The DTD (document type definition) of the Connection Broker configuration file is shown below:
<!-- secsh-broker.dtd -->
<!-- -->
<!-- Copyright (c) 2004-2007 SSH Communications Security, Finland -->
<!-- All rights reserved. -->
<!-- -->
<!-- Document type definition for the Connection Broker XML -->
<!-- configuration files. -->
<!-- -->
<!-- The top-level element. Every child is optional, but the content
     model is a sequence, so the children that are present must appear
     in this order: general, default-settings, profiles, static-tunnels,
     gui, filter-engine, logging. -->
<!ELEMENT secsh-broker (general?,default-settings?,profiles?,
static-tunnels?,gui?,
filter-engine?,logging?)>
<!-- version is optional free text; nothing in this DTD constrains it. -->
<!ATTLIST secsh-broker
version CDATA #IMPLIED>
<!-- General element: crypto library, PKI settings, key stores and the
     host key policy. Sequence content model, so the children keep this
     order; each is optional. The three host key policy elements
     (strict-host-key-checking, host-key-always-ask,
     accept-unknown-host-keys) each carry a #REQUIRED enable flag, so
     the DTD itself supplies no default policy for any of them. -->
<!ELEMENT general (crypto-lib?,cert-validation?,key-stores?,
strict-host-key-checking?,host-key-always-ask?,
accept-unknown-host-keys?,known-hosts?)>
<!-- Cryptographic library. mode is an enumeration whose default is
     "standard", so FIPS mode is only in effect when mode="fips" is
     written explicitly in the configuration. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib
mode (fips|standard) "standard">
<!-- PKI settings. Sequence content model: any number of ldap-server,
     ocsp-responder and crl-prefetch entries, then an optional dod-pki,
     then any number of ca-certificate entries, in that order. -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,crl-prefetch*,
dod-pki?, ca-certificate*)>
<!-- end-point-identity-check defaults to "yes". DTD enumerations are
     case-sensitive, so only the four listed spellings validate.
     The domain, HTTP proxy and SOCKS server attributes are free text
     with no default. -->
<!ATTLIST cert-validation
end-point-identity-check (yes|no|YES|NO) "yes"
default-domain CDATA #IMPLIED
http-proxy-url CDATA #IMPLIED
socks-server-url CDATA #IMPLIED>
<!-- LDAP server used by certificate validation. The default port 389
     is the plain LDAP port; whether TLS is negotiated on it is not
     expressed anywhere in this DTD. -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server
address CDATA #REQUIRED
port CDATA "389">
<!-- OCSP responder. validity-period is free text defaulting to "0";
     its unit and meaning are not defined here (presumably how long a
     response stays valid, confirm against the product documentation). -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
url CDATA #REQUIRED
validity-period CDATA "0">
<!-- CRL prefetch: url is required, interval defaults to "3600". -->
<!ELEMENT crl-prefetch EMPTY>
<!ATTLIST crl-prefetch
interval CDATA "3600"
url CDATA #REQUIRED>
<!-- CA certificates. The element has text content and an optional
     file attribute, so a certificate can be supplied inline or by file
     path; name is required. disable-crls defaults to "no", so CRL
     checking stays on unless switched off per CA. use-expired-crls is
     CDATA rather than a yes/no flag and defaults to "0"; its unit is
     not defined here. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
name CDATA #REQUIRED
file CDATA #IMPLIED
disable-crls (yes|no|YES|NO) "no"
use-expired-crls CDATA "0" >
<!-- Enable DoD PKI compliancy. Off unless enable="yes" is written. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki
enable (yes|no|YES|NO) "no" >
<!-- Key stores: zero or more key-store entries. type is required and
     init is optional; both are free text, so the DTD does not restrict
     which store types or init strings are accepted. -->
<!ELEMENT key-stores (key-store*)>
<!ELEMENT key-store EMPTY>
<!ATTLIST key-store
type CDATA #REQUIRED
init CDATA #IMPLIED>
<!-- Host key policy. Each of the three elements below is empty and has
     a single enable attribute that is #REQUIRED: if the element is
     present it must state yes or no explicitly, and if it is absent the
     DTD says nothing about the behaviour. How the three flags combine
     is decided by the broker, not by this DTD. -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
enable (yes|no|YES|NO) #REQUIRED>
<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask
enable (yes|no|YES|NO) #REQUIRED>
<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
enable (yes|no|YES|NO) #REQUIRED>
<!-- Known hosts file location; path is required free text. -->
<!ELEMENT known-hosts EMPTY>
<!ATTLIST known-hosts
path CDATA #REQUIRED>
<!-- Default settings element. Sequence content model, all children
     optional, in this order. The profile element declared later repeats
     most of these children, so a profile can override them per
     connection. -->
<!ELEMENT default-settings (ciphers?, macs?,
transport-distribution?, rekey?,
authentication-methods?,
hostbased-default-domain?,
compression?, proxy?, idle-timeout?,
server-banners?, forwards?,
remote-environment?)>
<!-- Server banners. visible defaults to "yes". -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners
visible (yes|no|YES|NO) "yes">
<!-- Ciphers element: zero or more cipher entries. -->
<!ELEMENT ciphers (cipher*)>
<!-- Cipher. name is required free text, so the DTD does not restrict it
     to the algorithms the broker supports; an unsupported name is only
     caught by the broker itself. -->
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
name CDATA #REQUIRED>
<!-- Macs element: zero or more mac entries. -->
<!ELEMENT macs (mac*)>
<!-- Mac. As with cipher, name is unconstrained free text. -->
<!ELEMENT mac EMPTY>
<!ATTLIST mac
name CDATA #REQUIRED>
<!-- Rekey threshold in bytes, free text defaulting to "0". What "0"
     means (no byte-based rekey, or the broker's built-in value) is not
     defined here. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
bytes CDATA "0">
<!-- Hostbased default domain. name is required free text. -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
name CDATA #REQUIRED>
<!-- Authentication methods element: zero or more authentication-method
     entries (declared further below). -->
<!ELEMENT authentication-methods (authentication-method*)>
<!-- Remote environment element: zero or more environment entries. -->
<!ELEMENT remote-environment (environment*)>
<!-- One environment variable sent to the remote side. name and value
     are required; format defaults to "no" and its exact effect on value
     is not defined in this DTD. -->
<!ELEMENT environment EMPTY>
<!ATTLIST environment
name CDATA #REQUIRED
value CDATA #REQUIRED
format (yes|no|YES|NO) "no">
<!-- Transport distribution. num-transports is required free text; the
     DTD does not check that it is numeric. -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
num-transports CDATA #REQUIRED>
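<!-- Authentication method: one entry per method inside
     authentication-methods. name is required free text, so the DTD does
     not restrict it to the methods the broker supports. The closing ">"
     of this ATTLIST was missing in the listing, which makes every
     declaration after it unparseable. -->
<!ELEMENT authentication-method EMPTY>
<!ATTLIST authentication-method
name CDATA #REQUIRED>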
<!-- Proxy rules. ruleset is required free text; its syntax is not
     defined in this DTD. -->
<!ELEMENT proxy EMPTY>
<!ATTLIST proxy
ruleset CDATA #REQUIRED>
<!-- Idle timeout. type is a single-value enumeration, so only
     "connection" validates; time is optional free text with no default
     and no unit stated here. -->
<!ELEMENT idle-timeout EMPTY>
<!ATTLIST idle-timeout
type (connection) "connection"
time CDATA #IMPLIED>
<!-- Forwards element: zero or more forward entries. -->
<!ELEMENT forwards (forward*)>
<!-- Forward. type selects X11 or agent forwarding and state is one of
     on, off or denied; both are required, so a forward element never
     relies on a default. -->
<!ELEMENT forward EMPTY>
<!ATTLIST forward
type (x11|agent) #REQUIRED
state (on|off|denied) #REQUIRED>
<!-- Compression. name and level are optional free text. -->
<!ELEMENT compression EMPTY>
<!ATTLIST compression
name CDATA #IMPLIED
level CDATA #IMPLIED>
<!-- Profiles element: zero or more profile entries. -->
<!ELEMENT profiles (profile*)>
<!-- Connection profile. Sequence content model, all children optional,
     in this order; it repeats the default-settings children and adds
     hostkey and tunnels. -->
<!ELEMENT profile (hostkey?, ciphers?, macs?,
transport-distribution?, rekey?,
authentication-methods?,
compression?, proxy?, idle-timeout?,
server-banners?, forwards?, tunnels?,
remote-environment?)>
<!-- id is an XML ID: unique across the whole document and shared with
     the ID space of network elements. host is required; port defaults
     to "22" and connect-on-startup to "no". gateway-profile is CDATA,
     not IDREF, so a validating parser will not detect a reference to a
     profile id that does not exist; the broker must check that. -->
<!ATTLIST profile
id ID #REQUIRED
name CDATA #IMPLIED
host CDATA #REQUIRED
port CDATA "22"
connect-on-startup (yes|no|YES|NO) "no"
user CDATA #IMPLIED
gateway-profile CDATA #IMPLIED>
<!-- Hostkey. The element has text content and an optional file
     attribute, so the key can be given inline or by file path. -->
<!ELEMENT hostkey (#PCDATA)>
<!ATTLIST hostkey
file CDATA #IMPLIED>
<!-- Tunnels element. Sequence: all local-tunnel entries first, then all
     remote-tunnel entries. -->
<!ELEMENT tunnels (local-tunnel*,remote-tunnel*)>
<!-- Local tunnel. type defaults to "tcp"; listen-port and dst-port are
     required; dst-host defaults to the loopback address; allow-relay
     defaults to "no", which is the restrictive setting. Only a port is
     modelled for the listener, not a bind address. -->
<!ELEMENT local-tunnel EMPTY>
<!ATTLIST local-tunnel
type CDATA "tcp"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no">
<!-- Remote tunnel. Same attributes and defaults as local-tunnel. -->
<!ELEMENT remote-tunnel EMPTY>
<!ATTLIST remote-tunnel
type CDATA "tcp"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no">
<!-- Static tunnels element: zero or more tunnel entries. -->
<!ELEMENT static-tunnels (tunnel*)>
<!-- Static tunnel. Same attributes and defaults as local-tunnel plus a
     required profile. profile is CDATA rather than IDREF, so a dangling
     reference to a profile id is not caught by validation. -->
<!ELEMENT tunnel EMPTY>
<!ATTLIST tunnel
type CDATA "tcp"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no"
profile CDATA #REQUIRED>
<!-- GUI. All five flags are #IMPLIED with no default value, so when one
     is omitted the behaviour comes from the broker's built-in default,
     which this DTD does not state. -->
<!ELEMENT gui EMPTY>
<!ATTLIST gui
hide-tray-icon (yes|no|YES|NO) #IMPLIED
show-exit-button (yes|no|YES|NO) #IMPLIED
show-admin (yes|no|YES|NO) #IMPLIED
enable-connector (yes|no|YES|NO) #IMPLIED
show-security-notification (yes|no|YES|NO) #IMPLIED>
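<!-- Filter engine: any mix of network, dns and filter children, in any
     order. In the listing the ATTLIST was closed after
     ip-generate-start, leaving ftp-filter-at-signs as a stray line
     outside any declaration; by its position it belongs to this
     ATTLIST (confirm against the shipped DTD). ftp-filter-at-signs
     defaults to "no". -->
<!ELEMENT filter-engine (network|dns|filter)*>
<!ATTLIST filter-engine
ip-generate-start CDATA #IMPLIED
ftp-filter-at-signs (yes|no|YES|NO) "no">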
<!-- Network. id is an XML ID, unique across the whole document and in
     the same ID space as profile ids; address, domain and
     ip-generate-start are optional free text. -->
<!ELEMENT network EMPTY>
<!ATTLIST network
id ID #REQUIRED
address CDATA #IMPLIED
domain CDATA #IMPLIED
ip-generate-start CDATA #IMPLIED>
<!-- DNS entry. id is an XML ID; network-id is an IDREF, so a validating
     parser checks that it names an existing ID (any ID, not only a
     network one, since DTD ID spaces are not typed). pseudo-ip defaults
     to "no". -->
<!ELEMENT dns EMPTY>
<!ATTLIST dns
id ID #REQUIRED
network-id IDREF #IMPLIED
application CDATA #IMPLIED
host CDATA #IMPLIED
ip-address CDATA #IMPLIED
pseudo-ip (yes|no|YES|NO) "no">
<!-- Filter rule. dns-id is a required IDREF. ports and action are
     required free text: action is not an enumeration, so an unknown
     action value passes validation. profile-id is CDATA, not IDREF, so
     a dangling profile reference is not detected by validation.
     fallback-to-plain defaults to "no", so falling back to an
     unprotected connection must be enabled explicitly per rule. -->
<!ELEMENT filter EMPTY>
<!ATTLIST filter
dns-id IDREF #REQUIRED
ports CDATA #REQUIRED
action CDATA #REQUIRED
profile-id CDATA #IMPLIED
fallback-to-plain (yes|no|YES|NO) "no">
<!-- Logging: zero or more log-events entries. -->
<!ELEMENT logging (log-events*)>
<!-- Log events. -->
<!-- Log event facility. Internal general entity used as the default
     value of the facility attribute below; it must be declared before
     that reference, so keep this ordering. -->
<!ENTITY default-log-event-facility "normal">
<!-- Log event severity. Same pattern as the facility entity. -->
<!ENTITY default-log-event-severity "notice">
<!-- log-events has text content (presumably the event names it applies
     to; the format is not defined here). facility and severity are
     enumerations whose defaults come from the two entities above, i.e.
     "normal" and "notice". The "discard" facility is a listed value. -->
<!ELEMENT log-events (#PCDATA)>
<!ATTLIST log-events
facility (normal|daemon|user|auth|local0|local1|
local2|local3|local4|local5|local6|local7|discard)
"&default-log-event-facility;"
severity (informational|notice|warning|error|critical|
security-success|security-failure)
"&default-log-event-severity;">