
Broker Configuration File Syntax

The DTD of the Connection Broker configuration file is shown below:

<!-- secsh-broker.dtd                                              -->
<!--                                                               -->
<!-- Copyright (c) 2024 SSH Communications Security Corporation.   -->
<!-- This software is protected by international copyright laws.   -->
<!-- All rights reserved.                                          -->
<!--                                                               -->
<!-- Document type definition for the Connection Broker XML        -->
<!-- configuration files.                                          -->
<!--                                                               -->

<!-- Tunable parameters used in the policy. -->

<!-- Both ipv4 and ipv6 are enabled by default -->
<!-- Referenced as "&default-address-family-type;" in the address-family  -->
<!-- attribute list further down; edit the entity to change that default. -->
<!ENTITY default-address-family-type        "any">


<!-- The top-level element -->
<!-- Every section is optional, and because the content model is a        -->
<!-- sequence (commas, not bars) the sections must appear in this order:  -->
<!-- general first, logging last.                                         -->
<!ELEMENT secsh-broker          (general?,default-settings?,profiles?,
                                static-tunnels?,gui?,
                                filter-engine?,logging?)>
<!ATTLIST secsh-broker
      version                   CDATA           #IMPLIED>

<!-- General element. Only "known-hosts" can appear multiple times. -->
<!-- NOTE(review): the model is a repeated choice ("(...)*"), so the DTD    -->
<!-- itself allows any child more than once; the single-occurrence rule    -->
<!-- above is presumably enforced by the broker when it loads the file.    -->
<!ELEMENT general               (crypto-lib|cert-validation|key-stores|
                                strict-host-key-checking|host-key-always-ask|
                                accept-unknown-host-keys|known-hosts|
                                user-config-directory|file-access-control|
                                protocol-parameters)*>

<!-- Cryptographic library. -->
<!-- mode defaults to "standard"; "fips" has to be selected explicitly.  -->
<!-- Presumably "fips" switches the broker to its FIPS-mode library and  -->
<!-- algorithm set - confirm against the product documentation.          -->
<!ELEMENT crypto-lib            EMPTY>
<!ATTLIST crypto-lib
      mode                      (fips|standard) "standard">

<!-- PKI settings. "dod-pki" element may appear only once, other elements -->
<!-- may be specified multiple times.                                     -->
<!-- (The "(...)*" model does not itself limit dod-pki to one occurrence; -->
<!-- that limit is presumably applied by the broker.)                     -->

<!ELEMENT cert-validation       (ldap-server|
                                ocsp-responder|
                                crl-prefetch|
                                dod-pki|
                                ca-certificate|
                                openssh-ca-key|
                                key-store)*>

<!-- end-point-identity-check defaults to "yes"; "no" and "ask" relax it.  -->
<!-- By its name it controls whether the server certificate is checked     -->
<!-- against the host being connected to - confirm before relaxing it, as  -->
<!-- that check is what ties a valid certificate to the intended server.   -->
<!-- The numeric limits and timeouts are free-form CDATA; units are not    -->
<!-- stated in the DTD (the *-timeout values look like seconds - TODO      -->
<!-- confirm). http-proxy-url / socks-server-url route the PKI lookups.    -->
<!ATTLIST cert-validation
      end-point-identity-check  (yes|no|YES|NO|ask|ASK) "yes"
      default-domain            CDATA           #IMPLIED
      http-proxy-url            CDATA           #IMPLIED
      socks-server-url          CDATA           #IMPLIED
      max-path-length           CDATA           "10"
      cache-size                CDATA           "300"
      max-crl-size              CDATA           "50"
      external-search-timeout   CDATA           "600"
      max-ldap-response-length  CDATA           "50"
      ldap-idle-timeout         CDATA           "30">

<!-- LDAP server used for certificate/CRL lookups (address is mandatory). -->
<!-- The default port 389 is the plain LDAP port; whether the broker      -->
<!-- protects the session (e.g. StartTLS) is not expressed in the DTD.    -->
<!ELEMENT ldap-server           EMPTY>
<!ATTLIST ldap-server
      address                   CDATA           #REQUIRED
      port                      CDATA           "389">

<!-- OCSP responder. url is mandatory; the element may also carry text    -->
<!-- content (#PCDATA). responder-certificate presumably pins the         -->
<!-- certificate the responder must sign with; validity-period "0" is    -->
<!-- not explained here - TODO confirm whether 0 means "use the           -->
<!-- response's own validity".                                            -->
<!ELEMENT ocsp-responder        (#PCDATA)>
<!ATTLIST ocsp-responder
      url                       CDATA           #REQUIRED
      validity-period           CDATA           "0"
      responder-certificate     CDATA           #IMPLIED>

<!-- CRL prefetch. -->
<!-- url is mandatory; interval defaults to 3600 (presumably seconds,     -->
<!-- i.e. hourly refresh - confirm).                                       -->
<!ELEMENT crl-prefetch          EMPTY>
<!ATTLIST crl-prefetch
      interval                  CDATA           "3600"
      url                       CDATA           #REQUIRED>

<!-- CA certificates. -->
<!-- The certificate may be supplied via file or as the element's text    -->
<!-- content (#PCDATA). disable-crls defaults to "no"; setting it to "yes" -->
<!-- presumably turns off revocation checking for certificates issued     -->
<!-- under this CA. use-expired-crls "0" - semantics (grace period?) not   -->
<!-- stated here, TODO confirm.                                           -->
<!ELEMENT ca-certificate        (#PCDATA)>
<!ATTLIST ca-certificate
      name                      CDATA           #REQUIRED
      file                      CDATA           #IMPLIED
      disable-crls              (yes|no|YES|NO) "no"
      use-expired-crls          CDATA           "0" >

<!-- OpenSSH certificates. -->
<!-- Trusted OpenSSH CA key, given via file or as text content; name is   -->
<!-- mandatory. Note the column layout differs from neighbouring lists.   -->
<!ELEMENT openssh-ca-key (#PCDATA)>
<!ATTLIST openssh-ca-key
      name                      CDATA #REQUIRED
      file                      CDATA #IMPLIED>

<!-- Enforce digital signature in key usage. -->
<!-- Off by default (enable="no"); turning it on tightens certificate     -->
<!-- acceptance to keys whose key-usage includes digital signature.       -->
<!ELEMENT dod-pki               EMPTY>
<!ATTLIST dod-pki
      enable                    (yes|no|YES|NO) "no" >

<!-- Key stores: any mix of key-store, user-keys and identification.      -->
<!ELEMENT key-stores            ((key-store|user-keys|identification)*)>

<!-- External key store (type is mandatory, init is a free-form string).  -->
<!-- disable-crls / use-expired-crls mirror the ca-certificate attributes. -->
<!ELEMENT key-store             EMPTY>
<!ATTLIST key-store
      type                      CDATA           #REQUIRED
      init                      CDATA           #IMPLIED
      disable-crls              (yes|no|YES|NO) "no"
      use-expired-crls          CDATA           "0" >

<!-- User key directory. poll-interval "10" is presumably seconds.         -->
<!-- passphrase-timeout / passphrase-idle-timeout "0" - whether 0 means   -->
<!-- "never expire the cached passphrase" is not stated here; TODO confirm, -->
<!-- since that decides how long decrypted keys stay usable unattended.   -->
<!ELEMENT user-keys             EMPTY>
<!ATTLIST user-keys
      directory                 CDATA           #IMPLIED
      poll-interval             CDATA           "10"
      passphrase-timeout        CDATA           "0"
      passphrase-idle-timeout   CDATA           "0"
      rotation-period           CDATA           "0">

<!-- Identification file (file is mandatory; base-path optional).         -->
<!-- Same passphrase timeout caveat as user-keys above.                   -->
<!ELEMENT identification        EMPTY>
<!ATTLIST identification
      file                      CDATA           #REQUIRED
      base-path                 CDATA           #IMPLIED
      passphrase-timeout        CDATA           "0"
      passphrase-idle-timeout   CDATA           "0">

<!-- This element is deprecated and included for backwards compatibility only -->
<!-- The three deprecated host-key elements below each take a mandatory    -->
<!-- enable flag; presumably superseded by the auth-server-publickey       -->
<!-- "policy" attribute (see server-authentication-methods) - confirm.     -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
      enable                    (yes|no|YES|NO) #REQUIRED>

<!-- This element is deprecated and included for backwards compatibility only -->
<!ELEMENT host-key-always-ask   EMPTY>
<!ATTLIST host-key-always-ask
      enable                    (yes|no|YES|NO) #REQUIRED>

<!-- This element is deprecated and included for backwards compatibility only -->
<!-- accept-unknown-host-keys="yes" would skip the unknown-host-key prompt; -->
<!-- the newer policy values ("strict"/"ask"/"tofu"/"advisory") express   -->
<!-- the same choice explicitly.                                           -->
<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
      enable                    (yes|no|YES|NO) #REQUIRED>

<!-- exclusive-connection is not deprecated; it is a child of              -->
<!-- default-settings and profile (not of general), declared here for      -->
<!-- grouping only.                                                        -->
<!ELEMENT exclusive-connection  EMPTY>
<!ATTLIST exclusive-connection
      enable                    (yes|no|YES|NO) #REQUIRED>

<!-- Known host keys. path/file/directory are all optional; the element   -->
<!-- may also nest key-store entries. filename-format "hash" presumably    -->
<!-- stores hashed host names (as OpenSSH HashKnownHosts does) so the      -->
<!-- store does not reveal which hosts the user connects to - confirm.     -->
<!ELEMENT known-hosts           (key-store*)>
<!ATTLIST known-hosts
      path                      CDATA           #IMPLIED
      file                      CDATA           #IMPLIED
      directory                 CDATA           #IMPLIED
      filename-format           (hash|plain|default) "default" >

<!-- Extended plugin configuration -->
<!ELEMENT extended              (ext)*>

<!-- Free-form, recursively nested plugin settings.                       -->
<!-- NOTE(review): inside a mixed-content model the bar-separated names   -->
<!-- are element names, so "EMPTY" here is read as an element called      -->
<!-- EMPTY (not the EMPTY keyword); no such element is declared in this   -->
<!-- file, so a validating parser may warn. Likely meant (#PCDATA|ext)*.  -->
<!ELEMENT ext                   (#PCDATA | EMPTY | ext)*>
<!ATTLIST ext
      name                      CDATA           #REQUIRED>

<!-- Default settings element.  No element may appear multiple times. -->
<!-- NOTE(review): as with "general", the "(...)*" model does not enforce  -->
<!-- single occurrence; the broker presumably does. The child             -->
<!-- automatic-auth-continue is referenced here (and in profile) but is   -->
<!-- not declared anywhere in the portion of the DTD shown.               -->
<!ELEMENT default-settings      (ciphers|macs|kexs|hostkey-algorithms|
                                transport-distribution|rekey|
                                authentication-methods|
                                hostbased-default-domain|
                                compression|proxy|idle-timeout|
                                tcp-connect-timeout|keepalive-interval|
                                exclusive-connection|server-banners|
                                forwards|extended|remote-environment|
                                server-authentication-methods|
                                authentication-success-message|
                                sftpg3-mode|terminal-selection|terminal-bell|
                                close-window-on-disconnect|quiet-mode|
                                checksum|address-family|fingerprint-types|
                                character-set|automatic-auth-continue)*>

<!-- Optional default user name applied when a profile gives none.       -->
<!ATTLIST default-settings
      user                      CDATA           #IMPLIED>

<!-- Server banners. -->
<!-- visible="no" suppresses display of the server's pre-auth banner.     -->
<!ELEMENT server-banners        EMPTY>
<!ATTLIST server-banners
      visible                   (yes|no|YES|NO) "yes">

<!-- Ciphers element. -->
<!-- Algorithm lists (ciphers/macs/kexs/hostkey-algorithms) share one      -->
<!-- shape: a list element holding zero or more named entries. The names   -->
<!-- are free-form CDATA, so the DTD does not validate that an algorithm   -->
<!-- exists or is still considered strong; list order is presumably the   -->
<!-- negotiation preference order - confirm.                               -->
<!ELEMENT ciphers               (cipher*)>

<!-- Cipher. -->
<!ELEMENT cipher                EMPTY>
<!ATTLIST cipher
      name                      CDATA           #REQUIRED>

<!-- Macs element. -->
<!ELEMENT macs                  (mac*)>

<!-- Mac. -->
<!ELEMENT mac                   EMPTY>
<!ATTLIST mac
      name                      CDATA           #REQUIRED>

<!-- Kexs element. -->
<!ELEMENT kexs                  (kex*)>

<!-- Kex. -->
<!ELEMENT kex                   EMPTY>
<!ATTLIST kex
      name                      CDATA           #REQUIRED>

<!-- Hostkey algorithms element. -->
<!ELEMENT hostkey-algorithms    (hostkey-algorithm*)>

<!-- Hostkey algorithm. -->
<!ELEMENT hostkey-algorithm     EMPTY>
<!ATTLIST hostkey-algorithm
      name                      CDATA           #REQUIRED>

<!-- Rekey threshold in bytes. Whether "0" means "use the built-in        -->
<!-- default" or "never rekey" is not stated here - TODO confirm.          -->
<!ELEMENT rekey                 EMPTY>
<!ATTLIST rekey
      bytes                     CDATA           "0">

<!-- Hostbased default domain. -->
<!-- Domain appended for host-based authentication; name is mandatory.    -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
      name                      CDATA           #REQUIRED>

<!-- Authentication methods element. -->
<!-- Client-side (user) methods. The generic authentication-method entry  -->
<!-- is deprecated (see below); prefer the specific auth-* elements.      -->
<!ELEMENT authentication-methods (authentication-method|auth-hostbased
                                |auth-password|auth-publickey|auth-gssapi
                                |auth-keyboard-interactive)*>
<!-- Server-side methods: how the client verifies the server's identity   -->
<!-- (host public key and/or certificate).                                -->
<!ELEMENT server-authentication-methods (authentication-method
                                |auth-server-publickey
                                |auth-server-certificate)*>

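<!-- Server public-key authentication policy.                              -->
<!-- policy is free-form CDATA; the values the broker understands are      -->
<!-- "strict", "ask", "tofu", "advisory". "strict" accepts only keys       -->
<!-- already known; "tofu" and "advisory" accept a first-seen key, so they -->
<!-- trade host-key verification for convenience - presumably; confirm.    -->
<!-- rotation presumably controls acceptance of rotated host keys.         -->
<!-- NOTE(review): the original declaration closed the ATTLIST after       -->
<!-- "policy" and put an XML comment inside the markup declaration, which  -->
<!-- left "rotation" as a stray token; both attributes are now declared.   -->
<!ELEMENT auth-server-publickey EMPTY>
<!ATTLIST auth-server-publickey
      policy                    CDATA #IMPLIED
      rotation                  CDATA #IMPLIED>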

<!-- Server certificate authentication; no attributes, configured via      -->
<!-- cert-validation.                                                       -->
<!ELEMENT auth-server-certificate   EMPTY>

<!-- Environment variables requested on the remote side.                   -->
<!ELEMENT remote-environment    (environment*)>

<!-- One variable; format="yes" presumably enables substitution in value   -->
<!-- (e.g. expanding placeholders) - confirm.                               -->
<!ELEMENT environment           EMPTY>
<!ATTLIST environment
      name                      CDATA           #REQUIRED
      value                     CDATA           #REQUIRED
      format                    (yes|no|YES|NO) "no">

<!-- This element is deprecated and included for backwards compatibility only -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
      num-transports            CDATA           #REQUIRED>

<!-- This element is deprecated and included for backwards compatibility only -->
<!-- Generic method-by-name entry; still accepted inside both             -->
<!-- authentication-methods and server-authentication-methods.            -->
<!ELEMENT authentication-method EMPTY>
<!ATTLIST authentication-method
      name                      CDATA           #REQUIRED>

<!-- Host-based authentication, optionally overriding the local host name. -->
<!ELEMENT auth-hostbased        (local-hostname?)>
<!ELEMENT local-hostname        EMPTY>
<!ATTLIST local-hostname 
      name                      CDATA           #REQUIRED>

<!-- Password authentication (no attributes; see the password element).   -->
<!ELEMENT auth-password         EMPTY>

<!-- Public-key authentication with an optional key-selection filter.     -->
<!-- signature-algorithms is free-form CDATA (not validated by the DTD).  -->
<!ELEMENT auth-publickey        (key-selection?)>
<!ATTLIST auth-publickey
      signature-algorithms      CDATA           #IMPLIED>

<!-- Filter choosing which user key/certificate is offered. Criteria may  -->
<!-- be combined; exclude="yes" presumably inverts the match and           -->
<!-- require-all="yes" presumably ANDs the criteria instead of ORing them  -->
<!-- - confirm both. policy is free-form CDATA.                            -->
<!ELEMENT key-selection         (public-key|issuer-name|subject-name|
                                extended-key-usage|key-usage|policy-info|
                                altname-email|altname-upn)*>
<!ATTLIST key-selection
      policy                    CDATA           #IMPLIED
      exclude                   (yes|no|YES|NO) "no"
      require-all               (yes|no|YES|NO) "no">
      
<!-- key-selection criteria. Note that policy-info, altname-email and      -->
<!-- altname-upn are allowed by the key-selection model but are not        -->
<!-- declared in the portion of the DTD shown.                             -->
<!ELEMENT public-key EMPTY>
<!ATTLIST public-key
      type                      CDATA           #REQUIRED>
<!-- Match by issuer DN, exact name or pattern; match-server-certificate   -->
<!-- presumably requires the same issuer as the server's certificate.      -->
<!ELEMENT issuer-name           EMPTY>
<!ATTLIST issuer-name
      name                      CDATA           #IMPLIED
      pattern                   CDATA           #IMPLIED
      match-server-certificate  (yes|no|YES|NO) "no">
<!ELEMENT subject-name          EMPTY>
<!ATTLIST subject-name
      name                      CDATA           #IMPLIED
      pattern                   CDATA           #IMPLIED>
<!-- OID may be given as attribute or text content; explicit="yes"         -->
<!-- presumably requires the EKU to be present rather than implied.        -->
<!ELEMENT extended-key-usage    (#PCDATA)>
<!ATTLIST extended-key-usage
      oid                       CDATA           #IMPLIED
      explicit                  (yes|no|YES|NO) "no">
<!ELEMENT key-usage             (#PCDATA)>
<!ATTLIST key-usage 
      bit                       CDATA           #IMPLIED>
<!ELEMENT auth-keyboard-interactive EMPTY>
<!ELEMENT auth-gssapi           EMPTY>

<!-- Actually, the default for allow-ticket-forwarding is "no", but we
     don't want to override value if it is left undefined. -->
<!-- dll-path is a comma-separated search list of GSSAPI/Kerberos          -->
<!-- libraries; every default entry is an absolute path, so no relative    -->
<!-- or current-directory lookup is implied by the default. Overriding it  -->
<!-- with a path writable by untrusted users would let that library be     -->
<!-- loaded into the broker. allow-ticket-forwarding="yes" delegates the   -->
<!-- user's Kerberos credentials to the server; unlike the other boolean   -->
<!-- attributes it accepts lowercase values only.                          -->
<!ATTLIST auth-gssapi
      dll-path                  CDATA           "/usr/lib/libgssapi_krb5.so,
                                                /usr/lib64/libgssapi_krb5.so,
                                                /usr/lib/libkrb5.so,
                                                /usr/lib/libgss.so,
                                                /usr/local/gss/gl/mech_krb5.so,
                                                /usr/local/lib/libgssapi_krb5.so,
                                                /usr/local/lib/libkrb5.so,
                                                /usr/kerberos/lib/libgssapi_krb5.so,
                                                /usr/kerberos/lib/libkrb5.so,
                                                /usr/lib/gss/libgssapi_krb5.so,
                                                /usr/kerberos/lib/libgssapi_krb5.so.2,
                                                /usr/lib/libgssapi_krb5.so.2,
                                                /usr/lib/amd64/gss/mech_krb5.so,
                                                /usr/lib/amd64/libgss.so"
      allow-ticket-forwarding   (yes|no)        #IMPLIED>

<!-- User identities. -->
<!-- Per-profile identities. All attributes are optional; which of          -->
<!-- identity-file/file/hash/id/data are alternatives to each other is not -->
<!-- expressed here - TODO confirm.                                        -->
<!ELEMENT user-identities       (identity*)>
<!ELEMENT identity              EMPTY>
<!ATTLIST identity
      identity-file             CDATA           #IMPLIED
      file                      CDATA           #IMPLIED
      hash                      CDATA           #IMPLIED
      id                        CDATA           #IMPLIED
      data                      CDATA           #IMPLIED>

<!-- Password. -->
<!-- Stored password for a profile: inline (string, or string-base64 -    -->
<!-- encoding, not encryption), in a separate file, or obtained from a    -->
<!-- command (presumably executed by the broker). Inline values live in   -->
<!-- clear text in this configuration file, so its permissions decide who  -->
<!-- can read them; "file" and "command" keep the secret out of the file.  -->
<!ELEMENT password              (#PCDATA)>
<!ATTLIST password
      string                    CDATA           #IMPLIED
      string-base64             CDATA           #IMPLIED
      file                      CDATA           #IMPLIED
      command                   CDATA           #IMPLIED>

<!-- Proxy rules. -->
<!-- ruleset is a free-form string interpreted by the broker.             -->
<!ELEMENT proxy                 EMPTY>
<!ATTLIST proxy
      ruleset                   CDATA           #REQUIRED>

<!-- Idle timeout. -->
<!-- Only type="connection" exists; time is optional and its unit is not   -->
<!-- stated in the DTD (presumably seconds).                               -->
<!ELEMENT idle-timeout          EMPTY>
<!ATTLIST idle-timeout
      type                      (connection)    "connection"
      time                      CDATA           #IMPLIED>

<!-- Connect timeout. -->
<!ELEMENT tcp-connect-timeout   EMPTY>
<!ATTLIST tcp-connect-timeout
      time                      CDATA           #REQUIRED>

<!-- Keepalive interval. -->
<!ELEMENT keepalive-interval    EMPTY>
<!ATTLIST keepalive-interval
      time                      CDATA           #REQUIRED>

<!-- Forwards element. -->
<!ELEMENT forwards              (forward*)>

<!-- Forward. -->
<!-- X11 or agent forwarding. "denied" presumably refuses the forwarding   -->
<!-- even if requested later, whereas "off" only leaves it unrequested -   -->
<!-- confirm. Agent forwarding exposes the user's keys for signing on the  -->
<!-- remote host, so it is the setting to keep off for untrusted servers.  -->
<!ELEMENT forward               EMPTY>
<!ATTLIST forward
      type                      (x11|agent)     #REQUIRED
      state                     (on|off|denied) #REQUIRED>


<!-- Compression. -->
<!-- Algorithm name and level are both optional free-form strings.        -->
<!ELEMENT compression           EMPTY>
<!ATTLIST compression
      name                      CDATA           #IMPLIED
      level                     CDATA           #IMPLIED>

<!-- Show a message on successful authentication (on by default).         -->
<!ELEMENT authentication-success-message EMPTY>
<!ATTLIST authentication-success-message
      enable                    (yes|no|YES|NO) "yes">

<!-- Text shown on disconnect (profile-level only).                       -->
<!ELEMENT disconnect-message EMPTY>
<!ATTLIST disconnect-message
      message               CDATA #IMPLIED>

<!-- Keyboard-interactive prompt prefix (profile-level only).             -->
<!ELEMENT keyboard-interactive EMPTY>
<!ATTLIST keyboard-interactive
      prefix                CDATA #IMPLIED>

<!-- Character set handling; all three values are optional strings.       -->
<!ELEMENT character-set EMPTY>
<!ATTLIST character-set
      local                 CDATA #IMPLIED
      remote                CDATA #IMPLIED
      request               CDATA #IMPLIED>

<!-- Quiet mode suppresses client output (off by default).                -->
<!ELEMENT quiet-mode            EMPTY>
<!ATTLIST quiet-mode
      enable                    (yes|no|YES|NO) "no">

<!-- sftpg3 compatibility mode; default "tectia", other values are not    -->
<!-- enumerated here.                                                       -->
<!ELEMENT sftpg3-mode           EMPTY>
<!ATTLIST sftpg3-mode
      compatibility-mode        CDATA           "tectia">

<!-- Terminal UI settings.                                                 -->
<!ELEMENT terminal-selection    EMPTY>
<!ATTLIST terminal-selection
      selection-type            (select-words|select-paths) 
                                                "select-words">

<!ELEMENT terminal-bell         EMPTY>
<!ATTLIST terminal-bell
      bell-style                (none|pc-speaker|system-default) 
                                                "system-default">

<!-- Unlike most boolean attributes in this DTD, only lowercase yes/no    -->
<!-- is accepted here.                                                     -->
<!ELEMENT close-window-on-disconnect EMPTY>
<!ATTLIST close-window-on-disconnect
      enable                    (yes|no)        "no">

<!-- File transfer checksum selection. "yes"/"no" toggle it; the named    -->
<!-- values pick the hash, and the "-force" variants presumably require   -->
<!-- it even when the server would not negotiate it - confirm. md5 and    -->
<!-- sha1 are retained for compatibility only; both are collision-weak,  -->
<!-- so prefer sha256/sha512 where integrity matters.                      -->
<!ELEMENT checksum EMPTY>
<!ATTLIST checksum
      type   (yes|no|md5|sha1|sha256|sha512|md5-force|sha1-force|sha256-force|sha512-force|checkpoint|
              YES|NO|MD5|SHA1|SHA256|SHA512|MD5-FORCE|SHA1-FORCE|SHA256-FORCE|SHA512-FORCE|CHECKPOINT) "yes">

<!-- Per-user configuration directory. The default "%USER_CONFIG_DIRECTORY%" -->
<!-- is a placeholder token, presumably expanded by the broker at runtime.  -->
<!ELEMENT user-config-directory EMPTY>
<!ATTLIST user-config-directory
      path                      CDATA           "%USER_CONFIG_DIRECTORY%">

<!-- File access control, off by default. By its name this enforces         -->
<!-- permission checks on configuration/key files - confirm what it covers. -->
<!ELEMENT file-access-control   EMPTY>
<!ATTLIST file-access-control
      enable                    (yes|no|YES|NO) "no">

<!-- address-family mode setting ipv4 & ipv6-->
<!-- any = both families; inet = IPv4 only; inet6 = IPv6 only. The default -->
<!-- comes from the default-address-family-type entity at the top.         -->
<!ELEMENT address-family        EMPTY>
<!ATTLIST address-family
      type                      (any|inet|inet6) 
                                                "&default-address-family-type;">

<!-- Host key fingerprint display formats (type is mandatory).            -->
<!ELEMENT fingerprint-types (fingerprint*)>

<!ELEMENT fingerprint EMPTY>
<!ATTLIST fingerprint
          type (babble|rfc4716|base64) #REQUIRED>

<!-- Protocol parameters; threads is an optional free-form value.        -->
<!ELEMENT protocol-parameters   EMPTY>
<!ATTLIST protocol-parameters
      threads                   CDATA           #IMPLIED>

<!-- Profiles element. -->
<!ELEMENT profiles              (profile*)>

<!-- Connection profile.  No element may appear multiple times. -->
<!-- NOTE(review): the "(...)*" model allows repetition; the rule is       -->
<!-- presumably enforced by the broker. A profile may carry its own        -->
<!-- hostkey, user-identities, password and tunnels in addition to the    -->
<!-- settings also available under default-settings.                      -->
<!ELEMENT profile               (hostkey|ciphers|macs|kexs|hostkey-algorithms|
                                transport-distribution|rekey|
                                authentication-methods|
                                user-identities|
                                compression|proxy|idle-timeout|
                                tcp-connect-timeout|keepalive-interval|
                                exclusive-connection|server-banners|
                                forwards|tunnels|extended|remote-environment|
                                server-authentication-methods|password|
                                authentication-success-message|
                                disconnect-message|keyboard-interactive|
                                character-set|automatic-auth-continue|
                                profile-group)*>
<!-- host is the only mandatory attribute. gateway-profile presumably     -->
<!-- names another profile to hop through (chained connection) - confirm. -->
<!-- connect-on-startup="yes" opens the connection as soon as the broker  -->
<!-- starts, which matters when the profile holds a stored password.      -->
<!ATTLIST profile
      id                        CDATA           #IMPLIED
      name                      CDATA           #IMPLIED
      host                      CDATA           #REQUIRED
      port                      CDATA           "22"
      protocol                  CDATA           "secsh2"
      host-type                 (unix|windows|default) "default"
      connect-on-startup        (yes|no|YES|NO) "no"
      user                      CDATA           #IMPLIED
      gateway-profile           CDATA           #IMPLIED>

<!-- Group membership label for the profile (name is mandatory).         -->
<!ELEMENT profile-group EMPTY>
<!ATTLIST profile-group
      name                      CDATA           #REQUIRED>

<!-- Hostkey. -->
<!-- Pinned host key for the profile, given via file or as text content.  -->
<!-- A pinned key is the strongest of the host verification options here. -->
<!ELEMENT hostkey               (#PCDATA)>
<!ATTLIST hostkey
      file                      CDATA           #IMPLIED>

<!-- Tunnels element. -->
<!-- Sequence model: all local-tunnel entries must precede any            -->
<!-- remote-tunnel entries.                                               -->
<!ELEMENT tunnels               (local-tunnel*,remote-tunnel*)>

<!-- Local tunnel. -->
<!-- listen-address defaults to loopback and allow-relay to "no", so by    -->
<!-- default only this host can use the listener. Binding another address  -->
<!-- exposes the listener to other hosts on that network, and allow-relay  -->
<!-- presumably permits such non-local clients - confirm. type is CDATA    -->
<!-- (not an enumeration); only "tcp" is documented by the default.        -->
<!ELEMENT local-tunnel          EMPTY>
<!ATTLIST local-tunnel
      type                      CDATA           "tcp"
      listen-address            CDATA           "127.0.0.1"
      listen-port               CDATA           #REQUIRED
      dst-host                  CDATA           "127.0.0.1"
      dst-port                  CDATA           #REQUIRED
      allow-relay               (yes|no|YES|NO) "no">

<!-- Remote tunnel. -->
<!-- Same attributes as local-tunnel; here the listener lives on the      -->
<!-- remote side, so a non-loopback listen-address exposes the tunnel     -->
<!-- endpoint to the server's network rather than ours.                   -->
<!ELEMENT remote-tunnel         EMPTY>
<!ATTLIST remote-tunnel
      type                      CDATA           "tcp"
      listen-address            CDATA           "127.0.0.1"
      listen-port               CDATA           #REQUIRED
      dst-host                  CDATA           "127.0.0.1"
      dst-port                  CDATA           #REQUIRED
      allow-relay               (yes|no|YES|NO) "no">

<!-- Static tunnels element. -->
<!ELEMENT static-tunnels        (tunnel*)>

<!-- Static tunnel. -->
<!-- Like local-tunnel but bound to a named profile (profile is           -->
<!-- mandatory), so it is established independently of an interactive     -->
<!-- session. Same loopback/allow-relay exposure considerations apply.    -->
<!ELEMENT tunnel                EMPTY>
<!ATTLIST tunnel
      type                      CDATA           "tcp"
      listen-address            CDATA           "127.0.0.1"
      listen-port               CDATA           #REQUIRED
      dst-host                  CDATA           "127.0.0.1"
      dst-port                  CDATA           #REQUIRED
      allow-relay               (yes|no|YES|NO) "no"
      profile                   CDATA           #REQUIRED>

<!-- GUI. -->
<!-- Tray/UI toggles. show-security-notification defaults to "yes";       -->
<!-- turning it off hides security prompts from the user, so keep it on  -->
<!-- unless the prompts are handled elsewhere.                            -->
<!ELEMENT gui                   EMPTY>
<!ATTLIST gui
      hide-tray-icon            (yes|no|YES|NO) "no"
      show-exit-button          (yes|no|YES|NO) "yes"
      show-admin                (yes|no|YES|NO) "yes"
      enable-connector          (yes|no|YES|NO) "yes"
      show-security-notification (yes|no|YES|NO) "yes">

<!-- Transparent tunneling filter engine (networks, DNS mappings, filters  -->
<!-- and rules in any order). The pseudo-IP generation defaults use the    -->
<!-- RFC 2544 benchmarking range (198.18.0.0/15) and the IPv6              -->
<!-- documentation prefix (2001:db8::/32), which should not collide with   -->
<!-- real addresses.                                                       -->
<!ELEMENT filter-engine         (network|dns|filter|rule)*>
<!ATTLIST filter-engine
      ip-generate-start         CDATA           "198.18.0.1"
      ip6-generate-start        CDATA           "2001:db8::ff00:42:8329"
      ftp-filter-at-signs       (yes|no|YES|NO) "no">

<!-- Network definition; id is an XML ID and must be unique in the file.  -->
<!-- Per-network pseudo-IP ranges override the filter-engine defaults.    -->
<!ELEMENT network               EMPTY>
<!ATTLIST network
      id                        ID              #REQUIRED
      address                   CDATA           #IMPLIED
      domain                    CDATA           #IMPLIED
      ip-generate-start         CDATA           #IMPLIED
      ip6-generate-start        CDATA           #IMPLIED>

<!-- DNS mapping; network-id is an IDREF so it must name a declared       -->
<!-- network id. pseudo-ip="yes" presumably answers with a generated      -->
<!-- address from the range above instead of the real one - confirm.      -->
<!ELEMENT dns                   EMPTY>
<!ATTLIST dns
      id                        ID              #REQUIRED
      network-id                IDREF           #IMPLIED
      application               CDATA           #IMPLIED
      host                      CDATA           #IMPLIED
      ip-address                CDATA           #IMPLIED
      pseudo-ip                 (yes|no|YES|NO) "no">

<!-- Filter bound to a dns entry (dns-id is an IDREF to a dns id).        -->
<!-- action decides whether matching traffic is blocked, sent directly,  -->
<!-- tunneled, or handled by the FTP variants. fallback-to-plain defaults -->
<!-- to "no"; "yes" presumably lets the connection proceed untunneled     -->
<!-- when the tunnel cannot be set up - confirm, since that silently       -->
<!-- downgrades protected traffic.                                          -->
<!ELEMENT filter                EMPTY>
<!ATTLIST filter
      dns-id                    IDREF           #REQUIRED
      ports                     CDATA           #REQUIRED
      action                    (block|direct|tunnel|ftp-tunnel|ftp-proxy|
                                BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)  
                                                #REQUIRED
      profile-id                CDATA           #IMPLIED
      destination               CDATA           #IMPLIED
      destination-port          CDATA           #IMPLIED
      fallback-to-plain         (yes|no|YES|NO) "no">

<!-- Stand-alone rule matching on application/host/ip-address instead of  -->
<!-- a dns entry. hostname-from-app / username-from-app presumably take   -->
<!-- the values from the connecting application rather than this file -   -->
<!-- confirm. Same fallback-to-plain caveat as filter.                    -->
<!ELEMENT rule                  EMPTY>
<!ATTLIST rule
      application               CDATA           #IMPLIED
      host                      CDATA           #IMPLIED
      ip-address                CDATA           #IMPLIED
      pseudo-ip                 (yes|no|YES|NO) "no"
      ports                     CDATA           #REQUIRED
      action                    (block|direct|tunnel|ftp-tunnel|ftp-proxy|
                                BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)  
                                                #REQUIRED
      profile-id                CDATA           #IMPLIED
      destination               CDATA           #IMPLIED
      destination-port          CDATA           #IMPLIED
      username                  CDATA           #IMPLIED
      hostname-from-app         (yes|no|YES|NO) "no"
      username-from-app         (yes|no|YES|NO) "no"
      fallback-to-plain         (yes|no|YES|NO) "no"
      show-sftp-server-banner   (yes|no|YES|NO) "no">


<!-- Logging: sequence model, so all log-target entries come before any   -->
<!-- log-events entries.                                                   -->
<!ELEMENT logging               (log-target*,log-events*)>

<!-- Log events. -->
<!-- Log event facility. -->
<!-- Defaults referenced by the log-events attribute list below.          -->
<!ENTITY default-log-event-facility       "normal">

<!-- Log event severity. -->
<!ENTITY default-log-event-severity       "notice">

<!-- Log destination. Default is a file (path in "file") in syslog         -->
<!-- format; type="discard" drops the events entirely, so a target of that -->
<!-- type removes the audit trail for whatever is routed to it.            -->
<!ELEMENT log-target            EMPTY>
<!ATTLIST log-target
      file                      CDATA                           #IMPLIED
      type                      (file|syslog|socket|discard)    "file"
      format                    (syslog|csv|xml)                "syslog" >

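<!-- Log event selection: text content naming the events, optionally with  -->
<!-- nested log-target entries. Defaults come from the two entities above. -->
<!-- The severities security-success / security-failure are the ones that  -->
<!-- carry the authentication audit trail; facility "discard" presumably   -->
<!-- drops the selected events - confirm before routing security events    -->
<!-- there.                                                                 -->
<!-- NOTE(review): XML 1.0 requires #PCDATA to be the first item of a      -->
<!-- mixed content model; the original (log-target|#PCDATA)* was therefore  -->
<!-- not a valid declaration and has been reordered to (#PCDATA|log-target)*. -->
<!ELEMENT log-events            (#PCDATA|log-target)*>
<!ATTLIST log-events
      facility      (normal|daemon|user|auth|local0|local1|
                    local2|local3|local4|local5|local6|local7|discard)
                                                "&default-log-event-facility;"
      severity      (informational|notice|warning|error|critical|
                    security-success|security-failure)
                                                "&default-log-event-severity;">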