-- This file is corresponding to Release 9.1.10.101 from 2014/08/11 00:00:00
|
|
|
|
|
|
-- (C)opyright 1999-2014 bintec elmeg GmbH
|
|
-- $RCSfile: mibssh,v $
|
|
-- $Revision: 1.11 $
|
|
|
|
BIANCA-BRICK-SSH-MIB DEFINITIONS ::= BEGIN
|
|
IMPORTS
|
|
IpAddress, Counter, TimeTicks, enterprises
|
|
FROM RFC1155-SMI
|
|
|
|
DisplayString
|
|
FROM RFC1158-MIB
|
|
|
|
Date, BitValue, HexValue
|
|
FROM BINTEC-MIB
|
|
|
|
OBJECT-TYPE
|
|
FROM RFC-1212;
|
|
|
|
bintec OBJECT IDENTIFIER ::= { enterprises 272 }
|
|
bibo OBJECT IDENTIFIER ::= { bintec 4 }
|
|
|
|
-- Management Information for the SSH Subsystem of the BIANCA/BRICK.
|
|
ssh OBJECT IDENTIFIER
|
|
::= { bibo 44 }
|
|
|
|
|
|
-- Global SSH Daemon Settings
-- Note: every object in this group is ACCESS read-write, so SNMP write
-- access to the device is equivalent to administering the SSH
-- authentication and forwarding policy defined below.
|
|
|
|
sshDaemonCfg OBJECT IDENTIFIER ::= { ssh 1 }
|
|
|
|
sshdCfgPort OBJECT-TYPE
|
|
SYNTAX INTEGER(1..65535)
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies the port on which the server listens
|
|
for connections (default: 22)."
|
|
DEFVAL { 22 }
|
|
::= { sshDaemonCfg 1 }
|
|
|
|
sshdCfgLoginGraceTime OBJECT-TYPE
|
|
SYNTAX INTEGER(10..65535)
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Gives the grace time for clients to authenticate themselves
|
|
(default 600 seconds). If the client fails to authenticate
|
|
the user within this many seconds, the server disconnects.
|
|
This timer can't be disabled for security reasons."
|
|
DEFVAL { 600 }
|
|
::= { sshDaemonCfg 2 }
|
|
|
|
sshdCfgHostbasedAuthentication OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether ssh_known_hosts authentication together with
|
|
successful public key client host authentication is
|
|
allowed (hostbased authentication).
|
|
This option applies to protocol version 2 only.
|
|
The default is 'no'."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 3 }
|
|
|
|
sshdCfgPubkeyAuthentication OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether public key authentication is allowed.
|
|
The default is 'yes'.
|
|
Note that this option applies to protocol version 2 only."
|
|
DEFVAL { yes }
|
|
::= { sshDaemonCfg 4 }
|
|
|
|
sshdCfgPasswordAuthentication OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether password authentication is allowed.
|
|
The default is 'yes'."
|
|
DEFVAL { yes }
|
|
::= { sshDaemonCfg 5 }
|
|
|
|
sshdCfgChallengeResponseAuthentication OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether challenge response authentication is allowed.
|
|
The default is 'yes'."
|
|
DEFVAL { yes }
|
|
::= { sshDaemonCfg 6 }
|
|
|
|
sshdCfgKeepAlives OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether the system should send keepalive messages to
|
|
the other side. If they are sent, death of the connection or
|
|
crash of one of the machines will be properly noticed. However,
|
|
this means that connections will die if the route is down
temporarily, and some people find it annoying. On the other hand,
|
|
if keepalives are not sent, sessions may hang indefinitely on
|
|
the server, leaving 'ghost' users and consuming server
|
|
resources.
|
|
|
|
The default is 'yes' (to send keepalives), and the server will
|
|
notice if the network goes down or the client host reboots.
|
|
This avoids infinitely hanging sessions.
|
|
|
|
To disable keepalives, the value should be set to 'no' in both
|
|
the server and the client configuration files."
|
|
DEFVAL { yes }
|
|
::= { sshDaemonCfg 7 }
|
|
|
|
sshdCfgPermitEmptyPasswd OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"When password authentication is allowed, it specifies
|
|
whether the server allows login to accounts with empty
|
|
password strings.
|
|
The default is 'no'."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 8 }
|
|
|
|
sshdCfgCompression OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Enables/disables the general use of compression."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 9 }
|
|
|
|
sshdCfgVerifyReverseMapping OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether sshd should try to verify the remote
|
|
host name and check that the resolved host name for the
|
|
remote IP address maps back to the very same IP address.
|
|
The default is 'no'."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 10 }
|
|
|
|
sshdCfgLogFacility OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
daemon(1),
|
|
user(2),
|
|
auth(3),
|
|
authPriv(4),
|
|
local0(7),
|
|
local1(8),
|
|
local2(9),
|
|
local3(10),
|
|
local4(11),
|
|
local5(12),
|
|
local6(13),
|
|
local7(14)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Gives the facility code that is used when logging messages
|
|
from sshd. The possible values are: 'daemon', 'user', 'auth',
|
|
'local0', 'local1', 'local2', 'local3', 'local4', 'local5',
|
|
'local6', 'local7'.
|
|
The default is 'auth'."
|
|
DEFVAL { auth }
|
|
::= { sshDaemonCfg 11 }
|
|
|
|
sshdCfgLogLevel OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
quiet(1),
|
|
fatal(2),
|
|
error(3),
|
|
info(4),
|
|
verbose(5),
|
|
debug1(6),
|
|
debug2(7),
|
|
debug3(8)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Gives the verbosity level that is used when logging messages
|
|
from sshd. The possible values are: 'quiet', 'fatal', 'error',
|
|
'info', 'verbose', 'debug1', 'debug2' and 'debug3'.
|
|
The default is 'info'.
|
|
Logging with level 'debug' violates the privacy of users
|
|
and is not recommended."
|
|
DEFVAL { info }
|
|
::= { sshDaemonCfg 12 }
|
|
|
|
sshdCfgCiphers OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies the ciphers allowed for protocol version 2.
|
|
Multiple ciphers must be comma-separated.
|
|
The default is
|
|
'aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour'."
|
|
DEFVAL { "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour" }
|
|
::= { sshDaemonCfg 13 }
|
|
|
|
sshdCfgMacs OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies the available MAC (message authentication code)
|
|
algorithms. The MAC algorithm is used in protocol version 2
|
|
for data integrity protection. Multiple algorithms must be
|
|
comma-separated. The default is
|
|
'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'."
|
|
DEFVAL { "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96" }
|
|
::= { sshDaemonCfg 14 }
|
|
|
|
sshdCfgProtocol OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies the protocol versions sshd should support.
|
|
The possible values are '1' and '2'. Multiple versions
|
|
must be comma separated. Currently only protocol version 2
|
|
is supported by the BinTec implementation.
|
|
The default is '2'."
|
|
DEFVAL { "2" }
|
|
::= { sshDaemonCfg 15 }
|
|
|
|
sshdCfgMaxClients OBJECT-TYPE
|
|
SYNTAX INTEGER(1..100)
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies the maximum number of concurrent unauthenticated
|
|
connections to the sshd daemon. Additional connections will
|
|
be dropped until authentication succeeds or the LoginGraceTime
|
|
expires for a connection.
|
|
The default is 1."
|
|
DEFVAL { 1 }
|
|
::= { sshDaemonCfg 16 }
|
|
|
|
sshdCfgClientAliveInterval OBJECT-TYPE
|
|
SYNTAX INTEGER(1..3600)
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Sets a timeout interval in seconds after which if no data has
|
|
been received from the client, sshd will send a message through
|
|
the encrypted channel to request a response from the client.
|
|
The default is 0, indicating that these messages will not be
sent to the client. (Note: the DEFVAL of this object is 10 and its
SYNTAX range is 1..3600, so 0 is not a settable value here; the
sentence above appears to be carried over from the sshd manual and
should be checked against the device's actual behaviour.)
|
|
This option applies to protocol version 2 only."
|
|
DEFVAL { 10 }
|
|
::= { sshDaemonCfg 17 }
|
|
|
|
sshdCfgClientAliveCountMax OBJECT-TYPE
|
|
SYNTAX INTEGER(0..10)
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Sets the number of client alive messages (see above) which
|
|
may be sent without sshd receiving any messages back from
|
|
the client. If this threshold is reached while client alive
|
|
messages are being sent, sshd will disconnect the client,
|
|
terminating the session.
|
|
It is important to note that the use of client alive messages
|
|
is very different from KeepAlive (above). The client alive
|
|
messages are sent through the encrypted channel and therefore
|
|
will not be spoofable. The TCP keepalive option enabled by
|
|
KeepAlive is spoofable. The client alive mechanism is valuable
|
|
when the client or server depend on knowing when a connection
|
|
has become inactive.
|
|
|
|
The default value is 3.
|
|
If ClientAliveInterval (above) is set to 15, and
|
|
ClientAliveCountMax is left at the default, unresponsive ssh
|
|
clients will be disconnected after approximately 45 seconds."
|
|
DEFVAL { 3 }
|
|
::= { sshDaemonCfg 18 }
|
|
|
|
sshdCfgAllowTcpForwarding OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether TCP forwarding is permitted.
|
|
The default is 'no'."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 19 }
|
|
|
|
sshdCfgGatewayPorts OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether remote hosts are allowed to connect to ports
|
|
forwarded for the client. By default, sshd binds remote port
|
|
forwardings to the loopback address. This prevents other
|
|
remote hosts from connecting to forwarded ports. GatewayPorts
|
|
can be used to specify that sshd should bind remote port
|
|
forwardings to the wildcard address, thus allowing remote
|
|
hosts to connect to forwarded ports.
|
|
The argument must be 'yes' or 'no'.
|
|
The default is 'no'."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 20 }
|
|
|
|
sshdCfgUseLogin OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether login(1) is used for interactive login
|
|
sessions.
|
|
The default is 'yes'.
|
|
Note that login(1) is never used for remote command execution.
|
|
Note also, that if this is enabled, X11Forwarding will be
|
|
disabled because login(1) does not know how to handle
|
|
xauth(1) cookies."
|
|
DEFVAL { yes }
|
|
::= { sshDaemonCfg 21 }
|
|
|
|
sshdCfgX11Forwarding OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether X11 forwarding is permitted.
|
|
The default is 'no'.
|
|
X11 forwarding is automatically disabled
|
|
if UseLogin is enabled."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 22 }
|
|
|
|
sshdCfgX11DisplayOffset OBJECT-TYPE
|
|
SYNTAX INTEGER(0..65535)
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies the first display number available for
|
|
sshd's X11 forwarding. This prevents sshd from
|
|
interfering with real X11 servers.
|
|
The default is 10."
|
|
DEFVAL { 10 }
|
|
::= { sshDaemonCfg 23 }
|
|
|
|
sshdCfgPrintMotd OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether sshd should print 'motd' when a user
|
|
logs in interactively. (On some systems it is also printed
|
|
by the shell, /etc/profile, or equivalent.)
|
|
The default is 'yes'."
|
|
DEFVAL { yes }
|
|
::= { sshDaemonCfg 32 }
|
|
|
|
sshdCfgBanner OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"In some jurisdictions, sending a warning message before
|
|
authentication may be relevant for getting legal protection.
|
|
The contents of the specified file are sent to the remote user
|
|
before authentication is allowed.
|
|
This option is only available for protocol version 2."
|
|
DEFVAL { "" }
|
|
::= { sshDaemonCfg 33 }
|
|
|
|
sshdCfgPrintLastLog OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
yes(1),
|
|
no(2)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"Specifies whether sshd should print the date and time
|
|
when the user last logged in.
|
|
The default is 'no'."
|
|
DEFVAL { no }
|
|
::= { sshDaemonCfg 34 }
|
|
|
|
sshdCfgLastLogin OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"In some jurisdictions, sending a warning message before
|
|
authentication may be relevant for getting legal protection.
|
|
The contents of the specified file are sent to the remote user
|
|
before authentication is allowed.
|
|
This option is only available for protocol version 2."
|
|
DEFVAL { "" }
|
|
::= { sshDaemonCfg 35 }
|
|
|
|
-- End Global SSH Daemon Settings
|
|
|
|
|
|
-- SSHD Active Session Table
|
|
|
|
sshdSessionTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF SshdSessionEntry
|
|
ACCESS not-accessible
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The sshdSessionTable contains information about the
|
|
currently connected clients handled by the BinTec ssh Daemon."
|
|
::= { ssh 2 }
|
|
|
|
sshdSessionEntry OBJECT-TYPE
|
|
SYNTAX SshdSessionEntry
|
|
ACCESS not-accessible
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"A list of the currently active clients of sshd."
|
|
INDEX { sshdSessionIpAddr, sshdSessionIpPort }
|
|
::= { sshdSessionTable 1 }
|
|
|
|
SshdSessionEntry ::=
|
|
SEQUENCE {
|
|
sshdSessionTimeStamp Date,
|
|
sshdSessionState INTEGER,
|
|
sshdSessionIpAddr IpAddress,
|
|
sshdSessionIpPort INTEGER,
|
|
sshdSessionCipher DisplayString,
|
|
sshdSessionMac DisplayString,
|
|
sshdSessionBytesIn INTEGER,
|
|
sshdSessionBytesOut INTEGER,
|
|
sshdSessionUserName DisplayString,
|
|
sshdSessionCompression DisplayString
|
|
}
|
|
|
|
sshdSessionTimeStamp OBJECT-TYPE
|
|
SYNTAX Date
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The timestamp for the TCP connection establishment."
|
|
::= { sshdSessionEntry 1 }
|
|
|
|
sshdSessionState OBJECT-TYPE
|
|
SYNTAX INTEGER{
|
|
new(1),
|
|
authenticating(2),
|
|
connected(3),
|
|
disconnecting(4),
|
|
delete(15)
|
|
}
|
|
ACCESS read-write
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The connection state of this client. This object is read-write;
the delete(15) value is presumably the administrative way to tear
a session down (not confirmed by this MIB alone), so SNMP write
access to this table should be restricted accordingly."
|
|
DEFVAL { new }
|
|
::= { sshdSessionEntry 2 }
|
|
|
|
sshdSessionIpAddr OBJECT-TYPE
|
|
SYNTAX IpAddress
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The IP address of this client."
|
|
::= { sshdSessionEntry 3 }
|
|
|
|
sshdSessionIpPort OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The associated port # of this client."
|
|
::= { sshdSessionEntry 4 }
|
|
|
|
sshdSessionCipher OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The cipher negotiated with this client."
|
|
::= { sshdSessionEntry 5 }
|
|
|
|
sshdSessionMac OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The MAC (message authentication code)
|
|
negotiated with this client."
|
|
::= { sshdSessionEntry 6 }
|
|
|
|
sshdSessionBytesIn OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The # of bytes received from this client."
|
|
::= { sshdSessionEntry 7 }
|
|
|
|
sshdSessionBytesOut OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The # of bytes sent to this client."
|
|
::= { sshdSessionEntry 8 }
|
|
|
|
sshdSessionUserName OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The account used for the client's successful login."
|
|
::= { sshdSessionEntry 9 }
|
|
|
|
sshdSessionCompression OBJECT-TYPE
|
|
SYNTAX DisplayString
|
|
ACCESS read-only
|
|
STATUS mandatory
|
|
DESCRIPTION
|
|
"The compression algorithm negotiated with this client."
|
|
::= { sshdSessionEntry 10 }
|
|
|
|
|
|
-- End SSHD Active Session Table
|
|
|
|
|
|
END
|