
Appendix A Tectia Server Configuration File Quick Reference

This Appendix contains a quick reference to the elements of the Tectia Server configuration file, ssh-server-config.xml. The quick reference is divided into four tables, one for each block of the configuration file: params (Table A.1), connections (Table A.2), authentication-methods (Table A.3) and services (Table A.4).

The tables list the available configuration file elements with their attributes, attribute values (with the default value, where one exists, given in parentheses) and descriptions. The element names in the tables are links that take you to detailed descriptions of the elements in ssh-server-config(5).

The element hierarchy is expressed with slashes ('/') between parent and child elements. For example, in Table A.2, "connection / selector / ip" means that a connection element can have a selector child element, which can have an ip child element.

Table A.1. ssh-server-config.xml Quick Reference - the params block

Element Attributes and their values Description
address-family type = "inet|inet6|any" IP address type
crypto-lib mode = "standard|fips" Cryptographic library mode
settings proxy-scheme = semicolon-separated_sequence HTTP and SOCKS proxy server rules for local tunneling
xauth-path = path (Unix only) Path to a supplementary XAuth binary used with X11 forwarding
x11-listen-address = "localhost|any" (Unix only) Type of address the x11 listener is created on
pam-account-checking-only = "yes|no" (Unix only) Only PAM will be used to check if the user is allowed to log in
resolve-clienthostname = "yes|no" Client host name is resolved from IP address during connection setup
ignore-aix-rlogin = "yes|no" Ignore remote login restriction on AIX
ignore-aix-login = "yes|no" Ignore local login restriction on AIX
record-ptyless-sessions = "yes|no" Record sessions without PTYs as user logins in the OS
user-config-dir = directory (default: "%D/.ssh2") Directory for user-specific configuration data (can include pattern strings)
default-path = path (Unix only) Default PATH value for the user environment
windows-logon-type = "batch|interactive|network|network-cleartext" (Windows only) Accepted user logon methods for the local host
windows-terminal-mode = "console|stream" (Windows only) Mode of operation of a terminal session on the server side
ignore-nisplus-no-permission = "yes|no" (Linux and Solaris only) If NIS+ gives no permission to the user during authentication, ignore it
quiet-login = "yes|no" Suppress messages about last login, password expiry, etc. during login
default-domain = domain Append a domain to server host names that are not FQDNs
terminate-user-processes = "yes|no" Terminate user processes on session close
allow-elevation = "yes|no" Allow elevation. Only applies to password logins.
pluggable-authentication-modules (Unix only) pam-calls-with-commands = "yes|no" Enable PAM Account and Session Management when user executes shells, remote commands and subsystems
service-name = name Instruct PAM about which configuration it should use
dll-path = path Location of the PAM library
protocol-parameters threads = number (default: "0") Number of threads the protocol library uses
hostkey / private file = path Path to the private key file
hostkey / public file = path Path to the public key file
hostkey / x509-certificate file = path Path to the X.509 user certificate file
hostkey / externalkey type = "none|software|mscapi|pkcs11|pkcs12" External host key type
init-info = keyword(value)_list Init info for the external host key
listener id = ID Unique ID for the server listener
address = IP_address The address where the server listens for connections
port = port_number The port at which the server listens for connections
domain-policy (Windows only) windows-domain-precedence = comma-separated_list Trusted domains and special values %default% and %local%
domain-policy / windows-domain (Windows only) name = domain_name Domain name for domain access with one-way trust
user = user_name User account for domain access with one-way trust
logging / log-events facility = "normal|daemon|user|auth|local0|local1|local2|local3|local4|local5|local6|local7|discard" Facility of logging event
severity = "informational|notice|warning|error|critical|security-success|security-failure" Severity of logging event
limits max-processes = [1 to 2048] (default: "40") Maximum number of servant processes the master server will launch
max-connections = number (default: "256") Maximum number of client connections allowed per servant
limits / servant-lifetime total-connections = [1 to 4000000000] (recommended: "5000") Total number of connections the servant process will handle during its lifetime
cert-validation http-proxy-url = address HTTP proxy address
socks-server-url = address SOCKS proxy address
cache-size = [1 to 512] (default: "35") Maximum size (MB) of in-memory cache for certificates and CRLs
max-crl-size = [1 to 512] (default: "11") Maximum size (MB) of CRLs accepted
external-search-timeout = [1 to 3600] (default: "60") Time limit (seconds) for external HTTP and LDAP searches for CRLs and certificates
max-ldap-response-length = [1 to 512] (default: "11") Maximum size (MB) of LDAP responses accepted
ldap-idle-timeout = [1 to 3600] (default: "30") Idle timeout (seconds) for LDAP connections
max-path-length = number Maximum length of the certification paths when validating certificates
cert-validation / ldap-server address = LDAP-address LDAP server address
port = port_number (default: "389") LDAP server port
cert-validation / ocsp-responder validity-period = seconds Validity period for OCSP data
url = address OCSP responder service address
cert-validation / cert-cache-file file = path File for storing certificates and CRLs
cert-validation / crl-auto-update update-before = seconds Time before expiration for automatic updating of certificate revocation lists
minimum-interval = seconds Limit for maximum CRL update frequency
cert-validation / crl-prefetch url = address URL from which CRL is downloaded
interval = seconds (default: "3600") How often the CRL is downloaded
cert-validation / dod-pki enable = "yes|no" Enforce digital signature in key usage
cert-validation / ca-certificate name = CA_name Name of the CA
file = path Path to X.509 CA certificate file
disable-crls = "yes|no" Disable CRL checking
use-expired-crls = seconds (default: "0") Time period for using expired CRLs
trusted = "yes|no" Set CA certificate as a trust anchor and trust it explicitly
password-cache file = path Location of server password cache file
load-control enable = "yes|no" Enable load control
discard-limit = [1 to max-connections-1] (default: 90% of max-connections) Limit for discarding new connections from outside the server's white list
white-list-size = [1 to 10000] (default: "1000") Number of IP addresses on the server's white list

Table A.2. ssh-server-config.xml Quick Reference - the connections block

Element Attributes and their values Description
connection name = XML_name Identifier (valid XML name) for the connection rule
action = "allow|deny" Allow/deny connection
tcp-keepalive = "yes|no" Send keepalive messages to the other side
connection / selector / interface id = ID Match the server listener interface ID
address = address Match the server listener interface address
port = port_number Match the server listener interface port
connection / selector / ip address = IP_address|IP_address_range|IP_sub-network_mask Match the client's IP address
fqdn = FQDN_pattern Match the client's FQDN
connection / rekey seconds = seconds (default: "3600") Number of seconds after which key exchange is done again
bytes = bytes (default: "1000000000") Number of transferred bytes after which key exchange is done again
connection / cipher name = cipher_name Cipher allowed for data encryption
allow-missing = "yes|no" Server restarts normally even if cipher not found during configuration reading
connection / compression name = compression_method Compression method allowed for the connection
connection / mac name = HMAC_name MAC allowed for data integrity verification
allow-missing = "yes|no" Server restarts normally even if MAC not found during configuration reading
connection / kex name = KEX_name KEX allowed for key exchange method
allow-missing = "yes|no" Server restarts normally even if KEX not found during configuration reading
connection / hostkey-algorithm name = algorithm_name Host key signature algorithm used in server authentication with host keys or certificates
allow-missing = "yes|no" Server restarts normally even if host key algorithm not found during configuration reading

Table A.3. ssh-server-config.xml Quick Reference - the authentication-methods block

Element Attributes and their values Description
banner-message file = path Path to the file that contains the message that is sent to the client before authentication
auth-file-modes (Unix only) strict = "yes|no" Check permissions and ownership of the user's key files or the directory they are stored in
mask-bits = octal_permissions (default: "022") Specify forbidden permission bits in octal format
dir-mask-bits = octal_permissions Specify the forbidden permission bits for the user key directory
authentication action = "allow|deny" Allow/deny access to/from users who match a selector
authentication / selector / certificate field = "ca-list|issuer-name|subject-name|serial-number|altname-email|altname-upn|altname-ip|altname-fqdn|extended-key-usage" The field of user certificates used in public-key authentication that has to be matched
pattern The information in the field to be matched
pattern-case-sensitive The information in the field to be matched case-sensitively
regexp = egrep_regexp Regular expression to match a range of values in the selected field
ignore-prefix = "yes|no" Match only the end of subject name
ignore-suffix = "yes|no" Match only the beginning of the subject name
explicit = "yes|no" (With extended-key-usage) Request that the certificate must include the key purpose ID specified with the pattern
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / host-certificate field = "ca-list|issuer-name|subject-name|serial-number|altname-email|altname-upn|altname-ip|altname-fqdn|extended-key-usage" The field of host certificates used in public-key authentication that has to be matched
pattern The information in the field to be matched
pattern-case-sensitive The information in the field to be matched case-sensitively
regexp = egrep_regexp Regular expression to match a range of values in the selected field
ignore-prefix = "yes|no" Match only the end of subject name
ignore-suffix = "yes|no" Match only the beginning of the subject name
explicit = "yes|no" (With extended-key-usage) Request that the certificate must include the key purpose ID specified with the pattern
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / interface id = ID Match the listener interface ID
address = IP_address Match the listener address
port = port_number Match the listener port
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / ip address = IP_address|IP_address_range|IP_sub-network_mask Match client's IP address
fqdn = FQDN_pattern Match client's FQDN
fqdn-regexp = regexp_pattern Match a range of FQDNs specified with a regular expression
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / user name = comma-separated_list Match user names
name-case-sensitive = comma-separated_list Match user names case-sensitively
name-regexp = regexp_pattern Match a range of names specified with a regular expression
id = comma-separated_list Match user IDs
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / user-group name = comma-separated_list Match user group names
name-case-sensitive = comma-separated_list Match user group names case-sensitively
name-regexp = regexp_pattern Match a range of user group names specified with a regular expression
id = comma-separated_list Match user group IDs
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / user-privileged value = "yes|no" Match a privileged user
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / blackboard field Match based on the information in this blackboard field
pattern The information in the field to be matched
pattern-case-sensitive The information to be matched case-sensitively
regexp = egrep_regexp Regular expression to match a range of values in the selected field
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / publickey-passed length = [length_range] Public key length range
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector / user-password-change-needed (Unix only) value = "yes|no" Matches if the user password has expired and should be changed
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / set-blackboard field = blackboard_key Describe an item that will be added to the blackboard when this authentication block is encountered
value Desired value
file = path Path to a file containing the desired value
authentication / set-user name = user_name Specify user name that will be used from here on
authentication / auth-publickey require-dns-match = "yes|no" Accept or deny a public key which has the allow/deny-from option set in the authorization file
signature-algorithms = comma-separated_list Public-key signature algorithms used for user authentication
authorization-file = comma-separated_list Paths to files that contain the user public keys that are authorized for login
authorized-keys-directory = comma-separated_list Directories that contain the user public keys that are authorized for login
openssh-authorized-keys-file = comma-separated_list Paths to OpenSSH-style authorized_keys files that contain the user public keys that are authorized for login
authentication / auth-hostbased require-dns-match = "yes|no" Host-based authentication will require the host name given by the client to match the one found in DNS
disable-authorization = "yes|no" Host-based authentication ignores authorization requirements
allow-missing = "yes|no" Ignore missing element
authentication / auth-password failure-delay = seconds (default: "2") Delay between failed password authentication attempts
max-tries = number (default: "3") Maximum number of password authentication attempts
allow-missing = "yes|no" Ignore missing element
authentication / auth-keyboard-interactive failure-delay = seconds (default: "2") Delay between failed keyboard-interactive authentication attempts
max-tries = number (default: "3") Maximum number of keyboard-interactive authentication attempts
authentication / auth-keyboard-interactive / submethod-pam (Unix only) service-name Instruct PAM about which configuration it should use
dll-path = path|comma-separated_list Non-standard location for the PAM library, or PAM DLLs
authentication / auth-keyboard-interactive / submethod-password - Set the keyboard-interactive password submethod in use
authentication / auth-keyboard-interactive / submethod-securid dll-path = path Path to the SecurID DLL
authentication / auth-keyboard-interactive / submethod-radius - Sets the keyboard-interactive RADIUS submethod in use
authentication / auth-keyboard-interactive / submethod-radius / radius-server address = IP_address RADIUS server's IP address
port = port_number (default: "1812") RADIUS server port
timeout = seconds (default: "10") Time after which the RADIUS query is terminated if no response is gained
client-nas-identifier = ID Network access server identifier to be used when talking to the RADIUS server
authentication / auth-keyboard-interactive / submethod-radius / radius-server / radius-shared-secret file = path Path to the RADIUS shared secret file
authentication / auth-keyboard-interactive / submethod-aix-lam enable-password-change = "yes|no" Enable LAM on AIX and allow users to change their expired passwords
authentication / auth-keyboard-interactive / submethod-generic name = method_name Set the named generic submethod in use
params = parameters Optional parameters for the submethod
authentication / auth-gssapi dll-path = path Path to required GSSAPI libraries
allow-ticket-forwarding = "yes|no" Allow forwarding the Kerberos ticket over several connections
allow-missing = "yes|no" Ignore Kerberos/GSSAPI unavailability
authentication / mapper command = external_application External application used to supplement authentication
timeout = [1 to 3600] (default: "15") Time limit for the external application to exit

Table A.4. ssh-server-config.xml Quick Reference - the services block

Element Attributes and their values Description
group name = XML_name Group name (a valid XML name)
group / selector This element has the same child elements as authentication-methods / authentication / selector (see Table A.3)
rule group = group_name Match user's group
idle-timeout = seconds (default: "0") Idle timeout limit
print-motd = "yes|no" Print message of the day at interactive login to a Unix server
rule / environment allowed = comma-separated_list Environment variables the user group is allowed to set at the client side
allowed-case-sensitive = comma-separated_list Specify case-sensitive variables
rule / terminal action = "allow|deny" Allow/deny terminal access for the user group
chroot = directory (Unix only) Directory where user is chrooted during the terminal session
rule / subsystem type = subsystem Subsystem for which the settings are made
action = "allow|deny" Allow/deny use of the subsystem
audit = "yes|no" Record audit messages of the subsystem in the system log
exec-directly = "yes|no" (Unix only) Server will launch sft-server-g3 directly without invoking the user's shell
application = executable The executable of the subsystem
chroot = directory Directory where the user is chrooted when running the subsystem
rule / subsystem / attribute name = attribute_name Name for the subsystem attribute
value = attribute_value Value of the subsystem attribute
rule / command action = "allow|deny|forced" Allow/deny/force shell command
interactive = "yes|no" (Windows only) For forced action: the application requires user interaction
application = application_name The application that is allowed/forced to run
application-case-sensitive = application_name (Alternative to application:) The application is matched case-sensitively
chroot = directory Directory where user is chrooted when running the command
rule / tunnel-agent action = "allow|deny" Allow/deny agent forwarding
rule / tunnel-x11 action = "allow|deny" Allow/deny X11 forwarding
rule / tunnel-local action = "allow|deny" Allow/deny local tunnels
rule / tunnel-local / src address = IP_address|IP_address_range|IP_sub-network_mask Source address for local tunnel
fqdn = FQDN_pattern Source FQDN for local tunnel (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
rule / tunnel-local / dst address = IP_address|IP_address_range|IP_sub-network_mask Destination address for local tunnel
fqdn = FQDN_pattern Destination FQDN for local tunnel (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
port = port_number Destination port or port range for local tunnel
rule / tunnel-local / mapper command = external_application External application which is the executable of the subsystem
timeout = [1 to 3600] (default: "15") Time limit for the external application to exit
rule / tunnel-remote action = "allow|deny" Allow/deny remote tunnels
rule / tunnel-remote / src address = IP_address|IP_address_range|IP_sub-network_mask Source address for remote tunnel
fqdn = FQDN_pattern Source FQDN for remote tunnel (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
rule / tunnel-remote / listen address = IP_address|IP_address_range|IP_sub-network_mask Listen address for remote tunnel
port = port_number Listen port or port range for remote tunnel
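The four tables describe the blocks of a single file. The ssh-server-config.xml below is an added worked example, not taken from the Tectia manual or from the product's shipped default configuration, that puts elements from Tables A.1 to A.4 together in a deny-by-default layout: a restricted connection policy, strict key-file permission checks, bounded password retries, a file-transfer-only service group and an explicit closed default rule. Element and attribute names and their value forms come from the tables; the root element name secsh-server, the file paths, IP addresses, group names, the cipher, MAC, key-exchange and signature algorithm names, and the assumption that a connection or rule element without a selector matches everything are assumptions or constructed values and should be checked against ssh-server-config(5) for the server version in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustrative ssh-server-config.xml (not the Tectia manual's own
     example). Root element name, paths, addresses, group names and
     algorithm names are assumptions; element and attribute names follow
     Tables A.1 to A.4 of the quick reference. -->
<secsh-server>

  <!-- params block (Table A.1) -->
  <params>
    <crypto-lib mode="fips"/>
    <!-- log sessions without a PTY as logins so they show up in audits -->
    <settings quiet-login="no" record-ptyless-sessions="yes"/>
    <hostkey>
      <private file="/etc/ssh2/hostkey"/>
      <public file="/etc/ssh2/hostkey.pub"/>
    </hostkey>
    <listener id="default" address="192.0.2.10" port="22"/>
    <limits max-processes="40" max-connections="256"/>
    <!-- keep white-listed clients reachable when connection slots run low -->
    <load-control enable="yes" white-list-size="1000"/>
  </params>

  <!-- connections block (Table A.2): restrict algorithms, rekey regularly -->
  <connections>
    <connection action="allow" tcp-keepalive="yes">
      <selector>
        <ip address="10.0.0.0/8"/>
      </selector>
      <rekey seconds="3600" bytes="1000000000"/>
      <!-- algorithm names are assumed; allow-missing="no" makes a typo a
           start-up failure instead of a silent fallback -->
      <cipher name="aes256-ctr" allow-missing="no"/>
      <mac name="hmac-sha2-256" allow-missing="no"/>
      <kex name="diffie-hellman-group-exchange-sha256" allow-missing="no"/>
    </connection>
    <!-- no selector: matches every connection not matched above (assumption) -->
    <connection action="deny"/>
  </connections>

  <!-- authentication-methods block (Table A.3) -->
  <authentication-methods>
    <banner-message file="/etc/ssh2/banner.txt"/>
    <!-- refuse key files or directories writable by group or others -->
    <auth-file-modes strict="yes" mask-bits="022" dir-mask-bits="022"/>
    <!-- privileged accounts: public key only, and only from the admin subnet -->
    <authentication action="allow">
      <selector>
        <user-privileged value="yes"/>
        <ip address="10.1.0.0/24"/>
      </selector>
      <auth-publickey signature-algorithms="ssh-ed25519,rsa-sha2-256"/>
    </authentication>
    <!-- everyone else: public key, or password with bounded retries -->
    <authentication action="allow">
      <auth-publickey/>
      <auth-password failure-delay="2" max-tries="3"/>
    </authentication>
  </authentication-methods>

  <!-- services block (Table A.4): groups are matched by selector, then
       each rule opens only what that group needs -->
  <services>
    <group name="sftp-users">
      <selector>
        <user-group name="sftp"/>
      </selector>
    </group>
    <group name="admins">
      <selector>
        <user-group name="wheel"/>
      </selector>
    </group>

    <!-- file transfer only: no shell, no commands, no tunnels; the
         subsystem is started directly, bypassing the user's login shell -->
    <rule group="sftp-users" idle-timeout="600">
      <terminal action="deny"/>
      <subsystem type="sftp" action="allow" audit="yes"
                 application="sft-server-g3" exec-directly="yes"
                 chroot="/srv/sftp"/>
      <command action="deny"/>
      <tunnel-agent action="deny"/>
      <tunnel-x11 action="deny"/>
      <tunnel-local action="deny"/>
      <tunnel-remote action="deny"/>
    </rule>

    <!-- admins: shell, a tightly filtered environment, and a local tunnel
         to one destination only -->
    <rule group="admins" print-motd="yes">
      <environment allowed="TERM,LANG"/>
      <terminal action="allow"/>
      <subsystem type="sftp" action="allow" application="sft-server-g3"/>
      <tunnel-agent action="deny"/>
      <tunnel-x11 action="deny"/>
      <tunnel-local action="allow">
        <dst address="10.2.0.5" port="443"/>
      </tunnel-local>
      <tunnel-remote action="deny"/>
    </rule>

    <!-- rule without a group: applies to users matched by no group (assumption) -->
    <rule>
      <terminal action="deny"/>
      <subsystem type="sftp" action="deny"/>
      <command action="deny"/>
      <tunnel-agent action="deny"/>
      <tunnel-x11 action="deny"/>
      <tunnel-local action="deny"/>
      <tunnel-remote action="deny"/>
    </rule>
  </services>
</secsh-server>
```

The choices worth noting: allow-missing="no" on the cipher, mac and kex elements turns a misspelled or unsupported algorithm name into a start-up error rather than a server that quietly runs without the intended restriction; auth-file-modes with strict="yes" and mask-bits="022" rejects user key material that group or other can write to; max-tries and failure-delay on auth-password bound the rate of password guessing per connection; and the last, group-less rule in services makes the closed policy explicit instead of relying on whatever the server's built-in defaults are. The sftp rule combines exec-directly="yes" with a chroot so the transfer subsystem never passes through the user's login shell or sees the rest of the file system.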