Config-Model-OpenSsh

lib/Config/Model/models/Sshd/MatchElement.pod

key option offers a similar facility (see L<sshd(8)> for
details). I< Optional. Type uniline.  > 

=over 4

=item upstream_default value :

none

=back



=head2 Banner

B<Banner> The contents of
the specified file are sent to the remote user before
authentication is allowed. If the argument is B<none>
then no banner is displayed. By default, no banner is
displayed. I< Optional. Type uniline.  > 

=head2 ChrootDirectory

B<ChrootDirectory> Specifies the pathname of a
directory to L<chroot(2)> to after authentication. At session
startup L<sshd(8)> checks that all components of the pathname
are root-owned directories which are not writable by any
other user or group. After the chroot, L<sshd(8)> changes the
working directory to the user's home directory.
Arguments to B<ChrootDirectory> accept the tokens
described in the I<TOKENS> section. The
B<ChrootDirectory> must contain the necessary files and
directories to support the user's session. For an
interactive session this requires at least a shell,
typically L<sh(1)>, and basic I</dev> nodes such as
L<null(4)>, L<zero(4)>, L<stdin(4)>, L<stdout(4)>, L<stderr(4)>, and L<tty(4)>
devices. For file transfer sessions using SFTP no additional
configuration of the environment is necessary if the
in-process sftp-server is used, though sessions which use
logging may require I</dev/log> inside the chroot
directory on some operating systems (see L<sftp-server(8)> for
details). For safety, it
is very important that the directory hierarchy be prevented
from modification by other processes on the system
(especially those outside the jail). Misconfiguration can
lead to unsafe environments which L<sshd(8)> cannot detect. The default is
B<none>, indicating not to L<chroot(2)>. I< Optional. Type uniline.  > 

=over 4

=item upstream_default value :

none

=back
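
The ownership and permission rule described above for B<ChrootDirectory> can be audited before a jail is put into service. The following is an added example, not code from Config::Model::OpenSsh or OpenSSH; the names C<chroot_path_problems>, C<SAMPLE_TREE> and C<sample_stat> are hypothetical, and it assumes the path is given with any tokens already expanded.

```python
import os
import stat
from types import SimpleNamespace

def chroot_path_problems(path, stat_fn=os.stat):
    """Check an expanded ChrootDirectory path; return a list of findings.

    Every component from / down to the target must be a directory, owned by
    uid 0, and not writable by group or other. An empty list means it passes.
    stat_fn is injectable so the check can be exercised without root.
    """
    if not os.path.isabs(path):
        return [f"{path}: not an absolute path"]
    problems = []
    current = "/"
    parts = [p for p in os.path.normpath(path).split("/") if p]
    for part in [""] + parts:          # "" makes the first pass check / itself
        current = os.path.join(current, part)
        try:
            st = stat_fn(current)
        except OSError as exc:
            problems.append(f"{current}: cannot stat ({exc.strerror})")
            break                      # nothing below a missing component exists
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{current}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{current}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{current}: writable by group or other (mode {mode:04o})")
    return problems

# Constructed sample tree (path -> (mode, uid)); not taken from a real host.
SAMPLE_TREE = {
    "/":               (stat.S_IFDIR | 0o755, 0),
    "/srv":            (stat.S_IFDIR | 0o755, 0),
    "/srv/jail":       (stat.S_IFDIR | 0o755, 0),
    "/srv/sftp":       (stat.S_IFDIR | 0o775, 0),     # group-writable
    "/srv/sftp/alice": (stat.S_IFDIR | 0o755, 1001),  # owned by the user
}

def sample_stat(path):
    """Stand-in for os.stat that reads SAMPLE_TREE."""
    if path not in SAMPLE_TREE:
        raise FileNotFoundError(2, "No such file or directory", path)
    mode, uid = SAMPLE_TREE[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid)

if __name__ == "__main__":
    for target in ("/srv/jail", "/srv/sftp/alice"):
        print(target, chroot_path_problems(target, sample_stat) or "OK")
```

Called with the default C<stat_fn> on a real host, the function reports each component that would fail the rule, including parents above the jail directory itself.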



=head2 ClientAliveCountMax

B<ClientAliveCountMax> Sets the number of client alive
messages which may be sent without L<sshd(8)> receiving any
messages back from the client. If this threshold is reached
while client alive messages are being sent, sshd will
disconnect the client, terminating the session. It is
important to note that the use of client alive messages is
very different from B<TCPKeepAlive>. The client alive
messages are sent through the encrypted channel and
therefore will not be spoofable. The TCP keepalive option
enabled by B<TCPKeepAlive> is spoofable. The client
alive mechanism is valuable when the client or server depends
on knowing when a connection has become inactive. The default
value is 3. If B<ClientAliveInterval> is set to 15, and
B<ClientAliveCountMax> is left at the default,
unresponsive SSH clients will be disconnected after
approximately 45 seconds. I< Optional. Type integer.  > 

=over 4

=item upstream_default value :

3

=back



=head2 ClientAliveInterval

B<ClientAliveInterval> Sets a timeout interval in
seconds after which if no data has been received from the
client, L<sshd(8)> will send a message through the encrypted
channel to request a response from the client. The default
is 0, indicating that these messages will not be sent to the
client. I< Optional. Type integer.  > 

=over 4

=item upstream_default value :

0

=back



=head2 DenyGroups

B<DenyGroups> This keyword can be followed by
a list of group name patterns, separated by spaces. Login is
disallowed for users whose primary group or supplementary
group list matches one of the patterns. Only group names are
valid; a numerical group ID is not recognized. By default,
login is allowed for all groups. The allow/deny directives
are processed in the following order: B<DenyUsers>,
B<AllowUsers>, B<DenyGroups>, and finally
B<AllowGroups>. See PATTERNS in
L<ssh_config(5)> for more information on patterns. I< Optional. Type list of uniline.  > 

=head2 DenyUsers

B<DenyUsers> This keyword can be followed by
a list of user name patterns, separated by spaces. Login is
disallowed for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not
recognized. By default, login is allowed for all users. If
the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users
from particular hosts. HOST criteria may additionally
contain addresses to match in CIDR address/masklen format.
The allow/deny directives are processed in the following


