
Connection Broker Configuration File Quick Reference

This Appendix contains a quick reference to the elements of the Connection Broker configuration file, ssh-broker-config.xml. The quick reference is divided into four tables: Table A.3 covers the general element, Table A.4 the default-settings element, Table A.5 the profiles element, and Table A.6 the static-tunnels, gui, filter-engine, and logging elements.

The tables list the available configuration file elements with their attributes, attribute values (with the default value, if available, given in parentheses) and descriptions. Each element is described in detail in ssh-broker-config(5).

The element hierarchy is expressed with slashes ('/') between parent and child elements.

Table A.3.  ssh-broker-config.xml Quick Reference - the general element

| Element | Attributes and their values | Description |
|---|---|---|
| crypto-lib | mode = "standard\|fips" | Cryptographic library mode: standard or FIPS 140-2 certified |
| cert-validation | end-point-identity-check = "yes\|no\|ask" | Client will verify the server's host name or IP address against the server host certificate |
| | default-domain = domain_name | Default domain part of the remote system name |
| | http-proxy-url = HTTP_proxy | HTTP proxy for making queries for certificate validity |
| | socks-server-url = SOCKS_server | SOCKS server for making queries for certificate validity |
| | cache-size = [1 to 512] (default: "35") | Maximum size (MB) of in-memory cache for certificates and CRLs |
| | max-crl-size = [1 to 512] (default: "11") | Maximum size (MB) of CRLs accepted |
| | external-search-timeout = [1 to 3600] (default: "60") | Time limit (seconds) for external HTTP and LDAP searches for CRLs and certificates |
| | max-ldap-response-length = [1 to 512] (default: "11") | Maximum size (MB) of LDAP responses accepted |
| | ldap-idle-timeout = [1 to 3600] (default: "30") | Idle timeout (seconds) for LDAP connections |
| | max-path-length = number (default: "10") | Maximum length of certification paths when validating certificates |
| cert-validation / ldap-server | address = LDAP_server_address | LDAP server address for fetching CRLs and/or subordinate CA certificates |
| | port = port_number (default: "389") | LDAP server port for fetching CRLs and/or subordinate CA certificates |
| cert-validation / ocsp-responder | url = URL_address | OCSP (Online Certificate Status Protocol) responder service address |
| | validity-period = seconds (default: "0") | Time period during which new OCSP queries for the same certificate are not made (the old result is used) |
| cert-validation / crl-prefetch | url = LDAP_URL\|HTTP_URL\|file_URL | Tectia ConnectSecure periodically downloads a CRL from this URL |
| | interval = seconds (default: "3600") | How often the CRL is downloaded |
| cert-validation / dod-pki | enable = "yes\|no" | Enforce digital signature in key usage |
| cert-validation / ca-certificate | name = CA_name | Name of the certification authority (CA) used in server authentication |
| | file = path | Path to the X.509 CA certificate file |
| | disable-crls = "yes\|no" | Disable CRL checking |
| | use-expired-crls = seconds (default: "0") | Time period for using expired CRLs |
| key-stores / key-store | type = "mscapi\|pkcs11\|software\|zos-saf" | Key store type |
| | init = init_info | Key-store-provider-specific initialization info |
| key-stores / user-keys | directory = path | Directory where the user private keys are stored |
| | passphrase-timeout = seconds (default: "0") | Time after which the passphrase-protected private key will time out |
| | passphrase-idle-timeout = seconds (default: "0") | Time after which the passphrase-protected private key will time out unless the user accesses or uses the key |
| key-stores / identification | file = path | Location of the identification file that defines the user keys |
| | base-path = path | Directory where the identification file expects the user private keys to be stored |
| | passphrase-timeout = seconds (default: "0") | Time after which the user must enter the passphrase again |
| | passphrase-idle-timeout = seconds (default: "0") | Time after which the passphrase times out if there are no user actions |
| user-config-directory | path = path (default: "%USER_CONFIG_DIRECTORY%") | Non-default location of user-specific configuration files |
| file-access-control (Unix only) | enable = "yes\|no" | Enable checking of the file access permissions defined for global and user-specific configuration files and private key files |
| protocol-parameters | threads = number (if set to 0, the default value is used) | The number of threads the protocol library uses (fast path dispatcher threads) |
| known-hosts | path = path | Non-default location of the known hosts file or directory |
| | file = path | Location of the OpenSSH-style known_hosts file |
| | directory = path | Non-default directory for storing known host keys |
| | filename-format = "hash\|plain\|default" ("default" = "hash") | The format in which new host key files will be stored |

Table A.4.  ssh-broker-config.xml Quick Reference - the default-settings element

| Element | Attributes and their values | Description |
|---|---|---|
| default-settings | user = user_name | Default user name to be used when connecting to remote servers |
| ciphers / cipher | name = cipher_name | A cipher that the client requests for data encryption |
| macs / mac | name = MAC_name | A MAC that the client requests for data integrity verification |
| kexs / kex | name = KEX_name | A KEX that the client requests for the key exchange method |
| hostkey-algorithms / hostkey-algorithm | name = hostkey-algorithm_name | A host key signature algorithm to be used in server authentication with host keys or certificates |
| rekey | bytes = number (default: "1000000000" (1 GB)) | Number of transferred bytes after which key exchange is done again |
| authentication-methods / auth-hostbased | - | Host-based authentication will be used |
| authentication-methods / auth-hostbased / local-hostname | name = host_name | Local host name that is advertised to the remote server during host-based authentication |
| authentication-methods / auth-password | - | Password authentication will be used |
| authentication-methods / auth-publickey | - | Public-key authentication will be used |
| | signature-algorithms = comma-separated_list | Public-key signature algorithms used for client authentication |
| authentication-methods / auth-publickey / key-selection | policy = "automatic\|interactive-shy" | Key selection policy used by the client when proposing user public keys to the server |
| authentication-methods / auth-publickey / key-selection / public-key | type = "plain\|certificate" (by default, both are tried) | Only plain public keys or only certificates are tried during public-key authentication |
| authentication-methods / auth-publickey / key-selection / issuer-name | name = certificate_issuer_name | Client-side user certificates can be filtered by comparing this name to the certificate issuers requested or accepted by the server |
| | match-server-certificate = "yes\|no" | The Connection Broker tries matching the user certificate issuer name to the server certificate issuer name |
| authentication-methods / auth-gssapi | - | GSSAPI will be used in authentication |
| | dll-path = path (ignored on Windows) | Location of the necessary GSSAPI libraries |
| | allow-ticket-forwarding = "yes\|no" | Allow forwarding the Kerberos ticket over several connections |
| authentication-methods / auth-keyboard-interactive | - | Keyboard-interactive methods will be used in authentication |
| hostbased-default-domain | name = domain_name | Host's default domain name that is appended to the short host name before transmitting it to the server |
| compression | name = "none\|zlib" | Compress the data that the client sends |
| | level = [0 to 9] (default: "0" = level 6) | For zlib, the compression level |
| proxy | ruleset = rule_sequence | Rules for HTTP proxy or SOCKS servers the client will use for connections |
| idle-timeout | type = "connection" | Idle timeout is always defined for connections |
| | time = seconds (default: "5") | Idle time (after all connection channels are closed) allowed for a connection before automatically closing the connection |
| tcp-connect-timeout | time = seconds (default: "5") | Timeout for TCP connections (after which connection attempts to a Secure Shell server are stopped if the remote host is down or unreachable) |
| keepalive-interval | time = seconds (default: "0") | Time interval for sending keepalive messages to the Secure Shell server |
| exclusive-connection | enable = "yes\|no" | A new connection is opened for each new channel |
| server-banners | visible = "yes\|no" | Show the server banner message file (if it exists) to the user before login |
| forwards / forward | type = "x11\|agent" | Forwarding type |
| | state = "on\|off\|denied" | Set forwarding on or off, or deny it |
| remote-environment / environment | name = env_var_name | Name of an environment variable that is to be passed to the server from the client side |
| | value = string | Value of the environment variable |
| | format = "yes\|no" | The Connection Broker processes Tectia-specific special variables in value (e.g. %U%) |
| server-authentication-methods / auth-server-certificate | - | Use certificates for server authentication |
| server-authentication-methods / auth-server-publickey | - | Use public host keys for server authentication |
| | policy = "strict\|ask\|tofu\|advisory" | Policy for handling unknown server host keys |
| authentication-success-message | enable = "yes\|no" | Output and log the AuthenticationSuccessMsg messages |
| sftpg3-mode | compatibility-mode = "tectia\|ftp\|openssh" | Behavior of sftpg3 when transferring files |
| terminal-selection | selection-type = "select-words\|select-paths" | Behavior of the Tectia terminal when the user selects text with double-clicks |
| terminal-bell | bell-style = "none\|pc-speaker\|system-default" | The Tectia terminal repeats audible notifications from the destination (Unix) server |
| close-window-on-disconnect | enable = "yes\|no" | Close the Tectia terminal window when the server session is disconnected by pressing CTRL+D |
| quiet-mode | enable = "yes\|no" | Make scpg3, sshg3, and sftpg3 suppress warnings, error messages and authentication success messages |
| checksum | type = "yes\|no\|md5\|sha1\|md5-force\|sha1-force\|checkpoint" | Default setting for comparing checksums |
| address-family | type = "any\|inet\|inet6" | IP address family: both, IPv4, or IPv6 |

Table A.5.  ssh-broker-config.xml Quick Reference - the profiles element

| Element | Attributes and their values | Description |
|---|---|---|
| profile | id = ID | Unique identifier that does not change during the lifetime of the profile |
| | name = string | Unique name (free-form text string) that can be used for connecting with the profile on the command line |
| | host = IP_address\|FQDN\|short_hostname | Secure Shell server host address |
| | port = port_number (default: "22") | Secure Shell server listener port number |
| | protocol = "secsh2" | The communications protocol used by the profile |
| | host-type = "default\|windows\|unix" | Server type for ASCII (text) file transfer |
| | connect-on-startup = "yes\|no" | Connect automatically with the profile when the Connection Broker is started |
| | user = user_name | User name for opening the connection |
| | gateway-profile = profile_name | Create nested tunnels |
| profile / hostkey | file = path | Path to the remote server host public key file |
| profile / ciphers / cipher | name = cipher_name | A cipher used with this profile |
| profile / macs / mac | name = MAC_name | A MAC used with this profile |
| profile / kexs / kex | name = KEX_name | A KEX used with this profile |
| profile / hostkey-algorithms / hostkey-algorithm | name = hostkey-algorithm_name | Host key signature algorithm used with this profile |
| profile / rekey | bytes = number (default: "1000000000" (1 GB)) | Number of transferred bytes after which key exchange is done again when using this profile |
| profile / authentication-methods | | Define the authentication methods for this profile using the same child elements as with default-settings / authentication-methods (see Table A.4) |
| profile / user-identities / identity | identity-file = path | The user identity is read from the identification file used with public-key authentication |
| | file = path | Path to the public-key file (primarily) or to a certificate |
| | hash = hash | Hash of the public key that will be used to identify the related private key |
| profile / compression | name = "none\|zlib" | Compression settings (for the data that the client sends) used with this profile |
| | level = [0 to 9] (default: "0" = level 6) | For zlib, the compression level |
| profile / proxy | ruleset = rule_sequence | Rules for HTTP proxy or SOCKS servers the client will use for connections with this profile |
| profile / idle-timeout | type = "connection" | Idle timeout is always defined for connections |
| | time = seconds (default: "5") | Idle time (after all connection channels are closed) allowed for a connection before automatically closing the connection opened with this profile |
| profile / tcp-connect-timeout | time = seconds (default: "5") | Timeout for TCP connections with this profile: connection attempts to a Secure Shell server are stopped after the defined time if the remote host is down or unreachable |
| profile / keepalive-interval | time = seconds (default: "0") | Time interval for sending keepalive messages to the Secure Shell server with this profile |
| profile / exclusive-connection | enable = "yes\|no" | A new connection is opened for each new channel with this profile |
| profile / server-banners | visible = "yes\|no" | Show the server banner message file (if it exists) to the user before login with this profile |
| profile / forwards / forward | type = "x11\|agent" | Forwarding type for this profile |
| | state = "on\|off\|denied" | Set forwarding on or off, or deny it (i.e. the user cannot enable it on the command line) with this profile |
| profile / tunnels / local-tunnel | type = "tcp\|ftp\|socks" | Type of the local tunnel that is opened automatically when a connection is made with this profile |
| | listen-address = IP_address (default: 127.0.0.1) | Client-side network interface address on which the tunnel listens |
| | listen-port = port_number | Listener port number on the local client |
| | dst-host = IP_address\|domain_name (default: 127.0.0.1) | Destination host address |
| | dst-port = port_number | Destination port |
| | allow-relay = "yes\|no" | Allow connections to the listened port from outside the client host |
| profile / tunnels / remote-tunnel | type = "tcp\|ftp" | Type of the remote tunnel that is opened automatically when a connection is made with this profile |
| | listen-address = IP_address (default: 127.0.0.1) | Server-side network interface address on which the tunnel listens |
| | listen-port = port_number | Listener port number on the remote server |
| | dst-host = IP_address\|domain_name (default: 127.0.0.1) | Destination host address |
| | dst-port = port_number | Destination port |
| | allow-relay = "yes\|no" | Allow connections to the listener port from outside the server host |
| profile / remote-environment / environment | name = env_var_name | Name of an environment variable that is to be passed to the server from the client side |
| | value = string | Value of the environment variable |
| | format = "yes\|no" | The Connection Broker processes Tectia-specific special variables in value (e.g. %U%) |
| profile / server-authentication-methods | | Define the server authentication methods allowed with this profile using the same child elements as with default-settings / server-authentication-methods (see Table A.4) |
| profile / password | string = password | User password that the client will send as a response to password authentication |
| | file = password_file | File containing the password |
| | command = path | Path to a program or script that outputs the password |

Table A.6.  ssh-broker-config.xml Quick Reference - the static-tunnels, gui, filter-engine, and logging elements

| Element | Attributes and their values | Description |
|---|---|---|
| static-tunnels / tunnel | type = "tcp\|ftp" | Type of the static tunnel |
| | listen-address = IP_address (default: 127.0.0.1) | Client-side network interface address on which the tunnel listens |
| | listen-port = port_number | Listener port number on the local client |
| | dst-host = IP_address\|domain_name (default: 127.0.0.1) | Destination host address |
| | dst-port = port_number | Destination port |
| | allow-relay = "yes\|no" | Allow connections to the listened port from outside the client host |
| | profile = ID | Connection profile ID that is used for the tunnel |
| gui | hide-tray-icon = "yes\|no" | Hide the Tectia icon in the Windows taskbar notification area |
| | show-exit-button = "yes\|no" | Show the Exit command in the Tectia icon's shortcut menu |
| | show-admin = "yes\|no" | Show the Configuration command in the Tectia icon's shortcut menu |
| | enable-connector = "yes\|no" | Transparent TCP tunneling is active and capturing application connections for tunneling |
| | show-security-notification = "yes\|no" | Tectia security notifications are shown upon establishing or closing transparent TCP or FTP tunnels |
| filter-engine | ip-generate-start = IPv4_address | Start address of the pseudo IPv4 address space |
| | ip6-generate-start = IPv6_address | Start address of the pseudo IPv6 address space |
| | ftp-filter-at-signs = "yes\|no" | Can be used with FTP-SFTP conversion when scripts open a connection directly from the FTP/SFTP client to the SFTP server, bypassing any proxies; Tectia ConnectSecure then uses the FTP user name, FTP server name, and FTP server password specified in the FTP script |
| filter-engine / network | id = ID | Unique identifier for the element |
| | address = network_address | (Optional) network address |
| | domain = domain_name | Domain name of the computer |
| | ip-generate-start = IPv4_address | Start address of the pseudo IPv4 address space |
| | ip6-generate-start = IPv6_address | Start address of the pseudo IPv6 address space |
| filter-engine / rule | application = application | One or more applications to which the rule is applied; regular expressions (egrep) can be used |
| | host = host_name | Filtered connection's target host name; regular expressions (egrep) can be used |
| | ip-address = IP_address | Filtered connection's target host IP address; regular expressions (egrep) can be used |
| | pseudo-ip = "yes\|no" | The Connection Broker assigns a pseudo IP address for the target host and Tectia Server resolves the real IP address |
| | ports = port_number\|port_range | Filtered connection's target ports |
| | action = "direct\|block\|tunnel\|ftp-tunnel\|ftp-proxy" | The action to be taken when a filter matches |
| | profile-id = ID | The connection profile that defines the connection settings |
| | destination = address | Static destination address that will be used as the end point of the connection |
| | destination-port = port_number | Static destination port that will be used as the end point of the connection |
| | username = user_name\|path | User name used for connecting to the Secure Shell server, or the path from which the user name should be retrieved |
| | hostname-from-app = "yes\|no" | The Connection Broker either extracts the Secure Shell server's host name from data sent by the application, or uses the Secure Shell server defined by the connection profile in profile-id |
| | username-from-app = "yes\|no" | FTP tunneling or FTP-SFTP conversion extracts the user name from data sent by the FTP application |
| | fallback-to-plain = "yes\|no" | A direct (unsecured) connection is used if creating the tunnel fails or the connection to the Secure Shell server fails |
| | show-sftp-server-banner = "yes\|no" | In FTP-SFTP conversion, make the Connection Broker forward the SFTP server banner to the FTP client |
| logging / log-target | file = path | File where the audit data is written |
| | type = "file\|syslog\|discard" | Logging facility to which audit data is output |
| logging / log-events | facility = "normal\|daemon\|user\|auth\|local0\|local1\|local2\|local3\|local4\|local5\|local6\|local7\|discard" (on Windows: facility = "normal\|discard") | Facility of the logging event |
| | severity = "informational\|notice\|warning\|error\|critical\|security-success\|security-failure" | Severity of the logging event |
| logging / log-events / log-target | | The same as logging / log-target |
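As an added example (not part of this quick reference and not a Tectia tool), the following Python script parses a constructed ssh-broker-config.xml and reports the settings from the four tables above that most weaken a deployment: CRL checking disabled or expired CRLs accepted (cert-validation / ca-certificate), file permission checks disabled (file-access-control), unhashed known-hosts files, an unknown-host-key policy other than strict (auth-server-publickey), agent forwarding switched on, cleartext passwords in a profile's password element, tunnel listeners with allow-relay="yes", filter rules with fallback-to-plain="yes", and audit data sent to a discard log target. The root element name secsh-broker and every host name, path and value in the sample are assumptions; the checks locate sections relative to the root and use only attribute names listed in the tables.

```python
"""Audit an ssh-broker-config.xml for settings that weaken server authentication,
expose tunnel listeners, accept unsecured fallbacks, or keep credentials in the clear."""
import xml.etree.ElementTree as ET

# Constructed sample configuration, not a real deployment file. The root element
# name is an assumption; hosts, paths and values are made up for the demonstration.
SAMPLE_CONFIG = """<secsh-broker version="1.0">
  <general>
    <crypto-lib mode="standard"/>
    <cert-validation end-point-identity-check="yes">
      <ca-certificate name="corp-ca" file="/etc/ssh2/corp-ca.crt" disable-crls="yes" use-expired-crls="86400"/>
    </cert-validation>
    <file-access-control enable="no"/>
    <known-hosts filename-format="plain"/>
  </general>
  <default-settings>
    <server-authentication-methods><auth-server-publickey policy="advisory"/></server-authentication-methods>
    <forwards><forward type="agent" state="on"/></forwards>
  </default-settings>
  <profiles>
    <profile id="id1" name="db-host" host="db.example.test" user="app">
      <password string="hunter2"/>
      <tunnels><local-tunnel type="tcp" listen-port="15432" dst-host="10.0.0.5" dst-port="5432" allow-relay="yes"/></tunnels>
    </profile>
    <profile id="id2" name="bastion" host="bastion.example.test" user="ops">
      <password file="/home/ops/.ssh2/bastion.pw"/>
    </profile>
  </profiles>
  <static-tunnels>
    <tunnel type="tcp" listen-port="18080" dst-host="10.0.0.9" dst-port="80" allow-relay="no" profile="id2"/>
  </static-tunnels>
  <filter-engine>
    <rule application="ftp.*" host=".*" ports="21" action="ftp-tunnel" profile-id="id2" fallback-to-plain="yes"/>
  </filter-engine>
  <logging><log-target type="discard"/></logging>
</secsh-broker>
"""


def audit(xml_text):
    """Return findings as (severity, location, message) tuples, in document order."""
    root = ET.fromstring(xml_text)
    out = []
    # general: revocation checking, file permission checks, known-hosts file format
    for ca in root.iterfind("general/cert-validation/ca-certificate"):
        where = "general/cert-validation/ca-certificate name=%s" % ca.get("name")
        if ca.get("disable-crls") == "yes":
            out.append(("high", where, "CRL checking disabled; revoked server certificates are accepted"))
        if int(ca.get("use-expired-crls", "0")) > 0:
            out.append(("medium", where, "expired CRLs accepted for %s seconds" % ca.get("use-expired-crls")))
    fac = root.find("general/file-access-control")
    if fac is not None and fac.get("enable") == "no":
        out.append(("medium", "general/file-access-control", "permission checks on configuration and private key files disabled"))
    kh = root.find("general/known-hosts")
    if kh is not None and kh.get("filename-format") == "plain":
        out.append(("low", "general/known-hosts", "new host key files store host names unhashed"))
    # default-settings and every profile share the same child elements, so one loop covers both
    sections = [("default-settings", root.find("default-settings"))] + \
        [("profiles/profile id=%s" % p.get("id"), p) for p in root.iterfind("profiles/profile")]
    for where, sec in sections:
        if sec is None:
            continue
        pk = sec.find("server-authentication-methods/auth-server-publickey")
        if pk is not None and pk.get("policy") not in (None, "strict"):
            sev = "high" if pk.get("policy") in ("advisory", "tofu") else "medium"
            out.append((sev, where, "unknown host key policy is '%s', not 'strict'" % pk.get("policy")))
        for fw in sec.iterfind("forwards/forward"):
            if fw.get("type") == "agent" and fw.get("state") == "on":
                out.append(("medium", where, "agent forwarding switched on"))
        pw = sec.find("password")
        if pw is not None and pw.get("string") is not None:
            out.append(("high", where, "password stored in cleartext in the configuration file"))
        elif pw is not None and (pw.get("file") or pw.get("command")):
            out.append(("low", where, "password read from a file or command; restrict its permissions"))
    # local and static tunnel listeners: allow-relay opens the listening port to other hosts
    tunnels = [("profiles/profile/tunnels/local-tunnel", t)
               for t in root.iterfind("profiles/profile/tunnels/local-tunnel")]
    tunnels += [("static-tunnels/tunnel", t) for t in root.iterfind("static-tunnels/tunnel")]
    for name, t in tunnels:
        if t.get("allow-relay") == "yes":
            out.append(("high", "%s listen-port=%s" % (name, t.get("listen-port")),
                        "listener accepts connections from outside the client host"))
    # filter-engine rules that fall back to a direct connection when the tunnel fails
    for r in root.iterfind("filter-engine/rule"):
        if r.get("fallback-to-plain") == "yes":
            out.append(("high", "filter-engine/rule application=%s" % r.get("application"),
                        "direct (unsecured) connection used if the tunnel cannot be created"))
    # logging: audit data must be written somewhere
    for lt in root.iterfind("logging/log-target"):
        if lt.get("type") == "discard":
            out.append(("medium", "logging/log-target", "audit data is discarded"))
    return out


if __name__ == "__main__":
    for sev, where, msg in audit(SAMPLE_CONFIG):
        print("%-6s %s: %s" % (sev.upper(), where, msg))
```

Run against a real file with `audit(open("ssh-broker-config.xml").read())`; findings come back in document order, so the location strings map straight onto the element hierarchy used in the tables. The policy check treats "ask" as medium because the user is still prompted, while "tofu" and "advisory" accept an unknown host key without a strict comparison and are rated high.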