sshmngr: update docs to reflect updated options

* new options added: Ciphers, HostKeyAlgorithms, HostKeyFiles, KexAlgorithms * info about migrating from dropbear added

sshmngr: update docs to reflect updated options
e8c1d600 · Husaam Mehdi · d3734864 · e8c1d600
Commit e8c1d600 authored May 5, 2024 by Husaam Mehdi
--- a/docs/guide/sshd_as_backend.md
+++ b/docs/guide/sshd_as_backend.md
@@ -3,6 +3,19 @@
 The ssh daemon provided by OpenSSH is called sshd. This document provides an outline of its behaviour,
 to aid understand the behaviour and configuration when using sshd as backend for sshmngr.

+## Migration from dropbear
+
+If a system is upgraded with an image with sshd as backend, then:
+
+- sshd will check for dropbear config file on first start up, for example if an upgrade was done without defaultreset (i.e., keep settings) and dropbear was present in the previous image.
+
+If a dropbear config is found, sshd will:
+
+- try to generate an sshd config as similar as possible to the dropbear config, and then remove the dropbear config file
+- copy the /etc/dropbear/authorized_keys file to the place where sshd expects them, and then remove the dropbear authorized_keys
+
+Otherwise system will come up with the default sshd config, given further in this document.
+
 ## Configuration

 - The UCI file for sshd is called "sshd".
@@ -16,20 +29,30 @@ to aid understand the behaviour and configuration when using sshd as backend for

 | Name              | Type          | Default     | Description |
 | :---              | :----:        | :---:       | :---        |
-| AllowUsers       | string   | empty       | username allowed to log in, no value means all users |
+| AllowUsers        | list (string) | empty       | usernames allowed to log in, no value means all users |
 | BannerFile        | string        | empty       | the path to the file containing the banner used in ssh |
+| Ciphers           | list (string) | empty       | the Ciphers that can be used, no value means all |
 | enable            | bool          | true        | whether this server is enabled or not |
 | GatewayPorts      | bool          | false       | whether remote hosts are allowed to connect to forwarded ports |
+| HostKeyAlgorithms | list (string) | empty       | the HostKeyAlgorithms that can be used, no value means all |
+| HostKeyFiles      | list (string) | empty       | the file(s) pointing to HostKey(s), no value means sshd default |
+| IdleTimeout       | number        | 0           | how many seconds before unresponsive SSH clients will be disconnected |
 | Interface         | string        | empty       | interface whose address to bind to, no value means all interfaces |
-| MacAlgorithms    | string   | empty       | the available MAC (message authentication code) algorithm, no value means all |
+| KexAlgorithms     | list (string) | empty       | the KexAlgorithms that can be used |
+| MacAlgorithms     | list (string) | empty       | the available MAC (message authentication code) algorithm, no value means all |
 | MaxAuthTries      | number        | 6           | number of authentication attempts allowed |
+| mdns              | bool          | true        | whether to announce an ssh service over mdns |
 | PasswordAuth      | bool          | true        | whether to allow password based authentication |
 | Port              | number        | 22          | port to listen on |
-| PublishOverMdns  | bool     | true        | whether to announce an ssh service over mdns |
 | RootLogin         | bool          | true        | whether to allow authentication for root |
 | RootPasswordAuth  | bool          | true        | whether to allow password based authentication for root |

- There is a iowrt default config with which the device comes up, which is different and as follows:
+- For more details about these options please follow *sshd_config* manual page.
+
+### IOWRT default sshd config
+
+- There is an iowrt default config with which the device comes up, which is different and as follows:
+
 ```
 config sshd
        option enable '1'
@@ -41,8 +64,33 @@ config sshd
        list MacAlgorithms 'hmac-sha1'
        list MacAlgorithms 'hmac-sha2-256'
        list MacAlgorithms 'hmac-sha2-512'
+        list Ciphers 'aes128-ctr'
+        list Ciphers 'aes192-ctr'
+        list Ciphers 'aes256-ctr'
+        list HostKeyAlgorithms 'ecdsa-sha2-nistp256'
+        list HostKeyAlgorithms 'ecdsa-sha2-nistp384'
+        list HostKeyAlgorithms 'ecdsa-sha2-nistp521'
+        list HostKeyAlgorithms 'ssh-rsa'
+        list HostKeyAlgorithms 'ssh-dss'
+        list KexAlgorithms 'ecdh-sha2-nistp256'
+        list KexAlgorithms 'ecdh-sha2-nistp384'
+        list KexAlgorithms 'ecdh-sha2-nistp521'
+        list KexAlgorithms 'diffie-hellman-group14-sha1'
+        list KexAlgorithms 'diffie-hellman-group-exchange-sha256'
+```
+
+- Please note that the following options are not configurable via TR181 and hence must be properly set in the customer default UCI config or represented by vendor extensions:
+
+```
+1. AllowUsers
+2. BannerFile
+3. MacAlgorithms
+4. Ciphers
+5. GatewayPorts
+6. HostKeyAlgorithms
+7. HostKeyFiles
+8. KexAlgorithms
 ```
- Please note that the options AllowUsers and MacAlgorithms are not configurable via TR181 and hence must be properly set in the customer default UCI config or represented by vendor extensions.

 ### AuthorizedKeys