<?xml version="1.0"?>

<!--SSH configuration -->

  <!-- Definition of the "service ssh" configuration subtree.
       The owner attribute names the script tied to the ssh node; it presumably
       runs when the subtree changes and writes the daemon configuration
       (confirm against the build tooling). ${vyos_sbindir} is a placeholder
       that is expanded outside this file. -->
  <node name="service">
      <node name="ssh" owner="${vyos_sbindir}/vyos-config-ssh.py">
          <help>Secure SHell (SSH) protocol</help>
          <node name="access-control">
              <help>SSH user/group access controls. Directives are processed in this order: deny-users, allow-users, deny-groups and allow-groups</help>
              <!-- Allow and deny lists, each keyed by user name or by group.
                   Per the access-control help text the deny-users list is
                   evaluated first, so a deny match presumably takes precedence
                   over an allow match (confirm in the owner script).
                   The allow/user help says login is allowed "only" for matching
                   names: setting any allow entry therefore shuts out every account
                   that is not listed, including the one used to administer the box.
                   NOTE(review): no validator is visible on these leaf nodes in this
                   view, so the accepted name syntax is not constrained here.
                   TODO confirm the owner script checks the values before they reach
                   the daemon configuration. -->
              <node name="allow">
                  <leafNode name="group">
                      <help>Login is allowed for users whose primary or supplementary group matches</help>
                  <leafNode name="user">
                      <help>Login is allowed only for user names that match</help>
              <node name="deny">
                  <leafNode name="group">
                      <help>Login is disallowed for users whose primary or supplementary group matches</help>
                  <leafNode name="user">
                      <help>Login is disallowed for user names that match</help>
          <!-- Symmetric ciphers the service may negotiate.
               The script element runs `ssh -Q cipher` and replaces newlines with
               spaces, giving a single-line list of every cipher the local ssh binary
               supports; it is presumably used as the completion list (the wrapping
               element is not visible in this view).
               That list shows what the binary can do, not what is advisable: it can
               include legacy algorithms, so pick values against a hardening baseline
               rather than from completion alone.
               NOTE(review): no validator is visible for this leaf. TODO confirm the
               value is checked against the supported set before it is applied. -->
          <leafNode name="ciphers">
              <help>Specifies allowed Ciphers</help>
                <script>ssh -Q cipher | tr '\n' ' '</script>
          <!-- Flag that turns off DNS validation of the connecting host's name.
               NOTE(review): presumably maps to the sshd UseDNS option; confirm in
               the owner script. If so, rules elsewhere that match clients by host
               name stop matching once this is set, and only address-based rules
               remain effective. -->
          <leafNode name="disable-host-validation">
              <help>Don't validate the remote host name with DNS</help>
          <!-- Flag that restricts password logins.
               NOTE(review): the help text speaks of "unknown user", while the node
               name suggests password authentication is switched off for every
               account. Confirm which one the owner script implements and align the
               help text with it.
               Verify key-based login for an administrative account before setting
               this over a remote session. -->
          <leafNode name="disable-password-authentication">
              <help>Don't allow unknown user to login with password</help>
          <!-- Key exchange algorithms the service may offer.
               The script element runs `ssh -Q kex` and joins the output onto one
               line, listing everything the local ssh binary supports (presumably
               used as the completion list; the wrapping element is not visible here).
               The list is not filtered for strength, so older algorithms can appear
               in it.
               NOTE(review): no validator is visible for this leaf. TODO confirm the
               value is checked before it is applied. -->
          <leafNode name="key-exchange">
              <help>Specifies available KEX (Key Exchange) algorithms</help>
                <script>ssh -Q kex | tr '\n' ' '</script>
          <!-- Local address or addresses the service binds to.
               Two validators are attached, ipv4-address and ipv6-address, matching
               the two descriptions; presumably a value passes when either validator
               accepts it (confirm).
               NOTE(review): behaviour when the leaf is unset is not shown here; if it
               means "listen on every address", binding to the management address only
               reduces exposure. -->
          <leafNode name="listen-address">
              <help>Local addresses SSH service should listen on</help>
                <description>IP address to listen for incoming connections</description>
                <description>IPv6 address to listen for incoming connections</description>
                <validator name="ipv4-address"/>
                <validator name="ipv6-address"/>
          <!-- Logging verbosity of the service, five levels from silent upwards.
               The value name belonging to each description is not visible in this
               view.
               Only the last level is described as logging failed login attempts, so
               the level marked "default" presumably does not record them (confirm
               against the daemon documentation). Detection of password guessing
               depends on that last level being selected. -->
          <leafNode name="loglevel">
              <help>Log level</help>
                <description>stay silent</description>
                <description>log fatals only</description>
                <description>log errors and fatals only</description>
                <description>default log level</description>
                <description>enable logging of failed login attempts</description>
          <!-- Message authentication code algorithms the service may negotiate.
               The script element runs `ssh -Q mac` and joins the output onto one
               line, listing everything the local ssh binary supports (presumably
               used as the completion list; the wrapping element is not visible here).
               The list is unfiltered, so it can include algorithms that a hardening
               baseline would exclude.
               NOTE(review): no validator is visible for this leaf. TODO confirm the
               value is checked before it is applied. -->
          <leafNode name="mac">
                <help>Specifies available MAC (message authentication code) algorithms</help>
                <script>ssh -Q mac | tr '\n' ' '</script>
          <!-- TCP port the service listens on.
               The numeric validator is given the range 1-65535, so zero, negative
               and non-numeric values are rejected at commit time.
               Changing the port is not an access control in itself; reachability
               still has to be limited with the access-control node or with firewall
               rules. -->
          <leafNode name="port">
              <help>Port for SSH service</help>
                <description>Numeric IP port</description>
                <validator name="numeric" argument="--range 1-65535"/>