The DTD of the server configuration file is shown below:
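<!-- -->
<!-- secsh-server.dtd -->
<!-- -->
<!-- Copyright (c) 2004-2008 SSH Communications Security, Finland -->
<!-- All rights reserved. -->
<!-- -->
<!-- Document type definition for the SSH Tectia Server XML -->
<!-- configuration files. -->
<!-- -->
<!-- Structure of this file: the ENTITY declarations below hold the -->
<!-- attribute defaults; the ELEMENT/ATTLIST declarations that follow -->
<!-- reference them as &entity-name; so a default is changed in one place. -->
<!-- -->

<!-- Tunable parameters used in the policy. -->

<!-- Default connection action. -->
<!ENTITY default-connection-action "allow">
<!-- Default terminal action. -->
<!ENTITY default-terminal-action "allow">
<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action "allow">
<!-- Default subsystem audit value. -->
<!ENTITY default-subsystem-audit "yes">
<!-- Default subsystem direct execute value. -->
<!ENTITY default-subsystem-exec-directly "no">
<!-- Default for allowing undefined blackboard entries by selectors. -->
<!-- "no" means a selector whose input is not available does NOT match, -->
<!-- which is the safe direction for an allow/deny policy. -->
<!ENTITY default-allow-undefined-value "no">
<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value "yes">
<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value "yes">
<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action "allow">
<!-- Default command action. -->
<!ENTITY default-command-action "allow">
<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds "3600">
<!-- Default rekey interval in bytes (1GB). -->
<!ENTITY default-rekey-interval-bytes "1000000000">
<!-- Default login grace time in seconds. -->
<!ENTITY default-login-grace-time-seconds "600">
<!-- Default authentication action. -->
<!ENTITY default-authentication-action "allow">
<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay "2">
<!-- Password authentication default maximum tries. -->
<!ENTITY default-auth-password-max-tries "3">
<!-- DNS match not required by default in host-based authentication. -->
<!ENTITY default-auth-hostbased-require-dns-match "no">
<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay "2">
<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries "3">
<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port "1812">
<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout. -->
<!ENTITY default-radius-server-timeout "10">
<!-- GSSAPI default ticket forwarding policy. -->
<!ENTITY default-gssapi-ticket-forwarding-policy "no">
<!-- Default time in seconds for using expired CRLs. -->
<!ENTITY default-use-expired-crls "0">
<!-- CRLs are not disabled by default. -->
<!ENTITY default-disable-crls "no">
<!-- DoD PKI compatibility is not required by default. -->
<!ENTITY default-dod-pki "no">
<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port "389">
<!-- Default CRL update minimum interval. -->
<!ENTITY default-crl-update-min-interval "30">
<!-- Default interval for CRL prefetching. -->
<!ENTITY default-crl-prefetch-interval "3600">
<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode "standard">
<!-- Default log event facility. -->
<!ENTITY default-log-event-facility "normal">
<!-- Default log event severity. -->
<!ENTITY default-log-event-severity "notice">
<!-- Default values for password caching. -->
<!ENTITY default-password-cache-max-passwords "2000">
<!ENTITY default-password-cache-expiration-time "0">
<!ENTITY default-password-cache-by-default "no">
<!-- Default action of a password-cache "access" entry. -->
<!ENTITY default-access-action "allow">
<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-ignore-aix-rlogin "no">
<!-- Default ignore AIX login setting. -->
<!ENTITY default-ignore-aix-login "no">
<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions "yes">
<!-- Default Windows logon type. -->
<!ENTITY default-windows-logon-type "interactive">
<!-- Default Ignore nisplus no permission error. -->
<!ENTITY default-ignore-nisplus-no-permission "no">
<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive "no">
<!-- Whether a plugin is allowed to not initialize (due to e.g. -->
<!-- system configuration, missing shared libraries). -->
<!ENTITY default-allow-missing "no">
<!-- Default connection idle timeout in seconds. The value zero -->
<!-- disables idle timeout. -->
<!ENTITY default-idle-timeout "0">
<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd "yes">
<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes "yes">
<!-- Default authentication file permission mask bits (octal). -->
<!ENTITY default-file-mask-bits "022">
<!-- Should an authentication block be repeated if authentication -->
<!-- succeeds but post-authentication selectors deny the authentication. -->
<!ENTITY default-repeat-block "no">
<!-- Service name used with PAM. -->
<!ENTITY default-pam-service-name "ssh-server-g3">
<!-- Whether to perform PAM Account and Session management when -->
<!-- executing commands, i.e. shells, subsystems and remote commands. -->
<!ENTITY default-pam-command-action "no">
<!-- Whether to bind x11 listeners to the localhost interface or to the -->
<!-- 'any' interface. If the x11 listener is bound to the 'any' interface -->
<!-- the SO_REUSEADDR socket option will not be set. -->
<!ENTITY default-x11-listen-address "localhost">
<!-- Whether to only use PAM to check if the user is allowed to login. -->
<!-- PAM can be used during authentication or via the -->
<!-- pam-calls-with-commands setting. If PAM is not used in either -->
<!-- authentication or with pam-calls-with-commands the normal system -->
<!-- checks will be used to determine whether the user is allowed to -->
<!-- login i.e. account is not locked etc. -->
<!ENTITY default-pam-account-checking-only "no">
<!-- Whether the server tries to resolve the client hostname during -->
<!-- connection setup -->
<!ENTITY default-resolve-client-hostname "yes">
<!-- Whether to suppress last login, password expiry, motd etc. messages -->
<!-- during login. -->
<!ENTITY default-quiet-login "no">
<!-- Default certificate cache size in MBs. -->
<!ENTITY default-cert-cache-size "35">
<!-- Default CRL size limit (in MB). -->
<!ENTITY default-max-crl-size "11">
<!-- Default timeout for external searches (LDAP, HTTP, OCSP) (seconds). -->
<!ENTITY default-external-search-timeout "60">
<!-- Default limit of LDAP responses (MBs). -->
<!ENTITY default-max-ldap-response-length "11">
<!-- Default LDAP connection idle timeout in seconds. -->
<!ENTITY default-ldap-idle-timeout "30">

<!-- Policy elements. -->

<!-- The top-level element. -->
<!ELEMENT secsh-server (params?,connections?,authentication-methods?,services?)>

<!-- Parameter element. -->
<!ELEMENT params (crypto-lib?,settings?,hostkey*,listener*,domain-policy?,
                  logging?,limits?,cert-validation?,
                  pluggable-authentication-modules?)>

<!-- Cryptographic library. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib
  mode (fips|standard) "&default-crypto-lib-mode;">

<!-- Settings - a block for stuff that is too minor to have its own -->
<!-- element in the params block. -->
<!-- Every attribute is optional; the enumerated ones fall back to the -->
<!-- entity defaults declared above. -->
<!ELEMENT settings EMPTY>
<!ATTLIST settings
  proxy-scheme CDATA #IMPLIED
  xauth-path CDATA #IMPLIED
  x11-listen-address (localhost|any) "&default-x11-listen-address;"
  pam-account-checking-only (yes|no) "&default-pam-account-checking-only;"
  ignore-aix-rlogin (yes|no) "&default-ignore-aix-rlogin;"
  ignore-aix-login (yes|no) "&default-ignore-aix-login;"
  record-ptyless-sessions (yes|no) "&default-record-ptyless-sessions;"
  user-config-dir CDATA #IMPLIED
  default-path CDATA #IMPLIED
  windows-logon-type (batch|interactive|network|network-cleartext) "&default-windows-logon-type;"
  ignore-nisplus-no-permission (yes|no) "&default-ignore-nisplus-no-permission;"
  resolve-client-hostname (yes|no) "&default-resolve-client-hostname;"
  quiet-login (yes|no) "&default-quiet-login;">

<!-- PAM integration parameters. -->
<!ELEMENT pluggable-authentication-modules EMPTY>
<!ATTLIST pluggable-authentication-modules
  service-name CDATA "&default-pam-service-name;"
  dll-path CDATA #IMPLIED
  pam-calls-with-commands (yes|no) "&default-pam-command-action;">

<!-- Hostkey specification. -->
<!-- Either a private key with an optional public key or certificate, -->
<!-- or a key held by an external provider. -->
<!ELEMENT hostkey ((private,(public|x509-certificate)?)|externalkey)>
<!-- Private key specification. -->
<!ELEMENT private (#PCDATA)>
<!ATTLIST private file CDATA #IMPLIED>
<!-- Public key. -->
<!ELEMENT public (#PCDATA)>
<!ATTLIST public file CDATA #IMPLIED>
<!-- Certificate (host). -->
<!ELEMENT x509-certificate (#PCDATA)>
<!ATTLIST x509-certificate file CDATA #IMPLIED>
<!-- External key. -->
<!ELEMENT externalkey EMPTY>
<!ATTLIST externalkey
  type CDATA #REQUIRED
  init-info CDATA #IMPLIED>

<!-- CA certificate. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
  file CDATA #IMPLIED
  name CDATA #REQUIRED
  disable-crls (yes|no) "&default-disable-crls;"
  use-expired-crls CDATA "&default-use-expired-crls;">
<!-- Certificate caching. -->
<!ELEMENT cert-cache-file EMPTY>
<!ATTLIST cert-cache-file file CDATA #REQUIRED>
<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update EMPTY>
<!ATTLIST crl-auto-update
  update-before CDATA #IMPLIED
  minimum-interval CDATA "&default-crl-update-min-interval;">
<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch EMPTY>
<!ATTLIST crl-prefetch
  interval CDATA "&default-crl-prefetch-interval;"
  url CDATA #REQUIRED>
<!-- LDAP server. -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server
  address CDATA #REQUIRED
  port CDATA "&default-ldap-server-port;">
<!-- OCSP responder. -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
  validity-period CDATA #IMPLIED
  url CDATA #REQUIRED>
<!-- Enable DoD PKI compliancy. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki enable (yes|no) "&default-dod-pki;">

<!-- Secure Shell server TCP listener address and port. -->
<!-- The id is an ID so that interface selectors can refer to it by IDREF. -->
<!ELEMENT listener EMPTY>
<!ATTLIST listener
  id ID #REQUIRED
  port CDATA "22"
  address CDATA #IMPLIED>

<!-- Server domain policy type -->
<!ELEMENT domain-policy EMPTY>
<!ATTLIST domain-policy windows-domain-precedence CDATA #IMPLIED>

<!-- Logging. -->
<!ELEMENT logging (log-events*)>
<!-- Log events. -->
<!ELEMENT log-events (#PCDATA)>
<!ATTLIST log-events
  facility (normal|daemon|user|auth|local0|local1|local2
            |local3|local4|local5|local6|local7|discard) "&default-log-event-facility;"
  severity (informational|notice|warning|error|critical
            |security-success|security-failure) "&default-log-event-severity;">

<!-- Certificate validation. -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,cert-cache-file?,
                           crl-auto-update?,crl-prefetch*,dod-pki?,
                           ca-certificate*)>
<!ATTLIST cert-validation
  http-proxy-url CDATA #IMPLIED
  socks-server-url CDATA #IMPLIED
  cache-size CDATA "&default-cert-cache-size;"
  max-crl-size CDATA "&default-max-crl-size;"
  external-search-timeout CDATA "&default-external-search-timeout;"
  max-ldap-response-length CDATA "&default-max-ldap-response-length;"
  ldap-idle-timeout CDATA "&default-ldap-idle-timeout;">

<!-- Password caching. -->
<!-- NOTE(review): password-cache is declared here but no content model -->
<!-- in this DTD references it; confirm against the full DTD. -->
<!ELEMENT password-cache (access*)>
<!ATTLIST password-cache
  file CDATA #IMPLIED
  max-passwords CDATA "&default-password-cache-max-passwords;"
  expiration-time CDATA "&default-password-cache-expiration-time;"
  cache-by-default (yes|no) "&default-password-cache-by-default;">
<!-- Per-user override of the cache-by-default setting. -->
<!ELEMENT access EMPTY>
<!ATTLIST access
  user CDATA #REQUIRED
  action (allow|deny) "&default-access-action;">

<!-- Limits. -->
<!ELEMENT limits EMPTY>
<!ATTLIST limits
  max-connections CDATA #IMPLIED
  max-processes CDATA #IMPLIED>

<!-- Connections. -->
<!ELEMENT connections (connection+)>
<!-- Connection. -->
<!ELEMENT connection (selector*,rekey?,cipher*,mac*)>
<!ATTLIST connection
  name ID #IMPLIED
  action (allow|deny) "&default-connection-action;"
  tcp-keepalive (yes|no) "&default-tcp-keepalive;">
<!-- Rekey intervals. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
  seconds CDATA "&default-rekey-interval-seconds;"
  bytes CDATA "&default-rekey-interval-bytes;">
<!-- Cipher. -->
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
  name CDATA #REQUIRED
  allow-missing (yes|no) "&default-allow-missing;">
<!-- MAC. -->
<!ELEMENT mac EMPTY>
<!ATTLIST mac
  name CDATA #REQUIRED
  allow-missing (yes|no) "&default-allow-missing;">

<!-- Selector element. -->
<!ELEMENT selector ((interface|certificate|host-certificate|ip
                     |user|user-group|user-privileged|blackboard
                     |publickey-passed|user-password-change-needed)*)>

<!-- Interface selector. At least one parameter must be given. If id is -->
<!-- set, the others MUST NOT be set. If id is not set, either or both -->
<!-- of address and port may be defined. -->
<!ELEMENT interface EMPTY>
<!ATTLIST interface
  id IDREF #IMPLIED
  address CDATA #IMPLIED
  port CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Public key (plain) passed selector. -->
<!ELEMENT publickey-passed EMPTY>
<!ATTLIST publickey-passed
  length CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Certificate selector. -->
<!ELEMENT certificate EMPTY>
<!ATTLIST certificate
  field (ca-list|issuer-name|subject-name|serial-number
         |altname-email|altname-upn
         |altname-ip|altname-fqdn
         |extended-key-usage) #REQUIRED
  pattern CDATA #IMPLIED
  pattern-case-sensitive CDATA #IMPLIED
  regexp CDATA #IMPLIED
  ignore-prefix (yes|no) #IMPLIED
  ignore-suffix (yes|no) #IMPLIED
  explicit (yes|no) #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Host certificate selector. Same attributes as "certificate". -->
<!ELEMENT host-certificate EMPTY>
<!ATTLIST host-certificate
  field (ca-list|issuer-name|subject-name|serial-number
         |altname-email|altname-upn
         |altname-ip|altname-fqdn
         |extended-key-usage) #REQUIRED
  pattern CDATA #IMPLIED
  pattern-case-sensitive CDATA #IMPLIED
  regexp CDATA #IMPLIED
  ignore-prefix (yes|no) #IMPLIED
  ignore-suffix (yes|no) #IMPLIED
  explicit (yes|no) #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- IP address selector. -->
<!-- The address will be one of the following: -->
<!-- - an IP range of the form x.x.x.x-y.y.y.y -->
<!-- - an IP mask of the form x.x.x.x/y -->
<!-- - a straight IP address x.x.x.x -->
<!-- - an FQDN pattern (form not checked, either it matches or not) -->
<!-- Exactly one of address or fqdn must be set. -->
<!ELEMENT ip EMPTY>
<!ATTLIST ip
  address CDATA #IMPLIED
  fqdn CDATA #IMPLIED
  fqdn-regexp CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- User name selector. -->
<!ELEMENT user EMPTY>
<!ATTLIST user
  name CDATA #IMPLIED
  name-case-sensitive CDATA #IMPLIED
  name-regexp CDATA #IMPLIED
  id CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- User group selector. -->
<!ELEMENT user-group EMPTY>
<!ATTLIST user-group
  name CDATA #IMPLIED
  name-case-sensitive CDATA #IMPLIED
  name-regexp CDATA #IMPLIED
  id CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- User privileged (administrator) selector. -->
<!ELEMENT user-privileged EMPTY>
<!ATTLIST user-privileged
  value (yes|no) "&default-user-privileged-value;"
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Selector for the need of user password change. -->
<!ELEMENT user-password-change-needed EMPTY>
<!ATTLIST user-password-change-needed
  value (yes|no) "&default-user-password-change-needed-value;"
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Blackboard selector. -->
<!ELEMENT blackboard EMPTY>
<!ATTLIST blackboard
  field CDATA #REQUIRED
  pattern CDATA #IMPLIED
  pattern-case-sensitive CDATA #IMPLIED
  regexp CDATA #IMPLIED
  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Authentication methods element. -->
<!ELEMENT authentication-methods (banner-message?,auth-file-modes?,authentication*)>
<!ATTLIST authentication-methods
  login-grace-time CDATA "&default-login-grace-time-seconds;">

<!-- Banner message element. -->
<!ELEMENT banner-message (#PCDATA)>
<!ATTLIST banner-message file CDATA #IMPLIED>

<!-- Authentication file permission checks. -->
<!ELEMENT auth-file-modes EMPTY>
<!ATTLIST auth-file-modes
  strict (yes|no) "&default-strict-modes;"
  mask-bits CDATA "&default-file-mask-bits;">

<!-- Authentication element. In an authentication element, different -->
<!-- authentication methods are in OR-relation. User must pass one of -->
<!-- them. Nested authentication elements are allowed. -->
<!ELEMENT authentication (selector*,
                          (auth-publickey|auth-hostbased|auth-password
                           |auth-keyboard-interactive|auth-gssapi)*,
                          authentication*)>
<!ATTLIST authentication
  name ID #IMPLIED
  action (allow|deny) "&default-authentication-action;"
  set-group CDATA #IMPLIED
  repeat-block (yes|no) "&default-repeat-block;">

<!-- Public-key authentication. -->
<!ELEMENT auth-publickey EMPTY>
<!ATTLIST auth-publickey
  authorization-file CDATA #IMPLIED
  authorized-keys-directory CDATA #IMPLIED
  openssh-authorized-keys-file CDATA #IMPLIED
  allow-missing (yes|no) "&default-allow-missing;">

<!-- Host-based authentication. -->
<!ELEMENT auth-hostbased EMPTY>
<!ATTLIST auth-hostbased
  require-dns-match (yes|no) "&default-auth-hostbased-require-dns-match;"
  allow-missing (yes|no) "&default-allow-missing;">

<!-- Password authentication. -->
<!ELEMENT auth-password EMPTY>
<!ATTLIST auth-password
  failure-delay CDATA "&default-auth-password-failure-delay;"
  max-tries CDATA "&default-auth-password-max-tries;"
  allow-missing (yes|no) "&default-allow-missing;">

<!-- Keyboard-interactive authentication. -->
<!ELEMENT auth-keyboard-interactive ((submethod-pam
                                      |submethod-password
                                      |submethod-securid
                                      |submethod-radius
                                      |submethod-generic)*)>
<!ATTLIST auth-keyboard-interactive
  failure-delay CDATA "&default-auth-kbdint-failure-delay;"
  max-tries CDATA "&default-auth-kbdint-max-tries;">

<!-- Keyboard-interactive submethods. -->
<!-- PAM service-name is #IMPLIED, as it will be by default -->
<!-- whatever is set in "params" block -->
<!ELEMENT submethod-pam EMPTY>
<!ATTLIST submethod-pam
  service-name CDATA #IMPLIED
  dll-path CDATA #IMPLIED>
<!-- Password. -->
<!ELEMENT submethod-password EMPTY>
<!-- SecurID. -->
<!ELEMENT submethod-securid EMPTY>
<!ATTLIST submethod-securid dll-path CDATA #IMPLIED>
<!-- RADIUS. -->
<!ELEMENT submethod-radius (radius-server+)>
<!-- RADIUS server. -->
<!ELEMENT radius-server (radius-shared-secret)>
<!ATTLIST radius-server
  address CDATA #REQUIRED
  port CDATA "&default-radius-server-port;"
  timeout CDATA "&default-radius-server-timeout;"
  client-nas-identifier CDATA #IMPLIED>
<!-- Secret. "file" has precedence over #PCDATA. -->
<!-- Inline #PCDATA stores the shared secret in the policy file itself; -->
<!-- "file" lets it be kept in a separately protected file. -->
<!ELEMENT radius-shared-secret (#PCDATA)>
<!ATTLIST radius-shared-secret file CDATA #IMPLIED>
<!-- Generic submethod. -->
<!ELEMENT submethod-generic EMPTY>
<!ATTLIST submethod-generic
  name CDATA #REQUIRED
  params CDATA #IMPLIED>

<!-- GSSAPI authentication. -->
<!ELEMENT auth-gssapi EMPTY>
<!ATTLIST auth-gssapi
  dll-path CDATA #IMPLIED
  allow-ticket-forwarding (yes|no) "&default-gssapi-ticket-forwarding-policy;"
  allow-missing (yes|no) "&default-allow-missing;">

<!-- Services element. -->
<!ELEMENT services (group*,rule+)>
<!-- Group element. -->
<!ELEMENT group (selector+)>
<!ATTLIST group name ID #REQUIRED>

<!-- Rule element. -->
<!ELEMENT rule (environment*,terminal?,subsystem*,command*,
                tunnel-agent?,tunnel-x11?,tunnel-local*,
                tunnel-remote*)>
<!-- "group", if defined, will be used to match the rule. -->
<!ATTLIST rule
  group CDATA #IMPLIED
  idle-timeout CDATA "&default-idle-timeout;"
  print-motd (yes|no) "&default-print-motd;">

<!-- Environment. -->
<!-- The default allowed environment variables are: -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*" -->
<!-- If neither allowed nor allowed-case-sensitive is set, -->
<!-- the default is used. -->
<!ELEMENT environment EMPTY>
<!ATTLIST environment
  allowed CDATA #IMPLIED
  allowed-case-sensitive CDATA #IMPLIED>

<!-- Terminal. -->
<!ELEMENT terminal EMPTY>
<!ATTLIST terminal
  action (allow|deny) "&default-terminal-action;"
  chroot CDATA #IMPLIED>

<!-- Subsystem. -->
<!ELEMENT subsystem (attribute*)>
<!ATTLIST subsystem
  type CDATA #REQUIRED
  action (allow|deny) "&default-subsystem-action;"
  audit (yes|no) "&default-subsystem-audit;"
  exec-directly (yes|no) "&default-subsystem-exec-directly;"
  application CDATA #IMPLIED
  chroot CDATA #IMPLIED>
<!-- Subsystem attribute (name/value pair). -->
<!ELEMENT attribute EMPTY>
<!ATTLIST attribute
  name CDATA #REQUIRED
  value CDATA #IMPLIED>

<!-- Tunnels. -->
<!ELEMENT tunnel-x11 EMPTY>
<!ATTLIST tunnel-x11 action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-agent EMPTY>
<!ATTLIST tunnel-agent action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-local ((src|dst)*)>
<!ATTLIST tunnel-local action (allow|deny) "&default-tunnel-action;">
<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote action (allow|deny) "&default-tunnel-action;">

<!-- Tunnel selectors. These apply only to TCP local and remote tunnels. -->
<!-- src and dst are for local-tcp -->
<!-- src and listen are for remote-tcp -->
<!-- address or fqdn are not mandatory. If set, exactly one must be set -->
<!-- (not both). -->
<!-- Source. -->
<!ELEMENT src EMPTY>
<!ATTLIST src
  address CDATA #IMPLIED
  fqdn CDATA #IMPLIED
  fqdn-regexp CDATA #IMPLIED
  port CDATA #IMPLIED>
<!-- Destination. -->
<!ELEMENT dst EMPTY>
<!ATTLIST dst
  address CDATA #IMPLIED
  fqdn CDATA #IMPLIED
  fqdn-regexp CDATA #IMPLIED
  port CDATA #IMPLIED>
<!-- Listener. -->
<!ELEMENT listen EMPTY>
<!ATTLIST listen
  address CDATA #IMPLIED
  port CDATA #IMPLIED>

<!-- Command. -->
<!-- "forced" runs the configured application instead of the client's. -->
<!ELEMENT command EMPTY>
<!ATTLIST command
  action (allow|deny|forced) "&default-command-action;"
  application CDATA #IMPLIED
  application-case-sensitive CDATA #IMPLIED
  chroot CDATA #IMPLIED>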