Appendix B Server Configuration File Syntax
The DTD of the server configuration file is shown below:
<!-- -->
<!-- secsh-server.dtd -->
<!-- -->
<!-- Copyright (c) 2004-2006 SSH Communications Security, Finland -->
<!-- All rights reserved. -->
<!-- -->
<!-- Document type definition for the SSH Tectia Server XML -->
<!-- configuration files. -->
<!-- -->
<!-- -->
<!-- Tunable parameters used in the policy. -->
<!-- Default connection action. -->
<!ENTITY default-connection-action "allow">
<!-- Default terminal action. -->
<!ENTITY default-terminal-action "allow">
<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action "allow">
<!-- Default for allowing undefined blackboard entries by selectors. -->
<!ENTITY default-allow-undefined-value "no">
<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value "yes">
<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value "yes">
<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action "allow">
<!-- Default command action. -->
<!ENTITY default-command-action "allow">
<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds "3600">
<!-- Default rekey interval in bytes (1GB). -->
<!ENTITY default-rekey-interval-bytes "1000000000">
<!-- Default login grace time in seconds. -->
<!ENTITY default-login-grace-time-seconds "600">
<!-- Default authentication action. -->
<!ENTITY default-authentication-action "allow">
<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay "2">
<!-- Password authentication default maximum tries. -->
<!ENTITY default-auth-password-max-tries "3">
<!-- DNS match not required by default in host-based authentication. -->
<!ENTITY default-auth-hostbased-require-dns-match "no">
<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay "2">
<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries "3">
<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port "1812">
<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout. -->
<!ENTITY default-radius-server-timeout "10">
<!-- GSSAPI default ticket forwarding policy. -->
<!ENTITY default-gssapi-ticket-forwarding-policy "no">
<!-- Default time in seconds for using expired CRLs. -->
<!ENTITY default-use-expired-crls "0">
<!-- CRLs are not disabled by default. -->
<!ENTITY default-disable-crls "no">
<!-- DoD PKI compatibility is not required by default. -->
<!ENTITY default-dod-pki "no">
<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port "389">
<!-- Default CRL update minimum interval. -->
<!ENTITY default-crl-update-min-interval "30">
<!-- Default interval for CRL prefetching. -->
<!ENTITY default-crl-prefetch-interval "3600">
<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode "standard">
<!-- Default log event facility. -->
<!ENTITY default-log-event-facility "normal">
<!-- Default log event severity. -->
<!ENTITY default-log-event-severity "notice">
<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-aix-ignore-rlogin "no">
<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions "yes">
<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive "no">
<!-- Missing Cipher/MAC is not allowed by default. -->
<!ENTITY default-allow-missing "no">
<!-- Default connection idle timeout in seconds. The value zero -->
<!-- disables idle timeout. -->
<!ENTITY default-idle-timeout "0">
<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd "yes">
<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes "yes">
<!-- Default authentication file permission mask bits (octal). -->
<!ENTITY default-file-mask-bits "022">
<!-- Should an authentication block be repeated if authentication -->
<!-- succeeds but post-authentication selectors deny the authentication. -->
<!ENTITY default-repeat-block "no">
<!-- Policy elements. -->
<!-- The top-level element. -->
<!ELEMENT secsh-server (params?,connections?,authentication-methods?
,services?)>
<!-- Parameter element. -->
<!ELEMENT params (crypto-lib?,settings?,hostkey*,listener*,logging?,
limits?,cert-validation?)>
<!-- Cryptographic library. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib
mode (fips|standard) "&default-crypto-lib-mode;">
<!-- Settings - a block for stuff that is too minor to have its
own element in the params block. -->
<!ELEMENT settings EMPTY>
<!ATTLIST settings
proxy-scheme CDATA #IMPLIED
xauth-path CDATA #IMPLIED
ignore-aix-rlogin (yes|no) "&default-aix-ignore-rlogin;"
record-ptyless-sessions (yes|no) "&default-record-ptyless-sessions;"
user-config-dir CDATA #IMPLIED>
<!-- Hostkey specification. -->
<!ELEMENT hostkey ((private,(public|x509-certificate)?)|externalkey)>
<!-- Private key specification. -->
<!ELEMENT private (#PCDATA)>
<!ATTLIST private
file CDATA #IMPLIED>
<!-- Public key. -->
<!ELEMENT public (#PCDATA)>
<!ATTLIST public
file CDATA #IMPLIED>
<!-- Certificate (host). -->
<!ELEMENT x509-certificate (#PCDATA)>
<!ATTLIST x509-certificate
file CDATA #IMPLIED>
<!-- External key. -->
<!ELEMENT externalkey EMPTY>
<!ATTLIST externalkey
type CDATA #REQUIRED
init-info CDATA #IMPLIED>
<!-- CA certificate. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
file CDATA #IMPLIED
name CDATA #REQUIRED
disable-crls (yes|no) "&default-disable-crls;"
use-expired-crls CDATA "&default-use-expired-crls;">
<!-- Certificate caching. -->
<!ELEMENT cert-cache-file EMPTY>
<!ATTLIST cert-cache-file
file CDATA #REQUIRED>
<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update EMPTY>
<!ATTLIST crl-auto-update
update-before CDATA #IMPLIED
minimum-interval CDATA "&default-crl-update-min-interval;">
<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch EMPTY>
<!ATTLIST crl-prefetch
interval CDATA "&default-crl-prefetch-interval;"
url CDATA #REQUIRED>
<!-- LDAP server. -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server
address CDATA #REQUIRED
port CDATA "&default-ldap-server-port;">
<!-- OCSP responder. -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
validity-period CDATA #IMPLIED
url CDATA #REQUIRED>
<!-- Enable DoD PKI compliancy. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki
enable (yes|no) "&default-dod-pki;">
<!-- Secure Shell server TCP listener address and port. -->
<!ELEMENT listener EMPTY>
<!ATTLIST listener
id ID #REQUIRED
port CDATA "22"
address CDATA #IMPLIED>
<!-- Logging. -->
<!ELEMENT logging (log-events*)>
<!-- Log events. -->
<!ELEMENT log-events (#PCDATA)>
<!ATTLIST log-events
facility (normal|daemon|user|auth|local0|local1
|local2|local3|local4|local5|local6|local7|discard)
"&default-log-event-facility;"
severity (informational|notice|warning|error|critical
|security-success|security-failure)
"&default-log-event-severity;">
<!-- Certificate validation. -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,cert-cache-file?
,crl-auto-update?,crl-prefetch*,dod-pki?
,ca-certificate*)>
<!ATTLIST cert-validation
http-proxy-url CDATA #IMPLIED
socks-server-url CDATA #IMPLIED>
<!-- Limits. -->
<!ELEMENT limits EMPTY>
<!ATTLIST limits
max-connections CDATA #IMPLIED
max-processes CDATA #IMPLIED>
<!-- Connections. -->
<!ELEMENT connections (connection+)>
<!-- Connection. -->
<!ELEMENT connection (selector*,rekey?,cipher*,mac*)>
<!ATTLIST connection
name ID #IMPLIED
action (allow|deny) "&default-connection-action;"
tcp-keepalive (yes|no) "&default-tcp-keepalive;">
<!-- Rekey intervals. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
seconds CDATA "&default-rekey-interval-seconds;"
bytes CDATA "&default-rekey-interval-bytes;">
<!-- Cipher. -->
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
name CDATA #REQUIRED
allow-missing (yes|no) "&default-allow-missing;">
<!-- MAC. -->
<!ELEMENT mac EMPTY>
<!ATTLIST mac
name CDATA #REQUIRED
allow-missing (yes|no) "&default-allow-missing;">
<!-- Selector element. -->
<!ELEMENT selector ((interface|certificate|host-certificate|ip
|user|user-group|user-privileged|blackboard
|publickey-passed|user-password-change-needed)*)>
<!-- Interface selector. At least one parameter must be given. If id is -->
<!-- set, the others MUST NOT be set. If id is not set, either or both -->
<!-- of address and port may be defined. -->
<!ELEMENT interface EMPTY>
<!ATTLIST interface
id IDREF #IMPLIED
address CDATA #IMPLIED
port CDATA #IMPLIED
allow-undefined (yes|no) "&default-allow-undefined-value;">
<!-- Public key (plain) passed selector. -->
<!ELEMENT publickey-passed EMPTY>
<!ATTLIST publickey-passed
length CDATA #IMPLIED
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- Certificate selector. -->
<!ELEMENT certificate EMPTY>
<!ATTLIST certificate
field (ca-list|issuer-name|subject-name|serial-number
|altname-email|altname-upn
|altname-ip|altname-fqdn) #REQUIRED
pattern CDATA #IMPLIED
pattern-case-sensitive CDATA #IMPLIED
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- Host certificate selector. -->
<!ELEMENT host-certificate EMPTY>
<!ATTLIST host-certificate
field (ca-list|issuer-name|subject-name|serial-number
|altname-email|altname-upn
|altname-ip|altname-fqdn) #REQUIRED
pattern CDATA #IMPLIED
pattern-case-sensitive CDATA #IMPLIED
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- IP address selector. -->
<!-- The address will be one of the following: -->
<!-- - an IP range of the form x.x.x.x-y.y.y.y -->
<!-- - an IP mask of the form x.x.x.x/y -->
<!-- - a straight IP address x.x.x.x -->
<!-- - an FQDN pattern (form not checked, either it matches or not) -->
<!-- Exactly one of address or fqdn must be set. -->
<!ELEMENT ip EMPTY>
<!ATTLIST ip
address CDATA #IMPLIED
fqdn CDATA #IMPLIED
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- User name selector. -->
<!ELEMENT user EMPTY>
<!ATTLIST user
name CDATA #IMPLIED
name-case-sensitive CDATA #IMPLIED
id CDATA #IMPLIED
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- User group selector. -->
<!ELEMENT user-group EMPTY>
<!ATTLIST user-group
name CDATA #IMPLIED
name-case-sensitive CDATA #IMPLIED
id CDATA #IMPLIED
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- User privileged (administrator) selector. -->
<!ELEMENT user-privileged EMPTY>
<!ATTLIST user-privileged
value (yes|no)
"&default-user-privileged-value;"
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- Selector for the need of user password change. -->
<!ELEMENT user-password-change-needed EMPTY>
<!ATTLIST user-password-change-needed
value (yes|no)
"&default-user-password-change-needed-value;"
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- Blackboard selector. -->
<!ELEMENT blackboard EMPTY>
<!ATTLIST blackboard
field CDATA #REQUIRED
pattern CDATA #IMPLIED
pattern-case-sensitive CDATA #IMPLIED
allow-undefined (yes|no)
"&default-allow-undefined-value;">
<!-- Authentication methods element. -->
<!ELEMENT authentication-methods (banner-message?,auth-file-modes?
,authentication*)>
<!ATTLIST authentication-methods
login-grace-time CDATA "&default-login-grace-time-seconds;">
<!-- Banner message element. -->
<!ELEMENT banner-message (#PCDATA)>
<!ATTLIST banner-message
file CDATA #IMPLIED>
<!-- Authentication file permission checks. -->
<!ELEMENT auth-file-modes EMPTY>
<!ATTLIST auth-file-modes
strict (yes|no) "&default-strict-modes;"
mask-bits CDATA "&default-file-mask-bits;">
<!-- Authentication element. In an authentication element, different -->
<!-- authentication methods are in OR-relation. User must pass one of them -->
<!ELEMENT authentication (selector*
,(auth-publickey|auth-hostbased|auth-password
|auth-keyboard-interactive|auth-gssapi)*
,authentication*)>
<!ATTLIST authentication
name ID #IMPLIED
action (allow|deny) "&default-authentication-action;"
set-group CDATA #IMPLIED
repeat-block (yes|no) "&default-repeat-block;">
<!-- Public-key authentication. -->
<!ELEMENT auth-publickey EMPTY>
<!ATTLIST auth-publickey
authorization-file CDATA #IMPLIED
authorized-keys-directory CDATA #IMPLIED
openssh-authorized-keys-file CDATA #IMPLIED
allow-missing (yes|no)
"&default-allow-missing;">
<!-- Host-based authentication. -->
<!ELEMENT auth-hostbased EMPTY>
<!ATTLIST auth-hostbased
require-dns-match (yes|no)
"&default-auth-hostbased-require-dns-match;"
allow-missing (yes|no)
"&default-allow-missing;">
<!-- Password authentication. -->
<!ELEMENT auth-password EMPTY>
<!ATTLIST auth-password
failure-delay CDATA "&default-auth-password-failure-delay;"
max-tries CDATA "&default-auth-password-max-tries;"
allow-missing (yes|no)
"&default-allow-missing;">
<!-- Keyboard-interactive authentication. -->
<!ELEMENT auth-keyboard-interactive ((submethod-pam
|submethod-password
|submethod-securid
|submethod-radius
|submethod-generic)*)>
<!ATTLIST auth-keyboard-interactive
failure-delay CDATA "&default-auth-kbdint-failure-delay;"
max-tries CDATA "&default-auth-kbdint-max-tries;">
<!-- Keyboard-interactive submethods. -->
<!-- PAM. -->
<!ELEMENT submethod-pam EMPTY>
<!ATTLIST submethod-pam
dll-path CDATA #IMPLIED>
<!-- Password. -->
<!ELEMENT submethod-password EMPTY>
<!-- SecurID. -->
<!ELEMENT submethod-securid EMPTY>
<!ATTLIST submethod-securid
dll-path CDATA #IMPLIED>
<!-- RADIUS. -->
<!ELEMENT submethod-radius (radius-server+)>
<!-- RADIUS server. -->
<!ELEMENT radius-server (radius-shared-secret)>
<!ATTLIST radius-server
address CDATA #REQUIRED
port CDATA "&default-radius-server-port;"
timeout CDATA "&default-radius-server-timeout;"
client-nas-identifier CDATA #IMPLIED>
<!-- Secret. "file" has precedence over #PCDATA. -->
<!ELEMENT radius-shared-secret (#PCDATA)>
<!ATTLIST radius-shared-secret
file CDATA #IMPLIED>
<!-- Generic submethod. -->
<!ELEMENT submethod-generic EMPTY>
<!ATTLIST submethod-generic
name CDATA #REQUIRED
params CDATA #IMPLIED>
<!-- GSSAPI authentication. -->
<!ELEMENT auth-gssapi EMPTY>
<!ATTLIST auth-gssapi
dll-path CDATA #IMPLIED
allow-ticket-forwarding (yes|no)
"&default-gssapi-ticket-forwarding-policy;"
allow-missing (yes|no)
"&default-allow-missing;">
<!-- Services element. -->
<!ELEMENT services (group*,rule+)>
<!-- Group element. -->
<!ELEMENT group (selector+)>
<!ATTLIST group
name ID #REQUIRED>
<!-- Rule element. -->
<!ELEMENT rule (environment*,terminal?,subsystem*,command*
,tunnel-agent?,tunnel-x11?,tunnel-local*
,tunnel-remote*)>
<!-- "group", if defined, will be used to match the rule. -->
<!ATTLIST rule
group CDATA #IMPLIED
idle-timeout CDATA "&default-idle-timeout;"
print-motd (yes|no) "&default-print-motd;">
<!-- Environment. -->
<!-- The default allowed environment variables are: -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*" -->
<!-- If neither allowed nor allowed-case-sensitive is set, -->
<!-- the default is used. -->
<!ELEMENT environment EMPTY>
<!ATTLIST environment
allowed CDATA #IMPLIED
allowed-case-sensitive CDATA #IMPLIED>
<!-- Terminal. -->
<!ELEMENT terminal EMPTY>
<!ATTLIST terminal
action (allow|deny) "&default-terminal-action;"
chroot CDATA #IMPLIED>
<!-- Subsystem. -->
<!ELEMENT subsystem (attribute*)>
<!ATTLIST subsystem
type CDATA #REQUIRED
action (allow|deny) "&default-subsystem-action;"
application CDATA #IMPLIED
chroot CDATA #IMPLIED>
<!ELEMENT attribute EMPTY>
<!ATTLIST attribute
name CDATA #REQUIRED
value CDATA #IMPLIED>
<!-- Tunnels. -->
<!ELEMENT tunnel-x11 EMPTY>
<!ATTLIST tunnel-x11
action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-agent EMPTY>
<!ATTLIST tunnel-agent
action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-local ((src|dst)*)>
<!ATTLIST tunnel-local
action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote
action (allow|deny) "&default-tunnel-action;">
<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!-- src and dst are for local-tcp -->
<!-- src and listen are for remote-tcp -->
<!-- address or fqdn are not mandatory. If set, exactly one must be set-->
<!-- (not both). -->
<!-- Source. -->
<!ELEMENT src EMPTY>
<!ATTLIST src
address CDATA #IMPLIED
fqdn CDATA #IMPLIED
port CDATA #IMPLIED>
<!-- Destination. -->
<!ELEMENT dst EMPTY>
<!ATTLIST dst
address CDATA #IMPLIED
fqdn CDATA #IMPLIED
port CDATA #IMPLIED>
<!-- Listener. -->
<!ELEMENT listen EMPTY>
<!ATTLIST listen
address CDATA #IMPLIED
port CDATA #IMPLIED>
<!-- Command. -->
<!ELEMENT command EMPTY>
<!ATTLIST command
action (allow|deny|forced)
"&default-command-action;"
application CDATA #IMPLIED
application-case-sensitive CDATA #IMPLIED
chroot CDATA #IMPLIED>
2007 SSH Communications Security Corp.