Config-Model-OpenSsh
lib/Config/Model/models/Sshd.pod view on Meta::CPAN
key option offers a similar facility (see L<sshd(8)> for
details). I< Optional. Type uniline. >

=over 4

=item upstream_default value :

none

=back
=head2 Banner

B<Banner> The contents of the specified file are sent to the remote user
before authentication is allowed. If the argument is B<none> then no banner
is displayed. By default, no banner is displayed. I< Optional. Type uniline. >
=head2 ChrootDirectory

B<ChrootDirectory> Specifies the pathname of a directory to L<chroot(2)> to
after authentication. At session startup L<sshd(8)> checks that all
components of the pathname are root-owned directories which are not writable
by any other user or group. After the chroot, L<sshd(8)> changes the working
directory to the user's home directory. Arguments to B<ChrootDirectory>
accept the tokens described in the I<TOKENS> section.

The B<ChrootDirectory> must contain the necessary files and directories to
support the user's session. For an interactive session this requires at
least a shell, typically L<sh(1)>, and basic I</dev> nodes such as
L<null(4)>, L<zero(4)>, L<stdin(4)>, L<stdout(4)>, L<stderr(4)>, and
L<tty(4)> devices. For file transfer sessions using SFTP no additional
configuration of the environment is necessary if the in-process sftp-server
is used, though sessions which use logging may require I</dev/log> inside
the chroot directory on some operating systems (see L<sftp-server(8)> for
details).

For safety, it is very important that the directory hierarchy be prevented
from modification by other processes on the system (especially those outside
the jail). Misconfiguration can lead to unsafe environments which L<sshd(8)>
cannot detect.

The default is B<none>, indicating not to L<chroot(2)>. I< Optional. Type uniline. >

=over 4

=item upstream_default value :

none

=back
=head2 ClientAliveCountMax

B<ClientAliveCountMax> Sets the number of client alive messages which may be
sent without L<sshd(8)> receiving any messages back from the client. If this
threshold is reached while client alive messages are being sent, sshd will
disconnect the client, terminating the session. It is important to note that
the use of client alive messages is very different from B<TCPKeepAlive>. The
client alive messages are sent through the encrypted channel and therefore
will not be spoofable. The TCP keepalive option enabled by B<TCPKeepAlive>
is spoofable. The client alive mechanism is valuable when the client or
server depend on knowing when a connection has become inactive.

The default value is 3. If B<ClientAliveInterval> is set to 15, and
B<ClientAliveCountMax> is left at the default, unresponsive SSH clients will
be disconnected after approximately 45 seconds. I< Optional. Type integer. >

=over 4

=item upstream_default value :

3

=back
=head2 ClientAliveInterval

B<ClientAliveInterval> Sets a timeout interval in seconds after which, if no
data has been received from the client, L<sshd(8)> will send a message
through the encrypted channel to request a response from the client. The
default is 0, indicating that these messages will not be sent to the
client. I< Optional. Type integer. >

=over 4

=item upstream_default value :

0

=back
=head2 DenyGroups

B<DenyGroups> This keyword can be followed by a list of group name patterns,
separated by spaces. Login is disallowed for users whose primary group or
supplementary group list matches one of the patterns. Only group names are
valid; a numerical group ID is not recognized. By default, login is allowed
for all groups. The allow/deny directives are processed in the following
order: B<DenyUsers>, B<AllowUsers>, B<DenyGroups>, and finally
B<AllowGroups>.

See PATTERNS in L<ssh_config(5)> for more information on patterns. I< Optional. Type list of uniline. >
=head2 DenyUsers

B<DenyUsers> This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that match one of
the patterns. Only user names are valid; a numerical user ID is not
recognized. By default, login is allowed for all users. If the pattern takes
the form USER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts. HOST criteria may
additionally contain addresses to match in CIDR address/masklen format.
The allow/deny directives are processed in the following
=back
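The evaluation order and pattern forms described under B<DenyGroups> and B<DenyUsers> above, worked through in code. This is an added example, not code from Config::Model::OpenSsh or from OpenSSH: it applies the four directives in the documented order (DenyUsers, AllowUsers, DenyGroups, AllowGroups) to one login attempt, supports the C<*> and C<?> wildcards from PATTERNS in L<ssh_config(5)>, and treats a USER@HOST pattern whose HOST part contains a C</> as a CIDR address match. The config fragment, user names, groups and addresses are constructed for the example; the tiny parser reads only the keyword-space-value line form and is an assumption of this example, not a full sshd_config parser.

```python
"""Added example (not OpenSSH or Config::Model code): evaluate the sshd
allow/deny directives in the documented order for one login attempt."""
import ipaddress
import re
from dataclasses import dataclass, field


def _glob_match(pattern: str, value: str) -> bool:
    # PATTERNS in ssh_config(5): '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _host_match(host_pattern: str, hostname: str, addr: str) -> bool:
    if "/" in host_pattern:                      # CIDR address/masklen form
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(host_pattern, strict=False)
        except ValueError:
            return False
    # Otherwise the pattern is matched against the host name or the address.
    return _glob_match(host_pattern, hostname) or _glob_match(host_pattern, addr)


def _user_match(pattern: str, user: str, hostname: str, addr: str) -> bool:
    # USER@HOST: USER and HOST are checked separately, both must match.
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return _glob_match(user_pat, user) and _host_match(host_pat, hostname, addr)
    return _glob_match(pattern, user)


@dataclass
class AccessPolicy:
    deny_users: list = field(default_factory=list)
    allow_users: list = field(default_factory=list)
    deny_groups: list = field(default_factory=list)
    allow_groups: list = field(default_factory=list)


def policy_from_config(text: str) -> AccessPolicy:
    """Assumption of this example: a minimal reader for 'Keyword value...' lines."""
    policy = AccessPolicy()
    fields = {"denyusers": "deny_users", "allowusers": "allow_users",
              "denygroups": "deny_groups", "allowgroups": "allow_groups"}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        attr = fields.get(keyword.lower())
        if attr:
            getattr(policy, attr).extend(rest.split())
    return policy


def login_allowed(policy: AccessPolicy, user: str, groups, hostname: str = "", addr: str = ""):
    """Return (allowed, reason), applying DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order."""
    if any(_user_match(p, user, hostname, addr) for p in policy.deny_users):
        return False, "matched DenyUsers"
    if policy.allow_users and not any(_user_match(p, user, hostname, addr) for p in policy.allow_users):
        return False, "not listed in AllowUsers"
    # Group directives match names only; a numeric GID is never recognized.
    if any(_glob_match(p, g) for p in policy.deny_groups for g in groups):
        return False, "matched DenyGroups"
    if policy.allow_groups and not any(_glob_match(p, g) for p in policy.allow_groups for g in groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


# Constructed sshd_config fragment for the example.
SAMPLE_CONFIG = """
DenyUsers   root  backup@10.0.0.0/8
AllowUsers  alice bob@*.example.org
DenyGroups  guests
AllowGroups ssh-users wheel
"""
SAMPLE_POLICY = policy_from_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    # Constructed login attempts: (user, groups, hostname, address).
    attempts = [
        ("alice", ["ssh-users"], "laptop.example.org", "198.51.100.7"),
        ("root", ["wheel"], "laptop.example.org", "198.51.100.7"),
        ("backup", ["ssh-users"], "nas.internal", "10.1.2.3"),
        ("bob", ["wheel"], "bastion.example.org", "203.0.113.5"),
        ("alice", ["guests", "ssh-users"], "laptop.example.org", "198.51.100.7"),
    ]
    for user, groups, host, ip in attempts:
        print(user, host, ip, "->", login_allowed(SAMPLE_POLICY, user, groups, host, ip))
```

Because the group checks run after the user checks, a user that is denied by name never reaches AllowGroups, and a user listed in AllowUsers is still refused when one of their groups matches DenyGroups; the order matters when auditing who can actually log in.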
=head2 StrictModes

B<StrictModes> Specifies whether L<sshd(8)> should check file modes and
ownership of the user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally leave
their directory or files world-writable. The default is B<yes>. Note that
this does not apply to B<ChrootDirectory>, whose permissions and ownership
are checked unconditionally. I< Optional. Type boolean. >

=over 4

=item upstream_default value :

yes

=back
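The two ownership-and-mode rules this page describes, the unconditional B<ChrootDirectory> check (every component of the pathname a root-owned directory not writable by group or others) and the B<StrictModes> check of the user's home directory and key files, as an added audit example. It is not code from OpenSSH or from Config::Model::OpenSsh; it re-implements the documented rules so an administrator can test a directory layout before enabling it. Two assumptions are labelled in the code: the StrictModes rule accepts root as well as the user as owner, and the set of files checked under the home directory defaults to C<.ssh> and C<.ssh/authorized_keys>. The C<stat_fn> parameter and the C<SAMPLE_FS> snapshot exist only so the example runs offline on constructed data; on a real host call the functions with the default C<os.stat>.

```python
"""Added example (not OpenSSH or Config::Model code): audit a ChrootDirectory
and a user's home directory against the rules given in sshd_config(5)."""
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the checks can run on constructed data.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def path_components(path: str):
    """'/srv/jail/alice' -> ['/', '/srv', '/srv/jail', '/srv/jail/alice']."""
    current = os.path.normpath(path)
    parts = []
    while True:
        parts.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    return list(reversed(parts))


def check_chroot_directory(path: str, stat_fn=os.stat):
    """ChrootDirectory rule: every component is a root-owned directory that is
    not writable by any other user or group. Returns a list of problems."""
    problems = []
    for comp in path_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: {exc}")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & GROUP_OR_OTHER_WRITE:
            problems.append(f"{comp}: writable by group or others (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def check_strict_modes(home: str, uid: int, files=(".ssh", ".ssh/authorized_keys"), stat_fn=os.stat):
    """StrictModes rule as this example states it (assumption: owner must be the
    user or root): the home directory and the listed files under it must not be
    writable by group or others. A missing file is skipped, not reported."""
    problems = []
    for rel in ("",) + tuple(files):
        p = os.path.join(home, rel) if rel else home
        try:
            st = stat_fn(p)
        except FileNotFoundError:
            continue
        except OSError as exc:
            problems.append(f"{p}: {exc}")
            continue
        if st.st_uid not in (0, uid):
            problems.append(f"{p}: owned by uid {st.st_uid}, expected {uid} or root")
        if st.st_mode & GROUP_OR_OTHER_WRITE:
            problems.append(f"{p}: writable by group or others (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


# Constructed filesystem snapshot for a stand-alone demonstration.
SAMPLE_FS = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv": FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv/jail": FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv/jail/alice": FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv/jail/bob": FakeStat(1001, stat.S_IFDIR | 0o775),     # user-owned and group-writable
    "/home/alice": FakeStat(1000, stat.S_IFDIR | 0o755),
    "/home/alice/.ssh": FakeStat(1000, stat.S_IFDIR | 0o700),
    "/home/alice/.ssh/authorized_keys": FakeStat(1000, stat.S_IFREG | 0o600),
    "/home/bob": FakeStat(1001, stat.S_IFDIR | 0o777),         # world-writable home
    "/home/bob/.ssh": FakeStat(1001, stat.S_IFDIR | 0o700),
}


def sample_stat(path: str) -> FakeStat:
    """stat() over the constructed snapshot."""
    try:
        return SAMPLE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


if __name__ == "__main__":
    for jail in ("/srv/jail/alice", "/srv/jail/bob"):
        print("ChrootDirectory", jail, check_chroot_directory(jail, stat_fn=sample_stat) or "ok")
    for home, uid in (("/home/alice", 1000), ("/home/bob", 1001)):
        print("StrictModes", home, check_strict_modes(home, uid, stat_fn=sample_stat) or "ok")
```

The chroot check deliberately walks from C</> downward, because a writable parent such as C</srv> lets another local user swap the jail out from under L<sshd(8)>, which is exactly the misconfiguration the text says the daemon cannot detect once the chroot has happened.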
=head2 Subsystem

B<Subsystem> Configures an external subsystem (e.g. file transfer daemon).
Arguments should be a subsystem name and a command (with optional arguments)
to execute upon subsystem request.

The command B<sftp-server> implements the SFTP file transfer subsystem.

Alternately the name B<internal-sftp> implements an in-process SFTP server.
This may simplify configurations using B<ChrootDirectory> to force a
different filesystem root on clients.

By default no subsystems are defined. I< Optional. Type hash of uniline. >
=head2 SyslogFacility

B<SyslogFacility> Gives the facility code that is used when logging messages
from L<sshd(8)>. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1,
LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. I< Optional. Type enum. choice: 'DAEMON', 'USER', 'AUTH', 'LOCAL0', 'LOCAL1', 'LOCAL2', 'LOCAL3', 'LOCAL4', 'LOCAL5', 'LOCAL6', 'LOCAL7'. >

=over 4

=item upstream_default value :

AUTH

=back
=head2 TCPKeepAlive

B<TCPKeepAlive> Specifies whether the system should send TCP keepalive
messages to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However, this means
that connections will die if the route is down temporarily, and some people
find it annoying. On the other hand, if TCP keepalives are not sent,
sessions may hang indefinitely on the server, leaving "ghost" users and
consuming server resources.

The default is B<yes> (to send TCP keepalive messages), and the server will
notice if the network goes down or the client host crashes. This avoids
infinitely hanging sessions.

To disable TCP keepalive messages, the value should be set to B<no>.

This option was formerly called B<KeepAlive>. I< Optional. Type boolean. >

=over 4

=item upstream_default value :

yes

=back
=head2 UseDNS

B<UseDNS> Specifies whether L<sshd(8)> should look up the remote host name,
and to check that the resolved host name for the remote IP address maps back
to the very same IP address.

If this option is set to B<no> (the default) then only addresses and not
host names may be used in I<~/.ssh/authorized_keys> B<from> and
B<sshd_config Match Host> directives. I< Optional. Type boolean. >

=over 4

=item upstream_default value :

no

=back
=head2 UsePAM

B<UsePAM> Enables the Pluggable Authentication Module interface. If set to
B<yes> this will enable PAM authentication using
B<ChallengeResponseAuthentication> and B<PasswordAuthentication> in addition
to PAM account and session module processing for all authentication types.

Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
B<PasswordAuthentication> or B<ChallengeResponseAuthentication>.

If B<UsePAM> is enabled, you will not be able to run L<sshd(8)> as a
non-root user. The default is B<no>. I< Optional. Type boolean. >

=over 4

=item upstream_default value :

no

=back
=head2 VersionAddendum