil listdeps --missing | cpanm --notest NB: The author would welcome pull requests that explain how to install these tools and dependencies using the native packages of other distributions. ## Build Config::Model::OpenSsh Run dzil build or dzil test `dzil` may complain about a missing `EmailNotify` or `Twitter` plugin. You may ignore this or edit [dist.ini](dist.ini) to comment out the last 2 sections. These are useful only to the author when releasing a new version. `dzil` may also return an error like `Cannot determine local time zone`. 
In this case, you should specify your timezone explicitly in a `TZ` environment variable. E.g. run `dzil` this way: TZ="Europe/Paris" dzil test The list of possible timezones is provided by the [DateTime::TimeZone::Catalog](https://metacpan.org/pod/DateTime::TimeZone::Catalog) documentation. Config-Model-OpenSsh-1.238/Changes0000644000175000017500000003007313166471154015317 0ustar domidomi1.238 2017-10-08 * updated models to use new rw_config parameter (requires Config::Model 2.111) * update Ciphers parameter * UseLogin parameter is deprecated 1.237 2016-03-07 * Fix tests broken by Config::Model 2.080 changes (RT #112736) * Build.PL: avoid dependency on cme to build doc * dist.ini: * updated to use github's bug tracker - removed build dependency on Tk * updated README.pod to use cme meta edit 1.236 2014-05-22 * removed experience parameters from OpenSsh model with config-model-edit * removed build time dependency on AnyEvent * warn and propose a fix when a public key is used as IdentityFile 1.235 2014-04-04 * tweak test to be compatible with Config::Model >= or < 2.052 * fix man pages abstract section (for Pod::Weaver) 1.234 2014-03-01 * fixed skipped test count in ssh_config.t to enable cpanm installation (RT 93314) * test $inst->has_warning (requires Config::Model 2.050) 1.233 2014-02-13 * Ssh backends: send a clear error message when unknown parameters are found (RT 92639) * Ssh: added deprecated UseRSh and FallBackToRsh (RT 92639) 1.232 2013-12-29 * Ssh::GSSAPI* params: set upstream_default to 0 (instead of default) * fixed typo in Sshd::MatchCondition description (tx gregoa) 1.231 2013-12-23 * Added parameters supported by OpenSsh 6.4 (i.e. 
IgnoreUnknown ForwardX11Timeout GatewayPorts GSSAPIKeyExchange GSSAPIClientIdentity GSSAPIServerIdentity GSSAPIDelegateCredentials GSSAPIRenewalForcesRekey GSSAPITrustDns IPQoS KexAlgorithms PKCS11Provider AllowAgentForwarding AuthenticationMethods AuthorizedKeysCommand AuthorizedKeysCommandUser AuthorizedPrincipalsFile ChrootDirectory GSSAPIStoreCredentialsOnRekey HostCertificate HostKeyAgent MaxSessions PermitBlacklistedKeys PubkeyAuthentication RekeyLimit RevokedKeys RhostsRSAAuthentication TrustedUserCAKeys VersionAddendum) 1.230 2013-08-27 This new release now works on MacOS X. It does take into account the different location of ssh configuration files compared to Linux or BSD. * Fixed tests for MacOS X 1.230_04 2013-08-19 * Depends on Config::Model 2.041 * Build depends on Config::Model::Tester 2.042 1.230_03 2013-08-09 * Load EV at beginning of test to avoid failure in CPAN smoke tests. 1.230_02 2013-08-08 * Load AnyEvent at beginning of test to avoid failure in CPAN smoke tests. 1.230_01 2013-08-07 * Fixed dist.ini to tweak $VERSION in all module files 1.229 2013-07-23 * fixed dist::zilla files to include .ssh dir needed for tests 1.228 2013-07-21 [ Usage changes ] * 'cme edit ssh|sshd|system-ssh' is now working on MacOS X * '/etc/ssh/ssh_config' is now handled by system-ssh. I.e. use 'cme edit system-ssh' to change this file * root user can edit its ~/.ssh/config file like any other user with 'cme edit ssh'. [ Bug fixes ] * corrected OpenSSH project name (was OpenSsh) * ssh backend: fix bug that prevented reading user file with global parameters * Ssh model: allow config file creation [ Other changes ] * renamed ChangeLog in Changes * Ssh model: use new default layer from C::M 2.040 to read system config file (hence the updated requirement on Config::Model 2.040) * All backends: removed custom code to open file. 
Lets Config::Model::BackendMgr handle this 2013-04-04 - 1.227 * Removed Augeas backend (no longer needed, comments are handled by Config::Model::Backend::OpenSsh) * Removed unused deps (File::Slurp) * Replaced Any::Moose with Mouse. Directly depend on Mouse. Removed dependency on Any::Mooose 2012-12-07 - 1.226 * ssh model: + added ControlPersist parameter + added Re-Build parameter (fix RT #81346) * Changed experience of Control* parameters to beginner * backend: ensure clear error message if Host is used in sshd_config * updated demos to use cme * use cme gen-class-pod to re-build when necessary * updated Config::Model dependency to 2.026 for this 2012-10-28 Dominique Dumont v 1.225 Doc and demo fix release * updated demos to use cme instead of deprecated config-edit * likewise, clean up pod doc to use cme command * removed non utf-8 char from ssh doc (Fix RT 79077) 2012-05-22 Dominique Dumont v 1.224 * Backend: make sure that AuthorizedKeysFile items are written on a single line. * Depends on Config::Model 2.017 (which has a correct dependency list). * Note to distro packagers: this dependency on Config::Model 2.017 is required for people installing this module with cpanm and for Perl smoke tests. 
From a feature point of view, this module requires only Config::Model 2.015 2012-05-18 Dominique Dumont v 1.223 * Added build-dependencies required by t/model_test.t (which use Config::Model::Tester) * Fix sshd-test-conf.pl to avoid test failure due to Text::Balanced warnings with perl 5.15 2012-05-16 Dominique Dumont v 1.222 * added AuthorizedKeysFile2 parameter (See Debian #671367) and migration from AuthorizedKeysFile2 to AuthorizedKeysFile to help migration from Debian Squeeze to Wheezy * replaced deprecated get_all_indexes with fetch_all_indexes * depends on Config::Model 2.015 2012-04-25 Dominique Dumont v 1.221 * Ssh model: ControlMaster also supports auto keyword (tx to harleypig and Daniel Dehennin) Closes Debian #670319 * Test: Fix skip count when test is run as root (fix smoke test failures) 2012-02-20 Dominique Dumont v 1.220 * Fix test to force write back even if no data were changed in the test (Fix FTBS Debian #660371 and Ubuntu #935221) * This fix depends on Config::Model 2.004 * Requires perl 5.10 * Move runtime dependencies in configure-requires as config::model is called by Build.PL to (re)generate pod (see also RT73611) 2011-12-07 Dominique Dumont v 1.219 * Ssh model: do not warp LocalForward with GatewayPorts. They are independant * Ssh backend: store root config in layered data instead of preset data (also fix RT#72916) * Depends on Config::Model 1.265 2011-07-22 Dominique Dumont v 1.218 * OpenSsh backend: Fix bug that tried to open a file in /etc when saving ssh config as a regular user. 
2011-05-11 Dominique Dumont v 1.217 * All Backend: test value with length instead of defined (avoid keyword without value lines) * added Test::Difference build dependency * lib/Config/Model/user.d/ssh: added forgotten user file for ssh 2011-04-11 Dominique Dumont v 1.216 * All: use Any::Moose instead of plain Moose * depends on Any::Moose (fix RT# 67307) 2011-04-04 Dominique Dumont v 1.215 * All models: Added author, license and class_description * Added generated documentation from configuration classes. * Requires Config::Model 1.236 2011-03-03 Dominique Dumont v 1.214 * Fixed Build.PL to install files from lib/.../system.d/ * Fixed Ssh backend to write Host pattern annotations/comments 2011-02-28 Dominique Dumont v 1.213 * Fixed MANIFEST.SKIP to remove cruft shipped by Dist::Zilla. As downstream packager, I was not amused :/ 2011-02-23 Dominique Dumont v 1.212 * Fixed Build.PL to include prereqs computed by Dist::Zilla 2011-02-21 Dominique Dumont v 1.211 * *.t: fixed tests (Fix Debian bug #605792) * demo: split user and maintainer demo * removed config-edit-*. config-edit now has auto-completion and can be invoked with '-application ssh' or '-application sshd' * removed dependency on Parse::RecDescent * depend on Config::Model 1.234 * Single backend was split in 3 (OpenSsh, Ssh and Sshd) to benefit from C::M::Backend::Any 2010-02-02 Dominique Dumont * demo/demo.pl (my_system): new demo (requires Config::Model::Itself) 2010-01-24 Dominique Dumont * lib/Config/Model/models/Ssh/PortForward.pl: host and hostport are mandatory 2010-01-22 Dominique Dumont v1.210 * lib/Config/Model/OpenSsh.pm: Modified to read and write Port forward information from PortForward config class. * lib/Config/Model/models/Ssh/PortForward.pl: New configuration class to make ssh port forwarding configuration easier. 2010-01-18 Dominique Dumont v1.209 * lib/Config/Model/models/Sshd.pl: Added automatic migration of data from deprecated KeepAlive parameter to TCPKeepAlive parameter. 
This enables an automatic migration from old sshd config to new syntax. * lib/Config/Model/models/Ssh/HostElement.pl: Since ssh_config doc mentions that LocalForward and RemoteForward can be specified several times, these 2 parameters are changed from leaf to a list of leaf. * lib/Config/Model/models/Ssh.pl: As specifying Host block as list of patterns and content was not practical, the Host element in Ssh model was changed from list of HostBlock nodes to hash of HostElement. The Host patterns is used as the key of the hash. This enables a better view of shh configuration in the GUI. * lib/Config/Model/OpenSsh.pm (assign): Store value in uniline leaf even with embedded white spaces. (write_all_host_block): adapted to Host structure change in model 2009-09-10 Dominique Dumont v1.208 * lib/Config/Model/models/**.pl: Changed 'level' of some elements to 'important' so the new wizard provided by C::M::TkUI will show the most imporant ssh and sshd configuration parameters. 2009-07-29 Dominique Dumont v1.207 * t/ssh_config.t: When run as root, skip the tests that must be run as regular user. (Fix Debian FTBS) * lib/Config/Model/models/Ssh/HostElement.pl: Fix model error: ServerAliveInterval is an integer, not a boolean 2009-06-24 Dominique Dumont v1.206 * Build.PL: added forgotten dependency on Parse::RecDescent. Depends on Config::Model 0.637 2009-06-23 Dominique Dumont * lib/Config/Model/models/**.pl: replaced deprecated 'built_in' model parameter with 'upstream_default'. (In fact I just had to run "config-model-edit -model Ssh -save" (from Config::Model::Itself)) 2009-04-11 Dominique Dumont v1.205 * lib/Config/Model/OpenSsh.pm (read_ssh_file): fix bug that breaks with Config::Model 0.635 2009-03-09 Dominique Dumont v1.204 * t/ssh_config.t: Removed unused options that broke with Config::Model 0.634 * config-edit-ssh: Update documentation 2009-02-03 Dominique Dumont v1.203 * t/augeas_*.t: Do the exec only if Augeas part can be tested. Use $^X in exec instead of 'perl'. 
This should also fix tests in CPAN. 2009-02-02 Dominique Dumont v1.202 * t/augeas*.t : Changed Augeas locale workaround to reduce the number of test failures in CPAN tests. 2009-01-29 Dominique Dumont v1.201 * config-edit-sshd: added workaround Augeas locale bug * Sshd files: Major bug fixes for Augeas integration * lib/Config/Model/OpenSsh.pm (read_ssh_file): Fix: Host names are separated by white spaces and not comma 2008-11-16 Domi * lib/Config/Model/models/Sshd.pl: Added write through Augeas so comment in /etc/ssh/sshd_config can be preserved (requires Augeas and Config::Model::Backend::Augeas) * config-edit-ssh: new command line to edit ~/.ssh/config file (as normal user) or /etc/ssh/ssh_config (as root) 2008-05-26 Dominique Dumont v0.104 * all: changed module name from Sshd to OpenSsh 2008-05-24 Dominique Dumont v0.103 * lib/Config/Model/Sshd.pm (): Added doc * config-edit-sshd: new file Config-Model-OpenSsh-1.238/lib/0000755000175000017500000000000013166471154014567 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/0000755000175000017500000000000013166471154015774 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/0000755000175000017500000000000013166471154017034 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/system.d/0000755000175000017500000000000013166471154020602 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/system.d/system-ssh0000644000175000017500000000002213166471154022636 0ustar domidomimodel = SystemSsh Config-Model-OpenSsh-1.238/lib/Config/Model/system.d/sshd0000644000175000017500000000001513166471154021462 0ustar domidomimodel = Sshd Config-Model-OpenSsh-1.238/lib/Config/Model/OpenSsh.pm0000644000175000017500000001077413166471154020762 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. 
# # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # package Config::Model::OpenSsh ; $Config::Model::OpenSsh::VERSION = '1.238'; use Config::Model 2.111; 1; # ABSTRACT: OpenSSH config editor __END__ =pod =encoding UTF-8 =head1 NAME Config::Model::OpenSsh - OpenSSH config editor =head1 VERSION version 1.238 =head1 SYNOPSIS =head2 invoke editor The following will launch a graphical editor (if L is installed): sudo cme edit sshd =head2 command line This command will add a C section in C<~/.ssh/config>: cme modify ssh Host:Foo ForwardX11=yes =head2 programmatic This code snippet will remove the C section added above: use Config::Model ; use Log::Log4perl qw(:easy) ; my $model = Config::Model -> new ( ) ; my $inst = $model->instance (root_class_name => 'Ssh'); $inst -> config_root ->load("Host~Foo") ; $inst->write_back() ; =head1 DESCRIPTION This module provides a configuration editors (and models) for the configuration files of OpenSSH. (C, F and C<~/.ssh/config>). This module can also be used to modify safely the content of these configuration files from a Perl programs. Once this module is installed, you can edit C with run (as root) : # cme edit sshd To edit F, run (as root): # cme edit ssh To edit F<~/.ssh/config>, run as a normal user: $ cme edit ssh =head1 user interfaces As mentioned in L, several user interfaces are available with C subcommand: =over =item * A graphical interface is proposed by default if L is installed. =item * A Curses interface with option C if L is installed. =item * A Shell like interface with option C. =back =head1 SEE ALSO L, L, =head1 AUTHOR Dominique Dumont =head1 COPYRIGHT AND LICENSE This software is Copyright (c) 2008-2014 by Dominique Dumont. 
This is free software, licensed under: The GNU Lesser General Public License, Version 2.1, February 1999 =for :stopwords cpan testmatrix url annocpan anno bugtracker rt cpants kwalitee diff irc mailto metadata placeholders metacpan =head1 SUPPORT =head2 Websites The following websites have more information about this module, and may be of help to you. As always, in addition to those websites please use your favorite search engine to discover more resources. =over 4 =item * Search CPAN The default CPAN search engine, useful to view POD in HTML format. L =item * AnnoCPAN The AnnoCPAN is a website that allows community annotations of Perl module documentation. L =item * CPAN Ratings The CPAN Ratings is a website that allows community ratings and reviews of Perl modules. L =item * CPANTS The CPANTS is a website that analyzes the Kwalitee ( code metrics ) of a distribution. L =item * CPAN Testers The CPAN Testers is a network of smokers who run automated tests on uploaded CPAN distributions. L =item * CPAN Testers Matrix The CPAN Testers Matrix is a website that provides a visual overview of the test results for a distribution on various Perls/platforms. L =item * CPAN Testers Dependencies The CPAN Testers Dependencies is a website that shows a chart of the test results of all dependencies for a distribution. L =back =head2 Bugs / Feature Requests Please report any bugs or feature requests by email to C, or through the web interface at L. You will be automatically notified of any progress on the request by the system. =head2 Source Code The code is open to the world, and available for you to hack on. Please feel free to browse it and play with it, or whatever. 
If you want to contribute patches, please send me a diff or prod me to pull from your repository :) L Clone over HTTPS rather than the C<git://> transport: C<git://> is neither authenticated nor encrypted, so a clone made over it gives you no way to verify that the code you received is what the repository actually holds. git clone https://github.com/dod38fr/config-model-openssh.git =cut Config-Model-OpenSsh-1.238/lib/Config/Model/user.d/0000755000175000017500000000000013166471154020234 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/user.d/ssh0000644000175000017500000000001413166471154020747 0ustar domidomimodel = Ssh Config-Model-OpenSsh-1.238/lib/Config/Model/models/0000755000175000017500000000000013166471154020317 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/models/SystemSsh.pl0000644000175000017500000000136613166471154022624 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'author' => [ 'Dominique Dumont' ], 'class_description' => 'Configuration class used by L to edit or validate /etc/ssh/ssh_config (as root) ', 'copyright' => [ '2013 Dominique Dumont' ], 'include' => [ 'Ssh' ], 'license' => 'LGPL2', 'name' => 'SystemSsh', 'rw_config' => { 'backend' => 'OpenSsh::Ssh', 'config_dir' => '/etc/ssh', 'file' => 'ssh_config', 'os_config_dir' => { 'darwin' => '/etc' } } } ] ; Config-Model-OpenSsh-1.238/lib/Config/Model/models/Ssh.pod0000644000175000017500000010713413166471154021566 0ustar domidomi# PODNAME: Config::Model::models::Ssh # ABSTRACT: Configuration class Ssh =encoding utf8 =head1 NAME Config::Model::models::Ssh - Configuration class Ssh =head1 DESCRIPTION Configuration classes used by L Configuration class used by L to edit or validate ~/.ssh/config. =head1 Elements =head2 EnableSSHKeysign Setting this option to 'yes' in the global client configuration file /etc/ssh/ssh_config enables the use of the helper program ssh-keysign(8) during HostbasedAuthentication. See ssh-keysign(8) for more information. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 0 =back =head2 Host The declarations made in 'parameters' are applied only to the hosts that match one of the patterns given in pattern elements. A single '*' as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the hash (which takes order into account), and general defaults at the end. In particular, a 'Host *' block placed first would silently win over every more specific block that follows it, so keep security-sensitive defaults (for example ForwardAgent or StrictHostKeyChecking) at the end where a per-host entry can still override them. I< Optional. Type hash of node of class L . > =head2 AddressFamily Specifies which address family to use when connecting. I< Optional. Type enum. choice: 'any', 'inet', 'inet6'. > =over 4 =item upstream_default value : any =back =head2 BatchMode If set to 'yes', passphrase/password querying will be disabled. In addition, the ServerAliveInterval option will be set to 300 seconds by default. This option is useful in scripts and other batch jobs where no user is present to supply the password, and where it is desirable to detect a broken network swiftly. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 BindAddress Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address. Note that this option does not work if UsePrivilegedPort is set to 'yes'. I< Optional. Type uniline. > =head2 ChallengeResponseAuthentication Specifies whether to use challenge-response authentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 CheckHostIP If enabled, ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If disabled, the check will not be executed. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 1 =back =head2 Cipher Specifies the cipher to use for encrypting the session in protocol version 1. "des" is only supported in the ssh(1) client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. Note that every choice here is a protocol 1 cipher; protocol 1 as a whole is obsolete and should not be enabled (see Protocol below), in which case this setting is never used and is best left unset. I< Optional. Type enum. choice: 'blowfish', '3des', 'des'. > =over 4 =item upstream_default value : 3des =back =head2 Ciphers Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. The supported ciphers are: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com The default is: chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,aes192-cbc,aes256-cbc Prefer the AEAD ciphers (chacha20-poly1305@openssh.com and the *-gcm@openssh.com ones) and the CTR modes. The ciphers that are supported but excluded from the default (arcfour*, blowfish-cbc, cast128-cbc, 3des-cbc) are legacy algorithms; if an old server forces you to use one, add it for that host only with the '+' form rather than replacing the default list globally. The list of available ciphers may also be obtained using C<ssh -Q cipher> I< Optional. Type uniline. > =head2 ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is primarily useful when used from the ssh(1) command line to clear port forwardings set in configuration files, and is automatically set by scp(1) and sftp(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 Compression Specifies whether to use compression. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 CompressionLevel I< Optional. Type integer. 
> =over 4 =item upstream_default value : 6 =back =head2 ConnectionAttempts Specifies the number of tries (one per second) to make before exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. I< Optional. Type integer. > =over 4 =item upstream_default value : 1 =back =head2 ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. This value is used only when the target is down or really unreachable, not when it refuses the connection. I< Optional. Type integer. > =head2 ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to 'yes', ssh(1) will listen for connections on a control socket specified using the ControlPath argument. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to 'no' (the default). These sessions will try to reuse the master instance's network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist, or is not listening. Setting this to 'ask' will cause ssh to listen for control connections, but require confirmation using the SSH_ASKPASS program before they are accepted (see ssh-add(1) for details). If the ControlPath cannot be opened, ssh will continue without connecting to a master instance. X11 and ssh-agent(1) forwarding is supported over these multiplexed connections, however the display and agent forwarded will be the one belonging to the master connection i.e. it is not pos sible to forward multiple displays or agents. Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already exist. These options are: 'auto' and 'autoask'. The latter requires confirmation like the 'ask' option. I< Optional. Type enum. choice: 'no', 'yes', 'ask', 'auto', 'autoask'. 
> =over 4 =item upstream_default value : no =back =head2 ControlPath Specify the path to the control socket used for connection sharing as described in the ControlMaster section above or the string 'none' to disable connection sharing. In the path, '%l' will be substituted by the local host name, '%h' will be substituted by the target host name, '%p' the port, and '%r' by the remotelogin username. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r. This ensures that shared connections are uniquely identified. I< Optional. Type uniline. > =head2 ControlPersist - persists the master connection in the background When used in conjunction with ControlMaster, specifies that the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. If set to ``no'', then the master connection will not be placed into the background, and will close as soon as the initial client connection is closed. If set to ``yes'', then the master connection will remain in the background indef- initely (until killed or closed via a mechanism such as the ssh(1) ``-O exit'' option). If set to a time in seconds, or a time in any of the formats documented in sshd_config(5), then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time. I< Optional. Type uniline. > =head2 DynamicForward Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port. By default, the local port is bound in accordance with the GatewayPorts setting. 
However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of 'localhost' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh(1) will act as a SOCKS server. Be aware that the SOCKS server ssh(1) provides performs no client authentication of its own: binding it to '*' (or an empty address) lets every host that can reach the port tunnel traffic through your SSH session under your identity. Keep the default loopback binding unless that exposure is intended. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. I< Optional. Type list of uniline. > =head2 EscapeChar Sets the escape character (default: '~'). The escape character can also be set on the command line. The argument should be a single character, '^' followed by a letter, or 'none' to disable the escape character entirely (making the connection transparent for binary data). I< Optional. Type uniline. > =over 4 =item upstream_default value : ~ =back =head2 ExitOnForwardFailure Specifies whether ssh(1) should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. For that reason, enable it only inside the Host block of servers whose root you trust, never under a 'Host *' default, and remember that the exposure lasts for the whole session. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. X11 forwarding should be enabled with caution. 
Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardX11Timeout - timeout for untrusted X11 forwarding Specify a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of sshd_config(5). X11 connections received by ssh(1) after this time will be refused. The default is to disable untrusted X11 forwarding after twenty minutes has elapsed. I< Optional. Type uniline. > =head2 ForwardX11Trusted If this option is set, remote X11 clients will have full access to the original X11 display. If this option is not set, remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth(1) token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time. See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. Full access means the remote side can read and inject input for every window on your display, so leave this off unless the remote host is trusted to the same degree as your local account. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh(1) binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. When enabled, any host that can reach your machine can use the forwarded port, with no protection other than whatever the forwarded service itself enforces; prefer an explicit bind_address on the individual forwarding over turning this on globally. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GlobalKnownHostsFile Specifies a file to use for the global host key database. I< Optional. Type uniline. 
> =over 4 =item upstream_default value : /etc/ssh/ssh_known_hosts =back =head2 GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIKeyExchange Specifies whether key exchange based on GSSAPI may be used. When using GSSAPI key exchange the server need not have a host key. Note that this option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIClientIdentity If set, specifies the GSSAPI client identity that ssh should use when connecting to the server. The default is unset, which means that the default identity will be used. I< Optional. Type uniline. > =head2 GSSAPIServerIdentity If set, specifies the GSSAPI server identity that ssh should expect when connecting to the server. The default is unset, which means that the expected GSSAPI server identity will be determined from the target hostname. I< Optional. Type uniline. > =head2 GSSAPIDelegateCredentials Forward (delegate) credentials to the server. Note that this option applies to protocol version 2 connections using GSSAPI. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIRenewalForcesRekey If set to "yes" then renewal of the client's GSSAPI credentials will force the rekeying of the ssh connection. With a compatible server, this can delegate the renewed credentials to a session on the server. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPITrustDns Set to "yes" to indicate that the DNS is trusted to securely canonicalize the name of the host being connected to. If "no", the hostname entered on the command line will be passed untouched to the GSSAPI library. This option only applies to protocol version 2 connections using GSSAPI. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 0 =back =head2 HashKnownHosts Indicates that ssh(1) should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file's contents be disclosed. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. This option applies to protocol version 2 only and is similar to RhostsRSAAuthentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HostKeyAlgorithms Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. Of the two choices offered by this model, 'ssh-dss' (DSA) is limited to 1024-bit keys and SHA-1 signatures and should not be selected unless a legacy server leaves no alternative; leaving this unset lets ssh(1) use its own, newer default list. I< Optional. Type check_list. choice: 'ssh-rsa', 'ssh-dss'. > =head2 HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host. I< Optional. Type uniline. > =head2 HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications). I< Optional. Type uniline. > =head2 IdentitiesOnly Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. This option is intended for situations where ssh-agent offers many different identities. Each identity offered during public key authentication also discloses its public key to the server, so restricting the set per host both avoids hitting the server's authentication attempt limit and limits what an untrusted server learns about your other keys. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 0 =back =head2 IdentityFile Specifies a file from which the user's RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use the tilde syntax to refer to a user's home directory or one of the following escape characters: '%d' (local user's home directory), '%u' (local user name), '%l' (local host name), '%h' (remote host name) or '%r' (remote user name). It is possible to have multiple identity files specified in con figuration files; all these identities will be tried in sequence. I< Optional. Type list of uniline. > =head2 IPQoS - IPv4 type-of-service or DSCP class for the connection. Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted values are "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is "lowdelay" for interactive sessions and "throughput" for non-interactive sessions. I< Optional. Type uniline. > =over 4 =item upstream_default value : lowdelay throughput =back =head2 KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 KbdInteractiveDevices Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. 
The default is to use the server specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: 'bsdauth', 'pam', and 'skey'. I< Optional. Type list of uniline. > =head2 KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Among the choices below, 'diffie-hellman-group1-sha1' uses a fixed 1024-bit group with SHA-1 and is the weakest; prefer the ecdh-sha2-* entries or 'diffie-hellman-group-exchange-sha256' and leave the group1 and other SHA-1 variants unselected unless a legacy server requires them. I< Optional. Type check_list. choice: 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'. > =head2 LocalForward - Local port forwarding Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port and host/hostport. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces. As with DynamicForward, a wildcard bind_address exposes the forwarded service to every host that can reach the port, so use it deliberately. Example: LocalForward 20000 192.168.0.66:80 . I< Optional. Type list of node of class L . > =head2 LogLevel Gives the verbosity level that is used when logging messages from ssh(1). The possible values are: SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output. I< Optional. Type enum. 
choice: 'SILENT', 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3'. > =over 4 =item upstream_default value : INFO =back =head2 MACs Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Among the choices below, the MD5-based ('hmac-md5', 'hmac-md5-96') and truncated ('hmac-sha1-96') variants are the weakest; prefer 'umac-64@openssh.com' or full-length 'hmac-sha1', or leave this unset so ssh(1) applies its own, newer default list. I< Optional. Type check_list. choice: 'hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-sha1-96', 'hmac-md5-96'. > =head2 NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost, which means any process able to listen on the local port you connect to can impersonate the server; use it only where "localhost" really is the same trusted machine. The default is to check the host key for localhost. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 NumberOfPasswordPrompts Specifies the number of password prompts before giving up. I< Optional. Type integer. > =over 4 =item upstream_default value : 3 =back =head2 PasswordAuthentication Specifies whether to use password authentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 PermitLocalCommand Allow local command execution via the LocalCommand option or using the !command escape sequence in ssh(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. The following escape character substitutions will be performed: '%d' (local user's home directory), '%h' (remote host name), '%l' (local host name), '%n' (host name as provided on the command line), '%p' (remote port), '%r' (remote user name) or '%u' (local user name). Because the command runs under the user's shell with these values substituted, anyone who can modify the ssh_config file in use can run arbitrary commands as that user; keep ~/.ssh/config writable only by its owner and the system file writable only by root. This directive is ignored unless PermitLocalCommand has been enabled. 
I< Optional. Type uniline. > =head2 PKCS11Provider Specifies which PKCS#11 provider to use. The argument to this keyword is the PKCS#11 shared library ssh(1) should use to communicate with a PKCS#11 token providing the user's private RSA key. Note that the library named here is loaded into the ssh process, so it must come from a trusted, root-owned location. I< Optional. Type uniline. > =head2 Port Specifies the port number to connect on the remote host. I< Optional. Type integer. > =over 4 =item upstream_default value : 22 =back =head2 PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). I< Optional. Type check_list. choice: 'gssapi-with-mic', 'hostbased', 'publickey', 'keyboard-interactive', 'password'. > =head2 Protocol Specifies the protocol versions ssh(1) should support in order of preference. The default is "2,1". This means that ssh tries version 2 and falls back to version 1 if version 2 is not available. Protocol version 1 has known cryptographic weaknesses and is no longer supported by current OpenSSH releases; set this explicitly to "2" so that the client never falls back to it, even if a server (or an attacker in the path) offers only version 1. I< Optional. Type check_list. choice: '2', '1'. > =head2 ProxyCommand Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user's shell. In the command string, '%h' will be substituted by the host name to connect and '%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to "none" disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command. As with LocalCommand, this is arbitrary code run under the user's shell, so the ssh_config file that sets it must be writable only by its owner. This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p. I< Optional. 
Type uniline. > =head2 PubkeyAuthentication Specifies whether to try public key authentication. This option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated. The argument is the number of bytes, with an optional suffix of 'K', 'M', or 'G' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between '1G' and '4G', depending on the cipher. This option applies to protocol version 2 only. I< Optional. Type uniline. > =head2 RemoteForward - remote port forward to local Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. If the bind_address is not specified, the default is to only bind to loopback addresses. If the bind_address is '*' or an empty string, then the forwarding is requested to listen on all inter faces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)). I< Optional. Type list of node of class L . > =head2 RequestTTY Specifies whether to request a pseudo-tty for the session. This option mirrors the -t and -T flags for C. I< Optional. Type enum. choice: 'yes', 'no', 'force', 'auto'. > Here are some explanations on the possible values: =over =item 'auto' request a TTY when opening a login session =item 'force' always request a TTY =item 'no' never request a TTY =item 'yes' always request a TTY when standard input is a TTY =back =head2 RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. This option applies to protocol version 1 only and requires ssh(1) to be setuid root. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 0 =back =head2 RSAAuthentication Specifies whether to try RSA authentication. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. Note that this option applies to protocol version 1 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 SendEnv Specifies what variables from the local environ(7) should be sent to the server. Note that environment passing is only supported for protocol 2. The server must also support it, and the server must be configured to accept these environment variables. Refer to AcceptEnv in sshd_config(5) for how to configure the server. Variables are specified by name, which may contain wildcard char acters. Multiple environment variables may be separated by whitespace or spread across multiple SendEnv directives. The default is not to send any environment variables. See PATTERNS in ssh_config(5) for more information on patterns. I< Optional. Type list of uniline. > =head2 ServerAliveCountMax Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive. The server alive messages are sent through the encrypted channel and there fore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connec tion has become inactive. The default value is 3. If, for example, ServerAliveInterval is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. 
This option applies to protocol version 2 only; in protocol version 1 there is no mechanism to request a response from the server to the server alive messages, so disconnection is the responsibility of the TCP stack. I< Optional. Type integer. > =over 4 =item upstream_default value : 3 =back =head2 ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server, or 300 if the BatchMode option is set. This option applies to protocol version 2 only. ProtocolKeepAlives and SetupTimeOut are Debian-specific compatibility aliases for this option. I< Optional. Type integer. > =over 4 =item upstream_default value : 0 =back =head2 SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device ssh(1) should use to communicate with a smartcard used for storing the user's private RSA key. By default, no device is specified and smartcard support is not activated. I< Optional. Type uniline. > =head2 StrictHostKeyChecking If this flag is set to "yes", ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, though it can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to "no", ssh will automatically add new host keys to the user known hosts files. With "no", a previously unseen host key is accepted with nobody checking it, which removes the only protection against a man-in-the-middle on the first connection to a host; reserve it for throwaway test hosts, and for everything else pre-populate known_hosts (or use "yes"/"ask") so that the first connection is verified too. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. 
The host keys of known hosts will be verified automatically in all cases. The argument must be "yes", "no", or "ask". The default is "ask". I< Optional. Type enum. choice: 'yes', 'no', 'ask'. > =over 4 =item upstream_default value : ask =back =head2 TCPKeepAlive Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. This option only uses TCP keepalives (as opposed to using ssh level keepalives), so takes a long time to notice when the connection dies. As such, you probably want the ServerAliveInterval option as well. However, this means that connections will die if the route is down temporarily, and some people find it annoying. The default is "yes" (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too. To disable TCP keepalive messages, the value should be set to "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 Tunnel Request tun(4) device forwarding between the client and the server. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" requests the default tunnel mode, which is "point-to-point". The default is "no". I< Optional. Type enum. choice: 'yes', 'point-to-point', 'ethernet', 'no'. > =over 4 =item upstream_default value : no =back =head2 TunnelDevice Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun). The argument must be local_tun[:remote_tun]. The devices may be specified by numerical ID or the keyword "any", which uses the next available tunnel device. If remote_tun is not specified, it defaults to "any". The default is "any:any". I< Optional. Type uniline. 
> =over 4 =item upstream_default value : any:any =back =head2 UseBlacklistedKeys Specifies whether ssh(1) should use keys recorded in its blacklist of known-compromised keys (see ssh-vulnkey(1)) for authentication. If "yes", then attempts to use compromised keys for authentication will be logged but accepted. It is strongly recommended that this be used only to install new authorized keys on the remote system, and even then only with the utmost care. If "no", then attempts to use compromised keys for authentication will be prevented. The default is "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be "yes" or "no". The default is "no". If set to "yes", ssh(1) must be setuid root. Note that this option must be set to "yes" for RhostsRSAAuthentication with older servers. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 User Specifies the user to log in as. This can be useful when a different user name is used on different machines. This saves the trouble of having to remember to give the user name on the command line. I< Optional. Type uniline. > =head2 UserKnownHostsFile Specifies a file to use for the user host key database instead of ~/.ssh/known_hosts. I< Optional. Type uniline. > =head2 VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to "yes", the client will implicitly trust keys that match a secure (DNSSEC-validated) fingerprint from DNS. Insecure fingerprints will be handled as if this option was set to "ask". If this option is set to "ask", information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. The argument must be "yes", "no", or "ask". The default is "no". Note that this option applies to protocol version 2 only. 
See also VERIFYING HOST KEYS in ssh(1). I< Optional. Type enum. choice: 'yes', 'no', 'ask'. > =over 4 =item upstream_default value : no =back =head2 VisualHostKey If this flag is set to "yes", an ASCII art representation of the remote host key fingerprint is printed additionally to the hex fingerprint string. If this flag is set to "no", only the hex fingerprint string will be printed. The default is "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 XAuthLocation Specifies the full pathname of the xauth(1) program. The default is /usr/bin/X11/xauth. Note that the upstream_default value recorded below (/usr/X11R6/bin/xauth) differs from this path; check which location applies on your system. I< Optional. Type uniline. > =over 4 =item upstream_default value : /usr/X11R6/bin/xauth =back =head2 UseRsh This parameter is now ignored by Ssh. B I< Optional. Type uniline. > =head2 FallBackToRsh This parameter is now ignored by Ssh. B I< Optional. Type uniline. > =head2 IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. This may be used to suppress errors if ssh_config contains options that are unrecognised by ssh(1). It is recommended that IgnoreUnknown be listed early in the configuration file as it will not be applied to unknown options that appear before it. Keep the pattern-list as narrow as possible: a broad pattern also hides a mistyped option name, so a misspelled security-relevant setting would be silently ignored instead of reported. I< Optional. Type uniline. 
> =head1 SEE ALSO =over =item * L =item * L =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2009-2013 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/SystemSsh.pod0000644000175000017500000010715113166471154022772 0ustar domidomi# PODNAME: Config::Model::models::SystemSsh # ABSTRACT: Configuration class SystemSsh =encoding utf8 =head1 NAME Config::Model::models::SystemSsh - Configuration class SystemSsh =head1 DESCRIPTION Configuration classes used by L Configuration class used by L to edit or validate /etc/ssh/ssh_config (as root) =head1 Elements =head2 EnableSSHKeysign Setting this option to 'yes' in the global client configuration file /etc/ssh/ssh_config enables the use of the helper program ssh-keysign(8) during HostbasedAuthentication. See ssh-keysign(8) for more information. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 Host The declarations made in 'parameters' are applied only to the hosts that match one of the patterns given in pattern elements. A single '*' as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the hash (which takes order into account), and general defaults at the end. I< Optional. Type hash of node of class L . > =head2 AddressFamily Specifies which address family to use when connecting. I< Optional. Type enum. choice: 'any', 'inet', 'inet6'. > =over 4 =item upstream_default value : any =back =head2 BatchMode If set to 'yes', passphrase/password querying will be disabled. In addition, the ServerAliveInterval option will be set to 300 seconds by default. 
This option is useful in scripts and other batch jobs where no user is present to supply the password, and where it is desirable to detect a broken network swiftly. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 BindAddress Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address. Note that this option does not work if UsePrivilegedPort is set to 'yes'. I< Optional. Type uniline. > =head2 ChallengeResponseAuthentication Specifies whether to use challenge-response authentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 CheckHostIP If enabled, ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If disabled, the check will not be executed. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 Cipher Specifies the cipher to use for encrypting the session in protocol version 1. "des" is only supported in the ssh(1) client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. I< Optional. Type enum. choice: 'blowfish', '3des', 'des'. > =over 4 =item upstream_default value : 3des =back =head2 Ciphers Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. 
The supported ciphers are: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com The default is: chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,aes192-cbc,aes256-cbc Note that several supported ciphers (arcfour, arcfour128, arcfour256, 3des-cbc, blowfish-cbc, cast128-cbc) are deliberately absent from the default set; adding them back with a '+' prefix widens what the client is willing to negotiate. The list of available ciphers may also be obtained using C<ssh -Q cipher> I< Optional. Type uniline. > =head2 ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is primarily useful when used from the ssh(1) command line to clear port forwardings set in configuration files, and is automatically set by scp(1) and sftp(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 Compression Specifies whether to use compression. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 CompressionLevel I< Optional. Type integer. > =over 4 =item upstream_default value : 6 =back =head2 ConnectionAttempts Specifies the number of tries (one per second) to make before exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. I< Optional. Type integer. > =over 4 =item upstream_default value : 1 =back =head2 ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. This value is used only when the target is down or really unreachable, not when it refuses the connection. I< Optional. Type integer. > =head2 ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to 'yes', ssh(1) will listen for connections on a control socket specified using the ControlPath argument. 
Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to 'no' (the default). These sessions will try to reuse the master instance's network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist, or is not listening. Setting this to 'ask' will cause ssh to listen for control connections, but require confirmation using the SSH_ASKPASS program before they are accepted (see ssh-add(1) for details). If the ControlPath cannot be opened, ssh will continue without connecting to a master instance. X11 and ssh-agent(1) forwarding is supported over these multiplexed connections, however the display and agent forwarded will be the one belonging to the master connection i.e. it is not possible to forward multiple displays or agents. Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already exist. These options are: 'auto' and 'autoask'. The latter requires confirmation like the 'ask' option. I< Optional. Type enum. choice: 'no', 'yes', 'ask', 'auto', 'autoask'. > =over 4 =item upstream_default value : no =back =head2 ControlPath Specify the path to the control socket used for connection sharing as described in the ControlMaster section above or the string 'none' to disable connection sharing. In the path, '%l' will be substituted by the local host name, '%h' will be substituted by the target host name, '%p' the port, and '%r' by the remote login username. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r. This ensures that shared connections are uniquely identified. Because any local process that can open the socket reuses the already-authenticated master connection, place it in a directory accessible only to the local user rather than in a shared location. I< Optional. Type uniline. 
> =head2 ControlPersist - persists the master connection in the background When used in conjunction with ControlMaster, specifies that the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. If set to ``no'', then the master connection will not be placed into the background, and will close as soon as the initial client connection is closed. If set to ``yes'', then the master connection will remain in the background indefinitely (until killed or closed via a mechanism such as the ssh(1) ``-O exit'' option). If set to a time in seconds, or a time in any of the formats documented in sshd_config(5), then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time. I< Optional. Type uniline. > =head2 DynamicForward Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of 'localhost' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh(1) will act as a SOCKS server. Because the SOCKS server performs no authentication of its own, binding it to '*' or an empty address offers any host that can reach the interface a proxy into the remote side's network; keep the bind address on 'localhost' unless wider access is intended. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. I< Optional. Type list of uniline. > =head2 EscapeChar Sets the escape character (default: '~'). 
The escape character can also be set on the command line. The argument should be a single character, '^' followed by a letter, or 'none' to disable the escape character entirely (making the connection transparent for binary data). I< Optional. Type uniline. > =over 4 =item upstream_default value : ~ =back =head2 ExitOnForwardFailure Specifies whether ssh(1) should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. For that reason, avoid enabling it in a global section that matches every host; restrict it to Host entries for servers whose administrators you trust. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardX11Timeout - timeout for untrusted X11 forwarding Specify a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of L<sshd_config(5)>. X11 connections received by L<ssh(1)> after this time will be refused. 
The default is to disable untrusted X11 forwarding after twenty minutes has elapsed. I< Optional. Type uniline. > =head2 ForwardX11Trusted If this option is set, remote X11 clients will have full access to the original X11 display. If this option is not set, remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth(1) token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time. See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh(1) binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GlobalKnownHostsFile Specifies a file to use for the global host key database. I< Optional. Type uniline. > =over 4 =item upstream_default value : /etc/ssh/ssh_known_hosts =back =head2 GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIKeyExchange Specifies whether key exchange based on GSSAPI may be used. When using GSSAPI key exchange the server need not have a host key. Note that this option applies to protocol version 2 only. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 0 =back =head2 GSSAPIClientIdentity If set, specifies the GSSAPI client identity that ssh should use when connecting to the server. The default is unset, which means that the default identity will be used. I< Optional. Type uniline. > =head2 GSSAPIServerIdentity If set, specifies the GSSAPI server identity that ssh should expect when connecting to the server. The default is unset, which means that the expected GSSAPI server identity will be determined from the target hostname. I< Optional. Type uniline. > =head2 GSSAPIDelegateCredentials Forward (delegate) credentials to the server. Note that this option applies to protocol version 2 connections using GSSAPI. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIRenewalForcesRekey If set to "yes" then renewal of the client's GSSAPI credentials will force the rekeying of the ssh connection. With a compatible server, this can delegate the renewed credentials to a session on the server. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPITrustDns Set to "yes" to indicate that the DNS is trusted to securely canonicalize the name of the host being connected to. If "no", the hostname entered on the command line will be passed untouched to the GSSAPI library. This option only applies to protocol version 2 connections using GSSAPI. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HashKnownHosts Indicates that ssh(1) should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file's contents be disclosed. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen(1). I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 0 =back =head2 HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. This option applies to protocol version 2 only and is similar to RhostsRSAAuthentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HostKeyAlgorithms Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. I< Optional. Type check_list. choice: 'ssh-rsa', 'ssh-dss'. > =head2 HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host. I< Optional. Type uniline. > =head2 HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications). I< Optional. Type uniline. > =head2 IdentitiesOnly Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. This option is intended for situations where ssh-agent offers many different identities. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 IdentityFile Specifies a file from which the user's RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. 
The file name may use the tilde syntax to refer to a user's home directory or one of the following escape characters: '%d' (local user's home directory), '%u' (local user name), '%l' (local host name), '%h' (remote host name) or '%r' (remote user name). It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. I< Optional. Type list of uniline. > =head2 IPQoS - IPv4 type-of-service or DSCP class for the connection. Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted values are "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is "lowdelay" for interactive sessions and "throughput" for non-interactive sessions. I< Optional. Type uniline. > =over 4 =item upstream_default value : lowdelay throughput =back =head2 KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 KbdInteractiveDevices Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: 'bsdauth', 'pam', and 'skey'. I< Optional. Type list of uniline. > =head2 KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. I< Optional. Type check_list. 
choice: 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'. > =head2 LocalForward - Local port forwarding Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port and host/hostport. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces. Example: LocalForward 20000 192.168.0.66:80 . I< Optional. Type list of node of class L . > =head2 LogLevel Gives the verbosity level that is used when logging messages from ssh(1). The possible values are: SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output. I< Optional. Type enum. choice: 'SILENT', 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3'. > =over 4 =item upstream_default value : INFO =back =head2 MACs Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. I< Optional. Type check_list. 
choice: 'hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-sha1-96', 'hmac-md5-96'. > =head2 NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost. The default is to check the host key for localhost. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 NumberOfPasswordPrompts Specifies the number of password prompts before giving up. I< Optional. Type integer. > =over 4 =item upstream_default value : 3 =back =head2 PasswordAuthentication Specifies whether to use password authentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 PermitLocalCommand Allow local command execution via the LocalCommand option or using the !command escape sequence in ssh(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. The following escape character substitutions will be performed: '%d' (local user's home directory), '%h' (remote host name), '%l' (local host name), '%n' (host name as provided on the command line), '%p' (remote port), '%r' (remote user name) or '%u' (local user name). Because these substituted values are expanded into a shell command line, avoid building a LocalCommand from host or user names that are not under your control. This directive is ignored unless PermitLocalCommand has been enabled. I< Optional. Type uniline. > =head2 PKCS11Provider Specifies which PKCS#11 provider to use. The argument to this keyword is the PKCS#11 shared library ssh(1) should use to communicate with a PKCS#11 token providing the user's private RSA key. I< Optional. Type uniline. > =head2 Port Specifies the port number to connect on the remote host. I< Optional. 
Type integer. > =over 4 =item upstream_default value : 22 =back =head2 PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). I< Optional. Type check_list. choice: 'gssapi-with-mic', 'hostbased', 'publickey', 'keyboard-interactive', 'password'. > =head2 Protocol Specifies the protocol versions ssh(1) should support in order of preference. The default is "2,1". This means that ssh tries version 2 and falls back to version 1 if version 2 is not available. Listing '1' permits a downgrade to protocol 1, which is limited to the weak Cipher choices described above; prefer '2' alone unless a specific legacy server requires otherwise. I< Optional. Type check_list. choice: '2', '1'. > =head2 ProxyCommand Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user's shell. In the command string, '%h' will be substituted by the host name to connect and '%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to "none" disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command. This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p. I< Optional. Type uniline. > =head2 PubkeyAuthentication Specifies whether to try public key authentication. This option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated. 
The argument is the number of bytes, with an optional suffix of 'K', 'M', or 'G' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between '1G' and '4G', depending on the cipher. This option applies to protocol version 2 only. I< Optional. Type uniline. > =head2 RemoteForward - remote port forward to local Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. If the bind_address is not specified, the default is to only bind to loopback addresses. If the bind_address is '*' or an empty string, then the forwarding is requested to listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)). I< Optional. Type list of node of class L . > =head2 RequestTTY Specifies whether to request a pseudo-tty for the session. This option mirrors the -t and -T flags for C<ssh>. I< Optional. Type enum. choice: 'yes', 'no', 'force', 'auto'. > Here are some explanations on the possible values: =over =item 'auto' request a TTY when opening a login session =item 'force' always request a TTY =item 'no' never request a TTY =item 'yes' always request a TTY when standard input is a TTY =back =head2 RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. This option applies to protocol version 1 only and requires ssh(1) to be setuid root. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 RSAAuthentication Specifies whether to try RSA authentication. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. Note that this option applies to protocol version 1 only. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 1 =back =head2 SendEnv Specifies what variables from the local environ(7) should be sent to the server. Note that environment passing is only supported for protocol 2. The server must also support it, and the server must be configured to accept these environment variables. Refer to AcceptEnv in sshd_config(5) for how to configure the server. Variables are specified by name, which may contain wildcard characters. Avoid a bare '*' pattern: it would offer every local environment variable, including any that hold credentials or tokens, to the server. Multiple environment variables may be separated by whitespace or spread across multiple SendEnv directives. The default is not to send any environment variables. See PATTERNS in ssh_config(5) for more information on patterns. I< Optional. Type list of uniline. > =head2 ServerAliveCountMax Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive. The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If, for example, ServerAliveInterval is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. This option applies to protocol version 2 only; in protocol version 1 there is no mechanism to request a response from the server to the server alive messages, so disconnection is the responsibility of the TCP stack. I< Optional. Type integer. 
> =over 4 =item upstream_default value : 3 =back =head2 ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server, or 300 if the BatchMode option is set. This option applies to protocol version 2 only. ProtocolKeepAlives and SetupTimeOut are Debian-specific compatibility aliases for this option. I< Optional. Type integer. > =over 4 =item upstream_default value : 0 =back =head2 SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device ssh(1) should use to communicate with a smartcard used for storing the user's private RSA key. By default, no device is specified and smartcard support is not activated. I< Optional. Type uniline. > =head2 StrictHostKeyChecking If this flag is set to "yes", ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, though it can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to "no", ssh will automatically add new host keys to the user known hosts files. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be "yes", "no", or "ask". The default is "ask". I< Optional. Type enum. choice: 'yes', 'no', 'ask'. 
> =over 4 =item upstream_default value : ask =back =head2 TCPKeepAlive Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. This option only uses TCP keepalives (as opposed to using ssh level keepalives), so takes a long time to notice when the connection dies. As such, you probably want the ServerAliveInterval option as well. However, this means that connections will die if the route is down temporarily, and some people find it annoying. The default is "yes" (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too. To disable TCP keepalive messages, the value should be set to "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 Tunnel Request tun(4) device forwarding between the client and the server. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" requests the default tunnel mode, which is "point-to-point". The default is "no". I< Optional. Type enum. choice: 'yes', 'point-to-point', 'ethernet', 'no'. > =over 4 =item upstream_default value : no =back =head2 TunnelDevice Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun). The argument must be local_tun[:remote_tun]. The devices may be specified by numerical ID or the keyword "any", which uses the next available tunnel device. If remote_tun is not specified, it defaults to "any". The default is "any:any". I< Optional. Type uniline. > =over 4 =item upstream_default value : any:any =back =head2 UseBlacklistedKeys Specifies whether ssh(1) should use keys recorded in its blacklist of known-compromised keys (see ssh-vulnkey(1)) for authentication. If "yes", then attempts to use compromised keys for authentication will be logged but accepted. 
It is strongly recommended that this be used only to install new authorized keys on the remote system, and even then only with the utmost care. If "no", then attempts to use compromised keys for authentication will be prevented. The default is "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be "yes" or "no". The default is "no". If set to "yes", ssh(1) must be setuid root. Note that this option must be set to "yes" for RhostsRSAAuthentication with older servers. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 User Specifies the user to log in as. This can be useful when a different user name is used on different machines. This saves the trouble of having to remember to give the user name on the command line. I< Optional. Type uniline. > =head2 UserKnownHostsFile Specifies a file to use for the user host key database instead of ~/.ssh/known_hosts. I< Optional. Type uniline. > =head2 VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to "yes", the client will implicitly trust keys that match a secure fingerprint from DNS. Insecure fingerprints will be handled as if this option was set to "ask". If this option is set to "ask", information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. The argument must be "yes", "no", or "ask". The default is "no". Note that this option applies to protocol version 2 only. See also VERIFYING HOST KEYS in ssh(1). I< Optional. Type enum. choice: 'yes', 'no', 'ask'. > =over 4 =item upstream_default value : no =back =head2 VisualHostKey If this flag is set to "yes", an ASCII art representation of the remote host key fingerprint is printed additionally to the hex fingerprint string. 
If this flag is set to "no", only the hex fingerprint string will be printed. The default is "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 XAuthLocation Specifies the full pathname of the xauth(1) program. The default is /usr/bin/X11/xauth. I< Optional. Type uniline. > =over 4 =item upstream_default value : /usr/X11R6/bin/xauth =back =head2 UseRsh This parameter is now ignored by Ssh. B I< Optional. Type uniline. > =head2 FallBackToRsh This parameter is now ignored by Ssh. B I< Optional. Type uniline. > =head2 IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. This may be used to suppress errors if ssh_config contains options that are unrecognised by ssh(1). It is recommended that IgnoreUnknown be listed early in the configuration file as it will not be applied to unknown options that appear before it. I< Optional. Type uniline. > =head1 SEE ALSO =over =item * L =item * L =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2013 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd/0000755000175000017500000000000013166471154021220 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd/MatchBlock.pl0000644000175000017500000000217513166471154023571 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'author' => [ 'Dominique Dumont' ], 'class_description' => 'Class to represent a Match block inside a sshd_config file. 
It\'s made of a list of conditions to match and a list of parameters to apply to the matched items.', 'copyright' => [ '2009-2011 Dominique Dumont' ], 'element' => [ 'Condition', { 'config_class_name' => 'Sshd::MatchCondition', 'description' => 'Specify the condition (User, Group, Host, Address) necessary for this Match block to be applied', 'type' => 'node' }, 'Settings', { 'config_class_name' => 'Sshd::MatchElement', 'description' => 'Defines the sshd_config parameters that will override general settings when all defined User, Group, Host and Address patterns match.', 'type' => 'node' } ], 'license' => 'LGPL2', 'name' => 'Sshd::MatchBlock' } ] ; Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd/MatchCondition.pl0000644000175000017500000000301513166471154024457 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'author' => [ 'Dominique Dumont' ], 'class_description' => 'Conidtion to apply to identify matched items inside a sshd_config match block.', 'copyright' => [ '2009-2011 Dominique Dumont' ], 'element' => [ 'User', { 'description' => 'Define the User criteria of a conditional block. The value of this field is a pattern that is tested against user name.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'Group', { 'description' => 'Define the Group criteria of a conditional block. The value of this field is a pattern that is tested against group name.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'Host', { 'description' => 'Define the Host criteria of a conditional block. The value of this field is a pattern that is tested against host name.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'Address', { 'description' => 'Define the Address criteria of a conditional block. 
The value of this field is a pattern that is tested against the address of the incoming connection.', 'type' => 'leaf', 'value_type' => 'uniline' } ], 'license' => 'LGPL2', 'name' => 'Sshd::MatchCondition' } ] ; Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd/MatchElement.pod0000644000175000017500000004477113166471154024307 0ustar domidomi# PODNAME: Config::Model::models::Sshd::MatchElement # ABSTRACT: Configuration class Sshd::MatchElement =encoding utf8 =head1 NAME Config::Model::models::Sshd::MatchElement - Configuration class Sshd::MatchElement =head1 DESCRIPTION Configuration classes used by L Configuration class that represents all parameters available inside a Match block of a sshd configuration. =head1 Elements =head2 AcceptEnv Specifies what environment variables sent by the client will be copied into the session's environ(7). I< Optional. Type list of uniline. > =head2 AllowAgentForwarding Specifies whether L forwarding is permitted. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 AllowGroups Login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. > =head2 AllowUsers List of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. 
If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. > =head2 AuthenticationMethods - authentication methods that must be successfully completed for a user to be granted access Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists. For example, an argument of "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key. For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier "bsdauth", "pam", or "skey", depending on the server configuration. For example, "keyboard-interactive:bsdauth" would restrict keyboard interactive authentication to the "bsdauth" device. This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. The default is not to require multiple authentication; successful completion of a single authentication method is sufficient. I< Optional. Type uniline. 
> =head2 AuthorizedKeysCommand - program to be used to look up the user's public keys Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in L). If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual AuthorizedKeysFile files. By default, no AuthorizedKeysCommand is run. I< Optional. Type uniline. > =head2 AuthorizedKeysCommandUser - user under whose account the AuthorizedKeysCommand is run Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands. I< Optional. Type uniline. > =head2 AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is "yes". Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 AuthorizedKeysFile2 Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. B I< Optional. Type list of uniline. > =head2 AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. The format is described in the AUTHORIZED_KEYS FILE FORMAT section of L. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. 
The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace. The default is ".ssh/authorized_keys .ssh/authorized_keys2". I< Optional. Type list of uniline. > Note: AuthorizedKeysFile values are migrated from '- AuthorizedKeysFile2' =head2 AuthorizedPrincipalsFile - file that lists principal names that are accepted for certificate authentication Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in L). Empty lines and comments starting with '#' are ignored. AuthorizedPrincipalsFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedPrincipalsFile is taken to be an absolute path or one relative to the user's home directory. The default is "none", i.e. not to use a principals file - in this case, the username of the user must appear in a certificate's principals list for it to be accepted. Note that AuthorizedPrincipalsFile is only used when authentication proceeds using a CA listed in TrustedUserCAKeys and is not consulted for certification authorities trusted via ~/.ssh/authorized_keys, though the principals= key option offers a similar facility (see L for details). I< Optional. Type uniline. 
> =head2 Banner In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. I< Optional. Type uniline. > =head2 ChrootDirectory - pathname of a directory to chroot to after authentication Specifies the pathname of a directory to L to after authentication. All components of the pathname must be root owned directories that are not writable by any other user or group. After the chroot, L changes the working directory to the user's home directory. The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically L, and basic /dev nodes such as L, L, L, L, L, L and L devices. For file transfer sessions using "sftp", no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see L for details). The default is not to chroot(2). I< Optional. Type uniline. > =head2 DenyGroups This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. 
> =head2 DenyUSers This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. > =head2 ForceCommand Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. I< Optional. Type uniline. > =head2 GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. I< Optional. Type enum. choice: 'yes', 'clientspecified', 'no'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'clientspecified' allow the client to select the address to which the forwarding is bound =item 'no' No port forwarding =item 'yes' force remote port forwardings to bind to the wildcard address =back =head2 GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only. I< Optional. Type enum. 
choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 HostbasedUsesNameFromPacketOnly Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during HostbasedAuthentication. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'no' sshd(8) attempts to resolve the name from the TCP connection itself. =item 'yes' sshd(8) uses the name supplied by the client =back =head2 KbdInteractiveAuthentication No doc found in sshd documentation. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 KerberosAuthentication Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. The default is "no". I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. I< Optional. Type integer. > =over 4 =item upstream_default value : 6 =back =head2 MaxSessions - Specifies the maximum number of open sessions permitted per network connection I< Optional. Type integer. 
> =over 4 =item upstream_default value : 10 =back =head2 PasswordAuthentication Specifies whether password authentication is allowed. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is "no". I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'yes' So, you want your machine to be part of a botnet ? ;-) =back =head2 PermitOpen Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms: "host:port" or "IPv4_addr:port" or "[IPv6_addr]:port". An argument of "any" can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted. I< Optional. Type list of uniline. > =head2 PermitRootLogin Specifies whether root can log in using ssh(1). I< Optional. Type enum. choice: 'yes', 'without-password', 'forced-commands-only', 'no'. > =over 4 =item upstream_default value : yes =back Here are some explanations on the possible values: =over =item 'forced-commands-only' root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. =item 'no' root is not allowed to log in =item 'without-password' password authentication is disabled for root =back =head2 PermitTunnel Specifies whether tun(4) device forwarding is allowed. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" permits both "point-to-point" and "ethernet". I< Optional. Type enum. choice: 'yes', 'point-to-point', 'ethernet', 'no'. 
> =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'yes' permits both "point-to-point" and "ethernet" =back =head2 PubkeyAuthentication Specifies whether public key authentication is allowed. The default is "yes". Note that this option applies to protocol version 2 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of time that may pass before the session key is renegotiated. The first argument is specified in bytes and may have a suffix of 'K', 'M', or 'G' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between '1G' and '4G', depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the TIME FORMATS section. The default value for RekeyLimit is "default none", which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only. I< Optional. Type uniline. > =over 4 =item upstream_default value : default none =back =head2 RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is "no". This option applies to protocol version 1 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 RSAAuthentication Specifies whether pure RSA authentication is allowed. This option applies to protocol version 1 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 X11DisplayOffset Specifies the first display number available for sshd(8)'s X11 forwarding. 
This prevents sshd from interfering with real X11 servers. I< Optional. Type integer. > =over 4 =item upstream_default value : 10 =back =head2 X11Forwarding Specifies whether X11 forwarding is permitted. Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders. X11 forwarding is automatically disabled if UseLogin is enabled. I< Optional. Type enum. choice: 'yes', 'no'. > =over 4 =item upstream_default value : no =back =head2 X11UseLocalhost Specifies whether sshd(8) should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost". This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration. X11UseLocalhost may be set to "no" to specify that the forwarding server should be bound to the wildcard address. I< Optional. Type enum. choice: 'yes', 'no'. > =over 4 =item upstream_default value : yes =back =head1 SEE ALSO =over =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2009-2011 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd/MatchElement.pl0000644000175000017500000005375313166471154024140 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. 
# # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'author' => [ 'Dominique Dumont' ], 'class_description' => 'Configuration class that represents all parameters available inside a Match block of a sshd configuration.', 'copyright' => [ '2009-2011 Dominique Dumont' ], 'element' => [ 'AcceptEnv', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies what environment variables sent by the client will be copied into the session\'s environ(7).', 'type' => 'list' }, 'AllowAgentForwarding', { 'description' => 'Specifies whether L forwarding is permitted. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'AllowGroups', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'type' => 'list' }, 'AllowUsers', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'List of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. 
The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'level' => 'important', 'type' => 'list' }, 'AuthenticationMethods', { 'description' => 'Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists. For example, an argument of "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key. For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier "bsdauth", "pam", or "skey", depending on the server configuration. For example, "keyboard-interactive:bsdauth" would restrict keyboard interactive authentication to the "bsdauth" device. This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. The default is not to require multiple authentication; successful completion of a single authentication method is sufficient.', 'summary' => 'authentication methods that must be successfully completed for a user to be granted access', 'type' => 'leaf', 'value_type' => 'uniline' }, 'AuthorizedKeysCommand', { 'description' => 'Specifies a program to be used to look up the user\'s public keys. The program must be owned by root and not writable by group or others. 
It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in L). If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual AuthorizedKeysFile files. By default, no AuthorizedKeysCommand is run.', 'summary' => 'program to be used to look up the user\'s public keys', 'type' => 'leaf', 'value_type' => 'uniline' }, 'AuthorizedKeysCommandUser', { 'description' => 'Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.', 'summary' => ' user under whose account the AuthorizedKeysCommand is run', 'type' => 'leaf', 'value_type' => 'uniline' }, 'AllowTcpForwarding', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether TCP forwarding is permitted. The default is "yes".Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'AuthorizedKeysFile2', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup.', 'status' => 'deprecated', 'type' => 'list' }, 'AuthorizedKeysFile', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the file that contains the public keys that can be used for user authentication. The format is described in the AUTHORIZED_KEYS FILE FORMAT section of L. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. 
The following tokens are defined: %% is replaced by a literal \'%\', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user\'s home directory. Multiple files may be listed, separated by whitespace. The default is ".ssh/authorized_keys .ssh/authorized_keys2".', 'migrate_values_from' => '- AuthorizedKeysFile2', 'type' => 'list' }, 'AuthorizedPrincipalsFile', { 'description' => 'Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in L). Empty lines and comments starting with \'#\' are ignored. AuthorizedPrincipalsFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal \'%\', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedPrincipalsFile is taken to be an absolute path or one relative to the user\'s home directory. The default is "none", i.e. not to use a principals file - in this case, the username of the user must appear in a certificate\'s principals list for it to be accepted. 
Note that AuthorizedPrincipalsFile is only used when authentication proceeds using a CA listed in TrustedUserCAKeys and is not consulted for certification authorities trusted via ~/.ssh/authorized_keys, though the principals= key option offers a similar facility (see L for details).', 'summary' => 'file that lists principal names that are accepted for certificate authentication', 'type' => 'leaf', 'value_type' => 'uniline' }, 'Banner', { 'description' => 'In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'ChrootDirectory', { 'description' => 'Specifies the pathname of a directory to L to after authentication. All components of the pathname must be root owned directories that are not writable by any other user or group. After the chroot, L changes the working directory to the user\'s home directory. The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal \'%\', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The ChrootDirectory must contain the necessary files and directories to support the user\'s session. For an interactive session this requires at least a shell, typically L, and basic /dev nodes such as L, L, L, L, L, L and L devices. For file transfer sessions using "sftp", no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see L for details). 
The default is not to chroot(2).', 'summary' => 'pathname of a directory to chroot to after authentication', 'type' => 'leaf', 'value_type' => 'uniline' }, 'DenyGroups', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'type' => 'list' }, 'DenyUSers', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'type' => 'list' }, 'ForceCommand', { 'description' => 'Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client. The command is invoked by using the user\'s login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'GatewayPorts', { 'choice' => [ 'yes', 'clientspecified', 'no' ], 'description' => 'Specifies whether remote hosts are allowed to connect to ports forwarded for the client. 
By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect.', 'help' => { 'clientspecified' => 'allow the client to select the address to which the forwarding is bound', 'no' => 'No port forwarding ', 'yes' => 'force remote port forwardings to bind to the wildcard address' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'GSSAPIAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'HostbasedAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). 
This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'HostbasedUsesNameFromPacketOnly', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during HostbasedAuthentication.', 'help' => { 'no' => 'sshd(8) attempts to resolve the name from the TCP connection itself.', 'yes' => 'sshd(8) uses the name supplied by the client' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'KbdInteractiveAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'No doc found in sshd documentation', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'KerberosAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC\'s identity. The default is "no".', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'MaxAuthTries', { 'description' => 'Specifies the maximum number of authentication attempts permitted per connection. 
Once the number of failures reaches half this value, additional failures are logged.', 'type' => 'leaf', 'upstream_default' => '6', 'value_type' => 'integer' }, 'MaxSessions', { 'summary' => 'Specifies the maximum number of open sessions permitted per network connection', 'type' => 'leaf', 'upstream_default' => '10', 'value_type' => 'integer' }, 'PasswordAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether password authentication is allowed.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'PermitEmptyPasswords', { 'choice' => [ 'no', 'yes' ], 'description' => 'When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is "no".', 'help' => { 'yes' => 'So, you want your machine to be part of a botnet ? ;-)' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'PermitOpen', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms: "host:port" or "IPv4_addr:port" or "[IPv6_addr]:port". An argument of "any" can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.', 'type' => 'list' }, 'PermitRootLogin', { 'choice' => [ 'yes', 'without-password', 'forced-commands-only', 'no' ], 'description' => 'Specifies whether root can log in using ssh(1).', 'help' => { 'forced-commands-only' => 'root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). 
All other authentication methods are disabled for root.', 'no' => 'root is not allowed to log in ', 'without-password' => 'password authentication is disabled for root' }, 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'PermitTunnel', { 'choice' => [ 'yes', 'point-to-point', 'ethernet', 'no' ], 'description' => 'Specifies whether tun(4) device forwarding is allowed. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" permits both "point-to-point" and "ethernet".', 'help' => { 'yes' => 'permits both "point-to-point" and "ethernet"' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'PubkeyAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether public key authentication is allowed. The default is "yes". Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'RekeyLimit', { 'description' => 'Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of time that may pass before the session key is renegotiated. The first argument is specified in bytes and may have a suffix of \'K\', \'M\', or \'G\' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between \'1G\' and \'4G\', depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the TIME FORMATS section. The default value for RekeyLimit is "default none", which means that rekeying is performed after the cipher\'s default amount of data has been sent or received and no time based rekeying is done. 
This option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'default none', 'value_type' => 'uniline' }, 'RhostsRSAAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is "no". This option applies to protocol version 1 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'RSAAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether pure RSA authentication is allowed. This option applies to protocol version 1 only.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'X11DisplayOffset', { 'description' => 'Specifies the first display number available for sshd(8)\'s X11 forwarding. This prevents sshd from interfering with real X11 servers.', 'type' => 'leaf', 'upstream_default' => '10', 'value_type' => 'integer' }, 'X11Forwarding', { 'choice' => [ 'yes', 'no' ], 'description' => 'Specifies whether X11 forwarding is permitted. Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders. X11 forwarding is automatically disabled if UseLogin is enabled.', 'level' => 'important', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'X11UseLocalhost', { 'choice' => [ 'yes', 'no' ], 'description' => 'Specifies whether sshd(8) should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost". This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration. 
X11UseLocalhost may be set to "no" to specify that the forwarding server should be bound to the wildcard address.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' } ], 'license' => 'LGPL2', 'name' => 'Sshd::MatchElement' } ] ; Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd/MatchBlock.pod0000644000175000017500000000236213166471154023736 0ustar domidomi# PODNAME: Config::Model::models::Sshd::MatchBlock # ABSTRACT: Configuration class Sshd::MatchBlock =encoding utf8 =head1 NAME Config::Model::models::Sshd::MatchBlock - Configuration class Sshd::MatchBlock =head1 DESCRIPTION Configuration classes used by L Class to represent a Match block inside a sshd_config file. It's made of a list of conditions to match and a list of parameters to apply to the matched items. =head1 Elements =head2 Condition Specify the condition (User, Group, Host, Address) necessary for this Match block to be applied. I< Optional. Type node of class L . > =head2 Settings Defines the sshd_config parameters that will override general settings when all defined User, Group, Host and Address patterns match. I< Optional. Type node of class L . > =head1 SEE ALSO =over =item * L =item * L =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2009-2011 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd/MatchCondition.pod0000644000175000017500000000243613166471154024634 0ustar domidomi# PODNAME: Config::Model::models::Sshd::MatchCondition # ABSTRACT: Configuration class Sshd::MatchCondition =encoding utf8 =head1 NAME Config::Model::models::Sshd::MatchCondition - Configuration class Sshd::MatchCondition =head1 DESCRIPTION Configuration classes used by L Conidtion to apply to identify matched items inside a sshd_config match block. =head1 Elements =head2 User Define the User criteria of a conditional block. 
The value of this field is a pattern that is tested against user name. I< Optional. Type uniline. > =head2 Group Define the Group criteria of a conditional block. The value of this field is a pattern that is tested against group name. I< Optional. Type uniline. > =head2 Host Define the Host criteria of a conditional block. The value of this field is a pattern that is tested against host name. I< Optional. Type uniline. > =head2 Address Define the Address criteria of a conditional block. The value of this field is a pattern that is tested against the address of the incoming connection. I< Optional. Type uniline. > =head1 SEE ALSO =over =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2009-2011 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/Ssh.pl0000644000175000017500000000516013166471154021413 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'author' => [ 'Dominique Dumont ' ], 'class_description' => 'Configuration class used by L to edit or validate ~/.ssh/config. ', 'copyright' => [ '2009-2013 Dominique Dumont' ], 'element' => [ 'EnableSSHKeysign', { 'description' => 'Setting this option to \'yes\' in the global client configuration file /etc/ssh/ssh_config enables the use of the helper program ssh-keysign(8) during HostbasedAuthentication. See ssh-keysign(8)for more information. ', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'Host', { 'cargo' => { 'config_class_name' => 'Ssh::HostElement', 'type' => 'node' }, 'description' => 'The declarations make in \'parameters\' are applied only to the hosts that match one of the patterns given in pattern elements. 
A single \'*\' as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the hash (which takes order into account), and general defaults at the end.', 'index_type' => 'string', 'level' => 'important', 'ordered' => '1', 'type' => 'hash' }, 'IgnoreUnknown', { 'description' => 'Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. This may be used to suppress errors if ssh_config contains options that are unrecognised by ssh(1). It is recommended that IgnoreUnknown be listed early in the configuration file as it will not be applied to unknown options that appear before it.', 'type' => 'leaf', 'value_type' => 'uniline' } ], 'include' => [ 'Ssh::HostElement' ], 'include_after' => 'Host', 'license' => 'LGPL2', 'name' => 'Ssh', 'rw_config' => { 'auto_create' => '1', 'backend' => 'OpenSsh::Ssh', 'config_dir' => '~/.ssh', 'default_layer' => { 'config_dir' => '/etc/ssh', 'file' => 'ssh_config', 'os_config_dir' => { 'darwin' => '/etc' } }, 'file' => 'config' } } ] ; Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd.pod0000644000175000017500000011046113166471154021727 0ustar domidomi# PODNAME: Config::Model::models::Sshd # ABSTRACT: Configuration class Sshd =encoding utf8 =head1 NAME Config::Model::models::Sshd - Configuration class Sshd =head1 DESCRIPTION Configuration classes used by L Configuration class used by L to edit or validate /etc/ssh/sshd_config =head1 Elements =head2 AcceptEnv Specifies what environment variables sent by the client will be copied into the session's environ(7). I< Optional. Type list of uniline. > =head2 AddressFamily Specifies which address family should be used by sshd(8). I< Optional. Type enum. 
choice: 'any', 'inet', 'inet6'. > =over 4 =item upstream_default value : any =back =head2 AllowAgentForwarding Specifies whether L forwarding is permitted. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 AllowGroups Login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. > =head2 AllowUsers List of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. > =head2 AuthenticationMethods - authentication methods that must be successfully completed for a user to be granted access Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists. For example, an argument of "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. 
Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key. For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier "bsdauth", "pam", or "skey", depending on the server configuration. For example, "keyboard-interactive:bsdauth" would restrict keyboard interactive authentication to the "bsdauth" device. This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. The default is not to require multiple authentication; successful completion of a single authentication method is sufficient. I< Optional. Type uniline. > =head2 AuthorizedKeysCommand - program to be used to look up the user's public keys Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in L). If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual AuthorizedKeysFile files. By default, no AuthorizedKeysCommand is run. I< Optional. Type uniline. > =head2 AuthorizedKeysCommandUser - user under whose account the AuthorizedKeysCommand is run Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands. I< Optional. Type uniline. > =head2 AllowTcpForwarding Specifies whether TCP forwarding is permitted. 
The default is "yes". Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 AuthorizedKeysFile2 Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. B I< Optional. Type list of uniline. > =head2 AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. The format is described in the AUTHORIZED_KEYS FILE FORMAT section of L. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace. The default is ".ssh/authorized_keys .ssh/authorized_keys2". I< Optional. Type list of uniline. > Note: AuthorizedKeysFile values are migrated from '- AuthorizedKeysFile2' =head2 AuthorizedPrincipalsFile - file that lists principal names that are accepted for certificate authentication Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in L). Empty lines and comments starting with '#' are ignored. AuthorizedPrincipalsFile may contain tokens of the form %T which are substituted during connection setup. 
The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedPrincipalsFile is taken to be an absolute path or one relative to the user's home directory. The default is "none", i.e. not to use a principals file - in this case, the username of the user must appear in a certificate's principals list for it to be accepted. Note that AuthorizedPrincipalsFile is only used when authentication proceeds using a CA listed in TrustedUserCAKeys and is not consulted for certification authorities trusted via ~/.ssh/authorized_keys, though the principals= key option offers a similar facility (see L for details). I< Optional. Type uniline. > =head2 Banner In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. I< Optional. Type uniline. > =head2 ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed. All authentication styles from login.conf(5) are supported. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 ChrootDirectory - pathname of a directory to chroot to after authentication Specifies the pathname of a directory to L to after authentication. All components of the pathname must be root owned directories that are not writable by any other user or group. After the chroot, L changes the working directory to the user's home directory. 
The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically L, and basic /dev nodes such as L, L, L, L, L, L and L devices. For file transfer sessions using "sftp", no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see L for details). The default is not to chroot(2). I< Optional. Type uniline. > =head2 Ciphers Specifies the ciphers allowed for protocol version 2. By default, all ciphers are allowed. I< Optional. Type check_list. choice: '3des-cbc', 'aes128-cbc', 'aes192-cbc', 'aes256-cbc', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour128', 'arcfour256', 'arcfour', 'blowfish-cbc', 'cast128-cbc'. > =head2 ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. 
This option applies to protocol version 2 only. I< Optional. Type integer. > =over 4 =item upstream_default value : 3 =back =head2 ClientAliveInterval I< Optional. Type integer. > =head2 Compression Specifies whether compression is allowed, or delayed until the user has authenticated successfully. I< Optional. Type enum. choice: 'yes', 'delayed', 'no'. > =over 4 =item upstream_default value : delayed =back =head2 DenyGroups This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. > =head2 DenyUSers This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. I< Optional. Type list of uniline. > =head2 ForceCommand Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. I< Optional. Type uniline. 
> =head2 GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. I< Optional. Type enum. choice: 'yes', 'clientspecified', 'no'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'clientspecified' allow the client to select the address to which the forwarding is bound =item 'no' remote port forwardings are bound to the loopback address only, so other hosts cannot connect to them =item 'yes' force remote port forwardings to bind to the wildcard address =back =head2 GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 GSSAPIKeyExchange Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange doesn't rely on ssh keys to verify host identity. Note that this option applies to protocol version 2 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache on logout. Note that this option applies to protocol version 2 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. This facility is provided to assist with operation on multi-homed machines. Note that this option applies only to protocol version 2 GSSAPI connections, and setting it to "no" may only work with recent Kerberos GSSAPI libraries. I< Optional. 
Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'no' the client may authenticate against any service key stored in the machine's default store =item 'yes' the client must authenticate against the host service on the current hostname. =back =head2 GSSAPIStoreCredentialsOnRekey Controls whether the user's GSSAPI credentials should be updated following a successful connection rekeying. This option can be used to accept renewed or updated credentials from a compatible client. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 HostbasedUsesNameFromPacketOnly Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during HostbasedAuthentication. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'no' sshd(8) attempts to resolve the name from the TCP connection itself. =item 'yes' sshd(8) uses the name supplied by the client =back =head2 HostCertificate Specifies a file containing a public host certificate. The certificate's public key must match a private host key already specified by HostKey. The default behaviour of sshd(8) is not to load any certificates. I< Optional. Type uniline. > =head2 HostKey Specifies a file containing a private host key used by SSH. 
The default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol version 2. Note that sshd(8) will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. "rsa1" keys are used for version 1 and "dsa" or "rsa" are used for version 2 of the SSH protocol. I< Optional. Type list of uniline. > =head2 HostKeyAgent Identifies the UNIX-domain socket used to communicate with an agent that has access to the private host keys. If "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable. I< Optional. Type uniline. > =head2 IgnoreRhosts Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 IgnoreUserKnownHosts Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 IPQoS - IPv4 type-of-service or DSCP class for the connection. Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted values are "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is "lowdelay" for interactive sessions and "throughput" for non-interactive sessions. I< Optional. 
Type uniline. > =over 4 =item upstream_default value : lowdelay throughput =back =head2 KbdInteractiveAuthentication No doc found in sshd documentation. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 KerberosAuthentication Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. The default is "no". I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 KerberosGetAFSToken If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 KerberosOrLocalPasswd If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as /etc/passwd. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 KerberosTicketCleanup Specifies whether to automatically destroy the user's ticket cache file on logout. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. I< Optional. Type check_list. choice: 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'. > =head2 KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored anywhere. 
If the value is 0, the key is never regenerated. The default is 3600 (seconds). I< Optional. Type integer. > =over 4 =item upstream_default value : 3600 =back =head2 Port Specifies the port number that sshd(8) listens on. The default is 22. Multiple options of this type are permitted. See also ListenAddress. I< Optional. Type integer. > =over 4 =item upstream_default value : 22 =back =head2 ListenAddress Specifies the local addresses sshd(8) should listen on. The following forms may be used: host|IPv4_addr|IPv6_addr host|IPv4_addr:port [host|IPv6_addr]:port If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses. I< Optional. Type list of uniline. > =head2 LoginGraceTime The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds. I< Optional. Type integer. > =over 4 =item upstream_default value : 120 =back =head2 LogLevel I< Optional. Type enum. choice: 'SILENT', 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3'. > =over 4 =item upstream_default value : INFO =back Here are some explanations on the possible values: =over =item 'DEBUG' Logging with this level violates the privacy of users and is not recommended =item 'DEBUG1' Logging with this level violates the privacy of users and is not recommended =item 'DEBUG2' Logging with this level violates the privacy of users and is not recommended =item 'DEBUG3' Logging with this level violates the privacy of users and is not recommended =back =head2 MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. I< Optional. Type check_list. 
choice: 'hmac-md5', 'hmac-md5-96', 'hmac-ripemd160', 'hmac-sha1', 'hmac-sha1-96', 'umac-64@openssh.com'. > =head2 MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. I< Optional. Type integer. > =over 4 =item upstream_default value : 6 =back =head2 MaxSessions - Specifies the maximum number of open sessions permitted per network connection I< Optional. Type integer. > =over 4 =item upstream_default value : 10 =back =head2 MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60). I< Optional. Type uniline. > =over 4 =item upstream_default value : 10 =back =head2 PasswordAuthentication Specifies whether password authentication is allowed. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 PermitBlacklistedKeys Specifies whether sshd(8) should allow keys recorded in its blacklist of known-compromised keys (see L). If "yes", then attempts to authenticate with compromised keys will be logged but accepted. If "no", then attempts to authenticate with compromised keys will be rejected. I< Optional. Type boolean. > =head2 PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is "no". I< Optional. Type enum. 
choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'yes' So, you want your machine to be part of a botnet ? ;-) =back =head2 PermitOpen Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms: "host:port" or "IPv4_addr:port" or "[IPv6_addr]:port". An argument of "any" can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted. I< Optional. Type list of uniline. > =head2 PermitRootLogin Specifies whether root can log in using ssh(1). I< Optional. Type enum. choice: 'yes', 'without-password', 'forced-commands-only', 'no'. > =over 4 =item upstream_default value : yes =back Here are some explanations on the possible values: =over =item 'forced-commands-only' root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. =item 'no' root is not allowed to log in =item 'without-password' password authentication is disabled for root =back =head2 PermitTunnel Specifies whether tun(4) device forwarding is allowed. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" permits both "point-to-point" and "ethernet". I< Optional. Type enum. choice: 'yes', 'point-to-point', 'ethernet', 'no'. > =over 4 =item upstream_default value : no =back Here are some explanations on the possible values: =over =item 'yes' permits both "point-to-point" and "ethernet" =back =head2 PermitUserEnvironment Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is "no". 
Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 PidFile Specifies the file that contains the process ID of the SSH daemon. I< Optional. Type uniline. > =over 4 =item upstream_default value : /var/run/sshd.pid =back =head2 PrintLastLog Specifies whether sshd(8) should print the date and time of the last user login when a user logs in interactively. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 PrintMotd Specifies whether sshd(8) should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 Protocol Specifies the protocol versions sshd(8) supports. Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. I< Optional. Type check_list. choice: '1', '2'. > =head2 PubkeyAuthentication Specifies whether public key authentication is allowed. The default is "yes". Note that this option applies to protocol version 2 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed by a maximum amount of time that may pass before the session key is renegotiated. The first argument is specified in bytes and may have a suffix of 'K', 'M', or 'G' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between '1G' and '4G', depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the TIME FORMATS section. 
The default value for RekeyLimit is "default none", which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only. I< Optional. Type uniline. > =over 4 =item upstream_default value : default none =back =head2 RevokedKeys - Revoked keys file Specifies revoked public keys. Keys listed in this file will be refused for public key authentication. Note that if this file is not readable, then public key authentication will be refused for all users. Keys may be specified as a text file, listing one public key per line, or as an OpenSSH Key Revocation List (KRL) as generated by L. For more information on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1). I< Optional. Type uniline. > =head2 RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is "no". This option applies to protocol version 1 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 RSAAuthentication Specifies whether pure RSA authentication is allowed. This option applies to protocol version 1 only. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. I< Optional. Type integer. > =over 4 =item upstream_default value : 768 =back =head2 StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is "yes". I< Optional. Type enum. choice: 'no', 'yes'. 
> =over 4 =item upstream_default value : yes =back =head2 Subsystem Configures an external subsystem (e.g. file transfer daemon). Keys of the hash should be a subsystem name and hash value a command (with optional arguments) to execute upon subsystem request. The command sftp-server(8) implements the "sftp" file transfer subsystem. By default no subsystems are defined. Note that this option applies to protocol version 2 only. I< Optional. Type hash of uniline. > =head2 SyslogFacility Gives the facility code that is used when logging messages from sshd(8). The default is AUTH. I< Optional. Type enum. choice: 'DAEMON', 'USER', 'AUTH', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7'. > =over 4 =item upstream_default value : AUTH =back =head2 KeepAlive B I< Optional. Type enum. choice: 'no', 'yes'. > =head2 TCPKeepAlive Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources. This option was formerly called KeepAlive. I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back Here are some explanations on the possible values: =over =item 'no' disable TCP keepalive messages =item 'yes' Send TCP keepalive messages. The server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions. =back Note: TCPKeepAlive is migrated with 'C<$keep_alive>' and with: =over =item * C<$keep_alive> => C<- KeepAlive> =back =head2 TrustedUserCAKeys Specifies a file containing public keys of certificate authorities that are trusted to sign user certificates for authentication. 
Keys are listed one per line; empty lines and comments starting with '#' are allowed. If a certificate is presented for authentication and has its signing CA key listed in this file, then it may be used for authentication for any user listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using TrustedUserCAKeys. For more details on certificates, see the CERTIFICATES section in ssh-keygen(1). I< Optional. Type uniline. > =head2 UseDNS Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is "yes". I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 UseLogin Deprecated in August 2016, removed in 2017. B I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 UsePAM Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication. If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is "no". I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : no =back =head2 UsePrivilegeSeparation Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. 
The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is "yes". I< Optional. Type enum. choice: 'no', 'yes'. > =over 4 =item upstream_default value : yes =back =head2 VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. I< Optional. Type uniline. > =head2 XAuthLocation Specifies the full pathname of the xauth(1) program. I< Optional. Type uniline. > =over 4 =item upstream_default value : /usr/bin/X11/xauth =back =head2 X11DisplayOffset Specifies the first display number available for sshd(8)'s X11 forwarding. This prevents sshd from interfering with real X11 servers. I< Optional. Type integer. > =over 4 =item upstream_default value : 10 =back =head2 X11Forwarding Specifies whether X11 forwarding is permitted. Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders. X11 forwarding is automatically disabled if UseLogin is enabled. I< Optional. Type enum. choice: 'yes', 'no'. > =over 4 =item upstream_default value : no =back =head2 X11UseLocalhost Specifies whether sshd(8) should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost". This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration. X11UseLocalhost may be set to "no" to specify that the forwarding server should be bound to the wildcard address. I< Optional. Type enum. choice: 'yes', 'no'. > =over 4 =item upstream_default value : yes =back =head2 Match Specifies a match block. The criteria User, Group, Host and Address can contain patterns. When all these criteria are satisfied (i.e. 
all patterns match the incoming connection), the parameters set in the block element will override the general settings. I< Optional. Type list of node of class L . > =head1 SEE ALSO =over =item * L =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2009-2011 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/Sshd.pl0000644000175000017500000013463013166471154021564 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'accept' => [ '.*', { 'summary' => 'boilerplate parameter that may hide a typo', 'type' => 'leaf', 'value_type' => 'uniline', 'warn' => 'Unknow parameter please make sure there\'s no typo and contact the author' } ], 'author' => [ 'Dominique Dumont' ], 'class_description' => 'Configuration class used by L to edit or validate /etc/ssh/sshd_config ', 'copyright' => [ '2009-2011 Dominique Dumont' ], 'element' => [ 'AcceptEnv', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies what environment variables sent by the client will be copied into the session\'s environ(7).', 'type' => 'list' }, 'AddressFamily', { 'choice' => [ 'any', 'inet', 'inet6' ], 'description' => 'Specifies which address family should be used by sshd(8).', 'type' => 'leaf', 'upstream_default' => 'any', 'value_type' => 'enum' }, 'AllowAgentForwarding', { 'description' => 'Specifies whether L forwarding is permitted. 
Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'AllowGroups', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'type' => 'list' }, 'AllowUsers', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'List of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'level' => 'important', 'type' => 'list' }, 'AuthenticationMethods', { 'description' => 'Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists. For example, an argument of "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. 
Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key. For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier "bsdauth", "pam", or "skey", depending on the server configuration. For example, "keyboard-interactive:bsdauth" would restrict keyboard interactive authentication to the "bsdauth" device. This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. The default is not to require multiple authentication; successful completion of a single authentication method is sufficient.', 'summary' => 'authentication methods that must be successfully completed for a user to be granted access', 'type' => 'leaf', 'value_type' => 'uniline' }, 'AuthorizedKeysCommand', { 'description' => 'Specifies a program to be used to look up the user\'s public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in L). If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual AuthorizedKeysFile files. By default, no AuthorizedKeysCommand is run.', 'summary' => 'program to be used to look up the user\'s public keys', 'type' => 'leaf', 'value_type' => 'uniline' }, 'AuthorizedKeysCommandUser', { 'description' => 'Specifies the user under whose account the AuthorizedKeysCommand is run. 
It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.', 'summary' => ' user under whose account the AuthorizedKeysCommand is run', 'type' => 'leaf', 'value_type' => 'uniline' }, 'AllowTcpForwarding', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether TCP forwarding is permitted. The default is "yes".Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'AuthorizedKeysFile2', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup.', 'status' => 'deprecated', 'type' => 'list' }, 'AuthorizedKeysFile', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the file that contains the public keys that can be used for user authentication. The format is described in the AUTHORIZED_KEYS FILE FORMAT section of L. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal \'%\', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user\'s home directory. Multiple files may be listed, separated by whitespace. The default is ".ssh/authorized_keys .ssh/authorized_keys2".', 'migrate_values_from' => '- AuthorizedKeysFile2', 'type' => 'list' }, 'AuthorizedPrincipalsFile', { 'description' => 'Specifies a file that lists principal names that are accepted for certificate authentication. 
When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in L). Empty lines and comments starting with \'#\' are ignored. AuthorizedPrincipalsFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal \'%\', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedPrincipalsFile is taken to be an absolute path or one relative to the user\'s home directory. The default is "none", i.e. not to use a principals file - in this case, the username of the user must appear in a certificate\'s principals list for it to be accepted. Note that AuthorizedPrincipalsFile is only used when authentication proceeds using a CA listed in TrustedUserCAKeys and is not consulted for certification authorities trusted via ~/.ssh/authorized_keys, though the principals= key option offers a similar facility (see L for details).', 'summary' => 'file that lists principal names that are accepted for certificate authentication', 'type' => 'leaf', 'value_type' => 'uniline' }, 'Banner', { 'description' => 'In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'ChallengeResponseAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether challenge-response authentication is allowed. 
All authentication styles from login.conf(5) are supported.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'ChrootDirectory', { 'description' => 'Specifies the pathname of a directory to L to after authentication. All components of the pathname must be root owned directories that are not writable by any other user or group. After the chroot, L changes the working directory to the user\'s home directory. The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal \'%\', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The ChrootDirectory must contain the necessary files and directories to support the user\'s session. For an interactive session this requires at least a shell, typically L, and basic /dev nodes such as L, L, L, L, L, L and L devices. For file transfer sessions using "sftp", no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see L for details). The default is not to chroot(2).', 'summary' => 'pathname of a directory to chroot to after authentication', 'type' => 'leaf', 'value_type' => 'uniline' }, 'Ciphers', { 'choice' => [ '3des-cbc', 'aes128-cbc', 'aes192-cbc', 'aes256-cbc', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour128', 'arcfour256', 'arcfour', 'blowfish-cbc', 'cast128-cbc' ], 'description' => 'Specifies the ciphers allowed for protocol version 2. 
By default, all ciphers are allowed.', 'type' => 'check_list', 'upstream_default_list' => [ '3des-cbc', 'aes128-cbc', 'aes128-ctr', 'aes192-cbc', 'aes192-ctr', 'aes256-cbc', 'aes256-ctr', 'arcfour', 'arcfour128', 'arcfour256', 'blowfish-cbc', 'cast128-cbc' ] }, 'ClientAliveCountMax', { 'description' => 'Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.', 'min' => '1', 'type' => 'leaf', 'upstream_default' => '3', 'value_type' => 'integer' }, 'ClientAliveInterval', { 'min' => '1', 'type' => 'leaf', 'value_type' => 'integer' }, 'Compression', { 'choice' => [ 'yes', 'delayed', 'no' ], 'description' => 'Specifies whether compression is allowed, or delayed until the user has authenticated successfully.', 'type' => 'leaf', 'upstream_default' => 'delayed', 'value_type' => 'enum' }, 'DenyGroups', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. 
By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'type' => 'list' }, 'DenyUSers', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.', 'type' => 'list' }, 'ForceCommand', { 'description' => 'Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client. The command is invoked by using the user\'s login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'GatewayPorts', { 'choice' => [ 'yes', 'clientspecified', 'no' ], 'description' => 'Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. 
GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect.', 'help' => { 'clientspecified' => 'allow the client to select the address to which the forwarding is bound', 'no' => 'No port forwarding ', 'yes' => 'force remote port forwardings to bind to the wildcard address' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'GSSAPIAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'GSSAPIKeyExchange', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange doesn\'t rely on ssh keys to verify host identity. Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'GSSAPICleanupCredentials', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether to automatically destroy the user\'s credentials cache on logout. Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'GSSAPIStrictAcceptorCheck', { 'choice' => [ 'no', 'yes' ], 'description' => 'Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against.This facility is provided to assist with operation on multi homed machines. Note that this option applies only to protocol version 2 GSSAPI connections, and setting it to "no" may only work with recent Kerberos GSSAPI libraries.', 'help' => { 'no' => 'the client may authenticate against any service key stored in the machine\'s default store', 'yes' => 'the client must authenticate against the host service on the current hostname.' 
}, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'GSSAPIStoreCredentialsOnRekey', { 'description' => 'Controls whether the user\'s GSSAPI credentials should be updated following a successful connection rekeying. This option can be used to accepted renewed or updated credentials from a compatible client.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'HostbasedAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'HostbasedUsesNameFromPacketOnly', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during HostbasedAuthentication.', 'help' => { 'no' => 'sshd(8) attempts to resolve the name from the TCP connection itself.', 'yes' => 'sshd(8) uses the name supplied by the client' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'HostCertificate', { 'description' => 'Specifies a file containing a public host certificate. The certificate\'s public key must match a private host key already specified by HostKey. The default behaviour of sshd(8) is not to load any certificates.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'HostKey', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies a file containing a private host key used by SSH. The default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol version 2. 
Note that sshd(8) will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. "rsa1" keys are used for version 1 and "dsa" or "rsa" are used for version 2 of the SSH protocol.', 'type' => 'list' }, 'HostKeyAgent', { 'description' => 'Identifies the UNIX-domain socket used to communicate with an agent that has access to the private host keys. If "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'IgnoreRhosts', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. ', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'IgnoreUserKnownHosts', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether sshd(8) should ignore the user\'s ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'IPQoS', { 'assert' => { '1_or_2' => { 'code' => 'return 1 unless defined $_; my @v = (/(\\w+)/g); return (@v < 3) ? 1 : 0; ', 'msg' => 'value must not have more than 2 fields.' }, 'accepted_values' => { 'code' => 'return 1 unless defined $_; my @v = (/(\\S+)/g); my @good = grep {/^(af[1-4][1-3]|cs[0-7]|ef|lowdelay|throughput|reliability|\\d+)/} @v ; return @good == @v ? 1 : 0; ', 'msg' => 'value must be 1 or 2 occurences of: "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value.' } }, 'description' => 'Specifies the IPv4 type-of-service or DSCP class for the connection. 
Accepted values are "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is "lowdelay" for interactive sessions and "throughput" for non-interactive sessions.', 'summary' => 'IPv4 type-of-service or DSCP class for the connection.', 'type' => 'leaf', 'upstream_default' => 'lowdelay throughput', 'value_type' => 'uniline' }, 'KbdInteractiveAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'No doc found in sshd documentation', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'KerberosAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC\'s identity. 
The default is "no".', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'KerberosGetAFSToken', { 'choice' => [ 'no', 'yes' ], 'description' => 'If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user\'s home directory.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'KerberosOrLocalPasswd', { 'choice' => [ 'no', 'yes' ], 'description' => 'If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as /etc/passwd.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'KerberosTicketCleanup', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether to automatically destroy the user\'s ticket cache file on logout.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'KexAlgorithms', { 'choice' => [ 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1' ], 'description' => 'Specifies the available KEX (Key Exchange) algorithms.', 'type' => 'check_list', 'upstream_default_list' => [ 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521' ] }, 'KeyRegenerationInterval', { 'description' => 'In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored anywhere. If the value is 0, the key is never regenerated. 
The default is 3600 (seconds).', 'type' => 'leaf', 'upstream_default' => '3600', 'value_type' => 'integer' }, 'Port', { 'description' => 'Specifies the port number that sshd(8) listens on. The default is 22. Multiple options of this type are permitted. See also ListenAddress.', 'type' => 'leaf', 'upstream_default' => '22', 'value_type' => 'integer' }, 'ListenAddress', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the local addresses sshd(8) should listen on. The following forms may be used: host|IPv4_addr|IPv6_addr host|IPv4_addr:port [host|IPv6_addr]:port If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses.', 'type' => 'list' }, 'LoginGraceTime', { 'description' => 'The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.', 'type' => 'leaf', 'upstream_default' => '120', 'value_type' => 'integer' }, 'LogLevel', { 'choice' => [ 'SILENT', 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3' ], 'help' => { 'DEBUG' => 'Logging with this level violates the privacy of users and is not recommended', 'DEBUG1' => 'Logging with this level violates the privacy of users and is not recommended', 'DEBUG2' => 'Logging with this level violates the privacy of users and is not recommended', 'DEBUG3' => 'Logging with this level violates the privacy of users and is not recommended' }, 'type' => 'leaf', 'upstream_default' => 'INFO', 'value_type' => 'enum' }, 'MACs', { 'choice' => [ 'hmac-md5', 'hmac-md5-96', 'hmac-ripemd160', 'hmac-sha1', 'hmac-sha1-96', 'umac-64@openssh.com' ], 'description' => 'Specifies the available MAC (message authentication code) algorithms. 
The MAC algorithm is used in protocol version 2 for data integrity protection.', 'type' => 'check_list' }, 'MaxAuthTries', { 'description' => 'Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.', 'type' => 'leaf', 'upstream_default' => '6', 'value_type' => 'integer' }, 'MaxSessions', { 'summary' => 'Specifies the maximum number of open sessions permitted per network connection', 'type' => 'leaf', 'upstream_default' => '10', 'value_type' => 'integer' }, 'MaxStartups', { 'description' => 'Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).', 'type' => 'leaf', 'upstream_default' => '10', 'value_type' => 'uniline' }, 'PasswordAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether password authentication is allowed.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'PermitBlacklistedKeys', { 'description' => 'Specifies whether sshd(8) should allow keys recorded in its blacklist of known-compromised keys (see L). If "yes", then attempts to authenticate with compromised keys will be logged but accepted. 
If "no", then attempts to authenticate with compromised keys will be rejected.', 'type' => 'leaf', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'PermitEmptyPasswords', { 'choice' => [ 'no', 'yes' ], 'description' => 'When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is "no".', 'help' => { 'yes' => 'So, you want your machine to be part of a botnet ? ;-)' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'PermitOpen', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms: "host:port" or "IPv4_addr:port" or "[IPv6_addr]:port". An argument of "any" can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.', 'type' => 'list' }, 'PermitRootLogin', { 'choice' => [ 'yes', 'without-password', 'forced-commands-only', 'no' ], 'description' => 'Specifies whether root can log in using ssh(1).', 'help' => { 'forced-commands-only' => 'root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.', 'no' => 'root is not allowed to log in ', 'without-password' => 'password authentication is disabled for root' }, 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'PermitTunnel', { 'choice' => [ 'yes', 'point-to-point', 'ethernet', 'no' ], 'description' => 'Specifies whether tun(4) device forwarding is allowed. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". 
Specifying "yes" permits both "point-to-point" and "ethernet".', 'help' => { 'yes' => 'permits both "point-to-point" and "ethernet"' }, 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'PermitUserEnvironment', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is "no". Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'PidFile', { 'description' => 'Specifies the file that contains the process ID of the SSH daemon.', 'type' => 'leaf', 'upstream_default' => '/var/run/sshd.pid', 'value_type' => 'uniline' }, 'PrintLastLog', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether sshd(8) should print the date and time of the last user login when a user logs in interactively.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'PrintMotd', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether sshd(8) should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.)', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'Protocol', { 'choice' => [ '1', '2' ], 'description' => 'Specifies the protocol versions sshd(8) supports. Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server.', 'type' => 'check_list', 'upstream_default_list' => [ '1', '2' ] }, 'PubkeyAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether public key authentication is allowed. The default is "yes". 
Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'RekeyLimit', { 'description' => 'Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of time that may pass before the session key is renegotiated. The first argument is specified in bytes and may have a suffix of \'K\', \'M\', or \'G\' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between \'1G\' and \'4G\', depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the TIME FORMATS section. The default value for RekeyLimit is "default none", which means that rekeying is performed after the cipher\'s default amount of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => 'default none', 'value_type' => 'uniline' }, 'RevokedKeys', { 'description' => 'Specifies revoked public keys. Keys listed in this file will be refused for public key authentication. Note that if this file is not readable, then public key authentication will be refused for all users. Keys may be specified as a text file, listing one public key per line, or as an OpenSSH Key Revocation List (KRL) as generated by L. For more information on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1).', 'summary' => 'Revoked keys file', 'type' => 'leaf', 'value_type' => 'uniline' }, 'RhostsRSAAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is "no". 
This option applies to protocol version 1 only.', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'RSAAuthentication', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether pure RSA authentication is allowed. This option applies to protocol version 1 only.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'ServerKeyBits', { 'description' => 'Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768.', 'min' => '512', 'type' => 'leaf', 'upstream_default' => '768', 'value_type' => 'integer' }, 'StrictModes', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether sshd(8) should check file modes and ownership of the user\'s files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is "yes". ', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'Subsystem', { 'cargo' => { 'mandatory' => 1, 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Configures an external subsystem (e.g. file transfer daemon). Keys of the hash should be a subsystem name and hash value a command (with optional arguments) to execute upon subsystem request. The command sftp-server(8) implements the "sftp" file transfer subsystem. By default no subsystems are defined. Note that this option applies to protocol version 2 only.', 'index_type' => 'string', 'type' => 'hash' }, 'SyslogFacility', { 'choice' => [ 'DAEMON', 'USER', 'AUTH', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7' ], 'description' => 'Gives the facility code that is used when logging messages from sshd(8). 
The default is AUTH.', 'type' => 'leaf', 'upstream_default' => 'AUTH', 'value_type' => 'enum' }, 'KeepAlive', { 'choice' => [ 'no', 'yes' ], 'status' => 'deprecated', 'type' => 'leaf', 'value_type' => 'enum' }, 'TCPKeepAlive', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources. This option was formerly called KeepAlive.', 'help' => { 'no' => 'disable TCP keepalive messages', 'yes' => 'Send TCP keepalive messages. The server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions.' }, 'migrate_from' => { 'formula' => '$keep_alive', 'variables' => { 'keep_alive' => '- KeepAlive' } }, 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'TrustedUserCAKeys', { 'description' => 'Specifies a file containing public keys of certificate authorities that are trusted to sign user certificates for authentication. Keys are listed one per line; empty lines and comments starting with \'#\' are allowed. If a certificate is presented for authentication and has its signing CA key listed in this file, then it may be used for authentication for any user listed in the certificate\'s principals list. Note that certificates that lack a list of principals will not be permitted for authentication using TrustedUserCAKeys. 
For more details on certificates, see the CERTIFICATES section in ssh-keygen(1).', 'type' => 'leaf', 'value_type' => 'uniline' }, 'UseDNS', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is "yes"', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'UseLogin', { 'choice' => [ 'no', 'yes' ], 'description' => 'Deprecated in August 2016, removed in 2017', 'status' => 'deprecated', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'UsePAM', { 'choice' => [ 'no', 'yes' ], 'description' => 'Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication. If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is "no".', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'UsePrivilegeSeparation', { 'choice' => [ 'no', 'yes' ], 'description' => 'Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. 
The default is "yes".', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'VersionAddendum', { 'description' => 'Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection', 'type' => 'leaf', 'value_type' => 'uniline' }, 'XAuthLocation', { 'description' => 'Specifies the full pathname of the xauth(1) program.', 'type' => 'leaf', 'upstream_default' => '/usr/bin/X11/xauth', 'value_type' => 'uniline' }, 'X11DisplayOffset', { 'description' => 'Specifies the first display number available for sshd(8)\'s X11 forwarding. This prevents sshd from interfering with real X11 servers.', 'type' => 'leaf', 'upstream_default' => '10', 'value_type' => 'integer' }, 'X11Forwarding', { 'choice' => [ 'yes', 'no' ], 'description' => 'Specifies whether X11 forwarding is permitted. Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders. X11 forwarding is automatically disabled if UseLogin is enabled.', 'level' => 'important', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'X11UseLocalhost', { 'choice' => [ 'yes', 'no' ], 'description' => 'Specifies whether sshd(8) should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost". This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration. X11UseLocalhost may be set to "no" to specify that the forwarding server should be bound to the wildcard address.', 'type' => 'leaf', 'upstream_default' => 'yes', 'value_type' => 'enum' }, 'Match', { 'cargo' => { 'config_class_name' => 'Sshd::MatchBlock', 'type' => 'node' }, 'description' => 'Specifies a match block. The criteria User, Group Host and Address can contain patterns. 
When all these criteria are satisfied (i.e. all patterns match the incoming connection), the parameters set in the block element will override the general settings.', 'type' => 'list' } ], 'license' => 'LGPL2', 'name' => 'Sshd', 'rw_config' => { 'backend' => 'OpenSsh::Sshd', 'config_dir' => '/etc/ssh', 'file' => 'sshd_config', 'os_config_dir' => { 'darwin' => '/etc' } } } ] ; Config-Model-OpenSsh-1.238/lib/Config/Model/models/Ssh/0000755000175000017500000000000013166471154021054 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/models/Ssh/HostElement.pod0000644000175000017500000010434613166471154024017 0ustar domidomi# PODNAME: Config::Model::models::Ssh::HostElement # ABSTRACT: Configuration class Ssh::HostElement =encoding utf8 =head1 NAME Config::Model::models::Ssh::HostElement - Configuration class Ssh::HostElement =head1 DESCRIPTION Configuration classes used by L Configuration class that represents all parameters available inside a Host directive of a ssh configuration. =head1 Elements =head2 AddressFamily Specifies which address family to use when connecting. I< Optional. Type enum. choice: 'any', 'inet', 'inet6'. > =over 4 =item upstream_default value : any =back =head2 BatchMode If set to 'yes', passphrase/password querying will be disabled. In addition, the ServerAliveInterval option will be set to 300 seconds by default. This option is useful in scripts and other batch jobs where no user is present to supply the password, and where it is desirable to detect a broken network swiftly. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 BindAddress Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address. Note that this option does not work if UsePrivilegedPort is set to 'yes'. I< Optional. Type uniline. > =head2 ChallengeResponseAuthentication Specifies whether to use challenge-response authentication. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 1 =back =head2 CheckHostIP If enabled, ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If disabled, the check will not be executed. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 Cipher Specifies the cipher to use for encrypting the session in protocol version 1. "des" is only supported in the ssh(1) client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. I< Optional. Type enum. choice: 'blowfish', '3des', 'des'. > =over 4 =item upstream_default value : 3des =back =head2 Ciphers Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. The supported ciphers are: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com The default is: chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,aes192-cbc,aes256-cbc The list of available ciphers may also be obtained using C I< Optional. Type uniline. > =head2 ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. 
This option is primarily useful when used from the ssh(1) command line to clear port forwardings set in configuration files, and is automatically set by scp(1) and sftp(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 Compression Specifies whether to use compression. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 CompressionLevel I< Optional. Type integer. > =over 4 =item upstream_default value : 6 =back =head2 ConnectionAttempts Specifies the number of tries (one per second) to make before exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. I< Optional. Type integer. > =over 4 =item upstream_default value : 1 =back =head2 ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. This value is used only when the target is down or really unreachable, not when it refuses the connection. I< Optional. Type integer. > =head2 ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to 'yes', ssh(1) will listen for connections on a control socket specified using the ControlPath argument. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to 'no' (the default). These sessions will try to reuse the master instance's network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist, or is not listening. Setting this to 'ask' will cause ssh to listen for control connections, but require confirmation using the SSH_ASKPASS program before they are accepted (see ssh-add(1) for details). If the ControlPath cannot be opened, ssh will continue without connecting to a master instance. 
X11 and ssh-agent(1) forwarding is supported over these multiplexed connections, however the display and agent forwarded will be the one belonging to the master connection i.e. it is not possible to forward multiple displays or agents. Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already exist. These options are: 'auto' and 'autoask'. The latter requires confirmation like the 'ask' option. I< Optional. Type enum. choice: 'no', 'yes', 'ask', 'auto', 'autoask'. > =over 4 =item upstream_default value : no =back =head2 ControlPath Specify the path to the control socket used for connection sharing as described in the ControlMaster section above or the string 'none' to disable connection sharing. In the path, '%l' will be substituted by the local host name, '%h' will be substituted by the target host name, '%p' the port, and '%r' by the remote login username. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r. This ensures that shared connections are uniquely identified. I< Optional. Type uniline. > =head2 ControlPersist - persists the master connection in the background When used in conjunction with ControlMaster, specifies that the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. If set to ``no'', then the master connection will not be placed into the background, and will close as soon as the initial client connection is closed. If set to ``yes'', then the master connection will remain in the background indefinitely (until killed or closed via a mechanism such as the ssh(1) ``-O exit'' option).
If set to a time in seconds, or a time in any of the formats documented in sshd_config(5), then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time. I< Optional. Type uniline. > =head2 DynamicForward Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of 'localhost' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh(1) will act as a SOCKS server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. I< Optional. Type list of uniline. > =head2 EscapeChar Sets the escape character (default: '~'). The escape character can also be set on the command line. The argument should be a single character, '^' followed by a letter, or 'none' to disable the escape character entirely (making the connection transparent for binary data). I< Optional. Type uniline. > =over 4 =item upstream_default value : ~ =back =head2 ExitOnForwardFailure Specifies whether ssh(1) should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings. I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 0 =back =head2 ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardX11 Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 ForwardX11Timeout - timeout for untrusted X11 forwarding Specify a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of L<sshd_config(5)>. X11 connections received by L<ssh(1)> after this time will be refused. The default is to disable untrusted X11 forwarding after twenty minutes has elapsed. I< Optional. Type uniline. > =head2 ForwardX11Trusted If this option is set, remote X11 clients will have full access to the original X11 display. If this option is not set, remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth(1) token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time.
See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh(1) binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GlobalKnownHostsFile Specifies a file to use for the global host key database. I< Optional. Type uniline. > =over 4 =item upstream_default value : /etc/ssh/ssh_known_hosts =back =head2 GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIKeyExchange Specifies whether key exchange based on GSSAPI may be used. When using GSSAPI key exchange the server need not have a host key. Note that this option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIClientIdentity If set, specifies the GSSAPI client identity that ssh should use when connecting to the server. The default is unset, which means that the default identity will be used. I< Optional. Type uniline. > =head2 GSSAPIServerIdentity If set, specifies the GSSAPI server identity that ssh should expect when connecting to the server. The default is unset, which means that the expected GSSAPI server identity will be determined from the target hostname. I< Optional. Type uniline. > =head2 GSSAPIDelegateCredentials Forward (delegate) credentials to the server. 
Note that this option applies to protocol version 2 connections using GSSAPI. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPIRenewalForcesRekey If set to "yes" then renewal of the client's GSSAPI credentials will force the rekeying of the ssh connection. With a compatible server, this can delegate the renewed credentials to a session on the server. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 GSSAPITrustDns Set to "yes" to indicate that the DNS is trusted to securely canonicalize the name of the host being connected to. If "no", the hostname entered on the command line will be passed untouched to the GSSAPI library. This option only applies to protocol version 2 connections using GSSAPI. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HashKnownHosts Indicates that ssh(1) should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file's contents be disclosed. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. This option applies to protocol version 2 only and is similar to RhostsRSAAuthentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 HostKeyAlgorithms Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. I< Optional. Type check_list. choice: 'ssh-rsa', 'ssh-dss'. > =head2 HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. 
This option is useful for tunneling SSH connections or for multiple servers running on a single host. I< Optional. Type uniline. > =head2 HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications). I< Optional. Type uniline. > =head2 IdentitiesOnly Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. This option is intended for situations where ssh-agent offers many different identities. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 IdentityFile Specifies a file from which the user's RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use the tilde syntax to refer to a user's home directory or one of the following escape characters: '%d' (local user's home directory), '%u' (local user name), '%l' (local host name), '%h' (remote host name) or '%r' (remote user name). It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. I< Optional. Type list of uniline. > =head2 IPQoS - IPv4 type-of-service or DSCP class for the connection. Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted values are "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value. This option may take one or two arguments, separated by whitespace.
If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is "lowdelay" for interactive sessions and "throughput" for non-interactive sessions. I< Optional. Type uniline. > =over 4 =item upstream_default value : lowdelay throughput =back =head2 KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 KbdInteractiveDevices Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: 'bsdauth', 'pam', and 'skey'. I< Optional. Type list of uniline. > =head2 KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. I< Optional. Type check_list. choice: 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'. > =head2 LocalForward - Local port forwarding Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port and host/hostport. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. 
However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces. Example: LocalForward 20000 192.168.0.66:80 . I< Optional. Type list of node of class L<Config::Model::models::Ssh::PortForward>. > =head2 LogLevel Gives the verbosity level that is used when logging messages from ssh(1). The possible values are: SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output. I< Optional. Type enum. choice: 'SILENT', 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3'. > =over 4 =item upstream_default value : INFO =back =head2 MACs Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. I< Optional. Type check_list. choice: 'hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-sha1-96', 'hmac-md5-96'. > =head2 NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost. The default is to check the host key for localhost. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 NumberOfPasswordPrompts Specifies the number of password prompts before giving up. I< Optional. Type integer. > =over 4 =item upstream_default value : 3 =back =head2 PasswordAuthentication Specifies whether to use password authentication. I< Optional. Type boolean.
> =over 4 =item upstream_default value : 1 =back =head2 PermitLocalCommand Allow local command execution via the LocalCommand option or using the !command escape sequence in ssh(1). I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. The following escape character substitutions will be performed: '%d' (local user's home directory), '%h' (remote host name), '%l' (local host name), '%n' (host name as provided on the command line), '%p' (remote port), '%r' (remote user name) or '%u' (local user name). This directive is ignored unless PermitLocalCommand has been enabled. I< Optional. Type uniline. > =head2 PKCS11Provider Specifies which PKCS#11 provider to use. The argument to this keyword is the PKCS#11 shared library ssh(1) should use to communicate with a PKCS#11 token providing the user's private RSA key. I< Optional. Type uniline. > =head2 Port Specifies the port number to connect on the remote host. I< Optional. Type integer. > =over 4 =item upstream_default value : 22 =back =head2 PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). I< Optional. Type check_list. choice: 'gssapi-with-mic', 'hostbased', 'publickey', 'keyboard-interactive', 'password'. > =head2 Protocol Specifies the protocol versions ssh(1) should support in order of preference. The default is "2,1". This means that ssh tries version 2 and falls back to version 1 if version 2 is not available. I< Optional. Type check_list. choice: '2', '1'. > =head2 ProxyCommand Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user's shell. 
In the command string, '%h' will be substituted by the host name to connect and '%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to "none" disables this option entirely. Note that CheckHostIP is not available for connections made through a proxy command. This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p. I< Optional. Type uniline. > =head2 PubkeyAuthentication Specifies whether to try public key authentication. This option applies to protocol version 2 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated. The argument is the number of bytes, with an optional suffix of 'K', 'M', or 'G' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between '1G' and '4G', depending on the cipher. This option applies to protocol version 2 only. I< Optional. Type uniline. > =head2 RemoteForward - remote port forward to local Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. If the bind_address is not specified, the default is to only bind to loopback addresses. If the bind_address is '*' or an empty string, then the forwarding is requested to listen on all interfaces.
Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)). I< Optional. Type list of node of class L<Config::Model::models::Ssh::PortForward>. > =head2 RequestTTY Specifies whether to request a pseudo-tty for the session. This option mirrors the -t and -T flags for C<ssh>. I< Optional. Type enum. choice: 'yes', 'no', 'force', 'auto'. > Here are some explanations on the possible values: =over =item 'auto' request a TTY when opening a login session =item 'force' always request a TTY =item 'no' never request a TTY =item 'yes' always request a TTY when standard input is a TTY =back =head2 RhostsRSAAuthentication Specifies whether to try rhosts based authentication with RSA host authentication. This option applies to protocol version 1 only and requires ssh(1) to be setuid root. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 RSAAuthentication Specifies whether to try RSA authentication. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. Note that this option applies to protocol version 1 only. I< Optional. Type boolean. > =over 4 =item upstream_default value : 1 =back =head2 SendEnv Specifies what variables from the local environ(7) should be sent to the server. Note that environment passing is only supported for protocol 2. The server must also support it, and the server must be configured to accept these environment variables. Refer to AcceptEnv in sshd_config(5) for how to configure the server. Variables are specified by name, which may contain wildcard characters. Multiple environment variables may be separated by whitespace or spread across multiple SendEnv directives. The default is not to send any environment variables. See PATTERNS in ssh_config(5) for more information on patterns. I< Optional. Type list of uniline.
> =head2 ServerAliveCountMax Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive. The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If, for example, ServerAliveInterval is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. This option applies to protocol version 2 only; in protocol version 1 there is no mechanism to request a response from the server to the server alive messages, so disconnection is the responsibility of the TCP stack. I< Optional. Type integer. > =over 4 =item upstream_default value : 3 =back =head2 ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server, or 300 if the BatchMode option is set. This option applies to protocol version 2 only. ProtocolKeepAlives and SetupTimeOut are Debian-specific compatibility aliases for this option. I< Optional. Type integer. > =over 4 =item upstream_default value : 0 =back =head2 SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device ssh(1) should use to communicate with a smartcard used for storing the user's private RSA key.
By default, no device is specified and smartcard support is not activated. I< Optional. Type uniline. > =head2 StrictHostKeyChecking If this flag is set to "yes", ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, though it can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to "no", ssh will automatically add new host keys to the user known hosts files. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be "yes", "no", or "ask". The default is "ask". I< Optional. Type enum. choice: 'yes', 'no', 'ask'. > =over 4 =item upstream_default value : ask =back =head2 TCPKeepAlive Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. This option only uses TCP keepalives (as opposed to using ssh level keepalives), so takes a long time to notice when the connection dies. As such, you probably want the ServerAliveInterval option as well. However, this means that connections will die if the route is down temporarily, and some people find it annoying. The default is "yes" (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too. To disable TCP keepalive messages, the value should be set to "no". I< Optional. Type boolean. 
> =over 4 =item upstream_default value : 1 =back =head2 Tunnel Request tun(4) device forwarding between the client and the server. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" requests the default tunnel mode, which is "point-to-point". The default is "no". I< Optional. Type enum. choice: 'yes', 'point-to-point', 'ethernet', 'no'. > =over 4 =item upstream_default value : no =back =head2 TunnelDevice Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun). The argument must be local_tun[:remote_tun]. The devices may be specified by numerical ID or the keyword "any", which uses the next available tunnel device. If remote_tun is not specified, it defaults to "any". The default is "any:any". I< Optional. Type uniline. > =over 4 =item upstream_default value : any:any =back =head2 UseBlacklistedKeys Specifies whether ssh(1) should use keys recorded in its blacklist of known-compromised keys (see ssh-vulnkey(1)) for authentication. If "yes", then attempts to use compromised keys for authentication will be logged but accepted. It is strongly recommended that this be used only to install new authorized keys on the remote system, and even then only with the utmost care. If "no", then attempts to use compromised keys for authentication will be prevented. The default is "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be "yes" or "no". The default is "no". If set to "yes", ssh(1) must be setuid root. Note that this option must be set to "yes" for RhostsRSAAuthentication with older servers. I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 User Specifies the user to log in as. This can be useful when a different user name is used on different machines.
This saves the trouble of having to remember to give the user name on the command line. I< Optional. Type uniline. > =head2 UserKnownHostsFile Specifies a file to use for the user host key database instead of ~/.ssh/known_hosts. I< Optional. Type uniline. > =head2 VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to "yes", the client will implicitly trust keys that match a secure fingerprint from DNS. Insecure fingerprints will be handled as if this option was set to "ask". If this option is set to "ask", information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. The argument must be "yes", "no", or "ask". The default is "no". Note that this option applies to protocol version 2 only. See also VERIFYING HOST KEYS in ssh(1). I< Optional. Type enum. choice: 'yes', 'no', 'ask'. > =over 4 =item upstream_default value : no =back =head2 VisualHostKey If this flag is set to "yes", an ASCII art representation of the remote host key fingerprint is printed additionally to the hex fingerprint string. If this flag is set to "no", only the hex fingerprint string will be printed. The default is "no". I< Optional. Type boolean. > =over 4 =item upstream_default value : 0 =back =head2 XAuthLocation Specifies the full pathname of the xauth(1) program. The default is /usr/bin/X11/xauth. I< Optional. Type uniline. > =over 4 =item upstream_default value : /usr/X11R6/bin/xauth =back =head2 UseRsh This parameter is now ignored by Ssh. B I< Optional. Type uniline. > =head2 FallBackToRsh This parameter is now ignored by Ssh. B I< Optional. Type uniline. 
> =head1 SEE ALSO =over =item * L =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2009-2011 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/Ssh/PortForward.pod0000644000175000017500000000312713166471154024034 0ustar domidomi# PODNAME: Config::Model::models::Ssh::PortForward # ABSTRACT: Configuration class Ssh::PortForward =encoding utf8 =head1 NAME Config::Model::models::Ssh::PortForward - Configuration class Ssh::PortForward =head1 DESCRIPTION Configuration classes used by L<Config::Model> Configuration class that represents the parameters required to specify port forwarding in a ssh configuration. =head1 Elements =head2 ipv6 Specify if the forward is specified with IPv6 or IPv4. I< Optional. Type boolean. > =head2 bind_address - bind address to listen to Specify the address that the port will listen to. By default, only connections coming from localhost (127.0.0.1) will be forwarded. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of 'localhost' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces. I< Optional. Type uniline. > =head2 port Listening port. Connections made to this port will be forwarded to the other side of the tunnel. I< Mandatory. Type uniline. > =head2 host - host name or address I< Mandatory. Type uniline. > =head2 hostport - destination port Port number to connect the tunnel to. I< Mandatory. Type uniline.
> =head1 SEE ALSO =over =item * L =back =head1 AUTHOR =over =item Dominique Dumont =back =head1 COPYRIGHT =over =item 2009-2011 Dominique Dumont =back =head1 LICENSE =over =item LGPL2 =back =cut Config-Model-OpenSsh-1.238/lib/Config/Model/models/Ssh/HostElement.pl0000644000175000017500000012570413166471154023651 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'author' => [ 'Dominique Dumont' ], 'class_description' => 'Configuration class that represents all parameters available inside a Host directive of a ssh configuration.', 'copyright' => [ '2009-2011 Dominique Dumont' ], 'element' => [ 'AddressFamily', { 'choice' => [ 'any', 'inet', 'inet6' ], 'description' => 'Specifies which address family to use when connecting.', 'type' => 'leaf', 'upstream_default' => 'any', 'value_type' => 'enum' }, 'BatchMode', { 'description' => 'If set to \'yes\', passphrase/password querying will be disabled. In addition, the ServerAliveInterval option will be set to 300 seconds by default. This option is useful in scripts and other batch jobs where no user is present to supply the password, and where it is desirable to detect a broken network swiftly. ', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'BindAddress', { 'description' => 'Use the specified address on the local machine as the source address of the connection. Only useful on systems with more than one address. 
Note that this option does not work if UsePrivilegedPort is set to \'yes\'.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'ChallengeResponseAuthentication', { 'description' => 'Specifies whether to use challenge-response authentication.', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean' }, 'CheckHostIP', { 'description' => 'If enabled, ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If disbled, the check will not be executed.', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean' }, 'Cipher', { 'choice' => [ 'blowfish', '3des', 'des' ], 'description' => 'Specifies the cipher to use for encrypting the session in protocol version 1. "des" is only supported in the ssh(1) client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses.', 'type' => 'leaf', 'upstream_default' => '3des', 'value_type' => 'enum' }, 'Ciphers', { 'description' => "Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. If the specified value begins with a \x{2018}+\x{2019} character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a \x{2018}-\x{2019} character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. 
The supported ciphers are: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm\@openssh.com aes256-gcm\@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305\@openssh.com The default is: chacha20-poly1305\@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm\@openssh.com,aes256-gcm\@openssh.com, aes128-cbc,aes192-cbc,aes256-cbc The list of available ciphers may also be obtained using C", 'type' => 'leaf', 'value_type' => 'uniline' }, 'ClearAllForwardings', { 'description' => 'Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is primarily useful when used from the ssh(1) command line to clear port forwardings set in configuration files, and is automatically set by scp(1) and sftp(1).', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'Compression', { 'description' => 'Specifies whether to use compression.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'CompressionLevel', { 'level' => 'hidden', 'max' => '9', 'min' => '1', 'type' => 'leaf', 'upstream_default' => '6', 'value_type' => 'integer', 'warp' => { 'follow' => { 'compression' => '- Compression' }, 'rules' => [ '$compression == 1', { 'level' => 'normal' } ] } }, 'ConnectionAttempts', { 'description' => 'Specifies the number of tries (one per second) to make before exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails.', 'min' => '1', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'integer' }, 'ConnectTimeout', { 'description' => 'Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. This value is used only when the target is down or really unreachable, not when it refuses the connection. 
', 'type' => 'leaf', 'value_type' => 'integer' }, 'ControlMaster', { 'choice' => [ 'no', 'yes', 'ask', 'auto', 'autoask' ], 'description' => 'Enables the sharing of multiple sessions over a single network connection. When set to \'yes\', ssh(1) will listen for connections on a control socket specified using the ControlPath argument. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to \'no\' (the default). These sessions will try to reuse the master instance\'s network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist, or is not listening. Setting this to \'ask\' will cause ssh to listen for control connections, but require confirmation using the SSH_ASKPASS program before they are accepted (see ssh-add(1) for details). If the ControlPath cannot be opened, ssh will continue without connecting to a master instance. X11 and ssh-agent(1) forwarding is supported over these multiplexed connections, however the display and agent forwarded will be the one belonging to the master connection i.e. it is not pos sible to forward multiple displays or agents. Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already exist. These options are: \'auto\' and \'autoask\'. The latter requires confirmation like the \'ask\' option. ', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'ControlPath', { 'description' => 'Specify the path to the control socket used for connection sharing as described in the ControlMaster section above or the string \'none\' to disable connection sharing. In the path, \'%l\' will be substituted by the local host name, \'%h\' will be substituted by the target host name, \'%p\' the port, and \'%r\' by the remotelogin username. 
It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r. This ensures that shared connections are uniquely identified. ', 'type' => 'leaf', 'value_type' => 'uniline' }, 'ControlPersist', { 'description' => 'When used in conjunction with ControlMaster, specifies that the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. If set to ``no\'\', then the master connection will not be placed into the background, and will close as soon as the initial client connection is closed. If set to ``yes\'\', then the master connection will remain in the background indef- initely (until killed or closed via a mechanism such as the ssh(1) ``-O exit\'\' option). If set to a time in seconds, or a time in any of the formats documented in sshd_config(5), then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time.', 'match' => '^(?i)yes|no|\\d+$', 'summary' => 'persists the master connection in the background', 'type' => 'leaf', 'value_type' => 'uniline' }, 'DynamicForward', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. 
The bind_address of \'localhost\' indicates that the listening port be bound for local use only, while an empty address or \'*\' indicates that the port should be available from all interfaces. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh(1) will act as a SOCKS server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. ', 'type' => 'list' }, 'EscapeChar', { 'description' => 'Sets the escape character (default: \'~\'). The escape character can also be set on the command line. The argument should be a single character, \'^\' followed by a letter, or \'none\' to disable the escape character entirely (making the connection transparent for binary data). ', 'type' => 'leaf', 'upstream_default' => '~', 'value_type' => 'uniline' }, 'ExitOnForwardFailure', { 'description' => 'Specifies whether ssh(1) should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'ForwardAgent', { 'description' => 'Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent\'s Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. ', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'ForwardX11', { 'description' => 'Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. X11 forwarding should be enabled with caution. 
Users with the ability to bypass file permissions on the remote host (for the user\'s X11 authorization database) can access the local X11 dis play through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. ', 'level' => 'important', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'ForwardX11Timeout', { 'description' => 'Specify a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of L. X11 connections received by L after this time will be refused. The default is to disable untrusted X11 forwarding after twenty minutes has elapsed.', 'summary' => 'timeout for untrusted X11 forwarding', 'type' => 'leaf', 'value_type' => 'uniline' }, 'ForwardX11Trusted', { 'description' => 'If this option is set, remote X11 clients will have full access to the original X11 display. If this option is not set, remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth(1) token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time. See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. ', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'GatewayPorts', { 'description' => 'Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh(1) binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. 
', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'GlobalKnownHostsFile', { 'description' => 'Specifies a file to use for the global host key database', 'type' => 'leaf', 'upstream_default' => '/etc/ssh/ssh_known_hosts', 'value_type' => 'uniline' }, 'GSSAPIAuthentication', { 'description' => 'Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'GSSAPIKeyExchange', { 'description' => 'Specifies whether key exchange based on GSSAPI may be used. When using GSSAPI key exchange the server need not have a host key. Note that this option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'GSSAPIClientIdentity', { 'description' => 'If set, specifies the GSSAPI client identity that ssh should use when connecting to the server. The default is unset, which means that the default identity will be used.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'GSSAPIServerIdentity', { 'description' => 'If set, specifies the GSSAPI server identity that ssh should expect when connecting to the server. The default is unset, which means that the expected GSSAPI server identity will be determined from the target hostname.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'GSSAPIDelegateCredentials', { 'description' => 'Forward (delegate) credentials to the server. Note that this option applies to protocol version 2 connections using GSSAPI.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'GSSAPIRenewalForcesRekey', { 'description' => 'If set to "yes" then renewal of the client\'s GSSAPI credentials will force the rekeying of the ssh connection. 
With a compatible server, this can delegate the renewed credentials to a session on the server.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'GSSAPITrustDns', { 'description' => 'Set to "yes" to indicate that the DNS is trusted to securely canonicalize the name of the host being connected to. If "no", the hostname entered on the command line will be passed untouched to the GSSAPI library. This option only applies to protocol version 2 connections using GSSAPI.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean', 'write_as' => [ 'no', 'yes' ] }, 'HashKnownHosts', { 'description' => 'Indicates that ssh(1) should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file\'s contents be disclosed. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen(1). ', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'HostbasedAuthentication', { 'description' => 'Specifies whether to try rhosts based authentication with public key authentication. This option applies to protocol version 2 only and is similar to RhostsRSAAuthentication. ', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'HostKeyAlgorithms', { 'choice' => [ 'ssh-rsa', 'ssh-dss' ], 'description' => 'Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference.', 'ordered' => '1', 'type' => 'check_list', 'upstream_default_list' => [ 'ssh-rsa', 'ssh-dss' ] }, 'HostKeyAlias', { 'description' => 'Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. 
This option is useful for tunneling SSH connections or for multiple servers running on a single host.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'HostName', { 'description' => 'Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications).', 'type' => 'leaf', 'value_type' => 'uniline' }, 'IdentitiesOnly', { 'description' => 'Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. This option is intended for situations where ssh-agent offers many different identities.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'IdentityFile', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline', 'warn_if_match' => { '\\.pub$' => { 'fix' => 's/\\.pub$//;', 'msg' => 'identity file should be the private key ' } } }, 'description' => 'Specifies a file from which the user\'s RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use the tilde syntax to refer to a user\'s home directory or one of the following escape characters: \'%d\' (local user\'s home directory), \'%u\' (local user name), \'%l\' (local host name), \'%h\' (remote host name) or \'%r\' (remote user name). It is possible to have multiple identity files specified in con figuration files; all these identities will be tried in sequence. ', 'type' => 'list' }, 'IPQoS', { 'assert' => { '1_or_2' => { 'code' => 'return 1 unless defined $_; my @v = (/(\\w+)/g); return (@v < 3) ? 1 : 0; ', 'msg' => 'value must not have more than 2 fields.' 
}, 'accepted_values' => { 'code' => 'return 1 unless defined $_; my @v = (/(\\S+)/g); my @good = grep {/^(af[1-4][1-3]|cs[0-7]|ef|lowdelay|throughput|reliability|\\d+)/} @v ; return @good == @v ? 1 : 0; ', 'msg' => 'value must be 1 or 2 occurences of: "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value.' } }, 'description' => 'Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted values are "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33", "af41", "af42", "af43", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "cs7", "ef", "lowdelay", "throughput", "reliability", or a numeric value. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is "lowdelay" for interactive sessions and "throughput" for non-interactive sessions.', 'summary' => 'IPv4 type-of-service or DSCP class for the connection.', 'type' => 'leaf', 'upstream_default' => 'lowdelay throughput', 'value_type' => 'uniline' }, 'KbdInteractiveAuthentication', { 'description' => 'Specifies whether to use keyboard-interactive authentication. ', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean' }, 'KbdInteractiveDevices', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. The methods available vary depending on what the server supports. 
For an OpenSSH server, it may be zero or more of: \'bsdauth\', \'pam\', and \'skey\'.', 'type' => 'list' }, 'KexAlgorithms', { 'choice' => [ 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1' ], 'description' => 'Specifies the available KEX (Key Exchange) algorithms.', 'type' => 'check_list', 'upstream_default_list' => [ 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521' ] }, 'LocalForward', { 'cargo' => { 'config_class_name' => 'Ssh::PortForward', 'type' => 'node' }, 'description' => 'Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: [bind_address/]port and host/hostport. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or \'*\' indicates that the port should be available from all interfaces. 
Example: LocalForward 20000 192.168.0.66:80 ', 'summary' => 'Local port forwarding', 'type' => 'list' }, 'LogLevel', { 'choice' => [ 'SILENT', 'QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3' ], 'description' => 'Gives the verbosity level that is used when logging messages from ssh(1). The possible values are: SILENT, QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output.', 'type' => 'leaf', 'upstream_default' => 'INFO', 'value_type' => 'enum' }, 'MACs', { 'choice' => [ 'hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-sha1-96', 'hmac-md5-96' ], 'description' => 'Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection.', 'ordered' => '1', 'type' => 'check_list', 'upstream_default_list' => [ 'hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-sha1-96', 'hmac-md5-96' ] }, 'NoHostAuthenticationForLocalhost', { 'description' => 'This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warn ings about changed host keys. However, this option disables host authentication for localhost. 
The default is to check the host key for localhost.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'NumberOfPasswordPrompts', { 'description' => 'Specifies the number of password prompts before giving up.', 'type' => 'leaf', 'upstream_default' => '3', 'value_type' => 'integer' }, 'PasswordAuthentication', { 'description' => 'Specifies whether to use password authentication.', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean' }, 'PermitLocalCommand', { 'description' => 'Allow local command execution via the LocalCommand option or using the !command escape sequence in ssh(1).', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'LocalCommand', { 'description' => 'Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user\'s shell. The following escape character substitutions will be performed: \'%d\' (local user\'s home directory), \'%h\' (remote host name), \'%l\' (local host name), \'%n\' (host name as provided on the command line), \'%p\' (remote port), \'%r\' (remote user name) or \'%u\' (local user name). This directive is ignored unless PermitLocalCommand has been enabled.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'PKCS11Provider', { 'description' => 'Specifies which PKCS#11 provider to use. 
The argument to this keyword is the PKCS#11 shared library ssh(1) should use to communicate with a PKCS#11 token providing the user\'s private RSA key.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'Port', { 'description' => 'Specifies the port number to connect on the remote host.', 'type' => 'leaf', 'upstream_default' => '22', 'value_type' => 'integer' }, 'PreferredAuthentications', { 'choice' => [ 'gssapi-with-mic', 'hostbased', 'publickey', 'keyboard-interactive', 'password' ], 'description' => 'Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password).', 'ordered' => '1', 'type' => 'check_list', 'upstream_default_list' => [ 'gssapi-with-mic', 'hostbased', 'publickey', 'keyboard-interactive', 'password' ] }, 'Protocol', { 'choice' => [ '2', '1' ], 'description' => 'Specifies the protocol versions ssh(1) should support in order of preference. The default is "2,1". This means that ssh tries version 2 and falls back to version 1 if version 2 is not available.', 'ordered' => '1', 'type' => 'check_list', 'upstream_default_list' => [ '2', '1' ] }, 'ProxyCommand', { 'description' => 'Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user\'s shell. In the command string, \'%h\' will be substi tuted by the host name to connect and \'%p\' by the port. The com mand can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to "none" disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command. 
This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p', 'type' => 'leaf', 'value_type' => 'uniline' }, 'PubkeyAuthentication', { 'description' => 'Specifies whether to try public key authentication. This option applies to protocol version 2 only.', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean' }, 'RekeyLimit', { 'description' => 'Specifies the maximum amount of data that may be transmitted before the session key is renegotiated. The argument is the number of bytes, with an optional suffix of \'K\', \'M\', or \'G\' to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between \'1G\' and \'4G\', depending on the cipher. This option applies to protocol version 2 only.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'RemoteForward', { 'cargo' => { 'config_class_name' => 'Ssh::PortForward', 'type' => 'node' }, 'description' => 'Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. If the bind_address is not specified, the default is to only bind to loopback addresses. If the bind_address is \'*\' or an empty string, then the forwarding is requested to listen on all inter faces. Specifying a remote bind_address will only succeed if the server\'s GatewayPorts option is enabled (see sshd_config(5)).', 'level' => 'important', 'summary' => 'remote port forward to local', 'type' => 'list' }, 'RequestTTY', { 'choice' => [ 'yes', 'no', 'force', 'auto' ], 'description' => 'Specifies whether to request a pseudo-tty for the session. 
This option mirrors the -t and -T flags for C.', 'help' => { 'auto' => 'request a TTY when opening a login session', 'force' => 'always request a TTY', 'no' => 'never request a TTY', 'yes' => 'always request a TTY when standard input is a TTY' }, 'type' => 'leaf', 'value_type' => 'enum' }, 'RhostsRSAAuthentication', { 'description' => 'Specifies whether to try rhosts based authentication with RSA host authentication. This option applies to protocol version 1 only and requires ssh(1) to be setuid root.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'RSAAuthentication', { 'description' => 'Specifies whether to try RSA authentication. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. Note that this option applies to protocol version 1 only.', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean' }, 'SendEnv', { 'cargo' => { 'type' => 'leaf', 'value_type' => 'uniline' }, 'description' => 'Specifies what variables from the local environ(7) should be sent to the server. Note that environment passing is only supported for protocol 2. The server must also support it, and the server must be configured to accept these environment variables. Refer to AcceptEnv in sshd_config(5) for how to configure the server. Variables are specified by name, which may contain wildcard char acters. Multiple environment variables may be separated by whitespace or spread across multiple SendEnv directives. The default is not to send any environment variables. See PATTERNS in ssh_config(5) for more information on patterns.', 'type' => 'list' }, 'ServerAliveCountMax', { 'description' => 'Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. 
It is important to note that the use of server alive messages is very different from TCPKeepAlive. The server alive messages are sent through the encrypted channel and there fore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connec tion has become inactive. The default value is 3. If, for example, ServerAliveInterval is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. This option applies to protocol version 2 only; in protocol version 1 there is no mechanism to request a response from the server to the server alive messages, so disconnection is the responsibility of the TCP stack.', 'type' => 'leaf', 'upstream_default' => '3', 'value_type' => 'integer' }, 'ServerAliveInterval', { 'description' => 'Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server, or 300 if the BatchMode option is set. This option applies to protocol version 2 only. ProtocolKeepAlives and SetupTimeOut are Debian-specific compatibility aliases for this option.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'integer', 'warp' => { 'follow' => { 'batch_mode' => '?BatchMode' }, 'rules' => [ '$batch_mode eq \'1\'', { 'upstream_default' => '300' } ] } }, 'SmartcardDevice', { 'description' => 'Specifies which smartcard device to use. The argument to this keyword is the device ssh(1) should use to communicate with a smartcard used for storing the user\'s private RSA key. 
By default, no device is specified and smartcard support is not activated.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'StrictHostKeyChecking', { 'choice' => [ 'yes', 'no', 'ask' ], 'description' => 'If this flag is set to "yes", ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, though it can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to "no", ssh will automatically add new host keys to the user known hosts files. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be "yes", "no", or "ask". The default is "ask".', 'type' => 'leaf', 'upstream_default' => 'ask', 'value_type' => 'enum' }, 'TCPKeepAlive', { 'description' => 'Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. This option only uses TCP keepalives (as opposed to using ssh level keepalives), so takes a long time to notice when the connection dies. As such, you probably want the ServerAliveInterval option as well. However, this means that connections will die if the route is down temporarily, and some people find it annoying. The default is "yes" (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too. 
To disable TCP keepalive messages, the value should be set to "no".', 'type' => 'leaf', 'upstream_default' => '1', 'value_type' => 'boolean' }, 'Tunnel', { 'choice' => [ 'yes', 'point-to-point', 'ethernet', 'no' ], 'description' => 'Request tun(4) device forwarding between the client and the server. The argument must be "yes", "point-to-point" (layer 3), "ethernet" (layer 2), or "no". Specifying "yes" requests the default tunnel mode, which is "point-to-point". The default is "no".', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'TunnelDevice', { 'description' => 'Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun). The argument must be local_tun[:remote_tun]. The devices may be specified by numerical ID or the keyword "any", which uses the next available tunnel device. If remote_tun is not specified, it defaults to "any". The default is "any:any".', 'type' => 'leaf', 'upstream_default' => 'any:any', 'value_type' => 'uniline' }, 'UseBlacklistedKeys', { 'description' => 'Specifies whether ssh(1) should use keys recorded in its blacklist of known-compromised keys (see ssh-vulnkey(1)) for authentication. If "yes", then attempts to use compromised keys for authentication will be logged but accepted. It is strongly recommended that this be used only to install new authorized keys on the remote system, and even then only with the utmost care. If "no", then attempts to use compromised keys for authentication will be prevented. The default is "no".', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'UsePrivilegedPort', { 'description' => 'Specifies whether to use a privileged port for outgoing connections. The argument must be "yes" or "no". The default is "no". If set to "yes", ssh(1) must be setuid root. 
Note that this option must be set to "yes" for RhostsRSAAuthentication with older servers.', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'User', { 'description' => 'Specifies the user to log in as. This can be useful when a dif ferent user name is used on different machines. This saves the trouble of having to remember to give the user name on the command line.', 'level' => 'important', 'type' => 'leaf', 'value_type' => 'uniline' }, 'UserKnownHostsFile', { 'description' => 'Specifies a file to use for the user host key database instead of ~/.ssh/known_hosts.', 'type' => 'leaf', 'value_type' => 'uniline' }, 'VerifyHostKeyDNS', { 'choice' => [ 'yes', 'no', 'ask' ], 'description' => 'Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to "yes", the client will implicitly trust keys that match a secure fingerprint from DNS. Insecure fingerprints will be handled as if this option was set to "ask". If this option is set to "ask", information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. The argument must be "yes", "no", or "ask". The default is "no". Note that this option applies to protocol version 2 only. See also VERIFYING HOST KEYS in ssh(1).', 'type' => 'leaf', 'upstream_default' => 'no', 'value_type' => 'enum' }, 'VisualHostKey', { 'description' => 'If this flag is set to "yes", an ASCII art representation of the remote host key fingerprint is printed additionally to the hex fingerprint string. If this flag is set to "no", only the hex fingerprint string will be printed. The default is "no".', 'type' => 'leaf', 'upstream_default' => '0', 'value_type' => 'boolean' }, 'XAuthLocation', { 'description' => 'Specifies the full pathname of the xauth(1) program. 
The default is /usr/bin/X11/xauth.', 'type' => 'leaf', 'upstream_default' => '/usr/X11R6/bin/xauth', 'value_type' => 'uniline' }, 'UseRsh', { 'description' => 'This parameter is now ignored by Ssh', 'status' => 'deprecated', 'type' => 'leaf', 'value_type' => 'uniline' }, 'FallBackToRsh', { 'description' => 'This parameter is now ignored by Ssh', 'status' => 'deprecated', 'type' => 'leaf', 'value_type' => 'uniline' } ], 'license' => 'LGPL2', 'name' => 'Ssh::HostElement' } ] ; Config-Model-OpenSsh-1.238/lib/Config/Model/models/Ssh/PortForward.pl0000644000175000017500000000402613166471154023664 0ustar domidomi# # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. # # This is free software, licensed under: # # The GNU Lesser General Public License, Version 2.1, February 1999 # [ { 'author' => [ 'Dominique Dumont' ], 'class_description' => 'Configuration class that represents the parameters required to specify port forwarding in a ssh configuration.', 'copyright' => [ '2009-2011 Dominique Dumont' ], 'element' => [ 'ipv6', { 'description' => 'Specify if the forward is specified iwth IPv6 or IPv4', 'type' => 'leaf', 'value_type' => 'boolean' }, 'bind_address', { 'description' => 'Specify the address that the port will listen to. By default, only connections coming from localhost (127.0.0.1) will be forwarded. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of \'localhost\' indicates that the listening port be bound for local use only, while an empty address or \'*\' indicates that the port should be available from all interfaces.', 'summary' => 'bind address to listen to', 'type' => 'leaf', 'value_type' => 'uniline' }, 'port', { 'description' => 'Listening port. 
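Connection made to this port will be forwarded to the other side of the tunnel.', 'mandatory' => '1', 'type' => 'leaf', 'value_type' => 'uniline' }, 'host', { 'mandatory' => '1', 'summary' => 'host name or address', 'type' => 'leaf', 'value_type' => 'uniline' }, 'hostport', { 'description' => 'Port number to connect the tunnel to.', 'mandatory' => '1', 'summary' => 'destination port', 'type' => 'leaf', 'value_type' => 'uniline' } ], 'license' => 'LGPL2', 'name' => 'Ssh::PortForward' } ] ;
Config-Model-OpenSsh-1.238/lib/Config/Model/Backend/0000755000175000017500000000000013166471154020363 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/Backend/OpenSsh.pm0000644000175000017500000001575513166471154022305 0ustar domidomi#
# This file is part of Config-Model-OpenSsh
#
# This software is Copyright (c) 2008-2014 by Dominique Dumont.
#
# This is free software, licensed under:
#
#   The GNU Lesser General Public License, Version 2.1, February 1999
#
package Config::Model::Backend::OpenSsh ;
$Config::Model::Backend::OpenSsh::VERSION = '1.238';

use 5.10.1;
use Config::Model 2.050;
use Mouse ;
extends "Config::Model::Backend::Any" ;

# Node that receives the parameters currently being read. read() resets it
# to the configuration root; host() / match() in the subclasses move it into
# a Host or Match block.
has 'current_node' => (
    is       => 'rw',
    isa      => 'Config::Model::Node',
    weak_ref => 1
) ;

use Carp ;
use IO::File ;
use Log::Log4perl 1.11;
use File::Copy ;
use File::Path ;

my $logger = Log::Log4perl::get_logger("Backend::OpenSsh");

# Keyword dispatch table: (regexp => method name) pairs, tried in order.
# The last entry is a catch-all, so any keyword with a word character
# ends up in assign() unless an earlier, more specific entry matched and
# the subclass implements the named method (see read()).
my @dispatch = (
    qr/match/i                 => 'match',
    qr/host\b/i                => 'host',
    qr/(local|remote)forward/i => 'forward',
    qr/localcommand/i          => 'assign',
    qr/\w/                     => 'assign',
);

sub suffix {return '';}

# Read an OpenSSH configuration file (ssh_config or sshd_config syntax)
# and load it into the configuration tree.
#
# Named parameters:
#   object    - configuration root node (required)
#   io_handle - handle opened on the file; nothing is read when undefined
#   file_path - used for log messages only
#   check     - passed as-is to the keyword handlers (assign() dies on an
#               unknown keyword when it is 'yes')
#
# Returns 0 when no io_handle was given, 1 otherwise.
sub read {
    my $self = shift ;
    my %args = @_ ;

    my $config_root = $args{object}
        || croak __PACKAGE__," read_ssh_file: undefined config root object";

    $logger->info("loading config file ".$args{file_path});

    my $fh = $args{io_handle} ;
    if (not defined $fh) {
        $logger->warn("cannot read $args{file_path}");
        return 0;
    }

    my @lines = $fh->getlines ;

    # try to get global comments (comments before a blank line)
    $self->read_global_comments(\@lines,'#') ;

    # need to reset this when reading user ssh file after system ssh file
    $self->current_node($config_root) ;

    my @assoc = $self->associates_comments_with_data( \@lines, '#' ) ;
    foreach my $item (@assoc) {
        my ( $vdata, $comment ) = @$item;
        my ( $k, @v ) = split /\s+/, $vdata;

        # first (regexp, method) pair whose regexp matches the keyword and
        # whose method exists in this class wins
        my $handled = 0;
      DISPATCH:
        for ( my $i = 0 ; $i < @dispatch ; $i += 2 ) {
            my ( $regexp, $sub ) = @dispatch[ $i, $i + 1 ];
            next DISPATCH unless $k =~ $regexp and $self->can($sub);
            $logger->trace("read_ssh_file: dispatch calls $sub");
            $self->$sub( $config_root, $k, \@v, $comment, $args{check} );
            $handled = 1;
            last DISPATCH;
        }
        warn __PACKAGE__, " unknown keyword: $k" unless $handled;
    }

    $fh->close;
    return 1;
}

# Write the configuration tree back in OpenSSH syntax.
#
# Named parameters:
#   object    - configuration root node (required)
#   io_handle - handle opened for writing (required)
#   file_path - used for log messages only
#   ssh_mode  - fetch mode handed to write_node_content() (Ssh backend
#               passes 'custom')
#
# Returns 1.
sub ssh_write {
    my $self = shift ;
    my %args = @_ ;

    my $config_root = $args{object}
        || croak __PACKAGE__," ssh_write: undefined config root object";

    $logger->info("writing config file $args{file_path}");

    my $ioh = $args{io_handle}
        || croak __PACKAGE__," ssh_write: undefined io_handle";

    $self->write_global_comment($ioh,'#') ;

    my $result = $self->write_node_content($config_root,$args{ssh_mode});
    $ioh->print ($result);
    return 1;
}

# Store one "Keyword value..." line in the current node.
#
# $raw_key  - keyword as found in the file (matched case-insensitively)
# $arg      - array ref of the remaining whitespace-separated tokens
# $comment  - comment attached to the line, stored as annotation
# $check    - when 'yes', an unknown keyword is fatal; otherwise the line
#             is dropped with a message on STDOUT
sub assign {
    my ($self,$root, $raw_key,$arg,$comment, $check) = @_ ;
    $logger->debug("assign: $raw_key @$arg # " . ($comment // ''));

    # keys are case insensitive, try to find a match
    my $key = $self->current_node->find_element ($raw_key, case => 'any') ;

    if (not defined $key) {
        # $check is undefined when the caller did not ask for checks;
        # treat that like any value other than 'yes'
        if (defined $check and $check eq 'yes') {
            # drop if -force is not set
            die "Error: unknown parameter: '$raw_key'. 
Use -force option to drop this parameter\n";
        }
        else {
            say "Dropping parameter '$raw_key'" ;
        }
        return;
    }

    my $elt = $self->current_node->fetch_element($key) ;
    my $type = $elt->get_type;

    # hash elements get the annotation on the stored value instead
    $elt->annotation($comment) if $comment and $type ne 'hash';

    if ($type eq 'leaf') {
        $elt->store( join(' ',@$arg) ) ;
    }
    elsif ($type eq 'list') {
        $elt->push ( @$arg ) ;
    }
    elsif ($type eq 'hash') {
        # first token is the key, second the value (undef when missing)
        my $hv = $elt->fetch_with_id($arg->[0]);
        $hv->store( $arg->[1] );
        $hv->annotation($comment) if $comment;
    }
    elsif ($type eq 'check_list') {
        my @check = split /,/,$arg->[0] ;
        $elt->set_checked_list (@check) ;
    }
    else {
        die "OpenSsh::assign did not expect $type for $key\n";
    }
}

# Format one "Keyword value" line (keyword padded to 20 columns) preceded
# by $note as a '#' comment. Returns '' when $v is undefined or empty.
sub write_line {
    my ($self, $k, $v, $note) = @_ ;
    return '' unless defined $v and length($v) ;
    return $self->write_data_and_comments( undef, '#',sprintf("%-20s %s",$k,$v),$note) ;
}

# Write a list element as one line per item, each with its own annotation.
sub write_list {
    my ($self,$name,$mode,$elt) = @_;
    my @r = map { $self->write_line($name,$_->fetch($mode), $_->annotation) ;} $elt->fetch_all() ;
    return join('',@r) ;
}

# Write a list element as a single line with space-separated items.
sub write_list_in_one_line {
    my ($self,$name,$mode,$elt) = @_;
    my @v = $elt->fetch_all_values(mode => $mode) ;
    return $self->write_line($name,join(' ',@v)) ;
}

# list there list element that must be written on one line with items
# separated by a white space
my %list_as_one_line = (
    'AuthorizedKeysFile' => 1 ,
) ;

# Serialize every defined element of $node. Match and Host blocks are
# collected separately and appended after the plain parameters, so they
# do not swallow parameters that follow them in the model.
#
# $mode - fetch mode ('' or 'custom'); the Ssh backend uses 'custom' so
#         that values copied from the system file are not written back
sub write_node_content {
    my $self = shift ;
    my $node = shift ;
    my $mode = shift || '';

    my $result = '' ;
    my $match  = '' ;

    foreach my $name ($node->get_element_name() ) {
        next unless $node->is_element_defined($name) ;
        my $elt  = $node->fetch_element($name) ;
        my $type = $elt->get_type;
        my $note = $elt->annotation ;

        if ($name eq 'Match') {
            $match .= $self->write_all_match_block($elt,$mode) ;
        }
        elsif ($name eq 'Host') {
            $match .= $self->write_all_host_block($elt,$mode) ;
        }
        elsif ($name =~ /^(Local|Remote)Forward$/) {
            foreach my $fwd ($elt->fetch_all()) {
                $result .= $self->write_forward($fwd,$mode) ;
            }
        }
        elsif ($type eq 'leaf') {
            my $v = $elt->fetch($mode) ;
            # booleans are stored as 0/1 but OpenSSH expects yes/no
            if (defined $v and $elt->value_type eq 'boolean') {
                $v = $v == 1 ? 'yes':'no' ;
            }
            $result .= $self->write_line($name,$v,$note);
        }
        elsif ($type eq 'check_list') {
            my $v = $elt->fetch($mode) ;
            $result .= $self->write_line($name,$v,$note);
        }
        elsif ($type eq 'list') {
            # the list annotation is written once, before the items
            $result .= $self->write_data_and_comments(undef,'#', undef, $note) ;
            $result .= $list_as_one_line{$name}
                     ? $self->write_list_in_one_line($name,$mode,$elt)
                     : $self->write_list($name,$mode,$elt) ;
        }
        elsif ($type eq 'hash') {
            foreach my $k ( $elt->fetch_all_indexes ) {
                my $o = $elt->fetch_with_id($k);
                my $v = $o->fetch($mode) ;
                $result .= $self->write_line($name,"$k $v", $o->annotation) ;
            }
        }
        else {
            die "OpenSsh::write did not expect $type for $name\n";
        }
    }

    return $result.$match ;
}

no Mouse;
1;

# ABSTRACT: Common backend methods for Ssh and Sshd backends

__END__

=pod

=encoding UTF-8

=head1 NAME

Config::Model::Backend::OpenSsh - Common backend methods for Ssh and Sshd backends

=head1 VERSION

version 1.238

=head1 SYNOPSIS

None. Inherited by L and L.

=head1 DESCRIPTION

Methods used by both L and L.

=head1 SEE ALSO

L, L, L

=head1 AUTHOR

Dominique Dumont

=head1 COPYRIGHT AND LICENSE

This software is Copyright (c) 2008-2014 by Dominique Dumont.

This is free software, licensed under:

  The GNU Lesser General Public License, Version 2.1, February 1999

=cut
Config-Model-OpenSsh-1.238/lib/Config/Model/Backend/OpenSsh/0000755000175000017500000000000013166471154021742 5ustar domidomiConfig-Model-OpenSsh-1.238/lib/Config/Model/Backend/OpenSsh/Sshd.pm0000644000175000017500000001221113166471154023176 0ustar domidomi#
# This file is part of Config-Model-OpenSsh
#
# This software is Copyright (c) 2008-2014 by Dominique Dumont.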
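#
# This is free software, licensed under:
#
#   The GNU Lesser General Public License, Version 2.1, February 1999
#
package Config::Model::Backend::OpenSsh::Sshd ;
$Config::Model::Backend::OpenSsh::Sshd::VERSION = '1.238';

use Mouse ;
extends "Config::Model::Backend::OpenSsh" ;

use Carp ;
use IO::File ;
use Log::Log4perl;
use File::Copy ;
use File::Path ;

my $logger = Log::Log4perl::get_logger("Backend::OpenSsh");

# NOTE: the parent dispatch table calls 'host' and 'forward' and checks
# $self->can(...) first. The underscore-prefixed variants below are thus
# never reached from read(): a Host or *Forward keyword in sshd_config
# falls through to assign(), which rejects it as an unknown parameter.

# Move current_node into the Host block matching @$patterns.
sub _host {
    my ($self,$root,$patterns,$comment) = @_;
    $logger->debug("host: pattern @$patterns # " . ($comment // ''));
    my $hash_obj = $root->fetch_element('Host');

    $logger->info("ssh: load host patterns '".join("','", @$patterns)."'");

    # Mouse accessors are not lvalues; assigning to $self->current_node
    # would die with "Can't modify non-lvalue subroutine call"
    $self->current_node( $hash_obj->fetch_with_id("@$patterns") );
}

# Load a LocalForward/RemoteForward line. $args holds
# "[bind_address:]port" and "host:hostport" ('/' separators and square
# brackets for IPv6).
sub _forward {
    my ($self,$root,$key,$args,$comment) = @_;
    $logger->debug("forward: $key @$args # " . ($comment // ''));
    $self->current_node($root) unless defined $self->current_node ;

    # index of the new forward in the list
    my $size = $self->current_node->fetch_element($key)->fetch_size;

    $logger->info("ssh: load $key '".join("','", @$args)."'");

    # '/' or square brackets in the destination mean IPv6 notation
    my $v6 = ($args->[1] =~ m![/\[\]]!) ? 1 : 0;

    # cleanup possible square brackets used for IPv6
    foreach (@$args) {s/[\[\]]+//g;}

    # reverse enable to assign string to port even if no bind_adress
    # is specified
    my $re = $v6 ? qr!/! : qr!:! ;
    my ($port,$bind_adr ) = reverse split $re,$args->[0] ;
    my ($host,$host_port) = split $re,$args->[1] ;

    my $load_str = '';
    $load_str .= "GatewayPorts=1 " if $bind_adr ;

    $load_str .= "$key:$size ";
    $load_str .= 'ipv6=1 ' if $v6 ;
    $load_str .= "bind_address=$bind_adr " if defined $bind_adr ;
    $load_str .= "port=$port host=$host hostport=$host_port";

    $self->current_node -> load($load_str) ;
}

# Create a new Match block from "Match criteria pattern [criteria pattern...]"
# and make its Settings node the current node, so that following lines
# are stored inside the block.
sub match {
    my ($self,$root, $key, $pairs,$comment) = @_ ;
    $logger->debug("match: @$pairs # " . ($comment // ''));
    my $list_obj = $root->fetch_element('Match');

    # create new match block
    my $nb_of_elt = $list_obj->fetch_size;
    my $block_obj = $list_obj->fetch_with_id($nb_of_elt) ;
    $block_obj->annotation($comment) ;

    while (@$pairs) {
        my $criteria = shift @$pairs;
        my $pattern  = shift @$pairs;
        if (not defined $pattern) {
            $logger->warn("match: criteria '$criteria' has no pattern, ignored");
            last;
        }
        # the pattern is embedded in a double-quoted Config::Model load
        # string: escape quotes so a value taken from the file cannot end
        # the quoted value early and be parsed as further load commands
        (my $quoted = $pattern) =~ s/"/\\"/g;
        $block_obj->load(qq!Condition $criteria="$quoted"!);
    }

    $self->current_node( $block_obj->fetch_element('Settings') );
}

# now the write part

# Write sshd_config; see ssh_write() in the parent class for parameters.
sub write {
    my $self = shift;
    $self->ssh_write(@_) ;
}

# Keyword padded to 20 columns, then value. Not used by this class;
# kept for compatibility.
sub _write_line {
    return sprintf("%-20s %s\n",@_) ;
}

# Serialize every Match block of the list element $match_elt.
sub write_all_match_block {
    my $self = shift ;
    my $match_elt = shift ;
    my $mode = shift || '';

    my $result = '';
    foreach my $elt ($match_elt->fetch_all($mode) ) {
        $result .= $self->write_match_block($elt,$mode) ;
    }

    return $result ;
}

# Serialize one Match block: the "Match ..." line built from Condition,
# followed by the block Settings, followed by a blank line.
sub write_match_block {
    my $self = shift ;
    my $match_elt = shift ;
    my $mode = shift || '';

    my $match_line = '';
    my $match_body = '';

    foreach my $name ($match_elt->get_element_name() ) {
        my $elt = $match_elt->fetch_element($name) ;

        if ($name eq 'Settings') {
            $match_body .= $self->write_node_content($elt,$mode)."\n" ;
        }
        elsif ($name eq 'Condition') {
            $match_line = $self->write_line(
                Match => $self->write_match_condition($elt,$mode) ,
                $match_elt -> annotation
            ) ;
        }
        else {
            die "write_match_block: unexpected element: $name";
        }
    }

    return $match_line.$match_body ;
}

# Build " criteria value ..." from the defined elements of a Condition node.
sub write_match_condition {
    my $self = shift ;
    my $cond_elt = shift ;
    my $mode = shift || '';

    my $result = '' ;

    foreach my $name ($cond_elt->get_element_name() ) {
        my $elt = $cond_elt->fetch_element($name) ;
        my $v   = $elt->fetch($mode) ;
        $result .= " $name $v" if defined $v;
    }

    return $result ;
}

no Mouse;
1;

# ABSTRACT: Backend for sshd configuration files

__END__

=pod

=encoding UTF-8

=head1 NAME

Config::Model::Backend::OpenSsh::Sshd - Backend for sshd configuration files

=head1 VERSION

version 1.238

=head1 SYNOPSIS

None

=head1 DESCRIPTION

This class provides a backend to read and write sshd configuration files.

=head1 STOP

The documentation below provides details on the reader and writer of OpenSsh configuration files. These details are not needed for the basic usages explained in L.

=head1 Methods

These read/write functions are part of C read/write backend. They are declared in sshd configuration model and are called back when needed to read the configuration file and write it back.

=head2 read (object => , config_dir => ...)

Read F in C and load the data in the C configuration tree.

=head2 write (object => , config_dir => ...)

Write F in C from the data stored in C configuration tree.

=head1 SEE ALSO

L, L,

=head1 AUTHOR

Dominique Dumont

=head1 COPYRIGHT AND LICENSE

This software is Copyright (c) 2008-2014 by Dominique Dumont.

This is free software, licensed under:

  The GNU Lesser General Public License, Version 2.1, February 1999

=cut
Config-Model-OpenSsh-1.238/lib/Config/Model/Backend/OpenSsh/Ssh.pm0000644000175000017500000001163613166471154023044 0ustar domidomi#
# This file is part of Config-Model-OpenSsh
#
# This software is Copyright (c) 2008-2014 by Dominique Dumont.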
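#
# This is free software, licensed under:
#
#   The GNU Lesser General Public License, Version 2.1, February 1999
#
package Config::Model::Backend::OpenSsh::Ssh ;
$Config::Model::Backend::OpenSsh::Ssh::VERSION = '1.238';

use Mouse ;
use 5.10.1;
extends "Config::Model::Backend::OpenSsh" ;

use Carp ;
use IO::File ;
use Log::Log4perl;
use File::Copy ;
use File::Path ;
use File::HomeDir ;

my $logger = Log::Log4perl::get_logger("Backend::OpenSsh");

# Write ssh_config. Values are fetched in 'custom' mode so that data
# preset from the system file is not duplicated in the user file.
sub write {
    my $self = shift;
    $self->ssh_write(@_, ssh_mode => 'custom') ;
}

# Handle a "Host pattern..." line: create/fetch the Host block keyed by
# the space-joined patterns and make it the current node.
sub host {
    my ($self,$root,$key, $patterns,$comment) = @_;
    $logger->debug("host: pattern @$patterns # " . ($comment // ''));
    my $hash_obj = $root->fetch_element('Host');

    $logger->info("ssh: load host patterns '".join("','", @$patterns)."'");

    my $hv = $hash_obj->fetch_with_id("@$patterns") ;
    $hv -> annotation($comment) if $comment ;
    $self->current_node($hv);
}

# Load a LocalForward/RemoteForward line. $args holds
# "[bind_address:]port" and "host:hostport" ('/' separators and square
# brackets for IPv6). The line comment is attached to the new list item.
sub forward {
    my ($self,$root,$key,$args,$comment) = @_;
    $logger->debug("forward: $key @$args # " . ($comment // ''));

    # Mouse accessors are not lvalues; the former "$self->current_node = $root"
    # would die with "Can't modify non-lvalue subroutine call" when reached
    $self->current_node($root) unless defined $self->current_node ;

    # index of the new forward in the list
    my $size = $self->current_node->fetch_element($key)->fetch_size;

    # '/' or square brackets in the destination mean IPv6 notation
    my $v6 = ($args->[1] =~ m![/\[\]]!) ? 1 : 0;

    $logger->info("ssh: load $key '".join("','", @$args)."' ". ( $v6 ? 'IPv6' : 'IPv4'));

    # cleanup possible square brackets used for IPv6
    foreach (@$args) {s/[\[\]]+//g;}

    # reverse enable to assign string to port even if no bind_adress
    # is specified
    my $re = $v6 ? qr!/! : qr!:! ;
    my ($port,$bind_adr ) = reverse split $re,$args->[0] ;
    my ($host,$host_port) = split $re,$args->[1] ;

    my $load_str = '';
    $load_str .= "GatewayPorts=1 " if $bind_adr ;

    # the comment becomes a quoted annotation in the load string, so
    # embedded quotes must be escaped
    my $note = $comment || '' ;
    $note =~ s/"/\\"/g;
    $note = qq!#"$note"! if $note ;

    $load_str .= "$key:$size$note ";
    $load_str .= 'ipv6=1 ' if $v6 ;
    $load_str .= "bind_address=$bind_adr " if defined $bind_adr ;
    $load_str .= "port=$port host=$host hostport=$host_port";

    $logger->debug("load string $load_str") ;

    $self->current_node -> load($load_str) ;
}

# Serialize every Host block. $mode is accepted for interface symmetry but
# block content is always fetched in 'custom' mode (see comment below).
sub write_all_host_block {
    my $self = shift ;
    my $host_elt = shift ;
    my $mode = shift || '';

    my $result = '' ;

    foreach my $pattern ( $host_elt->fetch_all_indexes) {
        my $block_elt = $host_elt->fetch_with_id($pattern) ;
        $logger->debug("write_all_host_block on ".$block_elt->location." mode $mode");
        my $block_data = $self->write_node_content($block_elt,'custom') ;

        # write data only if custom pattern or custom data is found this
        # is necessary to avoid writing data from /etc/ssh/ssh_config that
        # were entered as 'preset' data
        if ($block_data) {
            $result .= $self->write_line(Host => $pattern, $block_elt->annotation);
            $result .= "$block_data\n" ;
        }
    }

    return $result ;
}

# Serialize one forward node as "[bind_address:]port host:hostport"
# (with '/' instead of ':' when ipv6 is set). Relies on the model element
# order bind_address, port, host, hostport; empty values are skipped.
sub write_forward {
    my $self = shift ;
    my $forward_elt = shift ;
    my $mode = shift || '';

    my $result = '' ;

    my $v6  = $forward_elt->grab_value('ipv6') ;
    my $sep = $v6 ? '/' : ':';

    my $line = '';
    foreach my $name ($forward_elt->get_element_name() ) {
        next if $name eq 'ipv6' ;
        my $elt = $forward_elt->fetch_element($name) ;
        my $v   = $elt->fetch($mode) ;
        next unless length($v);
        # bind_address and host are followed by the separator, port by a
        # space, hostport by nothing
        $line .= $name =~ /bind|host$/ ? "$v$sep"
               : $name eq 'port'       ? "$v "
               :                         $v ;
    }

    return $self->write_line($forward_elt->element_name,$line,$forward_elt->annotation) ;
}

no Mouse;
1;

# ABSTRACT: Backend for ssh configuration files

__END__

=pod

=encoding UTF-8

=head1 NAME

Config::Model::Backend::OpenSsh::Ssh - Backend for ssh configuration files

=head1 VERSION

version 1.238

=head1 SYNOPSIS

None

=head1 DESCRIPTION

This class provides a backend to read and write ssh client configuration files.

=head1 STOP

The documentation below provides details on the reader and writer of OpenSsh configuration files. These details are not needed for the basic usages explained in L.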
=head1 Methods These read/write functions are part of C read/write backend. They are declared in Ssh configuration model and are called back when needed to read the configuration file and write it back. =head2 read (object => , config_dir => ...) Read F in C and load the data in the C configuration tree. =head2 write (object => , config_dir => ...) Write F in C from the data stored in C configuration tree. =head1 SEE ALSO L, L, L =head1 AUTHOR Dominique Dumont =head1 COPYRIGHT AND LICENSE This software is Copyright (c) 2008-2014 by Dominique Dumont. This is free software, licensed under: The GNU Lesser General Public License, Version 2.1, February 1999 =cut Config-Model-OpenSsh-1.238/README.pod0000644000175000017500000000611513166471154015465 0ustar domidomi=begin html =end html =head1 Config::Model::OpenSsh - OpenSSH graphical configuration editor This module provides a graphical configuration editor for: =over =item C =item C =item C<~/.ssh/config> =back =head1 Installation =head2 Debian or Ubuntu As root,type: sudo apt install cme libconfig-model-openssh-perl To get the GUI, you should also do: sudo apt install libconfig-model-tkui-perl =head2 On Mac or Windows The easiest way is to: =over =item * install Perl from L, =item * Run PPM =item * Select and install C, C and C =back =head2 Other You can also install these modules from CPAN: cpanm App::Cme cpanm Config::Model::OpenSsh cpanm Config::Model::TkUI =head1 Usage Once this module is installed, you can launch a GUI to edit C with: $ sudo cme edit sshd If L fails to load your C, you can try L with C<-force> option. Likewise, you can edit your C<~/.ssh/config> file with: $ cme edit ssh Or to edit C, run as root: $ sudo cme edit system-ssh More details are given in L wiki page. =head1 Build from git repository See L. =head1 More information For more information, see: =over =item * L wiki page =item * L wiki page =item * L =item * L =back =head1 Installation from git L is built with L. 
Please follow the L to install all modules related to L. Then, make sure that L is installed. On debian or ubuntu, do: sudo apt-get build-dep libconfig-model-openssh-perl Then run: dzil build If you want to install this software without packaging, you can also run: dzil install =head1 Update OpenSSH model To update the model, the easiest way is to use the following command in the git repo: $ cme meta edit This command requires L. On debian or ubuntu, do: sudo apt install libconfig-model-itself-perl Then you can explore the configuration elements in the GUI. For more information on model update, see this L Config-Model-OpenSsh-1.238/META.json0000644000175000017500000000367113166471154015451 0ustar domidomi{ "abstract" : "OpenSSH config editor", "author" : [ "Dominique Dumont" ], "dynamic_config" : 0, "generated_by" : "Dist::Zilla version 6.010, CPAN::Meta::Converter version 2.150010", "license" : [ "lgpl_2_1" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", "version" : "2" }, "name" : "Config-Model-OpenSsh", "prereqs" : { "build" : { "requires" : { "Module::Build" : "0.34" } }, "configure" : { "requires" : { "Module::Build" : "0.34" } }, "runtime" : { "recommends" : { "Config::Model::CursesUI" : "0", "Config::Model::TkUI" : "0" }, "requires" : { "Carp" : "0", "Config::Model" : "2.111", "Config::Model::Backend::Any" : "0", "File::Copy" : "0", "File::HomeDir" : "0", "File::Path" : "0", "IO::File" : "0", "Log::Log4perl" : "1.11", "Mouse" : "0", "perl" : "5.010" } }, "test" : { "requires" : { "Config::Model::BackendMgr" : "0", "Config::Model::Tester" : "2.042", "English" : "0", "Test::Differences" : "0", "Test::More" : "0", "Test::Warn" : "0" } } }, "release_status" : "stable", "resources" : { "bugtracker" : { "mailto" : "ddumont at cpan.org", "web" : "https://github.com/dod38fr/config-model-openssh/issues" }, "homepage" : "https://github.com/dod38fr/config-model/wiki", "repository" : { "type" : "git", "url" : 
"git://github.com/dod38fr/config-model-openssh.git", "web" : "http://github.com/dod38fr/config-model-openssh.git" } }, "version" : "1.238", "x_serialization_backend" : "JSON::XS version 3.04" } Config-Model-OpenSsh-1.238/MANIFEST.SKIP0000644000175000017500000000016113166471154015715 0ustar domidomidebian/ ~$ \.ptkdb$ \.old$ dist.ini libconfig _build \.orig$ ^MYMETA.yml$ blib wr_root wr_test demo/lib demo/etc Config-Model-OpenSsh-1.238/META.yml0000644000175000017500000000206213166471154015272 0ustar domidomi--- abstract: 'OpenSSH config editor' author: - 'Dominique Dumont' build_requires: Config::Model::BackendMgr: '0' Config::Model::Tester: '2.042' English: '0' Module::Build: '0.34' Test::Differences: '0' Test::More: '0' Test::Warn: '0' configure_requires: Module::Build: '0.34' dynamic_config: 0 generated_by: 'Dist::Zilla version 6.010, CPAN::Meta::Converter version 2.150010' license: lgpl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html version: '1.4' name: Config-Model-OpenSsh recommends: Config::Model::CursesUI: '0' Config::Model::TkUI: '0' requires: Carp: '0' Config::Model: '2.111' Config::Model::Backend::Any: '0' File::Copy: '0' File::HomeDir: '0' File::Path: '0' IO::File: '0' Log::Log4perl: '1.11' Mouse: '0' perl: '5.010' resources: bugtracker: https://github.com/dod38fr/config-model-openssh/issues homepage: https://github.com/dod38fr/config-model/wiki repository: git://github.com/dod38fr/config-model-openssh.git version: '1.238' x_serialization_backend: 'YAML::Tiny version 1.70' Config-Model-OpenSsh-1.238/demo/0000755000175000017500000000000013166471154014745 5ustar domidomiConfig-Model-OpenSsh-1.238/demo/maintainer-demo.pl0000644000175000017500000000734713166471154020366 0ustar domidomi#!/usr/bin/perl # # This file is part of Config-Model-OpenSsh # # This software is Copyright (c) 2008-2014 by Dominique Dumont. 
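#
# This is free software, licensed under:
#
#   The GNU Lesser General Public License, Version 2.1, February 1999
#
use strict;
use warnings;
use lib '../lib' ;
use Text::Wrap ;
use File::Path qw(make_path remove_tree);

# Interactive demo of the Config::Model upgrade feature, seen from the
# maintainer's side. Runs cme/config-model-edit against a throw-away
# etc/ and lib/ tree created in the current directory.

# Ask before the next step: 'q' exits, 'n' skips, anything else goes on.
sub go_on {
    print "continue (Y/n/q)?";
    my $ans = <STDIN> // '';   # undef on EOF
    exit if $ans =~ /^q/i;
    return if $ans =~ /^n/i ;
}

# Wait for the user to hit return.
sub done {
    print "Done.\nHit return to continue ... ";
    my $ans = <STDIN>;
    print "\n";
}

# Run $run through the shell after confirmation; print the command first
# when $show is true. $run is built from constants in this script and
# from directories found in @INC (shell redirections are needed by callers).
sub my_system {
    my $run  = shift ;
    my $show = shift || 0 ;
    print "Will run: $run\n" if $show ;
    go_on ;
    system($run) == 0 or warn "command failed ($?): $run\n";
    done() ;
    print "\n";
}

print wrap('','',
    "This program will provide a short demo of the configuration",
    "upgrade feature of Config::Model seen from user's point of view.\n"
);

remove_tree('etc','lib') ;
make_path('etc/ssh') ;

print "Creating dummy config file\n";
# three-arg open with a lexical handle; the old bareword two-arg open was
# unchecked
open my $conf, '>', 'etc/ssh/sshd_config'
    or die "cannot write etc/ssh/sshd_config: $!";
print {$conf} <<"EOC";
# dummy config made for demo
HostKey /etc/ssh/ssh_host_key
KeepAlive no
# another comment
IgnoreRhosts no
EOC
close $conf or die "cannot close etc/ssh/sshd_config: $!";

my $pid = fork ;
if (not $pid) {
    # child
    die "Cannot fork: $!" unless defined $pid ;
    # list form: no shell involved
    exec 'xterm', '-e', 'watch', '-n', '1', 'cat', 'etc/ssh/sshd_config'
        or die "cannot exec xterm: $!";
}
print "Forked terminal with pid $pid\n";

# SIGKILL cannot be trapped, so a KILL handler never runs; close the
# terminal on the signals that can be caught instead
$SIG{INT} = $SIG{TERM} = sub { kill "QUIT",$pid ; exit 1 } ;

print "Copying ssh model\n\n\n";
make_path('lib/Config/Model/') ;

my $lib_path ;
foreach my $inc (@INC) {
    my $model_path = "$inc/Config/Model/models" ;
    if (-d "$model_path/Sshd") {
        print "Copying model from $model_path\n" ;
        # required to be able to modify the model for the demo.
        # list form so the @INC path is never parsed by a shell
        system('cp', '-r', $model_path, 'lib/Config/Model/') == 0
            or die "cannot copy $model_path: $?";
        $lib_path = $model_path ;
        last;
    }
}
die "Cannot find Sshd model in \@INC\n" unless defined $lib_path ;

my $showpostinst = "perl -I../lib -S cme migrate sshd" ;
my $postinst = $showpostinst
    . " -model_dir lib/Config/Model/models "
    . "-root_dir . ";

print "Upstream upgrade: KeepAlive is to be changed to TCPKeepAlive\n";
print "postinst will run: $showpostinst\n" ;
go_on ;
system($postinst) ;
print "\n";

print "Add distro policy: Debian dev patches OpenSsh model...\n";
my_system("perl -I../lib -S config-model-edit -model Sshd -save ".
          qq!class:Sshd element:PermitRootLogin default=no upstream_default~!, 1) ;
print "\n";

print "Add distro policy: show the diff...\n";
my_system("diff -Naur -b -B $lib_path lib/Config/Model/models") ;
print "\n";

print "Package upgrade: PermitRootLogin is updated\n";
go_on ;
system($postinst) ;
print "\n";

print "Add another distro policy: Patch model with reduced default cipher list...\n";
my_system("perl -I../lib -S config-model-edit -model Sshd -save ".
          qq!class:Sshd element:Ciphers !.
          qq!default_list=aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr!,1) ;
print "\n";

print "Package upgrade: Ciphers is added in config file\n";
go_on ;
system($postinst) ;
print "\n";

if (0) {
    # bug: -force does not work
    print "Big problem: aes-128-* are compromised. Need to help user remove these ciphers\n";
    print "Patch model to have a hard restriction on cipher list...\n";
    my_system("perl -I../lib -S config-model-edit -model Sshd -save ".
              'class:Sshd element:Ciphers '.
              'choice=arcfour256,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr '.
              'default_list=aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr',1) ;

    print "standard upgrade: Ciphers restriction leads to error\n";
    system($postinst) ;
    go_on ;

    print "Possibility to use -force to override\n";
    my_system("$postinst -force",1) ;
}

print "Usability for maintainers is not forgotten\n",
      "There's also a GUI to edit models\n";
my_system("perl -I../lib -S config-model-edit -model Sshd",1) ;

END {
    # $pid is undefined when the script died before the fork
    kill "QUIT",$pid if defined $pid ;
}
Config-Model-OpenSsh-1.238/demo/user-demo.pl0000644000175000017500000000757013166471154017203 0ustar domidomi#!/usr/bin/perl
#
# This file is part of Config-Model-OpenSsh
#
# This software is Copyright (c) 2008-2014 by Dominique Dumont.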
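#
# This is free software, licensed under:
#
#   The GNU Lesser General Public License, Version 2.1, February 1999
#
use feature ":5.10";
use strict;
use warnings;
use Text::Wrap;
use File::Path qw(make_path remove_tree);
use lib '../lib';

# Interactive walk-through of Config::Model's configuration upgrade feature
# as seen by a user: a throw-away sshd_config is written under ./etc, the
# installed Sshd model is copied under ./lib so the "maintainer's work" can
# be simulated, and each package upgrade is replayed with `cme migrate`.
# The FUSE and GUI front-ends are shown at the end.
#
# Everything happens relative to the current directory and starts by wiping
# ./etc and ./lib, so the script refuses to run outside the demo directory
# (which is also what `use lib '../lib'` assumes).

# Wait for the user.  "q" stops the demo; any other answer, "n" included,
# simply goes on.
sub go_on {
    print "continue (Y/n/q)?";
    my $ans = <STDIN> // '';    # EOF on stdin behaves like a plain return
    exit if $ans =~ /^q/i;
    return;
}

# Pause until the user hits return.
sub pause {
    print "Done.\nHit return to continue ... ";
    my $ans = <STDIN>;
    print "\n";
    return;
}

# Run a command line after asking for confirmation.
#
# $run  - command line, handed to the shell.  Every command line in this
#         script is a constant assembled here; $run never carries user input.
# $show - false: run without echoing the command; 1: print $run first; any
#         other string: the short, user-facing form of the command, printed
#         instead of $run (the long form carries the -I/-model_dir plumbing
#         that a user of the installed package would not type).
#
# A non-zero exit status is reported but does not abort the demo: the
# IgnoreRhosts=oui step is expected to be rejected.
sub my_system {
    my ($run, $show) = @_;
    $show ||= 0;
    if ($show) {
        my $label = $show eq '1' ? $run : $show;
        print "Will run: $label\n";
    }
    go_on;
    print '\/ ' x 15, "\n";
    system($run) == 0
        or print "Command exited with status ", $? >> 8, "\n";
    print '/\ ' x 15, "\n";
    pause;
    return;
}

# "etc" and "lib" are removed relative to the current directory: refuse to
# do that anywhere but in the demo directory.
die "Must be run in demo directory\n" unless -d "../lib";

print wrap('', '',
    "This program will provide a short demo of the configuration",
    "upgrade feature of Config::Model seen from user's point of view.\n");

remove_tree('etc', 'lib');
make_path('etc/ssh');

print "Creating dummy config file\n";
my $conf_file = 'etc/ssh/sshd_config';
open my $conf, '>', $conf_file or die "Cannot write $conf_file: $!\n";
print {$conf} <<"EOC";
# dummy config made for demo
HostKey /etc/ssh/ssh_host_key
KeepAlive no
# another comment
IgnoreRhosts no
EOC
close $conf or die "Cannot close $conf_file: $!\n";

# Show the config file live in a separate terminal while the demo runs.
my $pid = fork;
die "Cannot fork: $!" unless defined $pid;
if ($pid == 0) {
    # child: list form keeps the shell out of it; exec only returns on failure
    exec 'xterm', '-e', 'watch', '-n', '1', 'cat', $conf_file
        or die "Cannot exec xterm: $!\n";
}
print "Forked terminal with pid $pid\n";
# SIGKILL cannot be caught, so a $SIG{KILL} handler would never run.  Turn
# SIGINT/SIGTERM into a normal exit instead so that the END block below gets
# to unmount and close the terminal.
$SIG{INT} = $SIG{TERM} = sub { exit 1 };

print "Copying ssh model\n\n\n";
make_path('lib/Config/Model/');
foreach my $inc (@INC) {
    my $model_path = "$inc/Config/Model/models";
    next unless -d "$model_path/Sshd";
    print "Copying model from $model_path\n";
    # The demo patches the model, so work on a private copy.  List form
    # keeps the @INC entry (which may come from PERL5LIB) out of the shell.
    system('cp', '-r', $model_path, 'lib/Config/Model/') == 0
        or die "Cannot copy $model_path: $?\n";
    last;
}

my $postinst = "perl -I../lib -S cme migrate sshd -model-dir lib/Config/Model/models "
    . "-root-dir . ";

print "Upstream changelog: KeepAlive is changed to TCPKeepAlive\n";
print "User file is updated by package postinst...\n";
my_system($postinst);

print "Changing model to reflect maintainer's work. Please wait ...";
system("perl -I../lib -S config-model-edit -model Sshd -save "
        . qq!class:Sshd element:PermitRootLogin default=no upstream_default~!);
print "done\n\n";

print "Maintainer changelog: new policy, PermitRootLogin should be set to 'no'\n";
print "Package upgrade triggers same postinst script\n";
my_system($postinst);

print "Changing model to reflect maintainer's work. Please wait ...";
system("perl -I../lib -S config-model-edit -model Sshd -save "
        . qq!class:Sshd element:Ciphers !
        . qq!default_list=aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr!);
print "done\n\n";

print "Maintainer changelog: reduced default cipher list...\n";
print "Package upgrade: same postinst, Cipher list is added in config file\n";
my_system($postinst);

print "Even command line is safe for users: try to modify IgnoreRhosts with bad value\n";
my_system(
    "perl -I../lib -S cme modify sshd -model_dir lib/Config/Model/models "
        . "-root_dir . IgnoreRhosts=oui",
    'cme modify sshd IgnoreRhosts=oui'
);

my $fuse_dir = 'my_fuse';
say "If you prefer to use a virtual file system (script ?)";
if (not -d $fuse_dir) {
    mkdir $fuse_dir, 0755 or die "Cannot create $fuse_dir: $!\n";
}
my_system(
    "perl -I../lib -S cme fusefs sshd -model_dir lib/Config/Model/models "
        . "-root_dir . -fuse_dir $fuse_dir",
    "cme fusefs sshd -fuse_dir $fuse_dir"
);
my_system("ls --classify $fuse_dir", 1);
my_system(qq!echo "/etc/my_banner.txt" > $fuse_dir/Banner!, 1);
my_system("fusermount -u $fuse_dir", 1);

print "Beginners will probably prefer a GUI\n";
my_system(
    "perl -I../lib -S cme edit sshd -model_dir lib/Config/Model/models "
        . "-root_dir . ",
    'cme edit sshd'
);

# Cleanup on any exit path: unmount the FUSE directory if the demo got that
# far and close the watch terminal.  Both are guarded because END also runs
# on early deaths (before $fuse_dir is set) and in a child whose exec failed,
# where $pid is 0 and `kill "QUIT", 0` would signal the whole process group.
END {
    system('fusermount', '-u', $fuse_dir) if defined $fuse_dir;
    kill 'QUIT', $pid if $pid;
}
Config-Model-OpenSsh-1.238/Build.PL0000644000175000017500000000554713166471154015320 0ustar domidomi#
# This file is part of Config-Model-OpenSsh
#
# This software is Copyright (c) 2008-2014 by Dominique Dumont.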
#
# This is free software, licensed under:
#
#   The GNU Lesser General Public License, Version 2.1, February 1999
#
#    Copyright (c) 2008-2013 Dominique Dumont.
#
#    This file is part of Config-Model-OpenSsh.
#
#    Config-Model is free software; you can redistribute it and/or
#    modify it under the terms of the GNU Lesser Public License as
#    published by the Free Software Foundation; either version 2.1 of
#    the License, or (at your option) any later version.
#
#    Config-Model is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#    Lesser Public License for more details.
#
#    You should have received a copy of the GNU Lesser Public License
#    along with Config-Model; if not, write to the Free Software
#    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
#    02110-1301 USA

use Module::Build;
use warnings FATAL => qw(all);
use strict;

require 5.010;

# Application files (lib/Config/Model/*.d/*) are installed under the same
# relative path they have in the source tree, hence identical key and value.
my @appli_sources = glob("lib/Config/Model/*.d/*");
my %appli_files;
@appli_files{@appli_sources} = @appli_sources;

# Regenerate the model pod docs before building.  This duplicates work done
# by dzil at release time, but it lets downstream rebuild the docs from the
# distribution.  $^X runs the generator with the same perl, as requested in
# https://rt.cpan.org/Public/Bug/Display.html?id=74891
my $builder_class = Module::Build->subclass(
    class => "Module::Build::Custom",
    code  => <<'SUBCLASS',
sub ACTION_build {
    my $self = shift;
    # below requires Config::Model 2.026
    system ($^X, '-MConfig::Model::Utils::GenClassPod', '-e','gen_class_pod();') == 0
        or die "gen-class-pod failed: $?";
    $self->SUPER::ACTION_build;
}
SUBCLASS
);

my %prereqs = (
    'build_requires' => {
        'Config::Model::BackendMgr' => '0',
        'Config::Model::Tester'     => '2.042',
        'English'                   => '0',
        'Module::Build'             => '0.34',
        'Test::Differences'         => '0',
        'Test::More'                => '0',
        'Test::Warn'                => '0',
    },
    'configure_requires' => { 'Module::Build' => '0.34' },
    'recommends' => {
        'Config::Model::CursesUI' => '0',
        'Config::Model::TkUI'     => '0',
    },
    'requires' => {
        'Carp'                        => '0',
        'Config::Model'               => '2.111',
        'Config::Model::Backend::Any' => '0',
        'File::Copy'                  => '0',
        'File::HomeDir'               => '0',
        'File::Path'                  => '0',
        'IO::File'                    => '0',
        'Log::Log4perl'               => '1.11',
        'Mouse'                       => '0',
        'perl'                        => '5.010',
    },
);

my $build = $builder_class->new(
    module_name    => 'Config::Model::OpenSsh',
    license        => 'lgpl',
    dist_author    => "Dominique Dumont (ddumont at cpan dot org)",
    dist_abstract  => "OpenSsh configuration files graphical editor",
    appli_files    => \%appli_files,
    %prereqs,
    add_to_cleanup => [qw/wr_test/],
);

# Ship the *.pl model files and the application files alongside the modules.
$build->add_build_element($_) for qw(pl appli);
$build->create_build_script;