| Name | Type | Description |
|---|---|---|
| protocol | integer | Protocol Specifies the protocol versions sshd(8) supports. The possible values are “1” and “2”. Multiple versions must be comma-separated. The default is “2”. Protocol 1 suffers from a number of cryptographic weaknesses and should not be used. It is only offered to support legacy devices. Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. Specifying “2,1” is identical to “1,2”. |
| kerberos_auth | boolean | KerberosAuthentication Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC`s identity. The default is False (“no”). |
| enabled | boolean | Enables / disabled specific algorithm. |
| force_command | string | Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. |
| syslog_facility | ERROR | SyslogFacility Gives the facility code that is used when logging messages from sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. |
| public_key_auth | boolean | PubkeyAuthentication Specifies whether public key authentication is allowed. The default is True (“yes”). |
| enabled | boolean | Enables / disabled specific method. |
| password_auth | boolean | PasswordAuthentication Specifies whether password authentication is allowed. The default is True(“yes”). |
| permit_user_environment | boolean | PermitUserEnvironment Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). The default is False (“no”). Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD. |
| banner | string | Banner The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is “none” then no banner is displayed. By default, no banner is displayed. |
| login_grace_time | integer | LoginGraceTime The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds. |
| alive | object | Configure ClientAlive* option’s. |
| log_level | ERROR | LogLevel Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended. |
| enabled | boolean | description_notset |
| permit_empty_passwords | boolean | PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is False (“no”). |
| port | integer | Specifies the local addresses sshd should listen on. |
| address | string | Specifies the port on which the server listens for connections. Multiple options are permitted. |
| enabled | boolean | Enables openssh server configurathion. |
| max_auth_tries | integer | MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6. |
| use_dns | boolean | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address |
| enabled | boolean | description_notset |
| enabled | boolean | Enables / disabled specific method. |
| host_auth | boolean | HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). The default is False(“no”). |
| permit_root_login | boolean | PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be “yes”, “prohibit-password”, “without-password”, “forced-commands-only”, or “no”. The default is “prohibit-password”. If this option is set to “prohibit-password” or “without-password”, password and keyboard-interactive authentication are disabled for root. If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. If this option is set to “no”, root is not allowed to log in. # TODO Currently its only boolean option, however, support for other # values has been added recently to sshd_config template, now # it may use both booleans and strings. # Now the next step is to update reclass models and switch # from boolean values to strings. |
| ignore_rhosts | boolean | IgnoreRhosts Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default is True (“yes”). |
| enabled | boolean | description_notset |
| challenge_response_auth | boolean | ChallengeResponseAuthentication controls support for the ‘keyboard-interactive’ authentication scheme defined in RFC-4256. The ‘keyboard-interactive’ authentication scheme could, in theory, ask a user any number of multi-facited questions. It’s using for duo 2FA authorization. |
| enabled | boolean | Enables / disabled specific MAC algorithm. |
| enabled | boolean | description_notset |
| user | object | List of openssh user’s, to be configured. |
| Name | Type | Description |
|---|---|---|
| shell | string | description_notset |
| name | string | description_notset |
| sudo | boolean | Allow user to use sudo |
| enabled | boolean | description_notset |
| full_name | string | description_notset |
| home | string | description_notset |
| password | string | description_notset |
| string | description_notset | |
| uid | integer | description_notset |