SSH Tectia

Appendix B Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--                                                                     -->
<!-- secsh-server.dtd                                                    -->
<!--                                                                     -->
<!-- Copyright (c) 2004-2007 SSH Communications Security, Finland        -->
<!--               All rights reserved.                                  -->
<!--                                                                     -->
<!-- Document type definition for the SSH Tectia Server XML              -->
<!-- configuration files.                                                -->
<!--                                                                     -->
<!--                                                                     -->

<!-- Tunable parameters used in the policy. -->

<!-- Default connection action. -->
<!ENTITY default-connection-action                      "allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action                        "allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action                       "allow">

<!-- Default subsystem audit value. -->
<!ENTITY default-subsystem-audit                        "yes">

<!-- Default value for executing a subsystem directly (exec-directly). -->
<!ENTITY default-subsystem-exec-directly                "no">

<!-- Default for allowing undefined blackboard entries by selectors. -->
<!ENTITY default-allow-undefined-value                  "no">

<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value                  "yes">

<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value      "yes">

<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action                          "allow">

<!-- Default command action. -->
<!ENTITY default-command-action                         "allow">

<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds                 "3600">

<!-- Default rekey interval in bytes (1GB). -->
<!ENTITY default-rekey-interval-bytes                   "1000000000">

<!-- Default login grace time in seconds. -->
<!ENTITY default-login-grace-time-seconds               "600">

<!-- Default authentication action. -->
<!ENTITY default-authentication-action                  "allow">

<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay            "2">

<!-- Password authentication default maximum tries. -->
<!ENTITY default-auth-password-max-tries                "3">

<!-- DNS match not required by default in host-based authentication. -->
<!ENTITY default-auth-hostbased-require-dns-match       "no">

<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay              "2">

<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries                  "3">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port                     "1812">

<!-- Keyboard-interactive RADIUS server default timeout for receiving the UDP reply (recvfrom). -->
<!ENTITY default-radius-server-timeout                  "10">

<!-- GSSAPI default ticket forwarding policy. -->
<!ENTITY default-gssapi-ticket-forwarding-policy        "no">

<!-- Default time in seconds for which expired CRLs may still be used. -->
<!ENTITY default-use-expired-crls                       "0">

<!-- CRLs are not disabled by default. -->
<!ENTITY default-disable-crls                           "no">

<!-- DoD PKI compatibility is not required by default. -->
<!ENTITY default-dod-pki                                "no">

<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port                       "389">

<!-- Default minimum interval between CRL updates. -->
<!ENTITY default-crl-update-min-interval                "30">

<!-- Default interval for CRL prefetching. -->
<!ENTITY default-crl-prefetch-interval                  "3600">

<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode                        "standard">

<!-- Default log event facility. -->
<!ENTITY default-log-event-facility                     "normal">

<!-- Default log event severity. -->
<!ENTITY default-log-event-severity                     "notice">

<!-- Default for ignoring the AIX rlogin setting. -->
<!ENTITY default-aix-ignore-rlogin                      "no">

<!-- Default for recording sessions that have no PTY. -->
<!ENTITY default-record-ptyless-sessions                "yes">

<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive                          "no">

<!-- A missing cipher or MAC algorithm is not allowed by default. -->
<!ENTITY default-allow-missing                          "no">

<!-- Default connection idle timeout in seconds.  The value zero -->
<!-- disables idle timeout. -->
<!ENTITY default-idle-timeout                           "0">

<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd                             "yes">

<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes                           "yes">

<!-- Default authentication file permission mask bits (octal). -->
<!ENTITY default-file-mask-bits                         "022">

<!-- Whether an authentication block is repeated if authentication succeeds -->
<!-- but the post-authentication selectors deny the authentication.         -->
<!ENTITY default-repeat-block                           "no"> 


<!-- Policy elements. -->

<!-- The top-level element. -->
<!ELEMENT secsh-server  (params?,connections?,authentication-methods?
                         ,services?)>

<!-- Parameter element. -->
<!ELEMENT params   (crypto-lib?,settings?,hostkey*,listener*,logging?,
                    limits?,cert-validation?)>

<!-- Cryptographic library. -->
<!ELEMENT crypto-lib             EMPTY>
<!ATTLIST crypto-lib
          mode          (fips|standard) "&default-crypto-lib-mode;">

<!-- Settings - a block for miscellaneous parameters that are too minor to
     have their own element in the params block. -->
<!ELEMENT settings               EMPTY>
<!ATTLIST settings
         proxy-scheme            CDATA    #IMPLIED
         xauth-path              CDATA    #IMPLIED
         ignore-aix-rlogin       (yes|no) "&default-aix-ignore-rlogin;"
         record-ptyless-sessions (yes|no) "&default-record-ptyless-sessions;"
         user-config-dir         CDATA    #IMPLIED>

<!-- Hostkey specification. -->
<!ELEMENT hostkey       ((private,(public|x509-certificate)?)|externalkey)>

<!-- Private key specification. -->
<!ELEMENT private                (#PCDATA)>
<!ATTLIST private
          file                   CDATA     #IMPLIED>

<!-- Public key. -->
<!ELEMENT public                 (#PCDATA)>
<!ATTLIST public
          file                   CDATA     #IMPLIED>

<!-- Certificate (host). -->
<!ELEMENT x509-certificate       (#PCDATA)>
<!ATTLIST x509-certificate
          file                   CDATA     #IMPLIED>

<!-- External key. -->
<!ELEMENT externalkey            EMPTY>
<!ATTLIST externalkey
          type                   CDATA     #REQUIRED
          init-info              CDATA     #IMPLIED>

<!-- CA certificate. -->
<!ELEMENT ca-certificate         (#PCDATA)>
<!ATTLIST ca-certificate
          file                   CDATA     #IMPLIED
          name                   CDATA     #REQUIRED
          disable-crls           (yes|no)  "&default-disable-crls;"
          use-expired-crls       CDATA     "&default-use-expired-crls;">

<!-- Certificate caching. -->
<!ELEMENT cert-cache-file        EMPTY>
<!ATTLIST cert-cache-file
          file                   CDATA  #REQUIRED>

<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update        EMPTY>
<!ATTLIST crl-auto-update
          update-before          CDATA  #IMPLIED
          minimum-interval       CDATA  "&default-crl-update-min-interval;">

<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch           EMPTY>
<!ATTLIST crl-prefetch
          interval               CDATA  "&default-crl-prefetch-interval;"
          url                    CDATA  #REQUIRED>

<!-- LDAP server. -->
<!ELEMENT ldap-server            EMPTY>
<!ATTLIST ldap-server
          address                CDATA  #REQUIRED
          port                   CDATA  "&default-ldap-server-port;">

<!-- OCSP responder. -->
<!ELEMENT ocsp-responder         EMPTY>
<!ATTLIST ocsp-responder
          validity-period        CDATA  #IMPLIED
          url                    CDATA  #REQUIRED>

<!-- Enable DoD PKI compliance. -->
<!ELEMENT dod-pki                EMPTY>
<!ATTLIST dod-pki
          enable                 (yes|no) "&default-dod-pki;">


<!-- Secure Shell server TCP listener address and port. -->
<!ELEMENT listener      EMPTY>
<!ATTLIST listener
          id            ID       #REQUIRED
          port          CDATA    "22"
          address       CDATA    #IMPLIED>

<!-- Logging. -->
<!ELEMENT logging       (log-events*)>

<!-- Log events. -->
<!ELEMENT log-events    (#PCDATA)>
<!ATTLIST log-events
          facility      (normal|daemon|user|auth|local0|local1
                         |local2|local3|local4|local5|local6|local7|discard)
                        "&default-log-event-facility;"
          severity      (informational|notice|warning|error|critical
                         |security-success|security-failure)
                        "&default-log-event-severity;">

<!-- Certificate validation. -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,cert-cache-file?
                           ,crl-auto-update?,crl-prefetch*,dod-pki?
                           ,ca-certificate*)>

<!ATTLIST cert-validation
          http-proxy-url         CDATA   #IMPLIED
          socks-server-url       CDATA   #IMPLIED>

<!-- Limits. -->
<!ELEMENT limits                 EMPTY>
<!ATTLIST limits
          max-connections        CDATA   #IMPLIED
          max-processes          CDATA   #IMPLIED>

<!-- Connections. -->
<!ELEMENT connections   (connection+)>

<!-- Connection. -->
<!ELEMENT connection    (selector*,rekey?,cipher*,mac*)>
<!ATTLIST connection
          name          ID              #IMPLIED
          action        (allow|deny)    "&default-connection-action;"
          tcp-keepalive (yes|no)        "&default-tcp-keepalive;">

<!-- Rekey intervals. -->
<!ELEMENT rekey         EMPTY>
<!ATTLIST rekey
          seconds       CDATA    "&default-rekey-interval-seconds;"
          bytes         CDATA    "&default-rekey-interval-bytes;">

<!-- Cipher. -->
<!ELEMENT cipher        EMPTY>
<!ATTLIST cipher
          name          CDATA           #REQUIRED
          allow-missing (yes|no)        "&default-allow-missing;">

<!-- MAC. -->
<!ELEMENT mac           EMPTY>
<!ATTLIST mac
          name          CDATA           #REQUIRED
          allow-missing (yes|no)        "&default-allow-missing;">

<!-- Selector element. -->
<!ELEMENT selector      ((interface|certificate|host-certificate|ip
                          |user|user-group|user-privileged|blackboard
                          |publickey-passed|user-password-change-needed)*)>

<!-- Interface selector. At least one parameter must be given. If id is -->
<!-- set, the others MUST NOT be set. If id is not set, either or both  -->
<!-- of address and port may be defined.                                -->
<!ELEMENT interface       EMPTY>
<!ATTLIST interface
          id              IDREF    #IMPLIED
          address         CDATA    #IMPLIED
          port            CDATA    #IMPLIED
          allow-undefined (yes|no) "&default-allow-undefined-value;">


<!-- Public key (plain) passed selector. -->
<!ELEMENT publickey-passed         EMPTY>
<!ATTLIST publickey-passed
          length                   CDATA        #IMPLIED
          allow-undefined         (yes|no)
                                  "&default-allow-undefined-value;">

<!-- Certificate selector. -->
<!ELEMENT certificate     EMPTY>
<!ATTLIST certificate
          field           (ca-list|issuer-name|subject-name|serial-number
                           |altname-email|altname-upn
                           |altname-ip|altname-fqdn)    #REQUIRED
          pattern                  CDATA        #IMPLIED
          pattern-case-sensitive   CDATA        #IMPLIED
          ignore-prefix            (yes|no)     "no"
          ignore-suffix            (yes|no)     "no"
          allow-undefined          (yes|no)
                                   "&default-allow-undefined-value;">

<!-- Host certificate selector. -->
<!ELEMENT host-certificate         EMPTY>
<!ATTLIST host-certificate
          field           (ca-list|issuer-name|subject-name|serial-number
                           |altname-email|altname-upn
                           |altname-ip|altname-fqdn)    #REQUIRED
          pattern                  CDATA        #IMPLIED
          pattern-case-sensitive   CDATA        #IMPLIED
          ignore-prefix            (yes|no)     "no"
          ignore-suffix            (yes|no)     "no"
          allow-undefined          (yes|no)
                                   "&default-allow-undefined-value;">


<!-- IP address selector.  -->
<!-- The address will be one of the following:                          -->
<!--   - an IP range of the form x.x.x.x-y.y.y.y                        -->
<!--   - an IP mask of the form x.x.x.x/y                               -->
<!--   - a single IP address x.x.x.x                                    -->
<!--   - an FQDN pattern (form not checked, either it matches or not)   -->
<!-- Exactly one of address or fqdn must be set.                        -->


<!ELEMENT ip              EMPTY>
<!ATTLIST ip
          address               CDATA   #IMPLIED
          fqdn                  CDATA   #IMPLIED
          allow-undefined       (yes|no)
                                "&default-allow-undefined-value;">

<!-- User name selector. -->
<!ELEMENT user                  EMPTY>
<!ATTLIST user
          name                  CDATA   #IMPLIED
          name-case-sensitive   CDATA   #IMPLIED
          id                    CDATA   #IMPLIED
          allow-undefined       (yes|no)
                                "&default-allow-undefined-value;">

<!-- User group selector. -->
<!ELEMENT user-group            EMPTY>
<!ATTLIST user-group
          name                  CDATA   #IMPLIED
          name-case-sensitive   CDATA   #IMPLIED
          id                    CDATA   #IMPLIED
          allow-undefined       (yes|no)
                                "&default-allow-undefined-value;">

<!-- User privileged (administrator) selector. -->
<!ELEMENT user-privileged       EMPTY>
<!ATTLIST user-privileged
          value                 (yes|no)
                                "&default-user-privileged-value;"
          allow-undefined       (yes|no)
                                "&default-allow-undefined-value;">


<!-- Selector for whether the user's password must be changed. -->
<!ELEMENT user-password-change-needed   EMPTY>
<!ATTLIST user-password-change-needed
          value                (yes|no)
                               "&default-user-password-change-needed-value;"
          allow-undefined      (yes|no)
                               "&default-allow-undefined-value;">

<!-- Blackboard selector. -->
<!ELEMENT blackboard              EMPTY>
<!ATTLIST blackboard
          field                   CDATA   #REQUIRED
          pattern                 CDATA   #IMPLIED
          pattern-case-sensitive  CDATA   #IMPLIED
          allow-undefined         (yes|no)
                                  "&default-allow-undefined-value;">

<!-- Authentication methods element. -->
<!ELEMENT authentication-methods        (banner-message?,auth-file-modes?
                                         ,authentication*)>

<!ATTLIST authentication-methods
          login-grace-time      CDATA  "&default-login-grace-time-seconds;">

<!-- Banner message element. -->
<!ELEMENT banner-message        (#PCDATA)>
<!ATTLIST banner-message
          file                  CDATA   #IMPLIED>


<!-- Authentication file permission checks. -->
<!ELEMENT auth-file-modes       EMPTY>
<!ATTLIST auth-file-modes
          strict                (yes|no)        "&default-strict-modes;"
          mask-bits             CDATA           "&default-file-mask-bits;">


<!-- Authentication element. Within an authentication element, the          -->
<!-- authentication methods are in an OR-relation: the user must pass one   -->
<!-- of them.                                                               -->
<!ELEMENT authentication    (selector*
                             ,(auth-publickey|auth-hostbased|auth-password
                              |auth-keyboard-interactive|auth-gssapi)*
                             ,authentication*)>

<!ATTLIST authentication
          name           ID             #IMPLIED
          action        (allow|deny)    "&default-authentication-action;"
          set-group      CDATA          #IMPLIED
          repeat-block  (yes|no)        "&default-repeat-block;">


<!-- Public-key authentication. -->
<!ELEMENT auth-publickey        EMPTY>
<!ATTLIST auth-publickey
          authorization-file            CDATA   #IMPLIED
          authorized-keys-directory     CDATA   #IMPLIED
          openssh-authorized-keys-file  CDATA   #IMPLIED
          allow-missing                 (yes|no)
                                        "&default-allow-missing;">

<!-- Host-based authentication. -->
<!ELEMENT auth-hostbased        EMPTY>
<!ATTLIST auth-hostbased
          require-dns-match     (yes|no)
                                "&default-auth-hostbased-require-dns-match;"
          allow-missing         (yes|no)
                                "&default-allow-missing;">

<!-- Password authentication. -->
<!ELEMENT auth-password         EMPTY>
<!ATTLIST auth-password
          failure-delay         CDATA "&default-auth-password-failure-delay;"
          max-tries             CDATA "&default-auth-password-max-tries;"
          allow-missing         (yes|no)
                                "&default-allow-missing;">

<!-- Keyboard-interactive authentication. -->
<!ELEMENT auth-keyboard-interactive     ((submethod-pam
                                          |submethod-password
                                          |submethod-securid
                                          |submethod-radius
                                          |submethod-generic)*)>

<!ATTLIST auth-keyboard-interactive
          failure-delay         CDATA "&default-auth-kbdint-failure-delay;"
          max-tries             CDATA "&default-auth-kbdint-max-tries;">


<!-- Keyboard-interactive submethods. -->
<!-- PAM. -->
<!ELEMENT submethod-pam         EMPTY>
<!ATTLIST submethod-pam
          dll-path              CDATA   #IMPLIED>

<!-- Password. -->
<!ELEMENT submethod-password    EMPTY>

<!-- SecurID. -->
<!ELEMENT submethod-securid     EMPTY>
<!ATTLIST submethod-securid
          dll-path              CDATA   #IMPLIED>

<!-- RADIUS. -->
<!ELEMENT submethod-radius      (radius-server+)>

<!-- RADIUS server. -->
<!ELEMENT radius-server         (radius-shared-secret)>
<!ATTLIST radius-server
          address               CDATA   #REQUIRED
          port                  CDATA   "&default-radius-server-port;"
          timeout               CDATA   "&default-radius-server-timeout;"
          client-nas-identifier CDATA   #IMPLIED>


<!-- Shared secret. If "file" is set, it takes precedence over the #PCDATA content. -->
<!ELEMENT radius-shared-secret  (#PCDATA)>
<!ATTLIST radius-shared-secret
          file                  CDATA   #IMPLIED>

<!-- Generic submethod. -->
<!ELEMENT submethod-generic     EMPTY>
<!ATTLIST submethod-generic
          name                  CDATA   #REQUIRED
          params                CDATA   #IMPLIED>

<!-- GSSAPI authentication. -->
<!ELEMENT auth-gssapi              EMPTY>
<!ATTLIST auth-gssapi
          dll-path                 CDATA   #IMPLIED
          allow-ticket-forwarding (yes|no)
                                 "&default-gssapi-ticket-forwarding-policy;"
          allow-missing           (yes|no)
                                 "&default-allow-missing;">

<!-- Services element. -->
<!ELEMENT services       (group*,rule+)>

<!-- Group element. -->
<!ELEMENT group          (selector+)>
<!ATTLIST group
          name  ID       #REQUIRED>

<!-- Rule element. -->
<!ELEMENT rule           (environment*,terminal?,subsystem*,command*
                          ,tunnel-agent?,tunnel-x11?,tunnel-local*
                          ,tunnel-remote*)>

<!-- "group", if defined, is used to match the rule. -->
<!ATTLIST rule
          group           CDATA        #IMPLIED
          idle-timeout    CDATA        "&default-idle-timeout;"
          print-motd      (yes|no)     "&default-print-motd;">

<!-- Environment. -->
<!-- The default allowed environment variables are:               -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"              -->
<!-- If neither allowed nor allowed-case-sensitive is set,        -->
<!-- the default is used.                                         -->

<!ELEMENT environment   EMPTY>
<!ATTLIST environment
          allowed                      CDATA   #IMPLIED
          allowed-case-sensitive       CDATA   #IMPLIED>

<!-- Terminal. -->
<!ELEMENT terminal      EMPTY>
<!ATTLIST terminal
          action        (allow|deny)   "&default-terminal-action;"
          chroot        CDATA          #IMPLIED>

<!-- Subsystem. -->
<!ELEMENT subsystem     (attribute*)>
<!ATTLIST subsystem
          type          CDATA           #REQUIRED
          action        (allow|deny)    "&default-subsystem-action;"
          audit         (yes|no)        "&default-subsystem-audit;"
          exec-directly	(yes|no)	      "&default-subsystem-exec-directly;"
          application   CDATA           #IMPLIED
          chroot        CDATA           #IMPLIED>

<!ELEMENT attribute     EMPTY>
<!ATTLIST attribute
          name          CDATA   #REQUIRED
          value         CDATA   #IMPLIED>

<!-- Tunnels. -->
<!ELEMENT tunnel-x11    EMPTY>
<!ATTLIST tunnel-x11
          action        (allow|deny)            "&default-tunnel-action;">

<!ELEMENT tunnel-agent  EMPTY>
<!ATTLIST tunnel-agent
          action        (allow|deny)            "&default-tunnel-action;">

<!ELEMENT tunnel-local  ((src|dst)*)>
<!ATTLIST tunnel-local
          action        (allow|deny)            "&default-tunnel-action;">

<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote
          action        (allow|deny)            "&default-tunnel-action;">


<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.  -->
<!--  src and dst are for local-tcp.                                      -->
<!--  src and listen are for remote-tcp.                                  -->
<!--  address and fqdn are optional but mutually exclusive: at most one   -->
<!--  of them may be set (not both).                                      -->

<!-- Source. -->
<!ELEMENT src           EMPTY>
<!ATTLIST src
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Destination. -->
<!ELEMENT dst           EMPTY>
<!ATTLIST dst
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Listener. -->
<!ELEMENT listen        EMPTY>
<!ATTLIST listen
          address       CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Command. -->
<!ELEMENT command                       EMPTY>
<!ATTLIST command
          action                        (allow|deny|forced)
                                        "&default-command-action;"
          application                   CDATA        #IMPLIED
          application-case-sensitive    CDATA        #IMPLIED
          chroot                        CDATA        #IMPLIED>