It is possible to divide the SSH Tectia Server configuration into several files. You can define external XML files containing sub-configurations for example with department-specific or user-group-specific settings. This can make the configuration easier to manage as it is in smaller parts, and the sub-configuration files can be used repeatedly in several places.
Note: Configuration files consisting of several XML files must be maintained manually, because split configuration files cannot be edited with the SSH Tectia Server Configuration GUI.
The sub-configuration files must be declared as external SYSTEM entities within the DOCTYPE element of the ssh-server-config.xml file. For example, the entity-name below (the internal subset opened with "[" is closed with "]>" before the document element):

<!DOCTYPE secsh-server SYSTEM "/etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [
  <!ENTITY entity-name SYSTEM "sub-config-file.xml">
]>
The defined entity can then be used in the main configuration file instead of defining all the settings there. The server configuration will read the contents of the sub-configuration file in the place of the entity. So the sub-configuration file contents must be designed so that they produce a valid XML structure in the ssh-server-config.xml file.
In this example we have a sub-configuration file named group-example-rules.xml, located in the sub-directory subconfigs/, and with the following contents:

<terminal action="deny" />
<subsystem type="sftp" application="sft-server-g3" chroot="%homedir%" />
<tunnel-agent action="deny" />
<tunnel-x11 action="deny" />
<tunnel-local action="deny" />
<tunnel-remote action="deny" />
In the example below, we first declare the sub-configuration file (and its location) as an external entity in the beginning of the ssh-server-config.xml file, and then use the group-A-rules entity in the actual configuration as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM "/etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [
  <!ENTITY group-A-rules SYSTEM "subconfigs/group-example-rules.xml">
]>
<secsh-server>
  ...
  <services>
    <group name="example">
      <selector>
        <user-group name="example"/>
      </selector>
    </group>
    ...
    <rule group="example">
      &group-A-rules;
    </rule>
    ...
  </services>
</secsh-server>
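Because the server only sees the assembled document, a stray tag in one sub-configuration file changes (or breaks) the rule it is inlined into. The following pre-deployment check is an added example, not part of the SSH Tectia documentation or product: it expands the SYSTEM entities declared in the DOCTYPE itself, then parses the result to confirm the pieces form well-formed XML and to list what a given rule actually contains. The sample files are constructed in memory, and entity paths are assumed to be relative to the directory holding ssh-server-config.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files that mirror the page's example; keys are paths
# relative to the directory holding ssh-server-config.xml (an assumption).
SAMPLE_FILES = {
    "ssh-server-config.xml": """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM "ssh-server-ng-config-1.dtd" [
  <!ENTITY group-A-rules SYSTEM "subconfigs/group-example-rules.xml">
]>
<secsh-server>
  <services>
    <group name="example"><selector><user-group name="example"/></selector></group>
    <rule group="example">&group-A-rules;</rule>
  </services>
</secsh-server>
""",
    "subconfigs/group-example-rules.xml": """<terminal action="deny" />
<subsystem type="sftp" application="sft-server-g3" chroot="%homedir%" />
<tunnel-agent action="deny" />
<tunnel-x11 action="deny" />
<tunnel-local action="deny" />
<tunnel-remote action="deny" />
""",
}

ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+SYSTEM\s+"([^"]+)"\s*>')
DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>", re.S)

def assemble(main_name, files):
    """Inline every SYSTEM entity declared in the DOCTYPE internal subset.
    The DOCTYPE is dropped because ElementTree loads neither DTDs nor external entities."""
    text = files[main_name]
    m = DOCTYPE.search(text)
    if not m:
        return text
    body = text[:m.start()] + text[m.end():]
    for name, path in ENTITY_DECL.findall(m.group(1) or ""):
        body = body.replace(f"&{name};", files[path])
    return body

def rule_children(main_name, files, group):
    """Tags that <rule group=...> holds after expansion; raises ET.ParseError
    when the assembled document is not well-formed XML."""
    root = ET.fromstring(assemble(main_name, files))
    for rule in root.iter("rule"):
        if rule.get("group") == group:
            return [child.tag for child in rule]
    return None
```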