Myzel394/config-lsp
1
0
Fork 0
mirror of https://github.com/Myzel394/config-lsp.git synced 2025-06-18 23:15:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add more documentation data (add queryable support)

Browse Source
This commit is contained in:
Myzel394 2024-07-28 19:06:52 +02:00
parent 1d55158fc8
commit b9e8fc6e55
No known key found for this signature in database
GPG Key ID: DEC4AAB876F73185
4 changed files with 215 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
common/documentation.go
View File

@ -13,6 +13,10 @@ type Value interface {
type EnumValue struct {
Values []string
// If `true`, the value MUST be one of the values in the Values array
// Otherwise an error is shown
// If `false`, the value is just a hint
EnforceValues bool
}
func (v EnumValue) getTypeDescription() []string {
@ -113,6 +117,34 @@ func (v PrefixWithMeaningValue) getTypeDescription() []string {
)
}
type PathType uint8
const (
PathTypeExistenceOptional PathType = 0
PathTypeFile PathType = 1
PathTypeDirectory PathType = 2
)
type PathValue struct {
RequiredType PathType
}
func (v PathValue) getTypeDescription() []string {
hints := make([]string, 0)
switch v.RequiredType {
case PathTypeExistenceOptional:
hints = append(hints, "Optional")
break;
case PathTypeFile:
hints = append(hints, "File")
case PathTypeDirectory:
hints = append(hints, "Directory")
}
return []string{strings.Join(hints, ", ")}
}
type Option struct {
Documentation string
Value Value

3
common/extra-values.go
View File

@ -52,7 +52,7 @@ func fetchPasswdInfo() ([]passwdInfo, error) {
// UserValue returns a Value that fetches user names from /etc/passwd
// if `separatorForMultiple` is not empty, it will return an ArrayValue
func UserValue(separatorForMultiple string) Value {
func UserValue(separatorForMultiple string, enforceValues bool) Value {
return CustomValue{
FetchValue: func() Value {
infos, err := fetchPasswdInfo()
@ -62,6 +62,7 @@ func UserValue(separatorForMultiple string) Value {
}
enumValues := EnumValue{
EnforceValues: enforceValues,
Values: Map(infos, func(info passwdInfo) string {
return info.Name
}),

42
handlers/openssh/documentation-values.go Normal file
View File

@ -0,0 +1,42 @@
package handlers
import (
"os/exec"
"strings"
)
var _cachedQueries map[string][]string = make(map[string][]string)
func queryValues(query string) ([]string, error) {
cmd := exec.Command("ssh", "-Q", query)
output, err := cmd.Output()
if err != nil {
return []string{}, err
}
return strings.Split(string(output), "\n"), nil
}
func QueryOpenSSHOptions(
query string,
) ([]string, error) {
var availableQueries []string
key := query
if _cachedQueries[key] != nil && len(_cachedQueries[key]) > 0 {
return _cachedQueries[key], nil
} else {
availableQueries, err := queryValues(query)
if err != nil {
return []string{}, err
}
_cachedQueries[key] = availableQueries
}
return availableQueries, nil
}

168
handlers/openssh/documentation.go
View File

@ -5,9 +5,25 @@ import (
)
var BooleanEnumValue = common.EnumValue{
EnforceValues: true,
Values: []string{"yes", "no"},
}
var plusMinuxCaretPrefixes = []common.Prefix{
{
Prefix: "+",
Meaning: "Append to the default set",
},
{
Prefix: "-",
Meaning: "Remove from the default set",
},
{
Prefix: "^",
Meaning: "Place at the head of the default set",
},
}
func PrefixPlusMinusCaret(values []string) common.PrefixWithMeaningValue {
return common.PrefixWithMeaningValue{
Prefixes: []common.Prefix{
@ -42,6 +58,7 @@ var Options = map[string]common.Option{
"AddressFamily": common.NewOption(
`Specifies which address family should be used by sshd(8). Valid arguments are any (the default), inet (use IPv4 only), or inet6 (use IPv6 only).`,
common.EnumValue{
EnforceValues: true,
Values: []string{"any", "inet", "inet6"},
},
),
@ -66,19 +83,21 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
"AllowStreamLocalForwarding": common.NewOption(
`Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted. The available options are yes (the default) or all to allow StreamLocal forwarding, no to prevent all StreamLocal forwarding, local to allow local (from the perspective of ssh(1)) forwarding only or remote to allow remote forwarding only. Note that disabling StreamLocal forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.`,
common.EnumValue{
EnforceValues: true,
Values: []string{"yes", "all", "no", "local", "remote"},
},
),
"AllowTcpForwarding": common.NewOption(
`Specifies whether TCP forwarding is permitted. The available options are yes (the default) or all to allow TCP forwarding, no to prevent all TCP forwarding, local to allow local (from the perspective of ssh(1)) forwarding only or remote to allow remote forwarding only. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.`,
common.EnumValue{
EnforceValues: true,
Values: []string{"yes", "all", "no", "local", "remote"},
},
),
"AllowUsers": common.NewOption(
`This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow/deny users directives are processed in the following order: DenyUsers, AllowUsers.
See PATTERNS in ssh_config(5) for more information on patterns. This keyword may appear multiple times in sshd_config with each instance appending to the list.`,
common.UserValue(" "),
common.UserValue(" ", false),
),
"AuthenticationMethods": common.NewOption(
`Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more lists of comma-separated authentication method names, or by the single string any to indicate the default behaviour of accepting any single authentication method. If the default is overridden, then successful authentication requires completion of every method in at least one of these lists.
@ -89,10 +108,14 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
The available authentication methods are: "gssapi-with-mic", "hostbased", "keyboard-interactive", "none" (used for access to password-less accounts when PermitEmptyPasswords is enabled), "password" and "publickey".`,
common.OrValue{
Values: []common.Value{
common.EnumValue{Values: []string{"any"}},
common.EnumValue{
EnforceValues: true,
Values: []string{"any"},
},
common.ArrayValue{
AllowDuplicates: true,
SubValue: common.EnumValue{
EnforceValues: true,
Values: []string{
"none",
@ -127,7 +150,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
"AuthorizedKeysCommandUser": common.NewOption(
`Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands. If AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not, then sshd(8) will refuse to start.`,
common.UserValue(""),
common.UserValue("", true),
),
"AuthorizedKeysFile": common.NewOption(
`Specifies the file that contains the public keys used for user authentication. The format is described in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8). Arguments to AuthorizedKeysFile accept the tokens described in the “TOKENS” section. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace. Alternately this option may be set to none to skip checking for user keys in files. The default is ".ssh/authorized_keys .ssh/authorized_keys2".`,
@ -144,16 +167,20 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
),
"AuthorizedPrincipalsCommandUser": common.NewOption(
`Specifies the user under whose account the AuthorizedPrincipalsCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized principals commands. If AuthorizedPrincipalsCommand is specified but AuthorizedPrincipalsCommandUser is not, then sshd(8) will refuse to start.`,
common.UserValue(""),
common.UserValue("", true),
),
"AuthorizedPrincipalsFile": common.NewOption(
`Specifies a file that lists principal names that are accepted for certificate authentication. When using certificates signed by a key listed in TrustedUserCAKeys, this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described in AUTHORIZED_KEYS FILE FORMAT in sshd(8)). Empty lines and comments starting with # are ignored.
Arguments to AuthorizedPrincipalsFile accept the tokens described in the TOKENS section. After expansion, AuthorizedPrincipalsFile is taken to be an absolute path or one relative to the user's home directory. The default is none, i.e. not to use a principals file in this case, the username of the user must appear in a certificate's principals list for it to be accepted.
Note that AuthorizedPrincipalsFile is only used when authentication proceeds using a CA listed in TrustedUserCAKeys and is not consulted for certification authorities trusted via ~/.ssh/authorized_keys, though the principals= key option offers a similar facility (see sshd(8) for details).`,
common.StringValue{},
common.PathValue{
RequiredType: common.PathTypeFile,
},
),
"Banner": common.NewOption(`The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is none then no banner is displayed. By default, no banner is displayed.`,
common.StringValue{},
common.PathValue{
RequiredType: common.PathTypeFile,
},
),
"CASignatureAlgorithms": common.NewOption(
`Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is:
@ -229,6 +256,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
"Compression": common.NewOption(
`Specifies whether compression is enabled after the user has authenticated successfully. The argument must be yes, delayed (a legacy synonym for yes) or no. The default is yes.`,
common.EnumValue{
EnforceValues: true,
Values: []string{
"yes",
"delayed",
@ -238,8 +266,10 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
),
// "DenyGroups": `This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny groups directives are processed in the following order: DenyGroups, AllowGroups.
// See PATTERNS in ssh_config(5) for more information on patterns. This keyword may appear multiple times in sshd_config with each instance appending to the list.`,
// "DenyUsers": common.NewOption(`This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow/deny users directives are processed in the following order: DenyUsers, AllowUsers.
// See PATTERNS in ssh_config(5) for more information on patterns. This keyword may appear multiple times in sshd_config with each instance appending to the list.`,
"DenyUsers": common.NewOption(`This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow/deny users directives are processed in the following order: DenyUsers, AllowUsers.
See PATTERNS in ssh_config(5) for more information on patterns. This keyword may appear multiple times in sshd_config with each instance appending to the list.`,
common.UserValue(" ", false),
),
"DisableForwarding": common.NewOption(
`Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding-related options and may simplify restricted configurations.`,
BooleanEnumValue,
@ -251,6 +281,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
"FingerprintHash": common.NewOption(
`Specifies the hash algorithm used when logging key fingerprints. Valid options are: md5 and sha256. The default is sha256.`,
common.EnumValue{
EnforceValues: true,
Values: []string{
"md5",
"sha256",
@ -277,9 +308,23 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
`Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. If set to yes then the client must authenticate against the host service on the current hostname. If set to no then the client may authenticate against any service key stored in the machine's default store. This facility is provided to assist with operation on multi homed machines. The default is yes.`,
BooleanEnumValue,
),
// "HostbasedAcceptedAlgorithms": `Specifies the signature algorithms that will be accepted for hostbased authentication as a list of comma-separated patterns. Alternately if the specified list begins with a + character, then the specified signature algorithms will be appended to the default set instead of replacing them. If the specified list begins with a - character, then the specified signature algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ^ character, then the specified signature algorithms will be placed at the head of the default set. The default for this option is:
// ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256
// The list of available signature algorithms may also be obtained using "ssh -Q HostbasedAcceptedAlgorithms". This was formerly named HostbasedAcceptedKeyTypes.`,
"HostbasedAcceptedAlgorithms": common.NewOption(`Specifies the signature algorithms that will be accepted for hostbased authentication as a list of comma-separated patterns. Alternately if the specified list begins with a + character, then the specified signature algorithms will be appended to the default set instead of replacing them. If the specified list begins with a - character, then the specified signature algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ^ character, then the specified signature algorithms will be placed at the head of the default set. The default for this option is:
ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256
The list of available signature algorithms may also be obtained using "ssh -Q HostbasedAcceptedAlgorithms". This was formerly named HostbasedAcceptedKeyTypes.`,
common.CustomValue{
FetchValue: func() common.Value {
options, err := QueryOpenSSHOptions("HostbasedAcceptedAlgorithms")
if err != nil {
// Fallback
options, _ = QueryOpenSSHOptions("HostbasedAcceptedKeyTypes")
}
return PrefixPlusMinusCaret(options)
},
},
),
"HostbasedAuthentication": common.NewOption(
`Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). The default is no.`,
BooleanEnumValue,
@ -302,18 +347,28 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
common.OrValue{
Values: []common.Value{
common.EnumValue{
EnforceValues: true,
Values: []string{"SSH_AUTH_SOCK"},
},
common.StringValue{},
},
},
),
// "HostKeyAlgorithms": `Specifies the host key signature algorithms that the server offers. The default for this option is:
// ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256
// The list of available signature algorithms may also be obtained using "ssh -Q HostKeyAlgorithms".`,
"HostKeyAlgorithms": common.NewOption(`Specifies the host key signature algorithms that the server offers. The default for this option is:
ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256
The list of available signature algorithms may also be obtained using "ssh -Q HostKeyAlgorithms".`,
common.CustomValue{
FetchValue: func() common.Value {
options, _ := QueryOpenSSHOptions("HostKeyAlgorithms")
return PrefixPlusMinusCaret(options)
},
},
),
"IgnoreRhosts": common.NewOption(`Specifies whether to ignore per-user .rhosts and .shosts files during HostbasedAuthentication. The system-wide /etc/hosts.equiv and /etc/shosts.equiv are still used regardless of this setting.
Accepted values are yes (the default) to ignore all per- user files, shosts-only to allow the use of .shosts but to ignore .rhosts or no to allow both .shosts and rhosts.`,
common.EnumValue{
EnforceValues: true,
Values: []string{"yes", "shosts-only", "no"},
},
),
@ -333,6 +388,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
Values: []common.Value{
common.PositiveNumberValue{},
common.EnumValue{
EnforceValues: true,
Values: []string{
"af11", "af12", "af13",
"af21", "af22", "af23",
@ -362,11 +418,27 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
"KerberosTicketCleanup": common.NewOption(`Specifies whether to automatically destroy the user's ticket cache file on logout. The default is yes.`,
BooleanEnumValue,
),
// "KexAlgorithms": `Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. Alternately if the specified list begins with a + character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ^ character, then the specified algorithms will be placed at the head of the default set. The supported algorithms are:
// curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com
// The default is:
// sntrup761x25519-sha512@openssh.com, curve25519-sha256,curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, diffie-hellman-group14-sha256
// The list of available key exchange algorithms may also be obtained using "ssh -Q KexAlgorithms".`,
"KexAlgorithms": common.NewOption(`Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. Alternately if the specified list begins with a + character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ^ character, then the specified algorithms will be placed at the head of the default set. The supported algorithms are:
curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com
The default is:
sntrup761x25519-sha512@openssh.com, curve25519-sha256,curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, diffie-hellman-group14-sha256
The list of available key exchange algorithms may also be obtained using "ssh -Q KexAlgorithms".`,
PrefixPlusMinusCaret([]string{
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group1-sha1",
"diffie-hellman-group14-sha1",
"diffie-hellman-group14-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha1",
"diffie-hellman-group-exchange-sha256",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"sntrup761x25519-sha512@openssh.com",
}),
),
// "ListenAddress": `Specifies the local addresses sshd(8) should listen on. The following forms may be used:
// ListenAddress hostname|address [rdomain domain] ListenAddress hostname:port [rdomain domain] ListenAddress IPv4_address:port [rdomain domain] ListenAddress [hostname|address]:port [rdomain domain]
// The optional rdomain qualifier requests sshd(8) listen in an explicit routing domain. If port is not specified, sshd will listen on the address and all Port options specified. The default is to listen on all local addresses on the current default routing domain. Multiple ListenAddress options are permitted. For more information on routing domains, see rdomain(4).`,
@ -375,6 +447,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
),
"LogLevel": common.NewOption(`Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.`,
common.EnumValue{
EnforceValues: true,
Values: []string{
"QUIET",
"FATAL",
@ -432,7 +505,11 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
),
// "MaxStartups": `Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10:30:100.
// Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60"). sshd(8) will refuse connection attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60).`,
// "ModuliFile": `Specifies the moduli(5) file that contains the Diffie- Hellman groups used for the “diffie-hellman-group-exchange-sha1” and “diffie-hellman-group-exchange-sha256” key exchange methods. The default is /etc/moduli.`,
"ModuliFile": common.NewOption(`Specifies the moduli(5) file that contains the Diffie- Hellman groups used for the “diffie-hellman-group-exchange-sha1” and “diffie-hellman-group-exchange-sha256” key exchange methods. The default is /etc/moduli.`,
common.PathValue{
RequiredType: common.PathTypeFile,
},
),
"PasswordAuthentication": common.NewOption(`Specifies whether password authentication is allowed. The default is yes.`,
BooleanEnumValue,
),
@ -450,6 +527,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to no, root is not allowed to log in.`,
common.EnumValue{
EnforceValues: true,
Values: []string{
"yes",
"prohibit-password",
@ -464,6 +542,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
"PermitTunnel": common.NewOption(`Specifies whether tun(4) device forwarding is allowed. The argument must be yes, point-to-point (layer 3), ethernet (layer 2), or no. Specifying yes permits both point-to-point and ethernet. The default is no.
Independent of this setting, the permissions of the selected tun(4) device must allow access to the user.`,
common.EnumValue{
EnforceValues: true,
Values: []string{
"yes",
"point-to-point",
@ -472,7 +551,20 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
},
},
),
// "PermitUserEnvironment": `Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). Valid options are yes, no or a pattern-list specifying which environment variable names to accept (for example "LANG,LC_*"). The default is no. Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.`,
"PermitUserEnvironment": common.NewOption(`Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd(8). Valid options are yes, no or a pattern-list specifying which environment variable names to accept (for example "LANG,LC_*"). The default is no. Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.`,
common.OrValue{
Values: []common.Value{
common.EnumValue{
Values: []string{"yes", "no"},
},
common.ArrayValue{
SubValue: common.StringValue{},
Separator: ",",
AllowDuplicates: false,
},
},
},
),
"PermitUserRC": common.NewOption(`Specifies whether any ~/.ssh/rc file is executed. The default is yes.`,
BooleanEnumValue,
),
@ -480,6 +572,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
common.OrValue{
Values: []common.Value{
common.EnumValue{
EnforceValues: true,
Values: []string{"none"},
},
common.PositiveNumberValue{},
@ -500,9 +593,17 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
"PrintMotd": common.NewOption(`Specifies whether sshd(8) should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The default is yes.`,
BooleanEnumValue,
),
// "PubkeyAcceptedAlgorithms": `Specifies the signature algorithms that will be accepted for public key authentication as a list of comma- separated patterns. Alternately if the specified list begins with a + character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ^ character, then the specified algorithms will be placed at the head of the default set. The default for this option is:
// ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256
// The list of available signature algorithms may also be obtained using "ssh -Q PubkeyAcceptedAlgorithms".`,
"PubkeyAcceptedAlgorithms": common.NewOption(`Specifies the signature algorithms that will be accepted for public key authentication as a list of comma- separated patterns. Alternately if the specified list begins with a + character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ^ character, then the specified algorithms will be placed at the head of the default set. The default for this option is:
ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256
The list of available signature algorithms may also be obtained using "ssh -Q PubkeyAcceptedAlgorithms".`,
common.CustomValue{
FetchValue: func() common.Value {
options, _ := QueryOpenSSHOptions("PubkeyAcceptedAlgorithms")
return PrefixPlusMinusCaret(options)
},
},
),
"PubkeyAuthOptions": common.NewOption(`Sets one or more public key authentication options. The supported keywords are: none (the default; indicating no additional options are enabled), touch-required and verify-required.
The touch-required option causes public key authentication using a FIDO authenticator algorithm (i.e. ecdsa-sk or ed25519-sk) to always require the signature to attest that a physically present user explicitly confirmed the authentication (usually by touching the authenticator). By default, sshd(8) requires user presence unless overridden with an authorized_keys option. The touch-required flag disables this override.
The verify-required option requires a FIDO key signature attest that the user was verified, e.g. via a PIN.
@ -511,6 +612,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
AllowDuplicates: true,
Separator: ",",
SubValue: common.EnumValue{
EnforceValues: true,
Values: []string{"none", "touch-required", "verify-required"},
},
},
@ -526,11 +628,17 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
common.StringValue{},
),
// "RDomain": `Specifies an explicit routing domain that is applied after authentication has completed. The user session, as well as any forwarded or listening IP sockets, will be bound to this rdomain(4). If the routing domain is set to %D, then the domain in which the incoming connection was received will be applied.`,
// "SecurityKeyProvider": `Specifies a path to a library that will be used when loading FIDO authenticator-hosted keys, overriding the default of using the built-in USB HID support.
//
// SetEnv Specifies one or more environment variables to set in child sessions started by sshd(8) as “NAME=VALUE”. The environment value may be quoted (e.g. if it contains whitespace characters). Environment variables set by SetEnv override the default environment and any variables specified by the user via AcceptEnv or PermitUserEnvironment.`,
// "StreamLocalBindMask": `Sets the octal file creation mode mask (umask) used when creating a Unix-domain socket file for local or remote port forwarding. This option is only used for port forwarding to a Unix-domain socket file.
// The default value is 0177, which creates a Unix-domain socket file that is readable and writable only by the owner. Note that not all operating systems honor the file mode on Unix-domain socket files.`,
"SecurityKeyProvider": common.NewOption(`Specifies a path to a library that will be used when loading FIDO authenticator-hosted keys, overriding the default of using the built-in USB HID support.`,
common.PathValue{
RequiredType: common.PathTypeFile,
},
),
// "SetEnv": common.NewOption(`Specifies one or more environment variables to set in child sessions started by sshd(8) as “NAME=VALUE”. The environment value may be quoted (e.g. if it contains whitespace characters). Environment variables set by SetEnv override the default environment and any variables specified by the user via AcceptEnv or PermitUserEnvironment.`,
"StreamLocalBindMask": common.NewOption(`Sets the octal file creation mode mask (umask) used when creating a Unix-domain socket file for local or remote port forwarding. This option is only used for port forwarding to a Unix-domain socket file.
The default value is 0177, which creates a Unix-domain socket file that is readable and writable only by the owner. Note that not all operating systems honor the file mode on Unix-domain socket files.`,
common.PositiveNumberValue{},
),
"StreamLocalBindUnlink": common.NewOption(`Specifies whether to remove an existing Unix-domain socket file for local or remote port forwarding before creating a new one. If the socket file already exists and StreamLocalBindUnlink is not enabled, sshd will be unable to forward the port to the Unix-domain socket file. This option is only used for port forwarding to a Unix-domain socket file.
The argument must be yes or no. The default is no.`,
BooleanEnumValue,
@ -544,6 +652,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
// By default no subsystems are defined.`,
"SyslogFacility": common.NewOption(`Gives the facility code that is used when logging messages from sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.`,
common.EnumValue{
EnforceValues: true,
Values: []string{
"DAEMON",
"USER",
@ -585,6 +694,7 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
common.OrValue{
Values: []common.Value{
common.EnumValue{
EnforceValues: true,
Values: []string{"none"},
},
common.StringValue{},