SSH

Appendix A Tectia Server Configuration File Quick Reference

This Appendix contains a quick reference to the elements of the Tectia Server configuration file, ssh-server-config.xml. The quick reference is divided into four tables, one for each block of the configuration file:

The tables list the available configuration file elements with their attributes, attribute values (with the default value, if available, marked in bold) and descriptions. The element names in the tables are links that take you to detailed descriptions of the elements in ssh-server-config(5).

The element hierarchy is expressed with slashes ('/') between parent and child elements. For example, in Table A.2 , "connection / selector / ip" means that a connection element can have a selector child element, which can have an ip child element.

Table A.1. ssh-server-config.xml Quick Reference - the params block

ElementAttributes and their valuesDescription
address-family type = "inet|inet6|any" IP address type
crypto-lib mode = "standard|fips" Cryptographic library mode
settings proxy-scheme = semicolon-separated_sequence HTTP and SOCKS proxy server rules for local tunneling
xauth-path = path (Unix only) Path to a supplementary XAuth binary used with X11 forwarding
xauth-shell = shell (Unix only) Shell used to run the XAuth binary. Default is the user shell.
x11-listen-address = "localhost|any" (Unix only) Type of address the x11 listener is created on
pam-account-checking-only = "yes|no" (Unix only) Only PAM will be used to check if the user is allowed to log in
resolve-clienthostname = "yes|no" Client host name is resolved from IP address during connection setup
ignore-aix-rlogin = "yes|no" Ignore remote login restriction on AIX
ignore-aix-login = "yes|no" Ignore local login restriction on AIX
record-ptyless-sessions = "yes|no" Record sessions without PTYs as user logins in the OS
user-config-dir = directory (default: "%D/.ssh2") Directory for user-specific configuration data (can include pattern strings)
default-path = path (Unix only) Default PATH value for the user environment
windows-logon-type = "batch|interactive|network|network-cleartext" (Windows only) Accepted user logon methods for the local host
windows-terminal-mode = "console|stream" (Windows only) Mode of operation of a terminal session on the server side
ignore-nisplus-no-permission = "yes|no" (Linux and Solaris only) If NIS+ gives no permission to the user during authentication, ignore it
quiet-login = "yes|no" Suppress messages about last login, password expiry, etc. during login
default-domain = domain Append a domain to server host names that are not FQDNs 
pluggable-authentication-modules
(Unix only)
pam-calls-with-commands = "yes|no" Enable PAM Account and Session Management when user executes shells, remote commands and subsystems
service-name = name Instruct PAM about which configuration it should use
dll-path = path Location of the PAM library
protocol-parameters threads = number (default: "0")Number of threads the protocol library uses
hostkey / private file = path Path to the private key file
hostkey / public file = path Path to the public key file
hostkey / x509-certificate file = path Path to the X.509 user certificate file
hostkey / externalkey type = "none|software|mscapi|pkcs11|pkcs12" External host key type
init-info = keyword(value)_list Init info for the external host key
listener id = ID Unique ID for the server listener
address = IP_address The address where the server listens for connections
port = port_number The port at which the server listens for connections
domain-policy
(Windows only)
windows-domain-precedence = comma-separated_list Trusted domains and special values %default% and %local%
domain-policy / windows-domain
(Windows only)
name = domain_name Domain name for domain access with one-way trust
user = user_name User account for domain access with one-way trust
logging / log-events facility = "normal|daemon|user|auth|local0|local1|local2
|local3|local4|local5|local6|local7|discard"
Facility of logging event
severity = "informational|notice|warning|error
|critical|security-success|security-failure"
Severity of logging event
limits max-processes = [1 to 2048] (default: "40")Maximum number of servant processes the master server will launch
max-connections = number (default: "256")Maximum number of client connections allowed per servant
limits / servant-lifetime total-connections = [1 to 4000000000] (recommended: "5000") Total number of connections the servant process will handle during its lifetime
cert-validation http-proxy-url = address HTTP proxy address
socks-server-url = address SOCKS proxy address
cache-size = [1 to 512] (default: "35")Maximum size (MB) of in-memory cache for certificates and CRLs
max-crl-size = [1 to 512] (default: "11")Maximum size (MB) of CRLs accepted
external-search-timeout = [1 to 3600] (default: "60")Time limit (seconds) for external HTTP and LDAP searches for CRLs and certificates
max-ldap-response-length = [1 to 512] (default: "11")Maximum size (MB) of LDAP responses accepted
ldap-idle-timeout = [1 to 3600] (default: "30")Idle timeout (seconds) for LDAP connections
max-path-length = number Maximum length of the certification paths when validating certificates
cert-validation / ldap-server address = LDAP-address LDAP server address
port = port_number (default: "389")LDAP server port
cert-validation / ocsp-responder validity-period = seconds Validity period for OCSP data
url = address OCSP responder service address
cert-validation / cert-cache-file file = path File for storing certificates and CRLs
cert-validation / crl-auto-update update-before = seconds Time before expiration for automatic updating of certificate revocation lists
minimum-interval = seconds Limit for maximum CRL update frequency
cert-validation / crl-prefetch url = address URL from which CRL is downloaded
interval = seconds (default: "3600") How often the CRL is downloaded
cert-validation / dod-pki enable = "yes|no" Enforce digital signature in key usage
cert-validation / ca-certificate name = CA_name Name of the CA
file = path Path to X.509 CA certificate file
disable-crls = "yes|no" Disable CRL checking
use-expired-crls = seconds (default: "0") Time period for using expired CRLs
trusted = "yes|no" Set CA certificate as a trust anchor and trust it explicitly
password-cache file = path Location of server password cache file
load-control enable = "yes|no" Enable load control
discard-limit = [1 to max-connections-1]
(default: 90% of max-connections)
Limit for discarding new connections from outside the server's white list
white-list-size = [1 to 10000] (default: "1000") Number of IP addresses on the server's white list

Table A.2. ssh-server-config.xml Quick Reference - the connections block

ElementAttributes and their valuesDescription
connection name = XML_name Identifier (valid XML name) for the connection rule
action = "allow|deny" Allow/deny connection
tcp-keepalive = "yes|no" Send keepalive messages to the other side
connection / selector / interface id = ID Match the server listener interface ID
address = address Match the server listener interface address
port = port_number Match the server listener interface port
connection / selector / ip address = IP_address|IP_address_range|IP_sub-network_mask Match the client's IP address
fqdn = FQDN_pattern Match the client's FQDN
connection / rekey seconds = seconds (default: "3600")Number of seconds after which key exchange is done again
bytes = bytes (default: "1000000000")Number of transferred bytes after which key exchange is done again
connection / cipher name = cipher_name Cipher allowed for data encryption
allow-missing = "yes|no" Server restarts normally even if cipher not found during configuration reading
connection / mac name = HMAC_name MAC allowed for data integrity verification
allow-missing = "yes|no" Server restarts normally even if MAC not found during configuration reading
connection / kex name = KEX_name KEX allowed for key exchange method
allow-missing = "yes|no" Server restarts normally even if KEX not found during configuration reading
connection / hostkey-algorithm name = algorithm_name Host key signature algorithm used in server authentication with host keys or certificates
allow-missing = "yes|no" Server restarts normally even if host key algorithm not found during configuration reading

Table A.3. ssh-server-config.xml Quick Reference - the authentication-methods block

ElementAttributes and their valuesDescription
banner-message file = path Path to the file that contains the message that is sent to the client before authentication
auth-file-modes (Unix only) strict = "yes|no" Check permissions and ownership of the user's key files or the directory they are stored in
mask-bits = octal_permissions (default: "022")Specify forbidden permission bits in octal format
dir-mask-bits = octal_permissions Specify the forbidden permission bits for the user key directory
authentication action = "allow|deny" Allow/deny access to/from users who match a selector
authentication / selector /
certificate
field = "ca-list|issuer-name|subject-name|serial-number
|altname-email|altname-upn|altname-ip|altname-fqdn|extended-key-usage"
The field of user certificates used in public-key authentication that has to be matched
pattern The information in the field to be matched
pattern-case-sensitive The information in the field to be matched case-sensitively
regexp = egrep_regexp Regular expression to match a range of values in the selected field
ignore-prefix = "yes|no" Match only the end of subject name
ignore-suffix = "yes|no" Match only the beginning of the subject name
explicit = "yes|no" (With extended-key-usage) Request that the certificate must include the key purpose ID specified with the pattern
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
host-certificate
field = "ca-list|issuer-name|subject-name|serial-number
|altname-email|altname-upn|altname-ip|altname-fqdn|extended-key-usage"
The field of host certificates used in public-key authentication that has to be matched
pattern The information in the field to be matched
pattern-case-sensitive The information in the field to be matched case-sensitively
regexp = egrep_regexp Regular expression to match a range of values in the selected field
ignore-prefix = "yes|no" Match only the end of subject name
ignore-suffix = "yes|no" Match only the beginning of the subject name
explicit = "yes|no" (With extended-key-usage) Request that the certificate must include the key purpose ID specified with the pattern
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
interface
id = ID Match the listener interface ID
address = IP_address Match the listener address
port = port_number Match the listener port
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
ip
address = IP_address|IP_address_range|IP_sub-network_mask Match client's IP address
fqdn = FQDN_pattern Match client's FQDN
fqdn-regexp = regexp_pattern Match a range of FQDNs specified with a regular expression
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
user
name = comma-separated_list Match user names
name-case-sensitive = comma-separated_list Match user names case-sensitively
name-regexp = regexp_pattern Match a range of names specified with a regular expression
id = comma-separated_list Match user IDs
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
user-group
name = comma-separated_list Match user group names
name-case-sensitive = comma-separated_list Match user group names case-sensitively
name-regexp = regexp_pattern Match a range of user group names specified with a regular expression
id = comma-separated_list Match user group IDs
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
user-privileged
value = "yes|no" Match a privileged user
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
blackboard
field Match based on the information in this blackboard field
pattern The information in the field to be matched
pattern-case-sensitive The information to be matched case-sensitively
regexp = egrep_regexp Regular expression to match a range of values in the selected field
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
publickey-passed
length = [ length_range ] Public key length range
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / selector /
user-password-change-needed
(Unix only)
value = "yes|no" Matches if the user password has expired and should be changed
allow-undefined = "yes|no" Control behavior of selector when required data is not defined
authentication / set-blackboard field = blackboard_key Describe an item that will be added to the blackboard when this authentication block is encountered
value Desired value
file = path Path to a file containing the desired value
authentication / set-user name = user_name Specify user name that will be used from here on
authentication / auth-publickey require-dns-match = "yes|no" Accept or deny a public key which has the allow/deny-from option set in the authorization file
signature-algorithms = comma-separated_list Public-key signature algorithms used for user authentication
authorization-file = comma-separated_list Paths to files that contain the user public keys that are authorized for login
authorized-keys-directory = comma-separated_list Directories that contain the user public keys that are authorized for login
openssh-authorized-keys-file = comma-separated_list Paths to OpenSSH-style authorized_keys files that contain the user public keys that are authorized for login
authentication / auth-hostbased require-dns-match = "yes|no" Host-based authentication will require the host name given by the client to match the one found in DNS
disable-authorization = "yes|no" Host-based authentication ignores authorization requirements
allow-missing = "yes|no" Ignore missing element
authentication / auth-password failure-delay = seconds (default: "2")Delay between failed password authentication attempts
max-tries = number (default: "3")Maximum number of password authentication attempts
allow-missing = "yes|no" Ignore missing element
authentication /
auth-keyboard-interactive
failure-delay = seconds (default: "2")Delay between failed keyboard-interactive authentication attempts
max-tries = number (default: "3")Maximum number of keyboard-interactive authentication attempts
authentication /
auth-keyboard-interactive /
submethod-pam (Unix only)
service-name Instruct PAM about which configuration it should use
dll-path = path|comma-separated_list Non-standard location for the PAM library, or PAM DLLs
authentication /
auth-keyboard-interactive /
submethod-password
-Set the keyboard-interactive password submethod in use
authentication /
auth-keyboard-interactive /
submethod-securid
dll-path = path Path to the SecurID DLL
authentication /
auth-keyboard-interactive /
submethod-radius
-Sets the keyboard-interactive RADIUS submethod in use
authentication /
auth-keyboard-interactive /
submethod-radius / radius-server
address = IP_address RADIUS server's IP address
port = port_number (default: "1812")RADIUS server port
timeout = seconds (default: "10")Time after which the RADIUS query is terminated if no response is gained
client-nas-identifier = ID Network access server identifier to be used when talking to the RADIUS server
authentication /
auth-keyboard-interactive /
submethod-radius / radius-server /
radius-shared-secret
file = path Path to the RADIUS shared secret file
authentication /
auth-keyboard-interactive /
submethod-aix-lam
enable-password-change = "yes|no" Enable LAM on AIX and allow users to change their expired passwords
authentication /
auth-keyboard-interactive /
submethod-generic
name = method_name Set the named generic submethod in use
params = parameters Optional parameters for the submethod
authentication / auth-gssapi dll-path = path Path to required GSSAPI libraries
allow-ticket-forwarding = "yes|no" Allow forwarding the Kerberos ticket over several connections
allow-missing = "yes|no" Ignore Kerberos/GSSAPI unavailability
authentication / mapper command = external_application External application used to supplement authentication
timeout = [1 to 3600] (default: "15")Time limit for the external application to exit

Table A.4. ssh-server-config.xml Quick Reference - the services block

ElementAttributes and their valuesDescription
group name = XML_name Group name (a valid XML name)
group / selector This element has the same child elements as authentication-methods / authentication / selector (see Table A.3)
rule group = group_name Match user's group
idle-timeout = seconds (default: "0")Idle timeout limit
print-motd = "yes|no" Print message of the day at interactive login to a Unix server
rule / environment allowed = comma-separated_list Environment variables the user group is allowed to set at the client side
allowed-case-sensitive = comma-separated_list Specify case-sensitive variables
rule / terminal action = "allow|deny" Allow/deny terminal access for the user group
chroot = directory (Unix only) Directory where user is chrooted during the terminal session
rule / subsystem type = subsystem Subsystem for which the settings are made
action = "allow|deny" Allow/deny use of the subsystem
audit = "yes|no" Record audit messages of the subsystem in the system log
exec-directly = "yes|no" (Unix only) Server will launch sft-server-g3 directly without invoking the user's shell
application = executable The executable of the subsystem
chroot = directory Directory where the user is chrooted when running the subsystem
rule / subsystem / attribute name = attribute_name Name for the subsystem attribute
value = attribute_value Value of the subsystem attribute
rule / command action = "allow|deny|forced" Allow/deny/force shell command
interactive = "yes|no" (Windows only) For forced action: the application requires user interaction
application = application_name The application that is allowed/forced to run
application-case-sensitive = application_name (Alternative to application:) The application is matched case-sensitively
chroot = directory Directory where user is chrooted when running the command
rule / tunnel-agent action = "allow|deny" Allow/deny agent forwarding
rule / tunnel-x11 action = "allow|deny" Allow/deny X11 forwarding
rule / tunnel-local action = "allow|deny" Allow/deny local tunnels
rule / tunnel-local / src address = IP_address |IP_address_range|IP_sub-network_mask Source address for client using the local tunnel
fqdn = FQDN_pattern Source FQDN for client (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
rule / tunnel-local / tunnel-src address = IP_address |IP_address_range|IP_sub-network_mask Source address for local tunnel
fqdn = FQDN_pattern Source FQDN for local tunnel (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
rule / tunnel-local / dst address = IP_address |IP_address_range|IP_sub-network_mask Destination address for local tunnel
fqdn = FQDN_pattern Destination FQDN for local tunnel (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
port = port_number Destination port or port range for local tunnel
rule / tunnel-local / mapper command = external_application External application which is the executable of the subsystem
timeout = [1 to 3600] (default: "15")Time limit for the external application to exit
rule / tunnel-remote action = "allow|deny" Allow/deny remote tunnels
rule / tunnel-remote / src address = IP_address |IP_address_range|IP_sub-network_mask Source address for remote tunnel
fqdn = FQDN_pattern Source FQDN for remote tunnel (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
rule / tunnel-remote / tunnel-dst address = IP_address |IP_address_range|IP_sub-network_mask Destination address for remote tunnel
fqdn = FQDN_pattern Destination FQDN for remote tunnel (matches case-insensitively)
fqdn-regexp = regexp_pattern Regular expression (egrep) to match a range of FQDNs
rule / tunnel-remote / listen address = IP_address |IP_address_range|IP_sub-network_mask Listen address for remote tunnel
port = port_number Listen port or port range for remote tunnel