summaryrefslogtreecommitdiff
path: root/interface-definitions/ssh.xml.in
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/ssh.xml.in')
-rw-r--r--interface-definitions/ssh.xml.in207
1 files changed, 207 insertions, 0 deletions
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
new file mode 100644
index 000000000..d253c2f34
--- /dev/null
+++ b/interface-definitions/ssh.xml.in
@@ -0,0 +1,207 @@
+<?xml version="1.0"?>
+<!--SSH configuration -->
+<interfaceDefinition>
+ <node name="service">
+ <children>
+ <node name="ssh" owner="${vyos_conf_scripts_dir}/ssh.py">
+ <properties>
+ <help>Secure Shell (SSH)</help>
+ <priority>500</priority>
+ </properties>
+ <children>
+ <node name="access-control">
+ <properties>
+ <help>SSH user/group access controls. Directives are processed
+ in the following order: deny-users, allow-users, deny-groups and
+ allow-groups.</help>
+ </properties>
+ <children>
+ <node name="allow">
+ <properties>
+ <help>Allow user/group SSH access</help>
+ </properties>
+ <children>
+ <leafNode name="group">
+ <properties>
+ <help>Allow members of a group to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="user">
+ <properties>
+ <help>Allow specific users to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="deny">
+ <properties>
+ <help>Deny user/group SSH access</help>
+ </properties>
+ <children>
+ <leafNode name="group">
+ <properties>
+ <help>Disallow members of a group to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="user">
+ <properties>
+ <help>Disallow specific users to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="ciphers">
+ <properties>
+ <help>Allowed ciphers</help>
+ <completionHelp>
+ <!-- generated by ssh -Q cipher | tr '\n' ' ' as this will not change dynamically -->
+ <list>3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com)$</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="disable-host-validation">
+ <properties>
+ <help>Disable IP Address to Hostname lookup</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="disable-password-authentication">
+ <properties>
+ <help>Disable password-based authentication</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="key-exchange">
+ <properties>
+ <help>Allowed key exchange (KEX) algorithms</help>
+ <completionHelp>
+ <!-- generated by ssh -Q kex | tr '\n' ' ' as this will not change dynamically -->
+ <list>diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org</list>
+ </completionHelp>
+ <multi/>
+ <constraint>
+ <regex>^(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="listen-address">
+ <properties>
+ <help>Local addresses SSH service should listen on</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IP address to listen for incoming connections</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address to listen for incoming connections</description>
+ </valueHelp>
+ <multi/>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv6-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="loglevel">
+ <properties>
+ <help>Log level</help>
+ <completionHelp>
+ <list>quiet fatal error info verbose</list>
+ </completionHelp>
+ <valueHelp>
+ <format>quiet</format>
+ <description>stay silent</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fatal</format>
+ <description>log fatals only</description>
+ </valueHelp>
+ <valueHelp>
+ <format>error</format>
+ <description>log errors and fatals only</description>
+ </valueHelp>
+ <valueHelp>
+ <format>info</format>
+ <description>default log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>verbose</format>
+ <description>enable logging of failed login attempts</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(quiet|fatal|error|info|verbose)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>INFO</defaultValue>
+ </leafNode>
+ <leafNode name="mac">
+ <properties>
+ <help>Allowed message authentication code (MAC) algorithms</help>
+ <completionHelp>
+ <!-- generated by ssh -Q mac | tr '\n' ' ' as this will not change dynamically -->
+ <list>hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com)$</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="port">
+ <properties>
+ <help>Port for SSH service</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Numeric IP port</description>
+ </valueHelp>
+ <multi/>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>22</defaultValue>
+ </leafNode>
+ <leafNode name="client-keepalive-interval">
+ <properties>
+ <help>Enable transmission of keepalives from server to client</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Time interval in seconds for keepalive message</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/interface-vrf.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-30 19:47:52 +0000