>> MIB - Management Information Base

>> Table: sshDaemonCfg - (.1.3.6.1.4.1.272.4.44.1)

sshDaemonCfg
OIDNameTypeAccess
.1PortINTEGERRW
.2LoginGraceTimeINTEGERRW
.3HostbasedAuthenticationENUMRW
.4PubkeyAuthenticationENUMRW
.5PasswordAuthenticationENUMRW
.6ChallengeResponseAuthenticationENUMRW
.7KeepAlivesENUMRW
.8PermitEmptyPasswdENUMRW
.9CompressionENUMRW
.10VerifyReverseMappingENUMRW
.11LogFacilityENUMRW
.12LogLevelENUMRW
.13CiphersDisplayStringRW
.14MacsDisplayStringRW
.15ProtocolDisplayStringRW
.16MaxClientsINTEGERRW
.17ClientAliveIntervalINTEGERRW
.18ClientAliveCountMaxINTEGERRW
.19AllowTcpForwardingENUMRW
.20GatewayPortsENUMRW
.21UseLoginENUMRW
.22X11ForwardingENUMRW
.23X11DisplayOffsetINTEGERRW
.32PrintMotdENUMRW
.33BannerDisplayStringRW
.34PrintLastLogENUMRW
.35LastLoginDisplayStringR

Port
Specifies the port on which the server listens
for connections (default: 22).
LoginGraceTime
Gives the grace time for clients to authenticate themselves
(default 600 seconds).  If the client fails to authenticate
the user within this many seconds, the server disconnects.
A value of zero indicates no limit.
HostbasedAuthentication
Specifies whether ssh_known_hosts authentication together with
successful public key client host authentication is
allowed (hostbased authentication).
This option applies to protocol version 2 only.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)
PubkeyAuthentication
Specifies whether public key authentication is allowed.
The default is 'yes'.
Note that this option applies to protocol version 2 only.
Enumerations:
  • yes (1)
  • no (2)
PasswordAuthentication
Specifies whether password authentication is allowed.
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)
ChallengeResponseAuthentication
Specifies whether challenge response authentication is allowed.
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)
KeepAlives
Specifies whether the system should send keepalive messages to
the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down tem¼
porarily, and some people find it annoying. On the other hand,
if keepalives are not sent, sessions may hang indefinitely on
the server, leaving 'ghost' users and consuming server
resources.
The default is 'yes' (to send keepalives), and the server will
notice if the network goes down or the client host reboots.
This avoids infinitely hanging sessions.
To disable keepalives, the value should be set to 'no' in both
the server and the client configuration files.
Enumerations:
  • yes (1)
  • no (2)
PermitEmptyPasswd
When password authentication is allowed, it specifies
whether the server allows login to accounts with empty
password strings.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)
Compression
Enables/disables the general use of compression.
Enumerations:
  • yes (1)
  • no (2)
VerifyReverseMapping
Specifies whether sshd should try to verify the remote
host name and check that the resolved host name for the
remote IP address maps back to the very same IP address.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)
LogFacility
Gives the facility code that is used when logging messages
from sshd. The possible values are: 'daemon', 'user', 'auth',
'local0', 'local1', 'local2', 'local3', 'local4', 'local5',
'local6', 'local7'.
The default is 'auth'.
Enumerations:
  • daemon (1)
  • user (2)
  • auth (3)
  • authPriv (4)
  • local0 (7)
  • local1 (8)
  • local2 (9)
  • local3 (10)
  • local4 (11)
  • local5 (12)
  • local6 (13)
  • local7 (14)
LogLevel
Gives the verbosity level that is used when logging messages
from sshd. The possible values are: 'quiet', 'fatal', 'error',
'info', 'verbose' and 'debug'.
The default is 'info'.
Logging with level 'debug' violates the privacy of users
and is not recommended.
Enumerations:
  • quiet (1)
  • fatal (2)
  • error (3)
  • info (4)
  • verbose (5)
  • debug1 (6)
  • debug2 (7)
  • debug3 (8)
Ciphers
Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated.
The default is
'aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour'.
Macs
Specifies the available MAC (message authentication code)
algorithms. The MAC algorithm is used in protocol version 2
for data integrity protection. Multiple algorithms must be
comma-separated. The default is
'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'.
Protocol
Specifies the protocol versions sshd should support.
The possible values are '1' and '2'. Multiple versions
must be comma separated. Currently only protocol version 2
is supported by the BinTec implementation.
The default is '2'.
MaxClients
Specifies the maximum number of concurrent unauthenticated
connections to the sshd daemon. Additional connections will
be dropped until authentication succeeds or the LoginGraceTime
expires for a connection.
The default is 1.
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the client, sshd will send a message through
the encrypted channel to request a response from the client.
The default is 0, indicating that these messages will not be
sent to the client.
This option applies to protocol version 2 only.
ClientAliveCountMax
Sets the number of client alive messages (see above) which
may be sent without sshd receiving any messages back from
the client. If this threshold is reached while client alive
messages are being sent, sshd will disconnect the client,
terminating the session.
It is important to note that the use of client alive messages
is very different from KeepAlive (above). The client alive
messages are sent through the encrypted channel and therefore
will not be spoofable. The TCP keepalive option enabled by
KeepAlive is spoofable. The client alive mechanism is valuable
when the client or server depend on knowing when a connection
has become inactive.
The default value is 3.
If ClientAliveInterval (above) is set to 15, and
ClientAliveCountMax is left at the default, unresponsive ssh
clients will be disconnected after approximately 45 seconds.
AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)
GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client. By default, sshd binds remote port
forwardings to the loopback addresss. This prevents other
remote hosts from connecting to forwarded ports. GatewayPorts
can be used to specify that sshd should bind remote port
forwardings to the wildcard address, thus allowing remote
hosts to connect to forwarded ports.
The argument must be 'yes' or 'no'.
The default is 'no'.
Enumerations:
  • yes (1)
  • no (2)
UseLogin
Specifies whether login(1) is used for interactive login
sessions.
The default is 'yes'.
Note that login(1) is never used for remote command execution.
Note also, that if this is enabled, X11Forwarding will be
disabled because login(1) does not know how to handle
xauth(1) cookies.
Enumerations:
  • yes (1)
  • no (2)
X11Forwarding
Specifies whether X11 forwarding is permitted.
The default is 'no'.
X11 forwarding is automatically disabled
if UseLogin is enabled.
Enumerations:
  • yes (1)
  • no (2)
X11DisplayOffset
Specifies the first display number available for
sshd's X11 forwarding. This prevents sshd from
interfering with real X11 servers.
The default is 10.
PrintMotd
Specifies whether sshd should print 'motd' when a user
logs in interactively. (On some systems it is also printed
by the shell, /etc/profile, or equivalent.)
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)
Banner
In some jurisdictions, sending a warning message before
authentication may be relevant for getting legal protection.
The contents of the specified file are sent to the remote user
before authentication is allowed.
This option is only available for protocol version 2.
PrintLastLog
Specifies whether sshd should print the date and time
when the user last logged in.
The default is 'yes'.
Enumerations:
  • yes (1)
  • no (2)
LastLogin
In some jurisdictions, sending a warning message before
authentication may be relevant for getting legal protection.
The contents of the specified file are sent to the remote user
before authentication is allowed.
This option is only available for protocol version 2.


Copyright ©2003 by BinTec Access Networks GmbH