Metadata schema specifications for OpenSSH server

Core Properties

| Name | Type | sshd_config option | Description |
|---|---|---|---|
| protocol | integer | Protocol | Specifies the protocol versions sshd(8) supports. The possible values are “1” and “2”. Multiple versions must be comma-separated. The default is “2”. Protocol 1 suffers from a number of cryptographic weaknesses and should not be used. It is only offered to support legacy devices. Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. Specifying “2,1” is identical to “1,2”. |
| kerberos_auth | boolean | KerberosAuthentication | Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. The default is False (“no”). |
| enabled | boolean | | Enables / disables a specific algorithm. |
| force_command | string | | Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. |
| syslog_facility | ERROR | SyslogFacility | Gives the facility code that is used when logging messages from sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. |
| public_key_auth | boolean | PubkeyAuthentication | Specifies whether public key authentication is allowed. The default is True (“yes”). |
| enabled | boolean | | Enables / disables a specific method. |
| password_auth | boolean | PasswordAuthentication | Specifies whether password authentication is allowed. The default is True (“yes”). |
| permit_user_environment | boolean | PermitUserEnvironment | Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is False (“no”). Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD. |
| banner | string | Banner | The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is “none” then no banner is displayed. By default, no banner is displayed. |
| login_grace_time | integer | LoginGraceTime | The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds. |
| alive | object | | Configures the ClientAlive* options. |
| log_level | ERROR | LogLevel | Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended. |
| enabled | boolean | | description_notset |
| permit_empty_passwords | boolean | PermitEmptyPasswords | When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is False (“no”). |
| port | integer | | Specifies the port on which the server listens for connections. Multiple options are permitted. |
| address | string | | Specifies the local addresses sshd should listen on. |
| enabled | boolean | | Enables the OpenSSH server configuration. |
| max_auth_tries | integer | MaxAuthTries | Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6. |
| use_dns | boolean | | Specifies whether sshd should look up the remote host name, and check that the resolved host name for the remote IP address maps back to the very same IP address. |
| enabled | boolean | | description_notset |
| enabled | boolean | | Enables / disables a specific method. |
| host_auth | boolean | HostbasedAuthentication | Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). The default is False (“no”). |
| permit_root_login | boolean | PermitRootLogin | Specifies whether root can log in using ssh(1). The argument must be “yes”, “prohibit-password”, “without-password”, “forced-commands-only”, or “no”. The default is “prohibit-password”. If this option is set to “prohibit-password” or “without-password”, password and keyboard-interactive authentication are disabled for root. If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. If this option is set to “no”, root is not allowed to log in. TODO: Currently it is only a boolean option; however, support for other values has been added recently to the sshd_config template, so it may now use both booleans and strings. The next step is to update the reclass models and switch from boolean values to strings. |
| ignore_rhosts | boolean | IgnoreRhosts | Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default is True (“yes”). |
| enabled | boolean | | description_notset |
| challenge_response_auth | boolean | | ChallengeResponseAuthentication controls support for the ‘keyboard-interactive’ authentication scheme defined in RFC 4256. The ‘keyboard-interactive’ authentication scheme could, in theory, ask a user any number of multi-faceted questions. It is used for Duo 2FA authorization. |
| enabled | boolean | | Enables / disables a specific MAC algorithm. |
| enabled | boolean | | description_notset |
| user | object | | List of OpenSSH users to be configured. |
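The defaults and cautions in the table above can be checked mechanically. The following is an added example, not code from the original page or from the formula it documents: a small offline audit that parses sshd_config-style text and reports settings that contradict the table's own guidance (Protocol 1, PermitRootLogin yes, empty passwords, user environment processing, DEBUG logging, an unlimited LoginGraceTime, and .rhosts files honoured under host-based authentication). The two configurations it runs over are constructed samples, and the parser mirrors only the global-section rules of sshd_config (first occurrence of a keyword wins, keywords are case-insensitive, options after a Match line are conditional and therefore skipped).

```python
"""Added example (not part of the original schema page or the formula):
audit the sshd_config options documented in the table above using only
the defaults and cautions the table states.  Sample configs are constructed."""
import re

# Defaults exactly as the table states them; used when an option is absent.
DEFAULTS = {
    "Protocol": "2",
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "PermitUserEnvironment": "no",
    "HostbasedAuthentication": "no",
    "IgnoreRhosts": "yes",
    "LogLevel": "INFO",
    "LoginGraceTime": "120",
    "MaxAuthTries": "6",
}
_CANONICAL = {k.lower(): k for k in DEFAULTS}
_ROOT_LOGIN_VALUES = {"yes", "prohibit-password", "without-password",
                      "forced-commands-only", "no"}

# Constructed sample: every option set to the value the table warns against.
WEAK_CONFIG = """
# constructed sshd_config sample (illustration only)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PermitUserEnvironment yes
LogLevel DEBUG2
LoginGraceTime 0
MaxAuthTries 4
Match User backup
    PermitRootLogin forced-commands-only
"""

# Constructed sample: the same options at or stricter than the table's defaults.
HARDENED_CONFIG = """
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
LogLevel VERBOSE
LoginGraceTime 60
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    '#' starts a comment; keyword and argument are separated by whitespace or
    one '='; keywords are case-insensitive; the FIRST occurrence of a keyword
    wins.  Parsing stops at a Match line because those options are conditional.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key.lower() == "match":
            break
        key = _CANONICAL.get(key.lower(), key)  # normalise known keyword case
        opts.setdefault(key, value)             # first occurrence wins
    return opts


def effective(opts, key):
    """Value sshd would use: the configured one, else the table's default."""
    return opts.get(key, DEFAULTS[key])


def audit(text):
    """Return a list of (option, effective_value, reason) findings."""
    opts = parse_sshd_config(text)
    findings = []

    def flag(key, reason):
        findings.append((key, effective(opts, key), reason))

    if "1" in {p.strip() for p in effective(opts, "Protocol").split(",")}:
        flag("Protocol", "protocol 1 has cryptographic weaknesses and is offered "
                         "regardless of list order")
    root = effective(opts, "PermitRootLogin").lower()
    if root not in _ROOT_LOGIN_VALUES:
        flag("PermitRootLogin", "not one of the values sshd accepts")
    elif root == "yes":
        flag("PermitRootLogin", "root may log in with any method, including password")
    if (effective(opts, "PasswordAuthentication").lower() == "yes"
            and effective(opts, "PermitEmptyPasswords").lower() == "yes"):
        flag("PermitEmptyPasswords", "accounts with empty passwords can log in")
    if effective(opts, "PermitUserEnvironment").lower() == "yes":
        flag("PermitUserEnvironment", "user environment (e.g. LD_PRELOAD) can "
                                      "bypass access restrictions")
    if effective(opts, "LogLevel").upper().startswith("DEBUG"):
        flag("LogLevel", "DEBUG logging records user-private data")
    if effective(opts, "LoginGraceTime") == "0":
        flag("LoginGraceTime", "unauthenticated connections are never timed out")
    if (effective(opts, "HostbasedAuthentication").lower() == "yes"
            and effective(opts, "IgnoreRhosts").lower() == "no"):
        flag("IgnoreRhosts", "per-user .rhosts/.shosts files are honoured")
    return findings


def auth_failure_log_threshold(text):
    """Failures per connection after which sshd logs further failures:
    half of MaxAuthTries, as the table describes (integer division)."""
    return int(effective(parse_sshd_config(text), "MaxAuthTries")) // 2


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s); failures logged after "
              f"{auth_failure_log_threshold(cfg)}")
        for opt, val, why in audit(cfg):
            print(f"  {opt}={val}: {why}")
```

Running the block prints six findings for the weak sample and none for the hardened one; the Match block's PermitRootLogin override is deliberately not applied, since it only takes effect for the matched user and a global audit should report the unconditional setting.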

global_useradd_user definition

| Name | Type | Description |
|---|---|---|
| shell | string | description_notset |
| name | string | description_notset |
| sudo | boolean | Allows the user to use sudo. |
| enabled | boolean | description_notset |
| full_name | string | description_notset |
| home | string | description_notset |
| password | string | description_notset |
| email | string | description_notset |
| uid | integer | description_notset |