Metadata schema specifications for OpenSSH server

Metadata schema specifications for OpenSSH server

Core Properties

Name Type Description
protocol integer


Specifies the protocol versions sshd(8) supports. The possible values are “1” and “2”. Multiple versions must be comma-separated. The default is “2”. Protocol 1 suffers from a number of cryptographic weaknesses and should not be used. It is only offered to support legacy devices. Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. Specifying “2,1” is identical to “1,2”.

kerberos_auth boolean


Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC`s identity. The default is False (“no”).

enabled boolean Enables / disabled specific algorithm.
force_command string Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present.
syslog_facility ERROR


Gives the facility code that is used when logging messages from sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

public_key_auth boolean


Specifies whether public key authentication is allowed. The default is True (“yes”).

enabled boolean Enables / disabled specific method.
password_auth boolean


Specifies whether password authentication is allowed. The default is True(“yes”).

permit_user_environment boolean


Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is False (“no”). Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.

banner string


The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is “none” then no banner is displayed. By default, no banner is displayed.

login_grace_time integer


The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.

alive object Configure ClientAlive* option’s.
log_level ERROR


Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.

enabled boolean description_notset
permit_empty_passwords boolean


When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is False (“no”).

port integer Specifies the local addresses sshd should listen on.
address string Specifies the port on which the server listens for connections. Multiple options are permitted.
enabled boolean Enables openssh server configurathion.
max_auth_tries integer


Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

use_dns boolean Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address
enabled boolean description_notset
enabled boolean Enables / disabled specific method.
host_auth boolean


Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). The default is False(“no”).

permit_root_login boolean


Specifies whether root can log in using ssh(1). The argument must be “yes”, “prohibit-password”, “without-password”, “forced-commands-only”, or “no”. The default is “prohibit-password”.

If this option is set to “prohibit-password” or “without-password”, password and keyboard-interactive authentication are disabled for root.

If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to “no”, root is not allowed to log in.

# TODO Currently its only boolean option, however, support for other # values has been added recently to sshd_config template, now # it may use both booleans and strings. # Now the next step is to update reclass models and switch # from boolean values to strings.

ignore_rhosts boolean


Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default is True (“yes”).

enabled boolean description_notset
challenge_response_auth boolean

ChallengeResponseAuthentication controls support for the ‘keyboard-interactive’ authentication scheme defined in RFC-4256.

The ‘keyboard-interactive’ authentication scheme could, in theory, ask a user any number of multi-facited questions. It’s using for duo 2FA authorization.

enabled boolean Enables / disabled specific MAC algorithm.
enabled boolean description_notset
user object List of openssh user’s, to be configured.

global_useradd_user definition

Name Type Description
shell string description_notset
name string description_notset
sudo boolean Allow user to use sudo
enabled boolean description_notset
full_name string description_notset
home string description_notset
password string description_notset
email string description_notset
uid integer description_notset