<?xml version="1.0"?>
<interfaceDefinition>
  <node name="service">
    <properties>
      <help>System services</help>
    </properties>
    <children>
      <node name="ssh" owner="${vyos_conf_scripts_dir}/service_ssh.py">
        <properties>
          <help>Secure Shell (SSH)</help>
          <priority>1000</priority>
        </properties>
        <children>
          <node name="access-control">
            <!-- Per-user and per-group allow/deny lists for SSH logins.
                 Both branches pull in the same ssh-group / ssh-user includes,
                 so the accepted value syntax is identical for allow and deny.
                 NOTE(review): what happens when a name is listed under both allow
                 and deny is decided by the config script (service_ssh.py, not shown)
                 and by sshd's own precedence rules; confirm there before relying on it. -->
            <properties>
              <help>SSH user/group access controls</help>
            </properties>
            <children>
              <node name="allow">
                <properties>
                  <help>Allow user/group SSH access</help>
                </properties>
                <children>
                  #include <include/ssh-group.xml.i>
                  #include <include/ssh-user.xml.i>
                </children>
              </node>
              <node name="deny">
                <properties>
                  <help>Deny user/group SSH access</help>
                </properties>
                <children>
                  #include <include/ssh-group.xml.i>
                  #include <include/ssh-user.xml.i>
                </children>
              </node>
            </children>
          </node>
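          <leafNode name="ciphers">
            <!-- Allowed symmetric ciphers (multi-valued). The completion list and the
                 regex constraint below duplicate the same set; when the list is
                 regenerated from ssh -Q cipher the regex must be updated in lock-step,
                 otherwise completion can offer a value the constraint then rejects.
                 The set mirrors ssh -Q output and therefore still contains legacy
                 CBC-mode and 3DES entries that current OpenSSH releases disable by
                 default; this node only validates input, it does not pick a safe default. -->
            <properties>
              <help>Allowed ciphers</help>
              <completionHelp>
                <!-- generated by ssh -Q cipher | tr '\n' ' ' as this will not change dynamically  -->
                <list>3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com</list>
              </completionHelp>
              <!-- constraint re-indented to sit at the same level as its siblings
                   (it previously looked like a child of completionHelp) -->
              <constraint>
                <regex>(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com)</regex>
              </constraint>
              <multi/>
            </properties>
          </leafNode>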
          <leafNode name="disable-host-validation">
            <!-- Valueless flag: its presence alone disables the reverse lookup of
                 the client address described in the help text.
                 NOTE(review): presumably rendered as UseDNS in the generated
                 sshd_config by service_ssh.py; confirm there. -->
            <properties>
              <help>Disable IP Address to Hostname lookup</help>
              <valueless/>
            </properties>
          </leafNode>
          <leafNode name="disable-password-authentication">
            <!-- Valueless flag. While it is unset, password logins remain possible,
                 and the dynamic-protection node below is the only brute-force
                 mitigation defined in this file.
                 NOTE(review): presumably maps to PasswordAuthentication in the
                 generated sshd_config; confirm in service_ssh.py. -->
            <properties>
              <help>Disable password-based authentication</help>
              <valueless/>
            </properties>
          </leafNode>
          <node name="dynamic-protection">
            <!-- Source-address blocking driven by a cumulative "attack score"
                 (see the help texts of threshold / block-time / detect-time).
                 Every timer here is expressed in seconds and bounded to 1-65535
                 by the numeric validator; the scoring daemon itself is configured
                 by service_ssh.py and is not visible in this definition. -->
            <properties>
              <help>Allow dynamic protection</help>
            </properties>
            <children>
              <leafNode name="block-time">
                <!-- Initial block duration; the help text states that repeated
                     blocks grow by a factor of 1.5. -->
                <properties>
                  <help>Block source IP in seconds. Subsequent blocks increase by a factor of 1.5</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Time interval in seconds for blocking</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
                <defaultValue>120</defaultValue>
              </leafNode>
              <leafNode name="detect-time">
                <!-- Window over which a source address keeps its score before it
                     is reset. -->
                <properties>
                  <help>Remember source IP in seconds before reset their score</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Time interval in seconds</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
                <defaultValue>1800</defaultValue>
              </leafNode>
              <leafNode name="threshold">
                <!-- Score above which a source address is blocked. -->
                <properties>
                  <help>Block source IP when their cumulative attack score exceeds threshold</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Threshold score</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
                <defaultValue>30</defaultValue>
              </leafNode>
              <leafNode name="allow-from">
                <!-- Exemption list (multi-valued): a single IPv4/IPv6 address or a
                     prefix. Two validators are given; presumably a value only has
                     to satisfy one of them, as is usual for VyOS constraints (confirm).
                     Anything listed here is never blocked, so keep it to management
                     hosts and networks. -->
                <properties>
                  <help>Always allow inbound connections from these systems</help>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>Address to match against</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IPv4 address and prefix length</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6</format>
                    <description>IPv6 address to match against</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 address and prefix length</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ip-address"/>
                    <validator name="ip-prefix"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
            </children>
          </node>
          <leafNode name="hostkey-algorithm">
            <!-- Allowed host key signature algorithms (multi-valued). Completion
                 list and regex constraint duplicate the same set and must be
                 regenerated together. Because the set mirrors ssh -Q output it
                 still includes legacy SHA-1 based entries (ssh-dss, ssh-rsa) that
                 current OpenSSH releases disable by default; this node only
                 validates input and does not pick a safe default. -->
            <properties>
              <help>Allowed host key signature algorithms</help>
              <completionHelp>
                <!-- generated by ssh -Q HostKeyAlgorithms | tr '\n' ' ' as this will not change dynamically  -->
                <list>ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com ssh-rsa-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com</list>
              </completionHelp>
              <multi/>
              <constraint>
                <regex>(ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|sk-ssh-ed25519@openssh.com|sk-ssh-ed25519-cert-v01@openssh.com|ssh-rsa|rsa-sha2-256|rsa-sha2-512|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ecdsa-sha2-nistp256@openssh.com|webauthn-sk-ecdsa-sha2-nistp256@openssh.com|ssh-rsa-cert-v01@openssh.com|rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512-cert-v01@openssh.com|ssh-dss-cert-v01@openssh.com|ecdsa-sha2-nistp256-cert-v01@openssh.com|ecdsa-sha2-nistp384-cert-v01@openssh.com|ecdsa-sha2-nistp521-cert-v01@openssh.com|sk-ecdsa-sha2-nistp256-cert-v01@openssh.com)</regex>
              </constraint>
            </properties>
          </leafNode>
          <leafNode name="pubkey-accepted-algorithm">
            <!-- Allowed public-key signature algorithms for user authentication
                 (multi-valued). Completion list and regex constraint duplicate the
                 same set and must be regenerated together. As with hostkey-algorithm
                 the set mirrors ssh -Q output and still contains legacy SHA-1 based
                 entries (ssh-dss, ssh-rsa); the node validates input only. -->
            <properties>
              <help>Allowed pubkey signature algorithms</help>
              <completionHelp>
                <!-- generated by ssh -Q PubkeyAcceptedAlgorithms | tr '\n' ' ' as this will not change dynamically  -->
                <list>ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ecdsa-sha2-nistp256@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com ssh-dss ssh-dss-cert-v01@openssh.com ssh-rsa ssh-rsa-cert-v01@openssh.com rsa-sha2-256 rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512 rsa-sha2-512-cert-v01@openssh.com</list>
              </completionHelp>
              <multi/>
              <constraint>
                <regex>(ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|sk-ssh-ed25519@openssh.com|sk-ssh-ed25519-cert-v01@openssh.com|ecdsa-sha2-nistp256|ecdsa-sha2-nistp256-cert-v01@openssh.com|ecdsa-sha2-nistp384|ecdsa-sha2-nistp384-cert-v01@openssh.com|ecdsa-sha2-nistp521|ecdsa-sha2-nistp521-cert-v01@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com|sk-ecdsa-sha2-nistp256-cert-v01@openssh.com|webauthn-sk-ecdsa-sha2-nistp256@openssh.com|ssh-dss|ssh-dss-cert-v01@openssh.com|ssh-rsa|ssh-rsa-cert-v01@openssh.com|rsa-sha2-256|rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512|rsa-sha2-512-cert-v01@openssh.com)</regex>
              </constraint>
            </properties>
          </leafNode>
          <leafNode name="key-exchange">
            <!-- Allowed key exchange methods (multi-valued). Completion list and
                 regex constraint duplicate the same set and must be regenerated
                 together. Mirroring ssh -Q output, the set still includes legacy
                 SHA-1 based and 1024-bit group1 entries that current OpenSSH
                 releases disable by default; the node validates input only. -->
            <properties>
              <help>Allowed key exchange (KEX) algorithms</help>
              <completionHelp>
                <!-- generated by ssh -Q kex | tr '\n' ' ' as this will not change dynamically  -->
                <list>diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org</list>
              </completionHelp>
              <multi/>
              <constraint>
                <regex>(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org)</regex>
              </constraint>
            </properties>
          </leafNode>
          #include <include/listen-address.xml.i>
          <leafNode name="loglevel">
            <!-- sshd log verbosity; single value, defaults to info. Per the
                 descriptions below, failed login attempts are only logged at
                 verbose, which matters for any log-based detection or blocking. -->
            <properties>
              <help>Log level</help>
              <completionHelp>
                <list>quiet fatal error info verbose</list>
              </completionHelp>
              <valueHelp>
                <format>quiet</format>
                <description>stay silent</description>
              </valueHelp>
              <valueHelp>
                <format>fatal</format>
                <description>log fatals only</description>
              </valueHelp>
              <valueHelp>
                <format>error</format>
                <description>log errors and fatals only</description>
              </valueHelp>
              <valueHelp>
                <format>info</format>
                <description>default log level</description>
              </valueHelp>
              <valueHelp>
                <format>verbose</format>
                <description>enable logging of failed login attempts</description>
              </valueHelp>
              <constraint>
                <regex>(quiet|fatal|error|info|verbose)</regex>
              </constraint>
            </properties>
            <defaultValue>info</defaultValue>
          </leafNode>
          <leafNode name="mac">
            <!-- Allowed MAC algorithms (multi-valued). Completion list and regex
                 constraint duplicate the same set and must be regenerated together.
                 The set mirrors ssh -Q output and still contains legacy MD5 and
                 truncated SHA-1 entries; the node validates input only. -->
            <properties>
              <help>Allowed message authentication code (MAC) algorithms</help>
              <completionHelp>
                <!-- generated by ssh -Q mac | tr '\n' ' ' as this will not change dynamically  -->
                <list>hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com</list>
              </completionHelp>
              <constraint>
                <regex>(hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com)</regex>
              </constraint>
              <multi/>
            </properties>
          </leafNode>
          <leafNode name="port">
            <!-- Listening TCP port(s). Multi-valued, so sshd can be exposed on
                 several ports at once; the default of 22 applies when none is set. -->
            <properties>
              <help>Port for SSH service</help>
              <valueHelp>
                <format>u32:1-65535</format>
                <description>Numeric IP port</description>
              </valueHelp>
              <multi/>
              <constraint>
                <validator name="numeric" argument="--range 1-65535"/>
              </constraint>
            </properties>
            <defaultValue>22</defaultValue>
          </leafNode>
          <node name="rekey">
            <!-- Session rekeying thresholds: data in megabytes, time in minutes,
                 each bounded to 1-65535. Neither has a default, so rekeying falls
                 back to sshd's own behaviour when the node is absent.
                 NOTE(review): presumably the two values are combined into a single
                 RekeyLimit line by service_ssh.py; confirm there. -->
            <properties>
              <help>SSH session rekey limit</help>
            </properties>
            <children>
              <leafNode name="data">
                <properties>
                  <help>Threshold data in megabytes</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Megabytes</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
              </leafNode>
              <leafNode name="time">
                <properties>
                  <help>Threshold time in minutes</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Minutes</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </node>
          <leafNode name="client-keepalive-interval">
            <!-- Interval in seconds between server-to-client keepalive probes;
                 setting a value is what enables them (there is no separate
                 on/off flag). Useful for tearing down dead sessions instead of
                 leaving them open indefinitely.
                 NOTE(review): presumably ClientAliveInterval in sshd_config; confirm. -->
            <properties>
              <help>Enable transmission of keepalives from server to client</help>
              <valueHelp>
                <format>u32:1-65535</format>
                <description>Time interval in seconds for keepalive message</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 1-65535"/>
              </constraint>
            </properties>
          </leafNode>
          <node name="trusted-user-ca-key">
            <!-- Selects a CA from the PKI subsystem via the shared ca-certificate
                 include. Trusting a CA here means any user certificate it signs is
                 accepted for login, so the CA's private key must be protected at
                 least as carefully as the host's own credentials.
                 NOTE(review): presumably rendered as TrustedUserCAKeys by
                 service_ssh.py; confirm how principals are restricted there. -->
            <properties>
              <help>Trusted user CA key</help>
            </properties>
            <children>
              #include <include/pki/ca-certificate.xml.i>
            </children>
          </node>
          #include <include/vrf-multi.xml.i>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>