The DTD of the broker configuration file is shown below:
<!-- secsh-broker.dtd -->
<!-- -->
<!-- Copyright (c) Tectia Corporation -->
<!-- This software is protected by international copyright laws -->
<!-- All rights reserved. -->
<!-- -->
<!-- Document type definition for the Connection Broker XML -->
<!-- configuration files. -->
<!-- -->
<!-- The top-level element -->
<!-- Every section is optional ("?"), and because this is a sequence -->
<!-- model (comma-separated) the sections that are present must appear -->
<!-- in exactly this order. -->
<!ELEMENT secsh-broker (general?,default-settings?,profiles?,
static-tunnels?,gui?,
filter-engine?,logging?)>
<!-- version is optional free-form text; the DTD does not constrain it. -->
<!ATTLIST secsh-broker version CDATA #IMPLIED>
<!-- General element. Only "known-hosts" can appear multiple times. -->
<!-- NOTE(review): the "*" choice model below lets every child repeat; -->
<!-- the "only known-hosts repeats" rule cannot be expressed in a DTD and -->
<!-- is presumably enforced by the broker when it loads the file (confirm). -->
<!ELEMENT general
(crypto-lib|cert-validation|key-stores|
strict-host-key-checking|host-key-always-ask|
accept-unknown-host-keys|known-hosts|
user-config-directory|file-access-control|
protocol-parameters)*>
<!-- Cryptographic library. -->
<!-- mode accepts only "fips" or "standard"; "standard" is the default. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib
mode (fips|standard) "standard">
<!-- PKI settings. -->
<!-- Sequence model: LDAP servers, OCSP responders, CRL prefetch entries, -->
<!-- an optional dod-pki switch, CA certificates, then key stores. -->
<!ELEMENT cert-validation
(ldap-server*,ocsp-responder*,
crl-prefetch*,dod-pki?,
ca-certificate*,key-store*)>
<!-- end-point-identity-check defaults to "yes"; a "no" in a deployed file -->
<!-- disables a check that is part of server certificate validation and -->
<!-- should be treated as a deliberate, reviewed exception. -->
<!-- max-path-length defaults to "10" but is CDATA, so it is not -->
<!-- range-checked by validation. The proxy URLs are optional free text. -->
<!ATTLIST cert-validation
end-point-identity-check (yes|no|YES|NO) "yes"
default-domain CDATA #IMPLIED
http-proxy-url CDATA #IMPLIED
socks-server-url CDATA #IMPLIED
max-path-length CDATA "10">
<!-- LDAP server consulted during certificate validation (child of -->
<!-- cert-validation). address is required; port defaults to "389". -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server
address CDATA #REQUIRED
port CDATA "389">
<!-- OCSP responder. url is required; validity-period defaults to "0" -->
<!-- (its unit and the meaning of 0 are not defined by the DTD). -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
url CDATA #REQUIRED
validity-period CDATA "0">
<!-- CRL prefetch. -->
<!-- url is required; interval defaults to "3600" (unit not stated here). -->
<!ELEMENT crl-prefetch EMPTY>
<!ATTLIST crl-prefetch
interval CDATA "3600"
url CDATA #REQUIRED>
<!-- CA certificates. -->
<!-- The certificate may be given inline (#PCDATA) or through "file". -->
<!-- disable-crls="yes" or a non-zero use-expired-crls relax revocation -->
<!-- checking for certificates issued by this CA; both default to the -->
<!-- strict setting ("no" / "0"). -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
name CDATA #REQUIRED
file CDATA #IMPLIED
disable-crls (yes|no|YES|NO) "no"
use-expired-crls CDATA "0" >
<!-- Enable DoD PKI compliancy. -->
<!-- Off by default. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki
enable (yes|no|YES|NO) "no" >
<!-- Key stores: any mix of key-store, user-keys and identification. -->
<!-- key-store is also reused inside cert-validation and known-hosts. -->
<!ELEMENT key-stores ((key-store|user-keys|identification)*)>
<!-- type is required; init is optional free text whose syntax is not -->
<!-- defined here. The two CRL attributes mirror those of ca-certificate. -->
<!ELEMENT key-store EMPTY>
<!ATTLIST key-store
type CDATA #REQUIRED
init CDATA #IMPLIED
disable-crls (yes|no|YES|NO) "no"
use-expired-crls CDATA "0" >
<!-- User key directory. poll-interval defaults to "10"; both passphrase -->
<!-- timeouts default to "0". The meaning of "0" (presumably no timeout, -->
<!-- i.e. the passphrase stays cached) is not defined by the DTD; confirm -->
<!-- against the broker documentation before relying on it. -->
<!ELEMENT user-keys EMPTY>
<!ATTLIST user-keys
directory CDATA #IMPLIED
poll-interval CDATA "10"
passphrase-timeout CDATA "0"
passphrase-idle-timeout CDATA "0">
<!-- Identification file: file is required, base-path optional; the -->
<!-- passphrase timeouts behave as documented for user-keys above. -->
<!ELEMENT identification EMPTY>
<!ATTLIST identification
file CDATA #REQUIRED
base-path CDATA #IMPLIED
passphrase-timeout CDATA "0"
passphrase-idle-timeout CDATA "0">
<!-- Available for backward compatibility reasons -->
<!-- The three legacy host-key elements below each take a required enable -->
<!-- flag. The current way to express host-key trust policy appears to be -->
<!-- auth-server-publickey/@policy under server-authentication-methods. -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
enable (yes|no|YES|NO) #REQUIRED>
<!-- Available for backward compatibility reasons -->
<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask
enable (yes|no|YES|NO) #REQUIRED>
<!-- Available for backward compatibility reasons -->
<!-- By its name, enable="yes" accepts host keys the broker has not seen -->
<!-- before, i.e. no verification on first contact; review any such -->
<!-- setting in a deployed file. -->
<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
enable (yes|no|YES|NO) #REQUIRED>
<!-- Declared here but not part of the general content model; it is -->
<!-- referenced from default-settings and profile. -->
<!ELEMENT exclusive-connection EMPTY>
<!ATTLIST exclusive-connection
enable (yes|no|YES|NO) #REQUIRED>
<!-- Known hosts; may carry key-store children. path, file and directory -->
<!-- are all optional. filename-format presumably controls whether -->
<!-- host-key file names are hashed or plain; "default" defers to the broker. -->
<!ELEMENT known-hosts (key-store*)>
<!ATTLIST known-hosts
path CDATA #IMPLIED
file CDATA #IMPLIED
directory CDATA #IMPLIED
filename-format (hash|plain|default) "default" >
<!-- The default path is a placeholder token expanded outside the DTD. -->
<!ELEMENT user-config-directory EMPTY>
<!ATTLIST user-config-directory
path CDATA "%USER_CONFIG_DIRECTORY%">
<!-- Extended plugin configuration -->
<!-- NOTE(review): in the ext content model "EMPTY" is an element name -->
<!-- token (the EMPTY keyword is not allowed inside a mixed model); no -->
<!-- element named EMPTY is declared in this DTD, so that alternative -->
<!-- cannot be used by a valid document. -->
<!ELEMENT extended (ext)*>
<!ELEMENT ext (#PCDATA | EMPTY | ext)*>
<!ATTLIST ext
name CDATA #REQUIRED>
<!-- Default settings element. No element may appear multiple times.-->
<!-- NOTE(review): as with general, the "*" model does not enforce the -->
<!-- "no repeats" rule; that is presumably checked by the broker. -->
<!-- user is optional free text. -->
<!ELEMENT default-settings (ciphers|macs|kexs|hostkey-algorithms|
transport-distribution|rekey|
authentication-methods|
hostbased-default-domain|
compression|proxy|idle-timeout|
tcp-connect-timeout|keepalive-interval|
exclusive-connection|server-banners|
forwards|extended|remote-environment|
server-authentication-methods|
authentication-success-message|
sftpg3-mode|terminal-selection|
terminal-bell|close-window-on-disconnect|
quiet-mode|checksum)*>
<!ATTLIST default-settings
user CDATA #IMPLIED>
<!-- Server banners. -->
<!-- Shown by default. -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners
visible (yes|no|YES|NO) "yes">
<!-- Ciphers element. -->
<!-- Algorithm lists (cipher, mac, kex, hostkey-algorithm) use free-form -->
<!-- CDATA names: the DTD does not restrict which algorithms may be listed, -->
<!-- so an unsupported or weak name is only caught by the broker itself. -->
<!ELEMENT ciphers (cipher*)>
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
name CDATA #REQUIRED>
<!-- Macs element. -->
<!ELEMENT macs (mac*)>
<!ELEMENT mac EMPTY>
<!ATTLIST mac
name CDATA #REQUIRED>
<!-- Kexs element. -->
<!ELEMENT kexs (kex*)>
<!-- Kex. -->
<!ELEMENT kex EMPTY>
<!ATTLIST kex
name CDATA #REQUIRED>
<!-- Hostkey algorithms element. -->
<!ELEMENT hostkey-algorithms (hostkey-algorithm*)>
<!-- Hostkey algorithm. -->
<!ELEMENT hostkey-algorithm EMPTY>
<!ATTLIST hostkey-algorithm
name CDATA #REQUIRED>
<!-- Rekey threshold; bytes defaults to "0" (meaning not defined here). -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
bytes CDATA "0">
<!-- Hostbased default domain. -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
name CDATA #REQUIRED>
<!-- Authentication methods element. -->
<!-- User (client-side) authentication methods, in any order and number. -->
<!ELEMENT authentication-methods (authentication-method|auth-hostbased
|auth-password|auth-publickey|auth-gssapi
|auth-keyboard-interactive)*>
<!-- Methods by which the server is authenticated to the client. -->
<!ELEMENT server-authentication-methods (authentication-method
|auth-server-publickey
|auth-server-certificate)*>
<!-- policy is CDATA, so the values listed in the comment below are not -->
<!-- enforced by the DTD; "tofu" (trust on first use) and "advisory" are -->
<!-- the permissive choices. An unrecognised value is left to the broker. -->
<!ELEMENT auth-server-publickey EMPTY>
<!ATTLIST auth-server-publickey
policy CDATA #IMPLIED>
<!-- "strict", "ask", "tofu", -->
<!-- "advisory" -->
<!ELEMENT auth-server-certificate EMPTY>
<!-- Entries of the remote-environment list. name and value are required; -->
<!-- what format="yes" does to value is not defined by the DTD. -->
<!ELEMENT remote-environment (environment*)>
<!ELEMENT environment EMPTY>
<!ATTLIST environment
name CDATA #REQUIRED
value CDATA #REQUIRED
format (yes|no|YES|NO) "no">
<!-- Transport distribution. -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
num-transports CDATA #REQUIRED>
<!-- Authentication method. -->
<!-- Generic method entry selected by name (CDATA, not restricted). -->
<!ELEMENT authentication-method EMPTY>
<!ATTLIST authentication-method
name CDATA #REQUIRED>
<!ELEMENT auth-hostbased (local-hostname?)>
<!ELEMENT local-hostname EMPTY>
<!ATTLIST local-hostname
name CDATA #REQUIRED>
<!ELEMENT auth-password EMPTY>
<!-- Public-key authentication; an optional key-selection narrows the keys -->
<!-- offered, by key type or by certificate issuer name. -->
<!ELEMENT auth-publickey (key-selection?)>
<!ATTLIST auth-publickey
signature-algorithms CDATA #IMPLIED>
<!ELEMENT key-selection (public-key|issuer-name)*>
<!ELEMENT public-key EMPTY>
<!ATTLIST public-key
type CDATA #REQUIRED>
<!ELEMENT issuer-name EMPTY>
<!ATTLIST issuer-name
match-server-certificate (yes|no|YES|NO) "no">
<!ELEMENT auth-keyboard-interactive EMPTY>
<!-- GSSAPI. allow-ticket-forwarding accepts only lowercase yes/no (unlike -->
<!-- most other flags in this DTD) and has no default. Forwarding hands the -->
<!-- user's credentials to the remote host; leave it unset or "no" unless -->
<!-- the profile needs it. -->
<!ELEMENT auth-gssapi EMPTY>
<!ATTLIST auth-gssapi
dll-path CDATA #IMPLIED
allow-ticket-forwarding (yes|no) #IMPLIED>
<!-- User identities. -->
<!-- An identity may be given by file, hash, id or inline data; every -->
<!-- attribute is optional, so the DTD does not require any of them. -->
<!ELEMENT user-identities (identity*)>
<!ELEMENT identity EMPTY>
<!ATTLIST identity
identity-file CDATA #IMPLIED
file CDATA #IMPLIED
hash CDATA #IMPLIED
id CDATA #IMPLIED
data CDATA #IMPLIED>
<!-- Password. -->
<!-- The secret can be supplied inline (the string attribute or element -->
<!-- text), read from a file, or produced by a command. In every form, -->
<!-- whoever can read this configuration file (or the referenced file or -->
<!-- program) can obtain the password, so restrict permissions accordingly. -->
<!ELEMENT password (#PCDATA)>
<!ATTLIST password
string CDATA #IMPLIED
file CDATA #IMPLIED
command CDATA #IMPLIED>
<!-- Proxy rules. -->
<!ELEMENT proxy EMPTY>
<!ATTLIST proxy
ruleset CDATA #REQUIRED>
<!-- Idle timeout. -->
<!-- type has a single allowed value; time is optional free text. -->
<!ELEMENT idle-timeout EMPTY>
<!ATTLIST idle-timeout
type (connection) "connection"
time CDATA #IMPLIED>
<!-- Connect timeout. -->
<!ELEMENT tcp-connect-timeout EMPTY>
<!ATTLIST tcp-connect-timeout
time CDATA #IMPLIED>
<!-- Keepalive interval. -->
<!ELEMENT keepalive-interval EMPTY>
<!ATTLIST keepalive-interval
time CDATA #IMPLIED>
<!-- Forwards element. -->
<!-- X11 and agent forwarding switches. Agent forwarding exposes the local -->
<!-- key agent to the remote host. How "denied" differs from "off" is not -->
<!-- defined by the DTD (presumably "denied" cannot be overridden). -->
<!ELEMENT forwards (forward*)>
<!ELEMENT forward EMPTY>
<!ATTLIST forward
type (x11|agent) #REQUIRED
state (on|off|denied) #REQUIRED>
<!-- Compression. -->
<!ELEMENT compression EMPTY>
<!ATTLIST compression
name CDATA #IMPLIED
level CDATA #IMPLIED>
<!ELEMENT authentication-success-message EMPTY>
<!ATTLIST authentication-success-message
enable (yes|no|YES|NO) "yes">
<!ELEMENT quiet-mode EMPTY>
<!ATTLIST quiet-mode
enable (yes|no|YES|NO) "no">
<!ELEMENT sftpg3-mode EMPTY>
<!ATTLIST sftpg3-mode
compatibility-mode CDATA "tectia">
<!ELEMENT terminal-selection EMPTY>
<!ATTLIST terminal-selection
selection-type (select-words|select-paths) "select-words">
<!ELEMENT terminal-bell EMPTY>
<!ATTLIST terminal-bell
bell-style (none|pc-speaker|system-default) "system-default">
<!-- This flag accepts only lowercase yes/no. -->
<!ELEMENT close-window-on-disconnect EMPTY>
<!ATTLIST close-window-on-disconnect
enable (yes|no) "no">
<!-- Checksum mode; each value is accepted in lower or upper case. -->
<!ELEMENT checksum EMPTY>
<!ATTLIST checksum
type (yes|no|md5|sha1|md5-force|sha1-force|checkpoint|
YES|NO|MD5|SHA1|MD5-FORCE|SHA1-FORCE|CHECKPOINT) "yes">
<!-- File access control; off by default. -->
<!ELEMENT file-access-control EMPTY>
<!ATTLIST file-access-control
enable (yes|no|YES|NO) "no">
<!-- threads is optional free text; no range is enforced here. -->
<!ELEMENT protocol-parameters EMPTY>
<!ATTLIST protocol-parameters
threads CDATA #IMPLIED>
<!-- Profiles element. -->
<!ELEMENT profiles (profile*)>
<!-- Connection profile. No element may appear multiple times. -->
<!-- As for default-settings, the "*" model itself allows repeats. -->
<!ELEMENT profile (hostkey|ciphers|macs|kexs|hostkey-algorithms|
transport-distribution|rekey|
authentication-methods|
user-identities|
compression|proxy|idle-timeout|
tcp-connect-timeout|keepalive-interval|
exclusive-connection|server-banners|
forwards|tunnels|extended|remote-environment|
server-authentication-methods|password|
profile-group)*>
<!-- id is an XML ID, so a validating parser rejects duplicate profile ids. -->
<!-- host is required; port defaults to "22" and protocol to "secsh2". -->
<!-- gateway-profile is CDATA rather than IDREF, so a reference to a -->
<!-- non-existent profile is not caught by validation. -->
<!ATTLIST profile
id ID #REQUIRED
name CDATA #IMPLIED
host CDATA #REQUIRED
port CDATA "22"
protocol CDATA "secsh2"
connect-on-startup (yes|no|YES|NO) "no"
user CDATA #IMPLIED
gateway-profile CDATA #IMPLIED>
<!-- Hostkey. -->
<!-- Presumably the expected server host key for this profile, given -->
<!-- inline (#PCDATA) or through file. -->
<!ELEMENT hostkey (#PCDATA)>
<!ATTLIST hostkey
file CDATA #IMPLIED>
<!-- Tunnels element. -->
<!-- Sequence model: all local tunnels first, then all remote tunnels. -->
<!ELEMENT tunnels (local-tunnel*,remote-tunnel*)>
<!-- Local tunnel. -->
<!-- Both listen-address and dst-host default to loopback (127.0.0.1) and -->
<!-- allow-relay to "no". A non-loopback listen-address, or -->
<!-- allow-relay="yes" (which presumably admits non-local clients), makes -->
<!-- the tunnel reachable from other hosts; treat either as a reviewed -->
<!-- exception. listen-port and dst-port are required. -->
<!ELEMENT local-tunnel EMPTY>
<!ATTLIST local-tunnel
type CDATA "tcp"
listen-address CDATA "127.0.0.1"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no">
<!-- Remote tunnel. -->
<!-- Same attributes and defaults as local-tunnel. -->
<!ELEMENT remote-tunnel EMPTY>
<!ATTLIST remote-tunnel
type CDATA "tcp"
listen-address CDATA "127.0.0.1"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no">
<!-- Static tunnels element. -->
<!ELEMENT static-tunnels (tunnel*)>
<!-- Static tunnel. -->
<!-- Same attributes and defaults as local-tunnel plus a required profile -->
<!-- name; profile is CDATA, not IDREF, so validation does not check that -->
<!-- the named profile exists. -->
<!ELEMENT tunnel EMPTY>
<!ATTLIST tunnel
type CDATA "tcp"
listen-address CDATA "127.0.0.1"
listen-port CDATA #REQUIRED
dst-host CDATA "127.0.0.1"
dst-port CDATA #REQUIRED
allow-relay (yes|no|YES|NO) "no"
profile CDATA #REQUIRED>
<!-- GUI. -->
<!-- All flags are optional and the DTD gives them no default. -->
<!ELEMENT gui EMPTY>
<!ATTLIST gui
hide-tray-icon (yes|no|YES|NO) #IMPLIED
show-exit-button (yes|no|YES|NO) #IMPLIED
show-admin (yes|no|YES|NO) #IMPLIED
enable-connector (yes|no|YES|NO) #IMPLIED
show-security-notification (yes|no|YES|NO) #IMPLIED>
<!-- Filter engine: any mix of network, dns, filter and rule children. -->
<!-- ftp-filter-at-signs is off by default. -->
<!ELEMENT filter-engine (network|dns|filter|rule)*>
<!ATTLIST filter-engine
ip-generate-start CDATA #IMPLIED
ftp-filter-at-signs (yes|no|YES|NO) "no">
<!-- network/@id is an XML ID and is the target of dns/@network-id. -->
<!ELEMENT network EMPTY>
<!ATTLIST network
id ID #REQUIRED
address CDATA #IMPLIED
domain CDATA #IMPLIED
ip-generate-start CDATA #IMPLIED>
<!-- dns/@id is the target of filter/@dns-id; network-id is an optional -->
<!-- IDREF, so when present it must match a declared network id. -->
<!ELEMENT dns EMPTY>
<!ATTLIST dns
id ID #REQUIRED
network-id IDREF #IMPLIED
application CDATA #IMPLIED
host CDATA #IMPLIED
ip-address CDATA #IMPLIED
pseudo-ip (yes|no|YES|NO) "no">
<!-- dns-id is a required IDREF, checked by a validating parser; profile-id -->
<!-- is plain CDATA and is not cross-checked. action is accepted in either -->
<!-- case. fallback-to-plain defaults to "no"; "yes" presumably lets the -->
<!-- traffic proceed untunnelled when the chosen action cannot be applied, -->
<!-- so review any "yes" in a deployed file. -->
<!ELEMENT filter EMPTY>
<!ATTLIST filter
dns-id IDREF #REQUIRED
ports CDATA #REQUIRED
action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)
#REQUIRED
profile-id CDATA #IMPLIED
destination CDATA #IMPLIED
destination-port CDATA #IMPLIED
fallback-to-plain (yes|no|YES|NO) "no">
<!-- rule combines the dns matching attributes with the filter action -->
<!-- attributes in one element; ports and action are required. The -->
<!-- hostname-from-app / username-from-app flags default to "no" and -->
<!-- fallback-to-plain behaves as documented for filter above. -->
<!ELEMENT rule EMPTY>
<!ATTLIST rule
application CDATA #IMPLIED
host CDATA #IMPLIED
ip-address CDATA #IMPLIED
pseudo-ip (yes|no|YES|NO) "no"
ports CDATA #REQUIRED
action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)
#REQUIRED
profile-id CDATA #IMPLIED
destination CDATA #IMPLIED
destination-port CDATA #IMPLIED
username CDATA #IMPLIED
hostname-from-app (yes|no|YES|NO) "no"
username-from-app (yes|no|YES|NO) "no"
fallback-to-plain (yes|no|YES|NO) "no">
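<!-- Logging: zero or more log targets followed by zero or more log-events. -->
<!ELEMENT logging (log-target*,log-events*)>
<!-- Log events. -->
<!-- Log event facility. -->
<!-- These entities are used as attribute defaults below; XML 1.0 requires -->
<!-- an entity to be declared before any reference to it in an ATTLIST -->
<!-- default value, so they must stay ahead of the log-events ATTLIST. -->
<!ENTITY default-log-event-facility "normal">
<!-- Log event severity. -->
<!ENTITY default-log-event-severity "notice">
<!-- Log target. type defaults to "file" and format to "syslog"; "discard" -->
<!-- drops events for that target. file is optional free text. -->
<!ELEMENT log-target EMPTY>
<!ATTLIST log-target
file CDATA #IMPLIED
type (file|syslog|socket|discard) "file"
format (syslog|csv|xml) "syslog" >
<!-- Mixed content: event text with optional log-target children. -->
<!-- Fixed: the previous model "(log-target|#PCDATA)" is not a legal -->
<!-- XML 1.0 mixed-content declaration (#PCDATA must come first and the -->
<!-- group must be repeated with "*"), so a conforming validating parser -->
<!-- rejects the DTD. The form below expresses the evident intent. -->
<!ELEMENT log-events (#PCDATA|log-target)*>
<!-- facility and severity take their defaults from the entities above. -->
<!ATTLIST log-events
facility (normal|daemon|user|auth|local0|local1|local2
|local3|local4|local5|local6|local7|discard)
"&default-log-event-facility;"
severity (informational|notice|warning|error|critical
|security-success|security-failure)
"&default-log-event-severity;">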