>> MIB - Management Information Base

>> Table: sshDaemonCfg - (.1.3.6.1.4.1.272.4.44.1)

sshDaemonCfg

OID   Name                              Type           Access
.1    Port                              INTEGER        RW
.2    LoginGraceTime                    INTEGER        RW
.3    HostbasedAuthentication           ENUM           RW
.4    PubkeyAuthentication              ENUM           RW
.5    PasswordAuthentication            ENUM           RW
.6    ChallengeResponseAuthentication   ENUM           RW
.7    KeepAlives                        ENUM           RW
.8    PermitEmptyPasswd                 ENUM           RW
.9    Compression                       ENUM           RW
.10   VerifyReverseMapping              ENUM           RW
.11   LogFacility                       ENUM           RW
.12   LogLevel                          ENUM           RW
.13   Ciphers                           DisplayString  RW
.14   Macs                              DisplayString  RW
.15   Protocol                          DisplayString  RW
.16   MaxClients                        INTEGER        RW
.17   ClientAliveInterval               INTEGER        RW
.18   ClientAliveCountMax               INTEGER        RW
.19   AllowTcpForwarding                ENUM           RW
.20   GatewayPorts                      ENUM           RW
.21   UseLogin                          ENUM           RW
.22   X11Forwarding                     ENUM           RW
.23   X11DisplayOffset                  INTEGER        RW
.32   PrintMotd                         ENUM           RW
.33   Banner                            DisplayString  RW
.34   PrintLastLog                      ENUM           RW
.35   LastLogin                         DisplayString  R

Port
Specifies the port on which the server listens for connections (default: 22).

LoginGraceTime
Gives the grace time for clients to authenticate themselves (default 600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects. A value of zero indicates no limit.

HostbasedAuthentication
Specifies whether ssh_known_hosts authentication together with successful public key client host authentication is allowed (hostbased authentication). This option applies to protocol version 2 only.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)

PubkeyAuthentication
Specifies whether public key authentication is allowed.
The default is 'yes'.
Note that this option applies to protocol version 2 only.
Enumerations:
  • yes (1)
  • no (2)

PasswordAuthentication
Specifies whether password authentication is allowed.
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)

ChallengeResponseAuthentication
Specifies whether challenge response authentication is allowed.
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)

KeepAlives
Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving 'ghost' users and consuming server resources.
The default is 'yes' (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions.
To disable keepalives, the value should be set to 'no' in both the server and the client configuration files.
Enumerations:
  • yes (1)
  • no (2)

PermitEmptyPasswd
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)

Compression
Enables/disables the general use of compression.
Enumerations:
  • yes (1)
  • no (2)

VerifyReverseMapping
Specifies whether sshd should try to verify the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)

LogFacility
Gives the facility code that is used when logging messages from sshd. The possible values are: 'daemon', 'user', 'auth', 'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7'.
The default is 'auth'.
Enumerations:
  • daemon (1)
  • user (2)
  • auth (3)
  • authPriv (4)
  • local0 (7)
  • local1 (8)
  • local2 (9)
  • local3 (10)
  • local4 (11)
  • local5 (12)
  • local6 (13)
  • local7 (14)

LogLevel
Gives the verbosity level that is used when logging messages from sshd. The possible values are: 'quiet', 'fatal', 'error', 'info', 'verbose' and 'debug'.
The default is 'info'.
Logging with level 'debug' violates the privacy of users and is not recommended.
Enumerations:
  • quiet (1)
  • fatal (2)
  • error (3)
  • info (4)
  • verbose (5)
  • debug1 (6)
  • debug2 (7)
  • debug3 (8)

Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated.
The default is 'aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour'.

Macs
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated.
The default is 'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'.

Protocol
Specifies the protocol versions sshd should support. The possible values are '1' and '2'. Multiple versions must be comma-separated. Currently only protocol version 2 is supported by the BinTec implementation.
The default is '2'.

MaxClients
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection.
The default is 1.

ClientAliveInterval
Sets a timeout interval in seconds after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
The default is 0, indicating that these messages will not be sent to the client.
This option applies to protocol version 2 only.

ClientAliveCountMax
Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.
It is important to note that the use of client alive messages is very different from KeepAlive (above). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by KeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.
The default value is 3.
If ClientAliveInterval (above) is set to 15, and ClientAliveCountMax is left at the default, unresponsive ssh clients will be disconnected after approximately 45 seconds.

AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)

GatewayPorts
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should bind remote port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports.
The argument must be 'yes' or 'no'.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)

UseLogin
Specifies whether login(1) is used for interactive login sessions.
The default is 'yes'.
Note that login(1) is never used for remote command execution.
Note also, that if this is enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies.
Enumerations:
  • yes (1)
  • no (2)

X11Forwarding
Specifies whether X11 forwarding is permitted.
The default is 'no'.
X11 forwarding is automatically disabled if UseLogin is enabled.
Enumerations:
  • yes (1)
  • no (2)

X11DisplayOffset
Specifies the first display number available for sshd's X11 forwarding. This prevents sshd from interfering with real X11 servers.
The default is 10.

PrintMotd
Specifies whether sshd should print 'motd' when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.)
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)

Banner
In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed.
This option is only available for protocol version 2.

PrintLastLog
Specifies whether sshd should print the date and time when the user last logged in.
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)

LastLogin
In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed.
This option is only available for protocol version 2.
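An added audit example (not BinTec's code and not part of this MIB document) that reads a constructed snmpwalk-style dump of the sshDaemonCfg row, decodes it with the sub-OIDs and the yes(1)/no(2) enumeration codes documented above, computes the ClientAliveInterval times ClientAliveCountMax disconnect time, and reports the settings a hardening review would question. The "OID = value" line format, the sample values and the set of ciphers treated as legacy are assumptions of this example.

```python
# Added example, not part of the BinTec MIB reference: parse a captured sshDaemonCfg
# row (snmpwalk-style "OID = value" lines, constructed here) and flag weak settings.
SSH_DAEMON_CFG = ".1.3.6.1.4.1.272.4.44.1"
# Sub-OID -> object name, from the sshDaemonCfg table above (subset).
NAMES = {1: "Port", 2: "LoginGraceTime", 4: "PubkeyAuthentication",
         5: "PasswordAuthentication", 8: "PermitEmptyPasswd", 13: "Ciphers",
         15: "Protocol", 17: "ClientAliveInterval", 18: "ClientAliveCountMax", 20: "GatewayPorts"}
YES, NO = 1, 2  # ENUM codes used by every yes/no object in this table
LEGACY_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour"}  # assumption

def parse_walk(lines):
    """Map each sshDaemonCfg sub-OID to its value; ints for INTEGER/ENUM objects."""
    cfg = {}
    for line in lines:
        oid, _, value = line.partition(" = ")
        if not oid.startswith(SSH_DAEMON_CFG + "."):
            continue  # some other MIB object, ignore
        sub = int(oid[len(SSH_DAEMON_CFG) + 1:])
        value = value.strip().strip('"')
        cfg[NAMES.get(sub, f"sub{sub}")] = int(value) if value.isdigit() else value
    return cfg

def idle_disconnect_seconds(cfg):
    """Seconds until an unresponsive client is dropped, or None if probes are off."""
    interval = cfg.get("ClientAliveInterval", 0)  # MIB default 0 = no probes
    count = cfg.get("ClientAliveCountMax", 3)     # MIB default 3
    return interval * count if interval > 0 else None

def audit(cfg):
    """Return the findings a defender would raise for this configuration row."""
    findings = []
    if cfg.get("PermitEmptyPasswd") == YES:
        findings.append("PermitEmptyPasswd=yes: accounts with empty passwords may log in")
    if cfg.get("PasswordAuthentication") == YES and cfg.get("PubkeyAuthentication") == NO:
        findings.append("password-only logins: PubkeyAuthentication is disabled")
    if "1" in str(cfg.get("Protocol", "2")).split(","):
        findings.append("Protocol lists version 1, which this implementation does not support")
    legacy = sorted(set(str(cfg.get("Ciphers", "")).split(",")) & LEGACY_CIPHERS)
    if legacy:
        findings.append("legacy ciphers enabled: " + ",".join(legacy))
    if cfg.get("GatewayPorts") == YES:
        findings.append("GatewayPorts=yes: forwarded ports are bound to the wildcard address")
    if idle_disconnect_seconds(cfg) is None:
        findings.append("ClientAliveInterval=0: dead sessions are only noticed via TCP keepalives")
    return findings

# Constructed sample row; the values are illustrative, not from any real device.
SAMPLE_WALK = [f"{SSH_DAEMON_CFG}.{sub} = {val}" for sub, val in
               [(1, 22), (4, 2), (5, 1), (8, 1), (13, '"aes128-cbc,3des-cbc,arcfour"'),
                (15, '"2"'), (17, 15), (18, 3), (20, 2)]]
```

Calling `audit(parse_walk(SAMPLE_WALK))` on the constructed row yields three findings (empty passwords permitted, password-only logins, legacy ciphers) and `idle_disconnect_seconds` returns the 45 seconds the ClientAliveCountMax text works through.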


Copyright ©2003 by BinTec Access Networks GmbH