The DTD of the broker configuration file is shown below:
<!-- secsh-broker.dtd -->
<!-- -->
<!-- Copyright (c) 2004-2008 SSH Communications Security, Finland -->
<!-- All rights reserved. -->
<!-- -->
<!-- Document type definition for the Connection Broker XML -->
<!-- configuration files. -->
<!-- -->
<!-- The top-level element -->
<!-- Every section is optional; when present they must appear in this -->
<!-- order: general, default-settings, profiles, static-tunnels, gui, -->
<!-- filter-engine, logging. -->
<!ELEMENT secsh-broker (general?,default-settings?,profiles?,
static-tunnels?,gui?,
filter-engine?,logging?)>
<!-- Optional free-form version string; the DTD does not constrain it. -->
<!ATTLIST secsh-broker
version CDATA #IMPLIED>
<!-- General element. -->
<!-- Global (non-profile) settings: crypto library, certificate -->
<!-- validation, key stores and the host-key acceptance switches. -->
<!-- All children are optional; their relative order is fixed. -->
<!ELEMENT general (crypto-lib?,cert-validation?,key-stores?,
strict-host-key-checking?,host-key-always-ask?,
accept-unknown-host-keys?,known-hosts?)>
<!-- Cryptographic library. -->
<!-- mode is one of "fips" or "standard". When the attribute is omitted -->
<!-- the DTD default is "standard", so FIPS mode is strictly opt-in. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib
mode (fips|standard) "standard">
<!-- PKI settings. -->
<!-- Certificate validation sources: any number of LDAP servers, OCSP -->
<!-- responders, CRL prefetch URLs, CA certificates and key stores, plus -->
<!-- an optional dod-pki switch, in that order. -->
<!ELEMENT cert-validation
(ldap-server*,ocsp-responder*,
crl-prefetch*,dod-pki?,
ca-certificate*,key-store*)>
<!-- end-point-identity-check defaults to "yes" when omitted; "no" -->
<!-- presumably skips matching the certificate against the peer identity -->
<!-- and should be a deliberate, reviewed choice. default-domain, -->
<!-- http-proxy-url and socks-server-url are unconstrained strings. -->
<!ATTLIST cert-validation
end-point-identity-check (yes|no|YES|NO) "yes"
default-domain CDATA #IMPLIED
http-proxy-url CDATA #IMPLIED
socks-server-url CDATA #IMPLIED>
<!-- LDAP server used by certificate validation. address is required; -->
<!-- port defaults to "389" (the plain LDAP port). -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server
address CDATA #REQUIRED
port CDATA "389">
<!-- OCSP responder. url is required; validity-period defaults to "0". -->
<!-- The unit and meaning of "0" are not defined by the DTD. -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
url CDATA #REQUIRED
validity-period CDATA "0">
<!-- CRL prefetch. -->
<!-- url is required; interval defaults to "3600" (unit not defined -->
<!-- here, presumably seconds). -->
<!ELEMENT crl-prefetch EMPTY>
<!ATTLIST crl-prefetch
interval CDATA "3600"
url CDATA #REQUIRED>
<!-- CA certificates. -->
<!-- The certificate may be given inline as character data or through -->
<!-- file; name is required. disable-crls defaults to "no" and -->
<!-- use-expired-crls to "0", so a document that omits them presumably -->
<!-- keeps revocation checking enabled. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
name CDATA #REQUIRED
file CDATA #IMPLIED
disable-crls (yes|no|YES|NO) "no"
use-expired-crls CDATA "0" >
<!-- Enable DoD PKI compliancy. -->
<!-- Off ("no") unless enable is set explicitly. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki
enable (yes|no|YES|NO) "no" >
<!-- Key stores: any mix of key-store, user-keys and identification -->
<!-- children, in any order. -->
<!ELEMENT key-stores ((key-store|user-keys|identification)*)>
<!-- key-store is shared by the cert-validation, key-stores and -->
<!-- known-hosts content models. type is required; init is a free-form -->
<!-- string (presumably provider initialisation data). The CRL controls -->
<!-- mirror ca-certificate and default to "no"/"0". -->
<!ELEMENT key-store EMPTY>
<!ATTLIST key-store
type CDATA #REQUIRED
init CDATA #IMPLIED
disable-crls (yes|no|YES|NO) "no"
use-expired-crls CDATA "0" >
<!-- Directory of user keys. Both passphrase timeouts default to "0"; -->
<!-- the unit and the meaning of "0" are not defined by the DTD. -->
<!ELEMENT user-keys EMPTY>
<!ATTLIST user-keys
directory CDATA #IMPLIED
passphrase-timeout CDATA "0"
passphrase-idle-timeout CDATA "0">
<!-- Identification file (file required, base-path optional) with the -->
<!-- same passphrase timeout attributes as user-keys. -->
<!ELEMENT identification EMPTY>
<!ATTLIST identification
file CDATA #REQUIRED
base-path CDATA #IMPLIED
passphrase-timeout CDATA "0"
passphrase-idle-timeout CDATA "0">
<!-- Host-key acceptance switches. None of them carries a default: when -->
<!-- the element is present, enable must be stated explicitly -->
<!-- (#REQUIRED). What applies when the element is absent is not defined -->
<!-- by the DTD. -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
enable (yes|no|YES|NO) #REQUIRED>
<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask
enable (yes|no|YES|NO) #REQUIRED>
<!-- "yes" here presumably suppresses the first-contact host-key prompt; -->
<!-- configurations enabling it deserve review. -->
<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
enable (yes|no|YES|NO) #REQUIRED>
<!-- Declared among the general elements but referenced only from the -->
<!-- default-settings and profile content models. -->
<!ELEMENT exclusive-connection EMPTY>
<!ATTLIST exclusive-connection
enable (yes|no|YES|NO) #REQUIRED>
<!-- Known-hosts store: optional path plus zero or more key-store -->
<!-- children. filename-format defaults to "hash" (presumably hashed -->
<!-- host names on disk) rather than "plain". -->
<!ELEMENT known-hosts (key-store*)>
<!ATTLIST known-hosts
path CDATA #IMPLIED
filename-format (hash|plain) "hash" >
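<!-- Extended plugin configuration -->
<!-- Container for plugin-specific settings: zero or more ext children. -->
<!ELEMENT extended (ext)*>
<!-- An ext element holds character data and/or nested ext elements. -->
<!-- The earlier model listed the token EMPTY as a third alternative in -->
<!-- the choice list; there it is not the content-model keyword but a -->
<!-- reference to an element type named "EMPTY", which this DTD never -->
<!-- declares. The token is dropped; every document valid under the old -->
<!-- model is still valid under this one. -->
<!ELEMENT ext (#PCDATA | ext)*>
<!-- Each ext must be named; the DTD does not constrain the value. -->
<!ATTLIST ext
name CDATA #REQUIRED>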
<!-- Default settings element. -->
<!-- Connection defaults that individual profiles may override. All -->
<!-- children are optional; the sequence order below is mandatory. -->
<!-- Compare with the profile content model, which adds hostkey, -->
<!-- user-identities and tunnels but lacks authentication-success-message -->
<!-- and sftpg3-mode. -->
<!ELEMENT default-settings (ciphers?, macs?,
transport-distribution?, rekey?,
authentication-methods?,
hostbased-default-domain?,
compression?, proxy?, idle-timeout?,
tcp-connect-timeout?, keepalive-interval?,
exclusive-connection?, server-banners?,
forwards?, extended?, remote-environment?,
server-authentication-methods?,
authentication-success-message?,
sftpg3-mode?)>
<!-- Server banners. -->
<!-- visible defaults to "yes" when omitted. -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners
visible (yes|no|YES|NO) "yes">
<!-- Ciphers element. -->
<!-- Ordered list of cipher names. The DTD does not restrict the name -->
<!-- values, so algorithm policy cannot be enforced by validation. -->
<!ELEMENT ciphers (cipher*)>
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
name CDATA #REQUIRED>
<!-- Macs element. -->
<!-- Ordered list of MAC names; same caveat as for ciphers. -->
<!ELEMENT macs (mac*)>
<!ELEMENT mac EMPTY>
<!ATTLIST mac
name CDATA #REQUIRED>
<!-- Rekey threshold in bytes; defaults to "0". The meaning of "0" is -->
<!-- not defined by the DTD. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
bytes CDATA "0">
<!-- Hostbased default domain. -->
<!-- Domain name appended for hostbased authentication (name required). -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
name CDATA #REQUIRED>
<!-- Authentication methods element. -->
<!-- Accepts either the generic authentication-method (by name) or the -->
<!-- specific auth-* elements, mixed freely. Child order is significant -->
<!-- in XML and presumably expresses method preference. -->
<!ELEMENT authentication-methods (authentication-method|auth-hostbased
|auth-password|auth-publickey|auth-gssapi
|auth-keyboard-interactive)*>
<!-- Methods the server is expected to offer; only the generic form. -->
<!ELEMENT server-authentication-methods (authentication-method*)>
<!-- Environment variables passed to the remote side. format defaults -->
<!-- to "no"; its exact effect is not defined by the DTD. -->
<!ELEMENT remote-environment (environment*)>
<!ELEMENT environment EMPTY>
<!ATTLIST environment
name CDATA #REQUIRED
value CDATA #REQUIRED
format (yes|no|YES|NO) "no">
<!-- Transport distribution. -->
<!-- num-transports is required and unconstrained by the DTD. -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
num-transports CDATA #REQUIRED>
<!-- Authentication method. -->
<!-- Generic method selected by name; the DTD does not enumerate names. -->
<!ELEMENT authentication-method EMPTY>
<!ATTLIST authentication-method
name CDATA #REQUIRED>
<!-- Hostbased authentication, optionally overriding the local host name. -->
<!ELEMENT auth-hostbased (local-hostname?)>
<!ELEMENT local-hostname EMPTY>
<!ATTLIST local-hostname
name CDATA #REQUIRED>
<!-- Specific methods without further attributes. -->
<!ELEMENT auth-password EMPTY>
<!ELEMENT auth-publickey EMPTY>
<!ELEMENT auth-keyboard-interactive EMPTY>
<!ELEMENT auth-gssapi EMPTY>
<!-- User identities. -->
<!-- Per-profile identity list. Every identity attribute is optional and -->
<!-- unconstrained; which of identity-file, file, hash, id or data must -->
<!-- be present, and what "data" carries, is not defined by the DTD. -->
<!-- Review values of "data" with the same care as key material. -->
<!ELEMENT user-identities (identity*)>
<!ELEMENT identity EMPTY>
<!ATTLIST identity
identity-file CDATA #IMPLIED
file CDATA #IMPLIED
hash CDATA #IMPLIED
id CDATA #IMPLIED
data CDATA #IMPLIED>
<!-- Proxy rules. -->
<!-- ruleset is a required free-form string; its syntax is outside the -->
<!-- DTD. -->
<!ELEMENT proxy EMPTY>
<!ATTLIST proxy
ruleset CDATA #REQUIRED>
<!-- Idle timeout. -->
<!-- type admits only "connection"; time is optional (unit not defined). -->
<!ELEMENT idle-timeout EMPTY>
<!ATTLIST idle-timeout
type (connection) "connection"
time CDATA #IMPLIED>
<!-- Connect timeout. -->
<!-- No DTD default for time. -->
<!ELEMENT tcp-connect-timeout EMPTY>
<!ATTLIST tcp-connect-timeout
time CDATA #IMPLIED>
<!-- Keepalive interval. -->
<!-- No DTD default for time. -->
<!ELEMENT keepalive-interval EMPTY>
<!ATTLIST keepalive-interval
time CDATA #IMPLIED>
<!-- Forwards element. -->
<!-- X11 and agent forwarding switches. Both type and state are required -->
<!-- so a forward entry is never silently enabled by a default; "denied" -->
<!-- is a third state distinct from "off". -->
<!ELEMENT forwards (forward*)>
<!ELEMENT forward EMPTY>
<!ATTLIST forward
type (x11|agent) #REQUIRED
state (on|off|denied) #REQUIRED>
<!-- Compression. -->
<!-- Algorithm name and level, both optional and unconstrained. -->
<!ELEMENT compression EMPTY>
<!ATTLIST compression
name CDATA #IMPLIED
level CDATA #IMPLIED>
<!-- Shown after successful authentication; enabled by default. -->
<!ELEMENT authentication-success-message EMPTY>
<!ATTLIST authentication-success-message
enable (yes|no|YES|NO) "yes">
<!-- sftpg3 compatibility mode; defaults to "tectia". -->
<!ELEMENT sftpg3-mode EMPTY>
<!ATTLIST sftpg3-mode
compatibility-mode CDATA "tectia">
<!-- Profiles element. -->
<!ELEMENT profiles (profile*)>
<!-- Connection profile. -->
<!-- Same optional children as default-settings, plus hostkey, -->
<!-- user-identities and tunnels; order is mandatory. -->
<!ELEMENT profile (hostkey?, ciphers?, macs?,
transport-distribution?, rekey?,
authentication-methods?,
user-identities?,
compression?, proxy?, idle-timeout?,
tcp-connect-timeout?, keepalive-interval?,
exclusive-connection?, server-banners?,
forwards?, tunnels?, extended?,
remote-environment?,
server-authentication-methods?)>
<!-- id is an XML ID (unique in the document, must be an NCName) and host -->
<!-- is required. Defaults: port "22", protocol "secsh2", -->
<!-- connect-on-startup "no". gateway-profile is CDATA, not IDREF, so a -->
<!-- validating parser will not check that it names an existing profile. -->
<!ATTLIST profile
id ID #REQUIRED
name CDATA #IMPLIED
host CDATA #REQUIRED
port CDATA "22"
protocol CDATA "secsh2"
connect-on-startup (yes|no|YES|NO) "no"
user CDATA #IMPLIED
gateway-profile CDATA #IMPLIED>
<!-- Hostkey. -->
<!-- Expected server host key, inline as character data or via file. -->
<!ELEMENT hostkey (#PCDATA)>
<!ATTLIST hostkey
file CDATA #IMPLIED>
<!-- Tunnels element. -->
<!-- All local tunnels first, then all remote tunnels. -->
<!ELEMENT tunnels (local-tunnel*,remote-tunnel*)>
<!-- Local tunnel. -->
<!-- listen-port and dst-port are required. listen-address and dst-host -->
<!-- default to the loopback address 127.0.0.1 and allow-relay to "no"; -->
<!-- a document that binds another address or sets allow-relay to "yes" -->
<!-- presumably exposes the listener beyond the local host and should -->
<!-- be reviewed. type defaults to "tcp" and is otherwise unconstrained. -->
<!ELEMENT local-tunnel EMPTY>
<!ATTLIST local-tunnel
type CDATA "tcp"
listen-address CDATA "127.0.0.1"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no">
<!-- Remote tunnel. -->
<!-- Identical attribute set and defaults to local-tunnel. -->
<!ELEMENT remote-tunnel EMPTY>
<!ATTLIST remote-tunnel
type CDATA "tcp"
listen-address CDATA "127.0.0.1"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no">
<!-- Static tunnels element. -->
<!ELEMENT static-tunnels (tunnel*)>
<!-- Static tunnel. -->
<!-- Same attributes and defaults as local-tunnel, plus a required -->
<!-- profile reference. profile is CDATA rather than IDREF, so the parser -->
<!-- does not verify that it matches a profile id. -->
<!ELEMENT tunnel EMPTY>
<!ATTLIST tunnel
type CDATA "tcp"
listen-address CDATA "127.0.0.1"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no"
profile CDATA #REQUIRED>
<!-- GUI. -->
<!-- All switches are optional with no DTD default; absent attributes -->
<!-- are left to the application. -->
<!ELEMENT gui EMPTY>
<!ATTLIST gui
hide-tray-icon (yes|no|YES|NO) #IMPLIED
show-exit-button (yes|no|YES|NO) #IMPLIED
show-admin (yes|no|YES|NO) #IMPLIED
enable-connector (yes|no|YES|NO) #IMPLIED
show-security-notification (yes|no|YES|NO) #IMPLIED>
<!-- Filter engine: networks, DNS entries, filters and rules in any order. -->
<!-- ftp-filter-at-signs defaults to "no". -->
<!ELEMENT filter-engine (network|dns|filter|rule)*>
<!ATTLIST filter-engine
ip-generate-start CDATA #IMPLIED
ftp-filter-at-signs (yes|no|YES|NO) "no">
<!-- Network definition; id is a document-unique XML ID referenced by -->
<!-- dns/@network-id. -->
<!ELEMENT network EMPTY>
<!ATTLIST network
id ID #REQUIRED
address CDATA #IMPLIED
domain CDATA #IMPLIED
ip-generate-start CDATA #IMPLIED>
<!-- DNS entry; id is an XML ID referenced by filter/@dns-id, network-id -->
<!-- an optional IDREF that the parser checks against network ids. -->
<!-- pseudo-ip defaults to "no". -->
<!ELEMENT dns EMPTY>
<!ATTLIST dns
id ID #REQUIRED
network-id IDREF #IMPLIED
application CDATA #IMPLIED
host CDATA #IMPLIED
ip-address CDATA #IMPLIED
pseudo-ip (yes|no|YES|NO) "no">
<!-- Filter keyed on a dns entry. dns-id (IDREF), ports and action are -->
<!-- required; action has no default. profile-id is CDATA, not IDREF, so -->
<!-- it is not validated against profile ids. fallback-to-plain defaults -->
<!-- to "no": falling back to an untunnelled connection is opt-in. -->
<!ELEMENT filter EMPTY>
<!ATTLIST filter
dns-id IDREF #REQUIRED
ports CDATA #REQUIRED
action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)
#REQUIRED
profile-id CDATA #IMPLIED
destination CDATA #IMPLIED
destination-port CDATA #IMPLIED
fallback-to-plain (yes|no|YES|NO) "no">
<!-- Standalone rule matched by application/host/ip-address instead of a -->
<!-- dns reference; otherwise the same action and profile-id semantics as -->
<!-- filter. hostname-from-app, username-from-app and fallback-to-plain -->
<!-- all default to "no". -->
<!ELEMENT rule EMPTY>
<!ATTLIST rule
application CDATA #IMPLIED
host CDATA #IMPLIED
ip-address CDATA #IMPLIED
pseudo-ip (yes|no|YES|NO) "no"
ports CDATA #REQUIRED
action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)
#REQUIRED
profile-id CDATA #IMPLIED
destination CDATA #IMPLIED
destination-port CDATA #IMPLIED
username CDATA #IMPLIED
hostname-from-app (yes|no|YES|NO) "no"
username-from-app (yes|no|YES|NO) "no"
fallback-to-plain (yes|no|YES|NO) "no">
<!-- Logging: zero or more log-events entries. -->
<!ELEMENT logging (log-events*)>
<!-- Log events. -->
<!-- Log event facility. -->
<!-- Both defaults below are internal general entities (literal values, -->
<!-- no SYSTEM/PUBLIC identifier), so this DTD introduces no external -->
<!-- entity resolution. They are declared before the attribute defaults -->
<!-- that reference them, as the spec requires. -->
<!ENTITY default-log-event-facility "normal">
<!-- Log event severity. -->
<!ENTITY default-log-event-severity "notice">
<!-- The element text is free-form (presumably the event selector). -->
<!-- facility defaults to "normal" and severity to "notice" via the -->
<!-- entities above; "discard" is a facility value that drops events. -->
<!ELEMENT log-events (#PCDATA)>
<!ATTLIST log-events
facility (normal|daemon|user|auth|local0|local1|local2
|local3|local4|local5|local6|local7|discard)
"&default-log-event-facility;"
severity (informational|notice|warning|error|critical
|security-success|security-failure)
"&default-log-event-severity;">