|
     |
This Appendix contains a quick reference to the elements of the Tectia Server configuration file,
ssh-server-config.xml. The quick reference is divided into four tables,
one for each block of the configuration file:
The tables list the available configuration file elements with their attributes, attribute values (with the default value, if available, marked in bold) and descriptions. The element names in the tables are links that take you to detailed descriptions of the elements in ssh-server-config(5).
The element hierarchy is expressed with slashes ('/') between parent and child elements. For
example, in Table A.2 , "connection /
selector / ip" means that a connection element can have a
selector child element, which can have an ip child
element.
Table A.1. ssh-server-config.xml Quick Reference - the params block
| Element | Attributes and their values | Description |
|---|---|---|
| address-family |
type = "inet|inet6|any"
| IP address type |
| crypto-lib |
mode = "standard|fips"
| Cryptographic library mode |
| settings |
proxy-scheme =
semicolon-separated_sequence
| HTTP and SOCKS proxy server rules for local tunneling |
xauth-path =
path
(Unix only)
| Path to a supplementary XAuth binary used with X11 forwarding | |
xauth-shell =
shell
(Unix only)
| Shell used to run the XAuth binary. Default is the user shell. | |
x11-listen-address =
"localhost|any"
(Unix only)
| Type of address the x11 listener is created on | |
pam-account-checking-only =
"yes|no"
(Unix only)
| Only PAM will be used to check if the user is allowed to log in | |
resolve-clienthostname = "yes|no"
| Client host name is resolved from IP address during connection setup | |
ignore-aix-rlogin = "yes|no"
| Ignore remote login restriction on AIX | |
ignore-aix-login = "yes|no"
| Ignore local login restriction on AIX | |
record-ptyless-sessions = "yes|no"
| Record sessions without PTYs as user logins in the OS | |
user-config-dir = directory
(default: "%D/.ssh2") | Directory for user-specific configuration data (can include pattern strings) | |
default-path =
path
(Unix only)
| Default PATH value for the user environment | |
windows-logon-type =
"batch|interactive|network|network-cleartext"
(Windows only)
| Accepted user logon methods for the local host | |
windows-terminal-mode =
"console|stream"
(Windows only)
| Mode of operation of a terminal session on the server side | |
ignore-nisplus-no-permission =
"yes|no"
(Linux and Solaris only)
| If NIS+ gives no permission to the user during authentication, ignore it | |
quiet-login = "yes|no"
| Suppress messages about last login, password expiry, etc. during login | |
default-domain =
domain
| Append a domain to server host names that are not FQDNs | |
|
pluggable-authentication-modules
(Unix only) |
pam-calls-with-commands =
"yes|no"
| Enable PAM Account and Session Management when user executes shells, remote commands and subsystems |
service-name =
name
| Instruct PAM about which configuration it should use | |
dll-path =
path
| Location of the PAM library | |
| protocol-parameters | threads = number
(default: "0") | Number of threads the protocol library uses |
| hostkey / private |
file =
path
| Path to the private key file |
| hostkey / public |
file =
path
| Path to the public key file |
| hostkey / x509-certificate |
file =
path
| Path to the X.509 user certificate file |
| hostkey / externalkey |
type =
"none|software|mscapi|pkcs11|pkcs12"
| External host key type |
init-info =
keyword(value)_list
| Init info for the external host key | |
| listener |
id =
ID
| Unique ID for the server listener |
address =
IP_address
| The address where the server listens for connections | |
port =
port_number
| The port at which the server listens for connections | |
|
domain-policy
(Windows only) |
windows-domain-precedence =
comma-separated_list
| Trusted domains and special values %default% and
%local% |
|
domain-policy
/
windows-domain
(Windows only) |
name =
domain_name
| Domain name for domain access with one-way trust |
user =
user_name
| User account for domain access with one-way trust | |
| logging / log-events |
facility =
"normal|daemon|user|auth|local0|local1|local2
| Facility of logging event |
severity =
"informational|notice|warning|error
| Severity of logging event | |
| limits | max-processes = [1 to 2048]
(default: "40") | Maximum number of servant processes the master server will launch |
max-connections = number
(default: "256") | Maximum number of client connections allowed per servant | |
| limits / servant-lifetime |
total-connections = [1 to 4000000000]
(recommended: "5000") | Total number of connections the servant process will handle during its lifetime |
| cert-validation |
http-proxy-url =
address
| HTTP proxy address |
socks-server-url =
address
| SOCKS proxy address | |
cache-size = [1 to 512]
(default: "35") | Maximum size (MB) of in-memory cache for certificates and CRLs | |
max-crl-size = [1 to 512]
(default: "11") | Maximum size (MB) of CRLs accepted | |
external-search-timeout = [1 to 3600]
(default: "60") | Time limit (seconds) for external HTTP and LDAP searches for CRLs and certificates | |
max-ldap-response-length = [1 to 512] (default:
"11") | Maximum size (MB) of LDAP responses accepted | |
ldap-idle-timeout = [1 to 3600]
(default: "30") | Idle timeout (seconds) for LDAP connections | |
max-path-length =
number
| Maximum length of the certification paths when validating certificates | |
| cert-validation / ldap-server |
address =
LDAP-address
| LDAP server address |
port = port_number (default:
"389") | LDAP server port | |
| cert-validation / ocsp-responder |
validity-period =
seconds
| Validity period for OCSP data |
url =
address
| OCSP responder service address | |
| cert-validation / cert-cache-file |
file =
path
| File for storing certificates and CRLs |
| cert-validation / crl-auto-update |
update-before =
seconds
| Time before expiration for automatic updating of certificate revocation lists |
minimum-interval =
seconds
| Limit for maximum CRL update frequency | |
| cert-validation / crl-prefetch |
url =
address
| URL from which CRL is downloaded |
interval = seconds
(default: "3600") | How often the CRL is downloaded | |
| cert-validation / dod-pki |
enable = "yes|no"
| Enforce digital signature in key usage |
| cert-validation / ca-certificate |
name =
CA_name
| Name of the CA |
file =
path
| Path to X.509 CA certificate file | |
disable-crls = "yes|no"
| Disable CRL checking | |
use-expired-crls = seconds
(default: "0") | Time period for using expired CRLs | |
trusted = "yes|no"
| Set CA certificate as a trust anchor and trust it explicitly | |
| password-cache |
file =
path
| Location of server password cache file |
| load-control |
enable = "yes|no"
| Enable load control |
discard-limit = [1 to max-connections-1]
(default: 90% of max-connections) | Limit for discarding new connections from outside the server's white list | |
white-list-size = [1 to 10000] (default:
"1000") | Number of IP addresses on the server's white list |
Table A.2. ssh-server-config.xml Quick Reference - the connections block
| Element | Attributes and their values | Description |
|---|---|---|
| connection |
name =
XML_name
| Identifier (valid XML name) for the connection rule |
action = "allow|deny"
| Allow/deny connection | |
tcp-keepalive = "yes|no"
| Send keepalive messages to the other side | |
| connection / selector / interface |
id =
ID
| Match the server listener interface ID |
address =
address
| Match the server listener interface address | |
port =
port_number
| Match the server listener interface port | |
| connection / selector / ip |
address =
IP_address|IP_address_range|IP_sub-network_mask
| Match the client's IP address |
fqdn =
FQDN_pattern
| Match the client's FQDN | |
| connection / rekey | seconds = seconds
(default: "3600") | Number of seconds after which key exchange is done again |
bytes = bytes
(default: "1000000000") | Number of transferred bytes after which key exchange is done again | |
| connection / cipher |
name =
cipher_name
| Cipher allowed for data encryption |
allow-missing = "yes|no"
| Server restarts normally even if cipher not found during configuration reading | |
| connection / mac |
name =
HMAC_name
| MAC allowed for data integrity verification |
allow-missing = "yes|no"
| Server restarts normally even if MAC not found during configuration reading | |
| connection / kex |
name =
KEX_name
| KEX allowed for key exchange method |
allow-missing = "yes|no"
| Server restarts normally even if KEX not found during configuration reading | |
| connection / hostkey-algorithm |
name =
algorithm_name
| Host key signature algorithm used in server authentication with host keys or certificates |
allow-missing = "yes|no"
| Server restarts normally even if host key algorithm not found during configuration reading |
Table A.3. ssh-server-config.xml Quick Reference - the authentication-methods
block
| Element | Attributes and their values | Description |
|---|---|---|
| banner-message |
file =
path
| Path to the file that contains the message that is sent to the client before authentication |
| auth-file-modes (Unix only) |
strict = "yes|no"
| Check permissions and ownership of the user's key files or the directory they are stored in |
mask-bits =
octal_permissions (default:
"022") | Specify forbidden permission bits in octal format | |
dir-mask-bits =
octal_permissions
| Specify the forbidden permission bits for the user key directory | |
| authentication |
action = "allow|deny"
| Allow/deny access to/from users who match a selector |
|
authentication
/
selector
/ certificate |
field =
"ca-list|issuer-name|subject-name|serial-number
| The field of user certificates used in public-key authentication that has to be matched |
pattern
| The information in the field to be matched | |
pattern-case-sensitive
| The information in the field to be matched
case-sensitively | |
regexp =
egrep_regexp
| Regular expression to match a range of values in the selected field | |
ignore-prefix = "yes|no"
| Match only the end of subject name | |
ignore-suffix = "yes|no"
| Match only the beginning of the subject name | |
explicit = "yes|no"
| (With extended-key-usage) Request that the certificate must
include the key purpose ID specified with the pattern | |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ host-certificate |
field =
"ca-list|issuer-name|subject-name|serial-number
| The field of host certificates used in public-key authentication that has to be matched |
pattern
| The information in the field to be matched | |
pattern-case-sensitive
| The information in the field to be matched
case-sensitively | |
regexp =
egrep_regexp
| Regular expression to match a range of values in the selected field | |
ignore-prefix = "yes|no"
| Match only the end of subject name | |
ignore-suffix = "yes|no"
| Match only the beginning of the subject name | |
explicit = "yes|no"
| (With extended-key-usage) Request that the certificate must
include the key purpose ID specified with the pattern | |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ interface |
id =
ID
| Match the listener interface ID |
address =
IP_address
| Match the listener address | |
port =
port_number
| Match the listener port | |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ ip |
address =
IP_address|IP_address_range|IP_sub-network_mask
| Match client's IP address |
fqdn =
FQDN_pattern
| Match client's FQDN | |
fqdn-regexp =
regexp_pattern
| Match a range of FQDNs specified with a regular expression | |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ user |
name =
comma-separated_list
| Match user names |
name-case-sensitive =
comma-separated_list
| Match user names case-sensitively | |
name-regexp =
regexp_pattern
| Match a range of names specified with a regular expression | |
id =
comma-separated_list
| Match user IDs | |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ user-group |
name =
comma-separated_list
| Match user group names |
name-case-sensitive =
comma-separated_list
| Match user group names case-sensitively | |
name-regexp =
regexp_pattern
| Match a range of user group names specified with a regular expression | |
id =
comma-separated_list
| Match user group IDs | |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ user-privileged |
value = "yes|no"
| Match a privileged user |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ blackboard |
field
| Match based on the information in this blackboard field |
pattern
| The information in the field to be matched | |
pattern-case-sensitive
| The information to be matched case-sensitively | |
regexp =
egrep_regexp
| Regular expression to match a range of values in the selected field | |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ publickey-passed |
length = [
length_range
]
| Public key length range |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
|
authentication
/
selector
/ user-password-change-needed (Unix only) |
value = "yes|no"
| Matches if the user password has expired and should be changed |
allow-undefined = "yes|no"
| Control behavior of selector when required data is not defined | |
| authentication / set-blackboard |
field =
blackboard_key
| Describe an item that will be added to the blackboard when this authentication block is encountered |
value
| Desired value | |
file =
path
| Path to a file containing the desired value | |
| authentication / set-user |
name =
user_name
| Specify user name that will be used from here on |
| authentication / auth-publickey |
require-dns-match = "yes|no"
| Accept or deny a public key which has the allow/deny-from option
set in the authorization file |
signature-algorithms =
comma-separated_list
| Public-key signature algorithms used for user authentication | |
authorization-file =
comma-separated_list
| Paths to files that contain the user public keys that are authorized for login | |
authorized-keys-directory =
comma-separated_list
| Directories that contain the user public keys that are authorized for login | |
openssh-authorized-keys-file =
comma-separated_list
| Paths to OpenSSH-style authorized_keys files that contain the user public keys that are authorized for login | |
| authentication / auth-hostbased |
require-dns-match = "yes|no"
| Host-based authentication will require the host name given by the client to match the one found in DNS |
disable-authorization = "yes|no"
| Host-based authentication ignores authorization requirements | |
allow-missing = "yes|no"
| Ignore missing element | |
| authentication / auth-password | failure-delay = seconds
(default: "2") | Delay between failed password authentication attempts |
max-tries = number (default:
"3") | Maximum number of password authentication attempts | |
allow-missing = "yes|no"
| Ignore missing element | |
|
authentication
/ auth-keyboard-interactive | failure-delay = seconds
(default: "2") | Delay between failed keyboard-interactive authentication attempts |
max-tries = number (default:
"3") | Maximum number of keyboard-interactive authentication attempts | |
|
authentication
/ auth-keyboard-interactive / submethod-pam (Unix only) |
service-name
| Instruct PAM about which configuration it should use |
dll-path =
path|comma-separated_list
| Non-standard location for the PAM library, or PAM DLLs | |
|
authentication
/ auth-keyboard-interactive / submethod-password | - | Set the keyboard-interactive password submethod in use |
|
authentication
/ auth-keyboard-interactive / submethod-securid |
dll-path =
path
| Path to the SecurID DLL |
|
authentication
/ auth-keyboard-interactive / submethod-radius | - | Sets the keyboard-interactive RADIUS submethod in use |
|
authentication
/ auth-keyboard-interactive / submethod-radius / radius-server |
address =
IP_address
| RADIUS server's IP address |
port = port_number
(default: "1812") | RADIUS server port | |
timeout = seconds
(default: "10") | Time after which the RADIUS query is terminated if no response is gained | |
client-nas-identifier =
ID
| Network access server identifier to be used when talking to the RADIUS server | |
|
authentication
/ auth-keyboard-interactive / submethod-radius / radius-server / radius-shared-secret |
file =
path
| Path to the RADIUS shared secret file |
|
authentication
/ auth-keyboard-interactive / submethod-aix-lam |
enable-password-change = "yes|no"
| Enable LAM on AIX and allow users to change their expired passwords |
|
authentication
/ auth-keyboard-interactive / submethod-generic |
name =
method_name
| Set the named generic submethod in use |
params =
parameters
| Optional parameters for the submethod | |
| authentication / auth-gssapi |
dll-path =
path
| Path to required GSSAPI libraries |
allow-ticket-forwarding = "yes|no"
| Allow forwarding the Kerberos ticket over several connections | |
allow-missing = "yes|no"
| Ignore Kerberos/GSSAPI unavailability | |
| authentication / mapper |
command =
external_application
| External application used to supplement authentication |
timeout = [1 to 3600]
(default: "15") | Time limit for the external application to exit |
Table A.4. ssh-server-config.xml Quick Reference - the services block
| Element | Attributes and their values | Description |
|---|---|---|
| group |
name =
XML_name
| Group name (a valid XML name) |
| group / selector | This element has the same child elements
as authentication-methods / authentication / selector (see Table A.3) | |
| rule |
group =
group_name
| Match user's group |
idle-timeout = seconds
(default: "0") | Idle timeout limit | |
print-motd = "yes|no"
| Print message of the day at interactive login to a Unix server | |
| rule / environment |
allowed =
comma-separated_list
| Environment variables the user group is allowed to set at the client side |
allowed-case-sensitive =
comma-separated_list
| Specify case-sensitive variables | |
| rule / terminal |
action = "allow|deny"
| Allow/deny terminal access for the user group |
chroot =
directory
(Unix only)
| Directory where user is chrooted during the terminal session | |
| rule / subsystem |
type =
subsystem
| Subsystem for which the settings are made |
action = "allow|deny"
| Allow/deny use of the subsystem | |
audit = "yes|no"
| Record audit messages of the subsystem in the system log | |
exec-directly =
"yes|no" (Unix
only) | Server will launch sft-server-g3 directly without invoking the user's shell | |
application =
executable
| The executable of the subsystem | |
chroot =
directory
| Directory where the user is chrooted when running the subsystem | |
| rule / subsystem / attribute |
name =
attribute_name
| Name for the subsystem attribute |
value =
attribute_value
| Value of the subsystem attribute | |
| rule / command |
action = "allow|deny|forced"
| Allow/deny/force shell command |
interactive = "yes|no"
(Windows only)
| For forced action: the application requires user
interaction | |
application =
application_name
| The application that is allowed/forced to run | |
application-case-sensitive =
application_name
| (Alternative to application:) The application is matched
case-sensitively | |
chroot =
directory
| Directory where user is chrooted when running the command | |
| rule / tunnel-agent |
action = "allow|deny"
| Allow/deny agent forwarding |
| rule / tunnel-x11 |
action = "allow|deny"
| Allow/deny X11 forwarding |
| rule / tunnel-local |
action = "allow|deny"
| Allow/deny local tunnels |
| rule / tunnel-local / src |
address =
IP_address
|IP_address_range|IP_sub-network_mask
| Source address for client using the local tunnel |
fqdn =
FQDN_pattern
| Source FQDN for client (matches case-insensitively) | |
fqdn-regexp =
regexp_pattern
| Regular expression (egrep) to match a range of FQDNs | |
| rule / tunnel-local / tunnel-src |
address =
IP_address
|IP_address_range|IP_sub-network_mask
| Source address for local tunnel |
fqdn =
FQDN_pattern
| Source FQDN for local tunnel (matches case-insensitively) | |
fqdn-regexp =
regexp_pattern
| Regular expression (egrep) to match a range of FQDNs | |
| rule / tunnel-local / dst |
address =
IP_address
|IP_address_range|IP_sub-network_mask
| Destination address for local tunnel |
fqdn =
FQDN_pattern
| Destination FQDN for local tunnel (matches case-insensitively) | |
fqdn-regexp =
regexp_pattern
| Regular expression (egrep) to match a range of FQDNs | |
port =
port_number
| Destination port or port range for local tunnel | |
| rule / tunnel-local / mapper |
command =
external_application
| External application which is the executable of the subsystem |
timeout = [1 to 3600]
(default: "15") | Time limit for the external application to exit | |
| rule / tunnel-remote |
action = "allow|deny"
| Allow/deny remote tunnels |
| rule / tunnel-remote / src |
address =
IP_address
|IP_address_range|IP_sub-network_mask
| Source address for remote tunnel |
fqdn =
FQDN_pattern
| Source FQDN for remote tunnel (matches case-insensitively) | |
fqdn-regexp =
regexp_pattern
| Regular expression (egrep) to match a range of FQDNs | |
| rule / tunnel-remote / tunnel-dst |
address =
IP_address
|IP_address_range|IP_sub-network_mask
| Destination address for remote tunnel |
fqdn =
FQDN_pattern
| Destination FQDN for remote tunnel (matches case-insensitively) | |
fqdn-regexp =
regexp_pattern
| Regular expression (egrep) to match a range of FQDNs | |
| rule / tunnel-remote / listen |
address =
IP_address
|IP_address_range|IP_sub-network_mask
| Listen address for remote tunnel |
port =
port_number
| Listen port or port range for remote tunnel | |
| |
Copyright 
2021 SSH Communications Security Corporation
This software is protected by international copyright laws. All rights reserved.
Contact Information