The DTD of the server configuration file is shown below:
<!-- -->
<!-- secsh-server.dtd -->
<!-- -->
<!-- Copyright (c) 2004-2006 SSH Communications Security, Finland -->
<!-- All rights reserved. -->
<!-- -->
<!-- Document type definition for the SSH Tectia Server XML -->
<!-- configuration files. -->
<!-- -->
<!-- -->
<!-- Tunable parameters used in the policy. -->
<!-- NOTE(review): the connection, terminal, subsystem, tunnel, command and -->
<!-- authentication action defaults declared below are all "allow". A policy -->
<!-- that omits explicit action="deny" on its connection, authentication, -->
<!-- terminal, subsystem, tunnel-* and command elements is therefore -->
<!-- permissive by default; the deny side has to be written out. -->
<!-- Default connection action. -->
<!ENTITY default-connection-action "allow">
<!-- Default terminal action. -->
<!ENTITY default-terminal-action "allow">
<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action "allow">
<!-- Default for allowing undefined blackboard entries by selectors. -->
<!-- NOTE(review): every selector child element (interface, publickey-passed, -->
<!-- certificate, host-certificate, ip, user, user-group, user-privileged, -->
<!-- user-password-change-needed, blackboard) carries an allow-undefined -->
<!-- attribute with this default; presumably a selector whose field is absent -->
<!-- from the session does not match unless allow-undefined="yes" - confirm. -->
<!ENTITY default-allow-undefined-value "no">
<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value "yes">
<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value "yes">
<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action "allow">
<!-- Default command action. -->
<!ENTITY default-command-action "allow">
<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds "3600">
<!-- Default rekey interval in bytes (1GB). -->
<!ENTITY default-rekey-interval-bytes "1000000000">
<!-- Default login grace time in seconds. -->
<!ENTITY default-login-grace-time-seconds "600">
<!-- Default authentication action. -->
<!ENTITY default-authentication-action "allow">
<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay "2">
<!-- Password authentication default maximum tries. -->
<!ENTITY default-auth-password-max-tries "3">
<!-- DNS match not required by default in host-based authentication. -->
<!ENTITY default-auth-hostbased-require-dns-match "no">
<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay "2">
<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries "3">
<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port "1812">
<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout. -->
<!ENTITY default-radius-server-timeout "10">
<!-- GSSAPI default ticket forwarding policy. -->
<!-- NOTE(review): forwarding stays off unless auth-gssapi explicitly sets -->
<!-- allow-ticket-forwarding="yes". -->
<!ENTITY default-gssapi-ticket-forwarding-policy "no">
<!-- Default time in seconds for using expired CRLs. -->
<!-- NOTE(review): presumably 0 means an expired CRL is never accepted - -->
<!-- confirm against the product documentation. The per-CA disable-crls and -->
<!-- use-expired-crls attributes on ca-certificate relax revocation checking -->
<!-- for that CA only; keep the defaults unless the CRL source is known to -->
<!-- be unreliable. -->
<!ENTITY default-use-expired-crls "0">
<!-- CRLs are not disabled by default. -->
<!ENTITY default-disable-crls "no">
<!-- DoD PKI compatibility is not required by default. -->
<!ENTITY default-dod-pki "no">
<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port "389">
<!-- Default CRL update minimum interval. -->
<!ENTITY default-crl-update-min-interval "30">
<!-- Default interval for CRL prefetching. -->
<!ENTITY default-crl-prefetch-interval "3600">
<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode "standard">
<!-- Default log event facility. -->
<!ENTITY default-log-event-facility "normal">
<!-- Default log event severity. -->
<!ENTITY default-log-event-severity "notice">
<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-aix-ignore-rlogin "no">
<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions "yes">
<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive "no">
<!-- Missing Cipher/MAC is not allowed by default. -->
<!-- NOTE(review): the same default is reused by the allow-missing attribute -->
<!-- of cipher, mac, auth-publickey, auth-hostbased, auth-password and -->
<!-- auth-gssapi below. -->
<!ENTITY default-allow-missing "no">
<!-- Default connection idle timeout in seconds. The value zero -->
<!-- disables idle timeout. -->
<!-- NOTE(review): with this default the server never times out an idle -->
<!-- session; a rule that should drop abandoned sessions needs an explicit -->
<!-- idle-timeout attribute. -->
<!ENTITY default-idle-timeout "0">
<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd "yes">
<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes "yes">
<!-- Default authentication file permission mask bits (octal). -->
<!-- NOTE(review): presumably interpreted like a umask, so 022 rejects -->
<!-- group- and world-writable authentication files - confirm. The check -->
<!-- is controlled by auth-file-modes strict/mask-bits. -->
<!ENTITY default-file-mask-bits "022">
<!-- Should an authentication block be repeated if authentication -->
<!-- succeeds but post-authentication selectors deny the authentication. -->
<!ENTITY default-repeat-block "no">
<!-- Policy elements. -->
<!-- The top-level element. -->
<!ELEMENT secsh-server (params?,connections?,authentication-methods?
                        ,services?)>
<!-- Parameter element. -->
<!ELEMENT params (crypto-lib?,settings?,hostkey*,listener*,logging?,
                  limits?,cert-validation?)>
<!-- Cryptographic library. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib
  mode (fips|standard) "&default-crypto-lib-mode;">
<!-- Settings - a block for stuff that is too minor to have its own element in the params block. -->
<!ELEMENT settings EMPTY>
<!ATTLIST settings
  proxy-scheme CDATA #IMPLIED
  xauth-path CDATA #IMPLIED
  ignore-aix-rlogin (yes|no) "&default-aix-ignore-rlogin;"
  record-ptyless-sessions (yes|no) "&default-record-ptyless-sessions;"
  user-config-dir CDATA #IMPLIED>
<!-- Hostkey specification. -->
<!ELEMENT hostkey ((private,(public|x509-certificate)?)|externalkey)>
<!-- Private key specification. -->
<!ELEMENT private (#PCDATA)>
<!ATTLIST private file CDATA #IMPLIED>
<!-- Public key. -->
<!ELEMENT public (#PCDATA)>
<!ATTLIST public file CDATA #IMPLIED>
<!-- Certificate (host). -->
<!ELEMENT x509-certificate (#PCDATA)>
<!ATTLIST x509-certificate file CDATA #IMPLIED>
<!-- External key. -->
<!ELEMENT externalkey EMPTY>
<!ATTLIST externalkey
  type CDATA #REQUIRED
  init-info CDATA #IMPLIED>
<!-- CA certificate. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
  file CDATA #IMPLIED
  name CDATA #REQUIRED
  disable-crls (yes|no) "&default-disable-crls;"
  use-expired-crls CDATA "&default-use-expired-crls;">
<!-- Certificate caching. -->
<!ELEMENT cert-cache-file EMPTY>
<!ATTLIST cert-cache-file file CDATA #REQUIRED>
<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update EMPTY>
<!ATTLIST crl-auto-update
  update-before CDATA #IMPLIED
  minimum-interval CDATA "&default-crl-update-min-interval;">
<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch EMPTY>
<!ATTLIST crl-prefetch
  interval CDATA "&default-crl-prefetch-interval;"
  url CDATA #REQUIRED>
<!-- LDAP server. -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server
  address CDATA #REQUIRED
  port CDATA "&default-ldap-server-port;">
<!-- OCSP responder. -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
  validity-period CDATA #IMPLIED
  url CDATA #REQUIRED>
<!-- Enable DoD PKI compliancy. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki enable (yes|no) "&default-dod-pki;">
<!-- Secure Shell server TCP listener address and port. -->
<!ELEMENT listener EMPTY>
<!ATTLIST listener
  id ID #REQUIRED
  port CDATA "22"
  address CDATA #IMPLIED>
<!-- Logging. -->
<!ELEMENT logging (log-events*)>
<!-- Log events. -->
<!-- NOTE(review): the facility list includes "discard", which presumably -->
<!-- suppresses the event - confirm before applying it to authentication -->
<!-- events. The severity list adds security-success and security-failure -->
<!-- to the syslog-style levels; those two are the values to preserve when -->
<!-- forwarding audit events to central logging. -->
<!ELEMENT log-events (#PCDATA)>
<!ATTLIST log-events
  facility (normal|daemon|user|auth|local0|local1
            |local2|local3|local4|local5|local6|local7|discard)
           "&default-log-event-facility;"
  severity (informational|notice|warning|error|critical
            |security-success|security-failure)
           "&default-log-event-severity;">
<!-- Certificate validation. -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,cert-cache-file?
                           ,crl-auto-update?,crl-prefetch*,dod-pki?
                           ,ca-certificate*)>
<!ATTLIST cert-validation
  http-proxy-url CDATA #IMPLIED
  socks-server-url CDATA #IMPLIED>
<!-- Limits. -->
<!ELEMENT limits EMPTY>
<!ATTLIST limits
  max-connections CDATA #IMPLIED
  max-processes CDATA #IMPLIED>
<!-- Connections. -->
<!ELEMENT connections (connection+)>
<!-- Connection. -->
<!ELEMENT connection (selector*,rekey?,cipher*,mac*)>
<!ATTLIST connection
  name ID #IMPLIED
  action (allow|deny) "&default-connection-action;"
  tcp-keepalive (yes|no) "&default-tcp-keepalive;">
<!-- Rekey intervals. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
  seconds CDATA "&default-rekey-interval-seconds;"
  bytes CDATA "&default-rekey-interval-bytes;">
<!-- Cipher. -->
<!-- NOTE(review): name is free-form CDATA for both cipher and mac; the DTD -->
<!-- does not enumerate algorithm names, so DTD validation will not catch a -->
<!-- misspelled or unsupported algorithm. Check the effective algorithm -->
<!-- list at runtime rather than relying on validation. -->
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
  name CDATA #REQUIRED
  allow-missing (yes|no) "&default-allow-missing;">
<!-- MAC. -->
<!ELEMENT mac EMPTY>
<!ATTLIST mac
  name CDATA #REQUIRED
  allow-missing (yes|no) "&default-allow-missing;">
<!-- Selector element. -->
<!ELEMENT selector ((interface|certificate|host-certificate|ip
                     |user|user-group|user-privileged|blackboard
                     |publickey-passed|user-password-change-needed)*)>
<!-- Interface selector. At least one parameter must be given. If id is -->
<!-- set, the others MUST NOT be set. If id is not set, either or both -->
<!-- of address and port may be defined. -->
<!ELEMENT interface EMPTY>
<!ATTLIST interface
  id IDREF #IMPLIED
  address CDATA #IMPLIED
  port CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- Public key (plain) passed selector. -->
<!ELEMENT publickey-passed EMPTY>
<!ATTLIST publickey-passed
  length CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- Certificate selector. -->
<!ELEMENT certificate EMPTY>
<!ATTLIST certificate
  field (ca-list|issuer-name|subject-name|serial-number
         |altname-email|altname-upn
         |altname-ip|altname-fqdn) #REQUIRED
  pattern CDATA #IMPLIED
  pattern-case-sensitive CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- Host certificate selector. -->
<!ELEMENT host-certificate EMPTY>
<!ATTLIST host-certificate
  field (ca-list|issuer-name|subject-name|serial-number
         |altname-email|altname-upn
         |altname-ip|altname-fqdn) #REQUIRED
  pattern CDATA #IMPLIED
  pattern-case-sensitive CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- IP address selector. -->
<!-- The address will be one of the following: -->
<!-- - an IP range of the form x.x.x.x-y.y.y.y -->
<!-- - an IP mask of the form x.x.x.x/y -->
<!-- - a straight IP address x.x.x.x -->
<!-- - an FQDN pattern (form not checked, either it matches or not) -->
<!-- Exactly one of address or fqdn must be set. -->
<!ELEMENT ip EMPTY>
<!ATTLIST ip
  address CDATA #IMPLIED
  fqdn CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- User name selector. -->
<!ELEMENT user EMPTY>
<!ATTLIST user
  name CDATA #IMPLIED
  name-case-sensitive CDATA #IMPLIED
  id CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- User group selector. -->
<!ELEMENT user-group EMPTY>
<!ATTLIST user-group
  name CDATA #IMPLIED
  name-case-sensitive CDATA #IMPLIED
  id CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- User privileged (administrator) selector. -->
<!ELEMENT user-privileged EMPTY>
<!ATTLIST user-privileged
  value (yes|no) "&default-user-privileged-value;"
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- Selector for the need of user password change. -->
<!ELEMENT user-password-change-needed EMPTY>
<!ATTLIST user-password-change-needed
  value (yes|no) "&default-user-password-change-needed-value;"
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- Blackboard selector. -->
<!ELEMENT blackboard EMPTY>
<!ATTLIST blackboard
  field CDATA #REQUIRED
  pattern CDATA #IMPLIED
  pattern-case-sensitive CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- Authentication methods element. -->
<!ELEMENT authentication-methods (banner-message?,auth-file-modes?
                                  ,authentication*)>
<!ATTLIST authentication-methods
  login-grace-time CDATA "&default-login-grace-time-seconds;">
<!-- Banner message element. -->
<!ELEMENT banner-message (#PCDATA)>
<!ATTLIST banner-message file CDATA #IMPLIED>
<!-- Authentication file permission checks. -->
<!ELEMENT auth-file-modes EMPTY>
<!ATTLIST auth-file-modes
  strict (yes|no) "&default-strict-modes;"
  mask-bits CDATA "&default-file-mask-bits;">
<!-- Authentication element. In an authentication element, different -->
<!-- authentication methods are in OR-relation. User must pass one of them -->
<!ELEMENT authentication (selector*
                          ,(auth-publickey|auth-hostbased|auth-password
                            |auth-keyboard-interactive|auth-gssapi)*
                          ,authentication*)>
<!ATTLIST authentication
  name ID #IMPLIED
  action (allow|deny) "&default-authentication-action;"
  set-group CDATA #IMPLIED
  repeat-block (yes|no) "&default-repeat-block;">
<!-- Public-key authentication. -->
<!ELEMENT auth-publickey EMPTY>
<!ATTLIST auth-publickey
  authorization-file CDATA #IMPLIED
  authorized-keys-directory CDATA #IMPLIED
  openssh-authorized-keys-file CDATA #IMPLIED
  allow-missing (yes|no) "&default-allow-missing;">
<!-- Host-based authentication. -->
<!-- NOTE(review): require-dns-match defaults to "no", so a DNS match is not -->
<!-- required for host-based authentication unless it is set to "yes". -->
<!ELEMENT auth-hostbased EMPTY>
<!ATTLIST auth-hostbased
  require-dns-match (yes|no) "&default-auth-hostbased-require-dns-match;"
  allow-missing (yes|no) "&default-allow-missing;">
<!-- Password authentication. -->
<!ELEMENT auth-password EMPTY>
<!ATTLIST auth-password
  failure-delay CDATA "&default-auth-password-failure-delay;"
  max-tries CDATA "&default-auth-password-max-tries;"
  allow-missing (yes|no) "&default-allow-missing;">
<!-- Keyboard-interactive authentication. -->
<!ELEMENT auth-keyboard-interactive ((submethod-pam
                                      |submethod-password
                                      |submethod-securid
                                      |submethod-radius
                                      |submethod-generic)*)>
<!ATTLIST auth-keyboard-interactive
  failure-delay CDATA "&default-auth-kbdint-failure-delay;"
  max-tries CDATA "&default-auth-kbdint-max-tries;">
<!-- Keyboard-interactive submethods. -->
<!-- PAM. -->
<!-- NOTE(review): dll-path (here, on submethod-securid and on auth-gssapi) -->
<!-- presumably names a library loaded into the server process - confirm; -->
<!-- treat it like any other code-loading setting and keep the path under -->
<!-- administrator control. -->
<!ELEMENT submethod-pam EMPTY>
<!ATTLIST submethod-pam dll-path CDATA #IMPLIED>
<!-- Password. -->
<!ELEMENT submethod-password EMPTY>
<!-- SecurID. -->
<!ELEMENT submethod-securid EMPTY>
<!ATTLIST submethod-securid dll-path CDATA #IMPLIED>
<!-- RADIUS. -->
<!ELEMENT submethod-radius (radius-server+)>
<!-- RADIUS server. -->
<!ELEMENT radius-server (radius-shared-secret)>
<!ATTLIST radius-server
  address CDATA #REQUIRED
  port CDATA "&default-radius-server-port;"
  timeout CDATA "&default-radius-server-timeout;"
  client-nas-identifier CDATA #IMPLIED>
<!-- Secret. "file" has precedence over #PCDATA. -->
<!-- NOTE(review): the secret can be given inline as element content or read -->
<!-- from the file named by "file"; the file form keeps the secret out of -->
<!-- the main configuration file and lets it carry its own permissions. -->
<!ELEMENT radius-shared-secret (#PCDATA)>
<!ATTLIST radius-shared-secret file CDATA #IMPLIED>
<!-- Generic submethod. -->
<!ELEMENT submethod-generic EMPTY>
<!ATTLIST submethod-generic
  name CDATA #REQUIRED
  params CDATA #IMPLIED>
<!-- GSSAPI authentication. -->
<!ELEMENT auth-gssapi EMPTY>
<!ATTLIST auth-gssapi
  dll-path CDATA #IMPLIED
  allow-ticket-forwarding (yes|no) "&default-gssapi-ticket-forwarding-policy;"
  allow-missing (yes|no) "&default-allow-missing;">
<!-- Services element. -->
<!ELEMENT services (group*,rule+)>
<!-- Group element. -->
<!ELEMENT group (selector+)>
<!ATTLIST group name ID #REQUIRED>
<!-- Rule element. -->
<!ELEMENT rule (environment*,terminal?,subsystem*,command*
                ,tunnel-agent?,tunnel-x11?,tunnel-local*
                ,tunnel-remote*)>
<!-- "group", if defined, will be used to match the rule. -->
<!ATTLIST rule
  group CDATA #IMPLIED
  idle-timeout CDATA "&default-idle-timeout;"
  print-motd (yes|no) "&default-print-motd;">
<!-- Environment. -->
<!-- The default allowed environment variables are: -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*" -->
<!-- If neither allowed nor allowed-case-sensitive is set, -->
<!-- the default is used. -->
<!-- NOTE(review): the environment element is allow-list only (allowed / -->
<!-- allowed-case-sensitive); there is no deny-list attribute, and the -->
<!-- default list includes PATH and LC_*. -->
<!ELEMENT environment EMPTY>
<!ATTLIST environment
  allowed CDATA #IMPLIED
  allowed-case-sensitive CDATA #IMPLIED>
<!-- Terminal. -->
<!ELEMENT terminal EMPTY>
<!ATTLIST terminal
  action (allow|deny) "&default-terminal-action;"
  chroot CDATA #IMPLIED>
<!-- Subsystem. -->
<!ELEMENT subsystem (attribute*)>
<!ATTLIST subsystem
  type CDATA #REQUIRED
  action (allow|deny) "&default-subsystem-action;"
  application CDATA #IMPLIED
  chroot CDATA #IMPLIED>
<!ELEMENT attribute EMPTY>
<!ATTLIST attribute
  name CDATA #REQUIRED
  value CDATA #IMPLIED>
<!-- Tunnels. -->
<!ELEMENT tunnel-x11 EMPTY>
<!ATTLIST tunnel-x11 action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-agent EMPTY>
<!ATTLIST tunnel-agent action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-local ((src|dst)*)>
<!ATTLIST tunnel-local action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote action (allow|deny) "&default-tunnel-action;">
<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!-- src and dst are for local-tcp -->
<!-- src and listen are for remote-tcp -->
<!-- address or fqdn are not mandatory. If set, exactly one must be set-->
<!-- (not both). -->
<!-- Source. -->
<!ELEMENT src EMPTY>
<!ATTLIST src
  address CDATA #IMPLIED
  fqdn CDATA #IMPLIED
  port CDATA #IMPLIED>
<!-- Destination. -->
<!ELEMENT dst EMPTY>
<!ATTLIST dst
  address CDATA #IMPLIED
  fqdn CDATA #IMPLIED
  port CDATA #IMPLIED>
<!-- Listener. -->
<!ELEMENT listen EMPTY>
<!ATTLIST listen
  address CDATA #IMPLIED
  port CDATA #IMPLIED>
<!-- Command. -->
<!-- NOTE(review): the meaning of action="forced" is not defined in this DTD; -->
<!-- see the product documentation before relying on it. -->
<!ELEMENT command EMPTY>
<!ATTLIST command
  action (allow|deny|forced) "&default-command-action;"
  application CDATA #IMPLIED
  application-case-sensitive CDATA #IMPLIED
  chroot CDATA #IMPLIED>