cd_ssh | Parameters

  • pkg_ensure (string)

    Which package state to ensure, i.e. latest or present.

  • sshd_manage_sshclient (boolean) (defaults to: true)

    Whether or not to manage the client configuration.

  • sshd_enable_nagios (boolean)

  • sshd_target_service (string)

    Specify the path to the configuration file in nagios for this nagios check.

  • sshd_user (string)

    Specify the user to run the sshd daemon as.

  • sshd_port (string) (defaults to: '22')

    Port to use for the sshd daemon. Used both for the daemon configuration and in the firewall settings.

  • sshd_addressfamily (string) (defaults to: 'any')

    Specifies which address family should be used by sshd(8). Valid arguments are any, inet (use IPv4 only), or inet6 (use IPv6 only). The default is any.

  • sshd_listenaddress (string)

    Specifies the local addresses sshd(8) should listen on. The following forms may be used: ListenAddress host|IPv4_addr|IPv6_addr or ListenAddress host|IPv4_addr:port

  • sshd_protocol (string) (defaults to: '2')

    Specifies the protocol versions sshd(8) supports. The possible values are '1' and '2'.

  • sshd_hostkey (string)

    Specifies a file containing a private host key used by SSH.

  • sshd_rekeylimit (string)

    Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed by a maximum amount of time that may pass before the session key is renegotiated.

  • sshd_logfacility (string)

    Gives the facility code that is used when logging messages from sshd(8).

  • sshd_loglevel (string)

    Gives the verbosity level that is used when logging messages from sshd(8).

  • sshd_logingracetime (string) (defaults to: '2m')

    The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.

  • sshd_root_login (string) (defaults to: 'no')

    Whether or not to allow the root user to log in through SSH. NOT recommended.

  • sshd_strict_modes (string) (defaults to: 'yes')

    Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login.

  • sshd_max_auth_tries (string) (defaults to: '3')

    Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.

  • sshd_max_sessions (string) (defaults to: '10')

    Specifies the maximum number of open sessions permitted per network connection.

  • sshd_pubkey_auth (string) (defaults to: 'yes')

    Specifies whether public key authentication is allowed.

  • sshd_auth_key_files (string)

    Specifies the file that contains the public keys that can be used for user authentication.

  • sshd_auth_principals_file (string)

    Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication.

  • sshd_auth_key_cmd (string)

    Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others.

  • sshd_auth_key_cmd_user (string)

    Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.

  • sshd_kerberos_use_kuserok (string) (defaults to: 'yes')

    Specifies whether to look at the .k5login file for the user's aliases.

  • sshd_hostbased_auth (string) (defaults to: 'no')

    Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication).

  • sshd_ign_user_known_hosts (string) (defaults to: 'no')

    Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication.

  • sshd_ignore_rhosts (string) (defaults to: 'yes')

    Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

  • sshd_password_auth (string) (defaults to: 'no')

    Specifies whether password authentication is allowed.

  • sshd_permit_empty_pw (string) (defaults to: 'no')

    When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.

  • sshd_challengeresponseauth (string) (defaults to: 'no')

    Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in login.conf(5)).

  • sshd_kerberos_auth (string) (defaults to: 'no')

    Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity.

  • sshd_kerb_or_local_pw (string) (defaults to: 'yes')

    If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as /etc/passwd.

  • sshd_kerb_ticket_cleanup (string) (defaults to: 'yes')

    Specifies whether to automatically destroy the user's ticket cache file on logout.

  • sshd_kerb_getafstoken (string) (defaults to: 'no')

    If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory.

  • sshd_gssapiauthentication (string) (defaults to: 'no')

    Specifies whether user authentication based on GSSAPI is allowed.

  • sshd_gssapicleanupcreds (string) (defaults to: 'yes')

    Specifies whether to automatically destroy the user's credentials cache on logout.

  • sshd_gssapi_strict_acc_chk (string) (defaults to: 'yes')

    Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against.

  • sshd_gssapi_key_exchange (string) (defaults to: 'no')

    Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange doesn't rely on ssh keys to verify host identity.

  • sshd_use_pam (string) (defaults to: 'yes')

    Enables the Pluggable Authentication Module interface.

  • sshd_allowagentforwarding (string) (defaults to: 'yes')

    Specifies whether ssh-agent(1) forwarding is permitted.

  • sshd_allowtcpforwarding (string) (defaults to: 'yes')

    Specifies whether TCP forwarding is permitted.

  • sshd_gatewayports (string) (defaults to: 'no')

    Specifies whether remote hosts are allowed to connect to ports forwarded for the client.

  • sshd_x11forwarding (string) (defaults to: 'no')

    Specifies whether X11 forwarding is permitted.

  • sshd_x11displayoffset (string) (defaults to: '10')

    Specifies the first display number available for sshd(8)'s X11 forwarding. This prevents sshd from interfering with real X11 servers.

  • sshd_x11uselocalhost (string) (defaults to: 'yes')

    Specifies whether sshd(8) should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to “localhost”. This prevents remote hosts from connecting to the proxy display. However, some older X11 clients may not function with this configuration.

  • sshd_print_motd (string) (defaults to: 'yes')

    Specifies whether sshd(8) should print /etc/motd when a user logs in interactively.

  • sshd_printlastlog (string) (defaults to: 'yes')

    Specifies whether sshd(8) should print the date and time of the last user login when a user logs in interactively.

  • sshd_tcpkeepalive (string) (defaults to: 'yes')

    Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving “ghost” users and consuming server resources.

  • sshd_uselogin (string) (defaults to: 'no')

    Specifies whether login(1) is used for interactive login sessions.

  • sshd_useprivseparation (string) (defaults to: 'yes')

    Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes.

  • sshd_permituserenvironment (string) (defaults to: 'no')

    Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8).

  • sshd_compression (string)

    Specifies whether compression is allowed, or delayed until the user has authenticated successfully.

  • sshd_clientaliveinterval (string) (defaults to: '15')

    Sets a timeout interval in seconds after which, if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.

  • sshd_clientalivecountmax (string) (defaults to: '3')

    Sets the number of client alive messages (see sshd_clientaliveinterval above) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (sshd_tcpkeepalive above). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

  • sshd_usedns (string) (defaults to: 'no')

    Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.

  • sshd_pidfile (string)

    Specifies the file that contains the process ID of the SSH daemon.

  • sshd_maxstartups (string) (defaults to: '10')

    Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection.

  • sshd_permittunnel (string) (defaults to: 'no')

    Specifies whether tun(4) device forwarding is allowed. The argument must be “yes”, “point-to-point” (layer 3), “ethernet” (layer 2), or “no”. Specifying “yes” permits both “point-to-point” and “ethernet”.

  • sshd_chrootdirectory (string)

    Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

  • sshd_version_addendum (string)

    Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection.

  • sshd_banner (string) (defaults to: 'banner')

    The contents of the specified file are sent to the remote user before authentication is allowed.

  • sshd_banner_content (string)

    Specify the content of the banner here. Only active if sshd_banner is set to banner.

  • sshd_subsystems (string)

    Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.

  • sshd_fail2ban_max_retry (string)

    Specify the maximum number of failed SSH login attempts before fail2ban temporarily bans the client IP address.

  • sshd_fail2ban_enable (string)

    Whether to enable fail2ban monitoring for the sshd service.

  • sshd_fail2ban_config (string)

    Specify the name of the jail file.

  • sshd_fail2ban_path (string)

    Specify the path for the jail file.

  • sshd_enable_firewall (string)

    Whether or not to manage the firewall for sshd.

  • sshd_fw_order_ipv4 (string) (defaults to: '008')

    Ordering number for the ipv4 firewall, i.e. where in the firewall the rule will show up.

  • sshd_fw_order_ipv6 (string) (defaults to: '009')

    Ordering number for the ipv6 firewall, i.e. where in the firewall the rule will show up.

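As an added example (not code from the cd_ssh module), the script below audits an sshd_config against a handful of the module defaults listed above: PermitRootLogin no, PasswordAuthentication no, MaxAuthTries 3, StrictModes yes and PermitTunnel no. The mapping of module parameters to sshd_config keywords, the parser and the sample configuration are assumptions constructed for this example; it also covers two details that matter when checking real files: sshd keeps the first value of a repeated keyword, and a Match block can re-enable a weaker setting for some clients.

```python
import re

# sshd_config keyword -> cd_ssh default listed on this page (mapping assumed)
EXPECTED = {
    "permitrootlogin": "no", "passwordauthentication": "no",
    "maxauthtries": "3", "strictmodes": "yes", "permittunnel": "no",
}
# "Keyword value" or "Keyword=value"; comment and blank lines fail to match
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); Match-scoped directives kept apart."""
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        else:  # sshd honours the first occurrence of a keyword: never overwrite
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, match_blocks

def audit(text, expected=EXPECTED):
    """Return (keyword, expected, actual) for each deviation from expected."""
    global_opts, match_blocks = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = global_opts.get(key)
        if got is None:
            findings.append((key, want, "unset (sshd built-in default applies)"))
        elif got.lower() != want:
            findings.append((key, want, got))
        for criteria, opts in match_blocks:  # weaker values scoped by a Match
            if key in opts and opts[key].lower() != want:
                findings.append((key, want, f"{opts[key]} (Match {criteria})"))
    return findings

# Constructed sample, not a real host's configuration.
SAMPLE = """PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
# sshd keeps the first value of a keyword, so the next line is ignored
MaxAuthTries 3
StrictModes yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
```

Running `audit(SAMPLE)` reports four deviations: root login enabled, MaxAuthTries 6, password authentication re-enabled inside the Match block, and PermitTunnel left unset so sshd's own built-in default applies.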