The DTD of the broker configuration file is shown below:
<!-- -->
<!-- -->
<!-- secsh-broker.dtd -->
<!-- -->
<!-- Author: Arttu Kuukankorpi <kuukanko@ssh.com> -->
<!-- -->
<!-- Copyright (c) 2004 SSH Communications Security, Finland -->
<!-- All rights reserved. -->
<!-- -->
<!-- Document type definition for SecSh broker XML configuration -->
<!-- files. -->
<!-- -->
<!-- Reviewer notes on reading this DTD: -->
<!--  * Every boolean attribute is the enumeration (yes|no|YES|NO); a validating -->
<!--    parser rejects other spellings such as "Yes" or "true". -->
<!--  * Attributes declared CDATA are free text: the DTD constrains neither their -->
<!--    format (ports, URLs, byte counts, time values) nor, for the profile -->
<!--    references (profile/@gateway-profile, tunnel/@profile), that the value -->
<!--    names an existing profile. Those checks, if any, live in the broker. -->
<!--  * Whether the broker validates its configuration against this DTD is not -->
<!--    established by this file; treat the defaults below as documented intent, -->
<!--    not as a guarantee of runtime behaviour. -->
<!-- -->

<!-- The top-level element. Every child is optional, so an empty -->
<!-- <secsh-broker/> is a valid configuration. -->
<!ELEMENT secsh-broker (general?,default-settings?,profiles?, static-tunnels?,gui?, filter-engine?,logging?)>
<!-- version: free text; the DTD does not tie it to a schema revision. -->
<!ATTLIST secsh-broker version CDATA #IMPLIED>

<!-- General element: crypto library, PKI validation, key stores and host key policy. -->
<!ELEMENT general (crypto-lib?,cert-validation?,key-stores?, strict-host-key-checking?, host-key-always-ask?)>

<!-- Crypto-lib. mode defaults to "standard"; "fips" is the only alternative. -->
<!-- Presumably "fips" restricts the algorithms offered to the FIPS-approved set; -->
<!-- the DTD does not say which, so verify against the broker documentation. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib mode (fips|standard) "standard">

<!-- PKI. Certificate validation sources: LDAP servers, OCSP responders, an -->
<!-- optional DoD PKI switch, and the trusted CA certificates. -->
<!-- end-point-identity-check defaults to "yes". Setting it to "no" presumably -->
<!-- stops the broker from matching the server certificate against the host it -->
<!-- connected to, which would let any certificate from a trusted CA pass; keep -->
<!-- it at "yes" unless there is a specific reason (TODO confirm semantics). -->
<!-- http-proxy-url / socks-server-url: free-text proxy locations for the -->
<!-- validation lookups; the DTD imposes no format. -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,dod-pki?,ca-certificate*)>
<!ATTLIST cert-validation
    end-point-identity-check (yes|no|YES|NO) "yes"
    default-domain CDATA #IMPLIED
    http-proxy-url CDATA #IMPLIED
    socks-server-url CDATA #IMPLIED>

<!-- LDAP server used for PKI lookups. port defaults to "389", i.e. plain LDAP; -->
<!-- nothing here selects LDAPS. CRLs and certificates fetched this way are -->
<!-- signed objects, so the exposure is availability and observability rather -->
<!-- than tampering (assumes the broker verifies the signatures; not shown here). -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server address CDATA #REQUIRED port CDATA "389">

<!-- OCSP responder. validity-period defaults to "0"; its unit and meaning are -->
<!-- not defined by the DTD (presumably how long a response is cached; confirm). -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder url CDATA #REQUIRED validity-period CDATA "0">

<!-- CA certificates. The certificate is given either inline as element text -->
<!-- (#PCDATA) or via the file attribute; the DTD cannot require exactly one. -->
<!-- disable-crls="yes" turns off revocation checking for certificates issued -->
<!-- under this CA: a security downgrade, leave it at the default "no". -->
<!-- use-expired-crls is numeric (default "0"); presumably a grace period during -->
<!-- which an expired CRL is still accepted, unit not defined here (TODO confirm). -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate name CDATA #REQUIRED file CDATA #IMPLIED disable-crls (yes|no|YES|NO) "no" use-expired-crls CDATA "0" >

<!-- Enable DoD PKI compliance. Off by default. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki enable (yes|no|YES|NO) "no" >

<!-- Key stores. type is required; init is an opaque, type-specific -->
<!-- initialisation string whose contents the DTD does not interpret. -->
<!-- NOTE(review): if init can carry a PIN or passphrase, the configuration -->
<!-- file itself becomes a secret and needs matching file permissions; confirm. -->
<!ELEMENT key-stores (key-store*)>
<!ELEMENT key-store EMPTY>
<!ATTLIST key-store type CDATA #REQUIRED init CDATA #IMPLIED>

<!-- Host key policy. Both enable attributes are #REQUIRED, so a configuration -->
<!-- that includes either element must state the choice explicitly; there is no -->
<!-- DTD-level default. Presumably enable="no" on strict-host-key-checking lets -->
<!-- connections to hosts with unknown or changed keys proceed, which removes -->
<!-- the protection against man-in-the-middle key substitution (confirm). -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking enable (yes|no|YES|NO) #REQUIRED>
<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask enable (yes|no|YES|NO) #REQUIRED>

<!-- Default settings element. The same children may also appear inside a -->
<!-- profile; the DTD does not state precedence, but the name suggests profile -->
<!-- values override these (TODO confirm). -->
<!ELEMENT default-settings (ciphers?, macs?, transport-distribution?, rekey?, authentication-methods?, compression?, proxy?, idle-timeout?, server-banners?, forwards?)>

<!-- Server banners. visible defaults to "yes". -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners visible (yes|no|YES|NO) "yes">

<!-- Ciphers element: list of cipher names. name is free text, so the DTD does -->
<!-- not restrict the list to known or strong algorithms. -->
<!ELEMENT ciphers (cipher*)>
<!-- Cipher. -->
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher name CDATA #REQUIRED>

<!-- Macs element: list of MAC names; same caveat as ciphers. -->
<!ELEMENT macs (mac*)>
<!-- Mac. -->
<!ELEMENT mac EMPTY>
<!ATTLIST mac name CDATA #REQUIRED>

<!-- Rekey. bytes defaults to "0"; whether "0" means "use the built-in -->
<!-- interval" or "never rekey" is not defined here. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey bytes CDATA "0">

<!-- Authentication methods element: list of methods. -->
<!ELEMENT authentication-methods (authentication-method*)>

<!-- Transport distribution. num-transports is required and unconstrained text. -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution num-transports CDATA #REQUIRED>

<!-- Auth-method. response / response-file allow a canned response to the -->
<!-- method to be stored in, or referenced from, the configuration. -->
<!-- NOTE(review): if the response is a password or passphrase it sits in -->
<!-- clear text on disk; restrict file permissions and prefer response-file -->
<!-- pointing at a separately protected file. The DTD cannot forbid giving -->
<!-- both attributes at once. -->
<!ELEMENT authentication-method EMPTY>
<!ATTLIST authentication-method name CDATA #REQUIRED response CDATA #IMPLIED response-file CDATA #IMPLIED>

<!-- Proxy. ruleset is required; its syntax is not defined by the DTD. -->
<!ELEMENT proxy EMPTY>
<!ATTLIST proxy ruleset CDATA #REQUIRED>

<!-- Idle timeout. Only type "connection" exists; time is free text -->
<!-- (unit not defined here). -->
<!ELEMENT idle-timeout EMPTY>
<!ATTLIST idle-timeout type (connection) "connection" time CDATA #IMPLIED>

<!-- Forwards element. -->
<!ELEMENT forwards (forward*)>
<!-- Forward: X11 or agent forwarding, each explicitly on, off or denied. -->
<!-- The difference between "off" and "denied" is not defined by the DTD; -->
<!-- presumably "denied" also blocks enabling it elsewhere (confirm). Agent -->
<!-- forwarding exposes the local agent to the server, so "on" is only -->
<!-- appropriate for trusted hosts. -->
<!ELEMENT forward EMPTY>
<!ATTLIST forward type (x11|agent) #REQUIRED state (on|off|denied) #REQUIRED>

<!-- Compression. Both attributes optional, no DTD default. -->
<!ELEMENT compression EMPTY>
<!ATTLIST compression name CDATA #IMPLIED level CDATA #IMPLIED>

<!-- Profiles element. -->
<!ELEMENT profiles (profile*)>
<!-- Profile element. id is an XML ID (unique within the document and must be -->
<!-- a valid name token). gateway-profile is plain CDATA, not IDREF, so the -->
<!-- DTD does not check that it names an existing profile. port defaults to -->
<!-- "22"; connect-on-startup defaults to "no". -->
<!ELEMENT profile (hostkey?, ciphers?, macs?, transport-distribution?, rekey?, authentication-methods?, compression?, proxy?, idle-timeout?, server-banners?, forwards?, tunnels?)>
<!ATTLIST profile
    id ID #REQUIRED
    name CDATA #IMPLIED
    host CDATA #IMPLIED
    port CDATA "22"
    connect-on-startup (yes|no|YES|NO) "no"
    user CDATA #IMPLIED
    gateway-profile CDATA #IMPLIED>

<!-- Hostkey. Per-profile server host key, inline (#PCDATA) or from file. -->
<!-- Presumably pins the expected key for this profile's host (confirm). -->
<!ELEMENT hostkey (#PCDATA)>
<!ATTLIST hostkey file CDATA #IMPLIED>

<!-- Tunnels element. The content model is a sequence: all local-tunnel -->
<!-- elements must precede any remote-tunnel elements. -->
<!ELEMENT tunnels (local-tunnel*,remote-tunnel*)>
<!-- Local tunnel. dst-host defaults to "127.0.0.1". allow-relay defaults to -->
<!-- "no"; presumably "yes" lets hosts other than the local machine connect to -->
<!-- the listener, turning it into an open relay through the SSH connection -->
<!-- (TODO confirm). -->
<!ELEMENT local-tunnel EMPTY>
<!ATTLIST local-tunnel type CDATA #IMPLIED listen-port CDATA #IMPLIED dst-host CDATA "127.0.0.1" dst-port CDATA #IMPLIED allow-relay (yes|no|YES|NO) "no">
<!-- Remote tunnel. Same attributes and defaults as local-tunnel. -->
<!ELEMENT remote-tunnel EMPTY>
<!ATTLIST remote-tunnel type CDATA #IMPLIED listen-port CDATA #IMPLIED dst-host CDATA "127.0.0.1" dst-port CDATA #IMPLIED allow-relay (yes|no|YES|NO) "no">

<!-- Static tunnels element: tunnels that name a profile instead of being -->
<!-- listed inside one. -->
<!ELEMENT static-tunnels (tunnel*)>
<!-- Tunnel. Unlike local-tunnel/remote-tunnel, dst-host has no default here. -->
<!-- profile is CDATA, not IDREF, so a typo is not caught by validation. -->
<!ELEMENT tunnel EMPTY>
<!ATTLIST tunnel type CDATA #IMPLIED listen-port CDATA #IMPLIED dst-host CDATA #IMPLIED dst-port CDATA #IMPLIED allow-relay (yes|no|YES|NO) "no" profile CDATA #IMPLIED>

<!-- GUI. All attributes optional with no DTD default. -->
<!-- show-security-notification presumably controls whether the user is warned -->
<!-- about security-relevant events; hiding it trades visibility for convenience. -->
<!ELEMENT gui EMPTY>
<!ATTLIST gui
    hide-tray-icon (yes|no|YES|NO) #IMPLIED
    show-exit-button (yes|no|YES|NO) #IMPLIED
    show-admin (yes|no|YES|NO) #IMPLIED
    enable-connector (yes|no|YES|NO) #IMPLIED
    show-security-notification (yes|no|YES|NO) #IMPLIED>

<!-- Filter engine. A network entry carries an address and domain, a dns entry -->
<!-- a host name with an optional (pseudo) IP, and a filter ties ports and an -->
<!-- action to a dns entry. network and dns carry XML IDs; dns/@network-id and -->
<!-- filter/@dns-id are IDREFs, so a validating parser does check that they -->
<!-- refer to declared ids. -->
<!ELEMENT filter-engine (network|dns|filter)*>
<!ATTLIST filter-engine ip-generate-start CDATA #IMPLIED>
<!ELEMENT network EMPTY>
<!ATTLIST network id ID #REQUIRED address CDATA #IMPLIED domain CDATA #IMPLIED ip-generate-start CDATA #IMPLIED>
<!ELEMENT dns EMPTY>
<!ATTLIST dns id ID #REQUIRED network-id IDREF #IMPLIED application CDATA #IMPLIED host CDATA #REQUIRED ip-address CDATA #IMPLIED pseudo-ip (yes|no|YES|NO) "no">
<!-- Filter. action is free text, not an enumeration. fallback-to-plain -->
<!-- defaults to "no"; presumably "yes" lets the application connect directly, -->
<!-- without the SSH tunnel, when the tunnel cannot be set up, i.e. a silent -->
<!-- fall back to cleartext. Keep "no" for anything carrying sensitive data -->
<!-- (TODO confirm). -->
<!ELEMENT filter EMPTY>
<!ATTLIST filter dns-id IDREF #REQUIRED ports CDATA #REQUIRED action CDATA #REQUIRED fallback-to-plain (yes|no|YES|NO) "no">

<!-- Logging. -->
<!ELEMENT logging (log-events*)>
<!-- Log-events -->
<!-- Log event facility: parameter entity holding the quoted default "normal". -->
<!ENTITY % default-log-event-facility '"normal"'>
<!-- Log event severity: parameter entity holding the quoted default "notice". -->
<!ENTITY % default-log-event-severity '"notice"'>
<!-- log-events: the element text selects which events the entry applies to -->
<!-- (syntax not defined here). The "discard" facility presumably drops the -->
<!-- matched events; since security-success / security-failure are among the -->
<!-- severities, discarding them silences audit-relevant records. -->
<!ELEMENT log-events (#PCDATA)>
<!ATTLIST log-events facility (normal|daemon|user|auth|local0|local1| local2|local3|local4|local5|local6|local7|discard) %default-log-event-facility; severity (informational|notice|warning|error|critical| security-success|security-failure) %default-log-event-severity;>