Appendix B Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--                                                                    -->
<!--                                                                    -->
<!--                                                                    -->
<!-- secsh-server.dtd                                                   -->
<!--                                                                    -->
<!-- Copyright (c) 2017 SSH Communications Security Corporation.        -->
<!-- This software is protected by international copyright laws.        -->
<!-- All rights reserved.                                               -->
<!--                                                                    -->
<!-- Document type definition for the Tectia Server XML                 -->
<!-- configuration files.                                               -->
<!--                                                                    -->
<!--                                                                    -->

<!-- Tunable parameters used in the policy. -->

<!-- Default connection action. -->
<!ENTITY default-connection-action                      "allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action                        "allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action                       "allow">

<!-- Default subsystem audit value. -->
<!ENTITY default-subsystem-audit                        "yes">

<!-- Default for allowing undefined blackboard entries by selectors. -->
<!ENTITY default-allow-undefined-value                  "no">

<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value                  "yes">

<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value      "yes">

<!-- Reverse mapping is not required by default in
     publickey authentication. -->
<!ENTITY default-auth-publickey-require-dns-match       "no">

<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action                          "allow">

<!-- Default command action. -->
<!ENTITY default-command-action                         "allow">

<!-- Default interactive command action. -->
<!ENTITY default-interactive-command-action             "no">

<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds                 "3600">

<!-- Default rekey interval in bytes (1GB). -->
<!ENTITY default-rekey-interval-bytes                   "1000000000">

<!-- Default login grace time in seconds. -->
<!ENTITY default-login-grace-time-seconds               "600">

<!-- Default authentication action. -->
<!ENTITY default-authentication-action                  "allow">

<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay            "2">

<!-- Password authentication default maximum tries. -->
<!ENTITY default-auth-password-max-tries                "3">

<!-- Password cache is disabled by default -->
<!ENTITY default-password-cache                         "no">

<!-- DNS match not required by default in host-based authentication. -->
<!ENTITY default-auth-hostbased-require-dns-match       "no">

<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay              "2">

<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries                  "3">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port                     "1812">

<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout. -->
<!ENTITY default-radius-server-timeout                  "10">

<!-- GSSAPI default ticket forwarding policy. -->
<!ENTITY default-gssapi-ticket-forwarding-policy        "no">

<!-- gssapi default library values. -->
<!ENTITY default-gssapi-dll-path "/usr/lib/,/usr/lib64/,/usr/lib/,/usr/lib/,/usr/local/gss/gl/,/usr/local/lib/,/usr/local/lib/,/usr/kerberos/lib/,/usr/kerberos/lib/,/usr/lib/gss/,/usr/kerberos/lib/,/usr/lib/,/usr/lib/amd64/gss/,/usr/lib/amd64/">

<!-- Default time in seconds for using expired CRLs. -->
<!ENTITY default-use-expired-crls                       "0">

<!-- CRLs are not disabled by default. -->
<!ENTITY default-disable-crls                           "no">

<!-- Digital signature in key usage is not enforced by default. -->
<!ENTITY default-dod-pki                                "no">

<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port                       "389">

<!-- Default CRL update minimum interval. -->
<!ENTITY default-crl-update-min-interval                "30">

<!-- Default interval for CRL prefetching. -->
<!ENTITY default-crl-prefetch-interval                  "3600">

<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode                        "standard">

<!-- Both ipv4 and ipv6 are enabled by default -->
<!ENTITY default-address-family-type                    "inet">

<!-- Default terminate user started processes -->
<!ENTITY default-terminate-user-processes               "no">

<!ENTITY default-allow-configuration                    "no">

<!-- Default log event facility. -->
<!ENTITY default-log-event-facility                     "normal">

<!-- Default log event severity. -->
<!ENTITY default-log-event-severity                     "notice">

<!ENTITY default-access-action                          "allow">

<!-- Default value for the feature -->
<!ENTITY default-load-control-enable                    "yes">

<!-- Default value for the feature -->
<!ENTITY default-white-list-size                        "1000">

<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-ignore-aix-rlogin                      "no">

<!-- Default ignore AIX login setting. -->
<!ENTITY default-ignore-aix-login                       "no">

<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions                "yes">

<!-- Default Windows logon type. -->
<!ENTITY default-windows-logon-type                     "interactive">

<!-- Default Windows terminal mode. -->
<!ENTITY default-windows-terminal-mode                  "console">

<!-- Default Ignore nisplus no permission error. -->
<!ENTITY default-ignore-nisplus-no-permission           "no">

<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive                          "no">

<!-- Whether a plugin is allowed to not initialize (due to e.g. -->
<!-- system configuration, missing shared libraries).           -->
<!ENTITY default-allow-missing                          "no">

<!-- Default connection idle timeout in seconds.  The value zero -->
<!-- disables idle timeout. -->
<!ENTITY default-idle-timeout                           "0">

<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd                             "yes">

<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes                           "yes">

<!-- Default authentication file permission mask bits (octal). -->
<!ENTITY default-mask-bits                              "022">

<!-- Service name used with PAM. -->
<!ENTITY default-pam-service-name                       "ssh-server-g3">
<!-- Whether to perform PAM Account and Session management when executing -->
<!-- commands, i.e. shells, subsystems and remote commands.               -->
<!ENTITY default-pam-command-action                     "no">

<!-- Whether to bind x11 listeners to the localhost interface or to the   -->
<!-- 'any' interface. If the x11 listener is bound to the 'any' interface -->
<!-- the SO_REUSEADDR socket option will not be set.                      -->
<!ENTITY default-x11-listen-address                     "localhost">

<!-- Whether to only use PAM to check if the user is allowed to login.    -->
<!-- PAM can be used during authentication or via the                     -->
<!-- pam-calls-with-commands setting. If PAM is not used in either        -->
<!-- authentication or with pam-calls-with-commands the normal system     -->
<!-- checks will be used to determine whether the user is allowed to      -->
<!-- login i.e. account is not locked etc.                                -->
<!ENTITY default-pam-account-checking-only              "no">

<!-- Whether the server tries to resolve the client hostname during       -->
<!-- connection setup                                                     -->
<!ENTITY default-resolve-client-hostname                "yes">

<!-- Whether to suppress last login, password expiry, motd etc. messages  -->
<!-- during login.                                                        -->
<!ENTITY default-quiet-login                            "no">

<!-- Default certificate cache size in MBs. -->
<!ENTITY default-cert-cache-size                        "150">

<!-- Default CRL size limit (in MB). -->
<!ENTITY default-max-crl-size                           "50">

<!-- The default maximum path length for certificate validation. -->
<!ENTITY default-max-path-length                        "10">

<!-- Default timeout for external searches (LDAP, HTTP, OCSP) (seconds). -->
<!ENTITY default-external-search-timeout                "360">

<!-- Default limit of LDAP responses (MBs). -->
<!ENTITY default-max-ldap-response-length               "50">

<!-- Default LDAP connection idle timeout in seconds. -->
<!ENTITY default-ldap-idle-timeout                      "30">

<!-- Whether to enable AIX LAM password change by default. -->
<!ENTITY default-aix-lam-password-change                "no">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-tunnel-mapper-timeout                  "15">

<!-- Windows administrator is able to request elevated privileges. -->
<!ENTITY default-allow-elevation                        "yes">

<!-- Policy elements. -->

<!-- The top-level element. -->
<!ELEMENT secsh-server  (params?,connections?,authentication-methods?

<!-- Parameter element. Only "hostkey" and "listener" are allowed multiple -->
<!-- times.                                                                -->
<!ELEMENT params (crypto-lib|address-family|hostkey|listener|settings|domain-policy

<!-- Cryptographic library. -->
<!ELEMENT crypto-lib    EMPTY>
<!ATTLIST crypto-lib
          mode          (fips|standard) "&default-crypto-lib-mode;">

<!-- address-family mode setting ipv4 & ipv6-->
<!ELEMENT address-family        EMPTY>
<!ATTLIST address-family
          type          (any|inet|inet6) "&default-address-family-type;">

<!-- Settings - a block for stuff that is too minor to have its
     own element in the params block. -->
<!ELEMENT settings      EMPTY>
<!ATTLIST settings
      signature-algorithms    CDATA    #IMPLIED
      proxy-scheme            CDATA    #IMPLIED
      xauth-path              CDATA    #IMPLIED
      x11-listen-address      (localhost|any)
      pam-account-checking-only (yes|no)
      ignore-aix-rlogin       (yes|no) "&default-ignore-aix-rlogin;"
      ignore-aix-login        (yes|no) "&default-ignore-aix-login;"
      record-ptyless-sessions (yes|no) "&default-record-ptyless-sessions;"
      user-config-dir         CDATA    #IMPLIED
      default-path            CDATA    #IMPLIED
      windows-logon-type      (batch|interactive|network|network-cleartext)
      windows-terminal-mode   (console|stream)
      ignore-nisplus-no-permission (yes|no)
      resolve-client-hostname (yes|no) "&default-resolve-client-hostname;"
      quiet-login             (yes|no) "&default-quiet-login;"
      default-domain          CDATA    #IMPLIED
      terminate-user-processes (yes|no) "&default-terminate-user-processes;"
      allow-elevation (yes|no) "&default-allow-elevation;">

<!ELEMENT pluggable-authentication-modules EMPTY>
<!ATTLIST pluggable-authentication-modules
          service-name            CDATA         "&default-pam-service-name;"
          dll-path                CDATA         #IMPLIED
          pam-calls-with-commands (yes|no)      "&default-pam-command-action;">

<!ELEMENT protocol-parameters EMPTY>
<!ATTLIST protocol-parameters
          threads CDATA #IMPLIED>

<!-- Hostkey specification. -->
<!ELEMENT hostkey       (((private,(public|x509-certificate|
<!ATTLIST hostkey
	  status        CDATA   #IMPLIED
	  advertise     CDATA   #IMPLIED
	  rotation-period CDATA #IMPLIED
	  rotation-margin CDATA #IMPLIED>

<!-- Private key specification. -->
<!ELEMENT private       (#PCDATA)>
<!ATTLIST private
          file          CDATA   #IMPLIED>

<!-- Public key. -->
<!ELEMENT public        (#PCDATA)>
<!ATTLIST public
          file          CDATA   #IMPLIED>

<!-- Certificate (host). -->
<!ELEMENT x509-certificate      (#PCDATA)>
<!ATTLIST x509-certificate
          file          CDATA   #IMPLIED>

<!ELEMENT x509-certificate-chain (x509-certificate)*>

<!ELEMENT openssh-certificate      (#PCDATA)>
<!ATTLIST openssh-certificate
          file          CDATA   #IMPLIED>

<!-- External key. -->
<!ELEMENT externalkey   EMPTY>
<!ATTLIST externalkey
          type          CDATA   #REQUIRED
          init-info     CDATA   #IMPLIED>

<!ELEMENT certificate-authority (ca-external-command*)>
<!ATTLIST certificate-authority
          type                CDATA #IMPLIED
	  name                CDATA #IMPLIED
	  max-validity-period CDATA #IMPLIED
	  log-file            CDATA #IMPLIED
	  revocation-file     CDATA #IMPLIED>

<!ELEMENT ca-external-command   EMPTY>
<!ATTLIST ca-external-command
	  type                CDATA #IMPLIED
	  command             CDATA #IMPLIED
	  args                CDATA #IMPLIED>

<!-- CA certificate. -->
<!ELEMENT ca-certificate        (#PCDATA)>
<!ATTLIST ca-certificate
          file                  CDATA           #IMPLIED
          name                  CDATA           #REQUIRED
          disable-crls          (yes|no)        "&default-disable-crls;"
          use-expired-crls      CDATA           "&default-use-expired-crls;"
          trusted               (yes|no)        "yes">

<!-- OpenSSH CA key. -->
<!ELEMENT openssh-ca-key        (#PCDATA)>
<!ATTLIST openssh-ca-key
          file                  CDATA           #IMPLIED
          name                  CDATA           #REQUIRED>

<!-- Certificate caching. -->
<!ELEMENT cert-cache-file       EMPTY>
<!ATTLIST cert-cache-file
          file                  CDATA   #REQUIRED>

<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update       EMPTY>
<!ATTLIST crl-auto-update
          update-before         CDATA   #IMPLIED
          minimum-interval      CDATA   "&default-crl-update-min-interval;">

<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch          EMPTY>
<!ATTLIST crl-prefetch
          interval              CDATA   "&default-crl-prefetch-interval;"
          url                   CDATA   #REQUIRED>

<!-- LDAP server. -->
<!ELEMENT ldap-server           EMPTY>
<!ATTLIST ldap-server
          address               CDATA   #REQUIRED
          port                  CDATA   "&default-ldap-server-port;">

<!-- OCSP responder. -->
<!ELEMENT ocsp-responder        (#PCDATA)>
<!ATTLIST ocsp-responder
          validity-period       CDATA   #IMPLIED
          url                   CDATA   #REQUIRED
          certificate           CDATA   #IMPLIED>

<!-- Enforce digital signature in key usage. -->
<!ELEMENT dod-pki               EMPTY>
<!ATTLIST dod-pki
          enable                (yes|no)        "&default-dod-pki;">

<!-- Secure Shell server TCP listener address and port. -->
<!ELEMENT listener      EMPTY>
<!ATTLIST listener
          id            ID      #REQUIRED
          port          CDATA   "22"
          address       CDATA   #IMPLIED>

<!-- Server domain policy type -->
<!ELEMENT domain-policy                 (windows-domain)*>
<!ATTLIST domain-policy
          windows-domain-precedence     CDATA   #IMPLIED>

<!ELEMENT windows-domain      EMPTY>
<!ATTLIST windows-domain
    name    CDATA #REQUIRED
    user    CDATA #REQUIRED>

<!ELEMENT password-cache                        EMPTY>
<!ATTLIST password-cache
          file          CDATA   #REQUIRED>

<!-- Logging. -->
<!ELEMENT logging       (log-events*)>

<!-- Log events. -->
<!ELEMENT log-events    (#PCDATA)>
<!ATTLIST log-events
          facility      (normal|daemon|user|auth|local0|local1
          severity      (informational|notice|warning|error|critical

<!-- Certificate validation. Maximum one of each of "cert-cache-file", -->
<!-- "crl-auto-update" and "dod-pki" can be present.                   -->
<!ELEMENT cert-validation (ldap-server|ocsp-responder|cert-cache-file

<!ATTLIST cert-validation
          http-proxy-url           CDATA   #IMPLIED
          socks-server-url         CDATA   #IMPLIED
          cache-size               CDATA   "&default-cert-cache-size;"
          max-crl-size             CDATA   "&default-max-crl-size;"
          external-search-timeout  CDATA   "&default-external-search-timeout;"
          max-ldap-response-length CDATA   "&default-max-ldap-response-length;"
          ldap-idle-timeout        CDATA   "&default-ldap-idle-timeout;"
          max-path-length          CDATA   "&default-max-path-length;">


<!ATTLIST access
          user                     CDATA   #REQUIRED
          action                   (allow|deny)      "&default-access-action;">

<!-- Limits. -->
<!-- max-connections is _per_servant_ .-->
<!-- servant-lifetime    - how many connections a servant will handle -->
<!-- before it is retired. -->

<!ELEMENT limits                   (servant-lifetime)*>
<!ATTLIST limits
          max-connections          CDATA   #IMPLIED
          max-processes            CDATA   #IMPLIED>

<!ELEMENT servant-lifetime         EMPTY>
<!ATTLIST servant-lifetime
          total-connections        CDATA   #IMPLIED>

<!ELEMENT load-control             EMPTY>
<!ATTLIST load-control
          enable                   (yes|no)      "&default-load-control-enable;"
          discard-limit            CDATA   #IMPLIED
          white-list-size          CDATA   "&default-white-list-size;">

<!-- This element is deprecated and included for backwards compatibility only -->
<!ELEMENT password-change-rules  EMPTY>
<!ATTLIST password-change-rules
          allow-configuration   (yes|no) "&default-allow-configuration;">

<!-- Connections. -->
<!ELEMENT connections   (connection+)>

<!-- Connection. -->
<!ELEMENT connection    (selector*,rekey?,cipher*,mac*,kex*,hostkey-algorithm*,compression*)>
<!ATTLIST connection
          name          ID                      #IMPLIED
          action        (allow|deny)            "&default-connection-action;"
          tcp-keepalive (yes|no)                "&default-tcp-keepalive;">

<!-- Rekey intervals. -->
<!ELEMENT rekey         EMPTY>
<!ATTLIST rekey
          seconds       CDATA   "&default-rekey-interval-seconds;"
          bytes         CDATA   "&default-rekey-interval-bytes;">

<!-- Cipher. -->
<!ELEMENT cipher        EMPTY>
<!ATTLIST cipher
          name          CDATA                   #REQUIRED
          allow-missing (yes|no)                "&default-allow-missing;">

<!-- MAC. -->
<!ELEMENT mac           EMPTY>
          name          CDATA                   #REQUIRED
          allow-missing (yes|no)                "&default-allow-missing;">

<!-- KEX. -->
<!ELEMENT kex           EMPTY>
          name          CDATA                   #REQUIRED
          allow-missing (yes|no)                "&default-allow-missing;">

<!-- Hostkey algorithm. -->
<!ELEMENT hostkey-algorithm  EMPTY>
<!ATTLIST hostkey-algorithm
          name          CDATA                   #REQUIRED
          allow-missing (yes|no)                "&default-allow-missing;">

<!-- Compression. -->
<!ELEMENT compression	 EMPTY>
<!ATTLIST compression
          name         CDATA                    #IMPLIED>

<!-- Selector element. -->
<!ELEMENT selector      (interface|certificate|host-certificate|ip

<!-- Interface selector. At least one parameter must be given. If id is -->
<!-- set, the others MUST NOT be set. If id is not set, either or both  -->
<!-- of address and port may be defined.                                -->
<!ELEMENT interface       EMPTY>
<!ATTLIST interface
          id              IDREF    #IMPLIED
          address         CDATA    #IMPLIED
          port            CDATA    #IMPLIED
          allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Public key (plain) passed selector. -->
<!ELEMENT publickey-passed      EMPTY>
<!ATTLIST publickey-passed
          length                CDATA    #IMPLIED
          allow-undefined       (yes|no)

<!-- Certificate selector. -->
<!ELEMENT certificate   EMPTY>
<!ATTLIST certificate
          field           (ca-list|issuer-name|subject-name|serial-number
                           |openssh-extension|openssh-key-id) #REQUIRED
          pattern                CDATA  #IMPLIED
          pattern-case-sensitive CDATA  #IMPLIED
          regexp                 CDATA  #IMPLIED
          ignore-prefix          (yes|no) #IMPLIED
          ignore-suffix          (yes|no) #IMPLIED
          explicit               (yes|no) #IMPLIED
          allow-undefined        (yes|no)

<!-- Host certificate selector. -->
<!ELEMENT host-certificate      EMPTY>
<!ATTLIST host-certificate
          field           (ca-list|issuer-name|subject-name|serial-number
                           |openssh-extension|openssh-key-id) #REQUIRED
          pattern                CDATA  #IMPLIED
          pattern-case-sensitive CDATA  #IMPLIED
          regexp                 CDATA  #IMPLIED
          ignore-prefix          (yes|no) #IMPLIED
          ignore-suffix          (yes|no) #IMPLIED
          explicit               (yes|no) #IMPLIED
          allow-undefined        (yes|no)

<!-- IP address selector. -->
<!-- The address will be one of the following:                          -->
<!--   - an IP range of the form x.x.x.x-y.y.y.y                        -->
<!--   - an IP mask of the form x.x.x.x/y                               -->
<!--   - a straight IP address x.x.x.x                                  -->
<!--   - an FQDN pattern (form not checked, either it matches or not)   -->
<!-- Exactly one of address or fqdn must be set. -->
<!ELEMENT ip            EMPTY>
          address               CDATA   #IMPLIED
          fqdn                  CDATA   #IMPLIED
          fqdn-regexp           CDATA   #IMPLIED
          allow-undefined       (yes|no)

<!-- User name selector. -->
<!ELEMENT user                  EMPTY>
<!ATTLIST user
          name                  CDATA   #IMPLIED
          name-case-sensitive   CDATA   #IMPLIED
          name-regexp           CDATA   #IMPLIED
          id                    CDATA   #IMPLIED
          allow-undefined       (yes|no)

<!-- User group selector. -->
<!ELEMENT user-group            EMPTY>
<!ATTLIST user-group
          name                  CDATA   #IMPLIED
          name-case-sensitive   CDATA   #IMPLIED
          name-regexp           CDATA   #IMPLIED
          id                    CDATA   #IMPLIED
          allow-undefined       (yes|no)

<!-- User privileged (administrator) selector. -->
<!ELEMENT user-privileged       EMPTY>
<!ATTLIST user-privileged
          value                 (yes|no)
          allow-undefined       (yes|no)

<!-- Selector for the need of user password change. -->
<!ELEMENT user-password-change-needed   EMPTY>
<!ATTLIST user-password-change-needed
          value                 (yes|no)
          allow-undefined       (yes|no)

<!-- Blackboard selector. -->
<!ELEMENT blackboard            EMPTY>
<!ATTLIST blackboard
          field                         CDATA   #REQUIRED
          pattern                       CDATA   #IMPLIED
          pattern-case-sensitive        CDATA   #IMPLIED
          regexp                        CDATA   #IMPLIED
          allow-undefined               (yes|no)

<!-- Authentication methods element. -->
<!ELEMENT authentication-methods        (banner-message?,auth-file-modes?
<!ATTLIST authentication-methods
          login-grace-time      CDATA   "&default-login-grace-time-seconds;">

<!-- Banner message element. -->
<!ELEMENT banner-message        (#PCDATA)>
<!ATTLIST banner-message
          file          CDATA   #IMPLIED>

<!-- Authentication file permission checks. -->
<!ELEMENT auth-file-modes       EMPTY>
<!ATTLIST auth-file-modes
          strict                (yes|no)        "&default-strict-modes;"
          mask-bits             CDATA           "&default-mask-bits;"
          dir-mask-bits         CDATA           #IMPLIED>

<!-- Authentication element.  In an authentication element, different -->
<!-- authentication methods are in OR-relation.  User must pass one of -->
<!-- them. -->
<!ELEMENT authentication        (selector*
<!ATTLIST authentication
        name            ID              #IMPLIED
          action        (allow|deny)    "&default-authentication-action;"
          set-group     CDATA           #IMPLIED
          repeat-block  (yes|no)        "no"
          password-cache (yes|no)       "&default-password-cache;" >

<!ELEMENT set-user      EMPTY>
<!ATTLIST set-user
          name          CDATA           #REQUIRED>

<!ELEMENT mapper        EMPTY>
<!ATTLIST mapper
          command       CDATA           #REQUIRED
          timeout       CDATA           "&default-tunnel-mapper-timeout;">

<!ELEMENT login-restrictions EMPTY>
<!ATTLIST login-restrictions
          ignore-password-expiration    CDATA #IMPLIED
          ignore-aix-rlogin             CDATA #IMPLIED
          ignore-aix-login              CDATA #IMPLIED
          ignore-nisplus-no-permission  CDATA #IMPLIED>

<!ELEMENT set-blackboard                (#PCDATA)>
<!ATTLIST set-blackboard
          field                         CDATA #REQUIRED
          value                         CDATA #IMPLIED
          file                          CDATA #IMPLIED>

<!-- Public-key authentication. -->
<!ELEMENT auth-publickey        EMPTY>
<!ATTLIST auth-publickey
          require-dns-match             (yes|no)
          signature-algorithms          CDATA #IMPLIED
          authorization-file            CDATA #IMPLIED
          authorized-keys-directory     CDATA #IMPLIED
          openssh-authorized-keys-file  CDATA #IMPLIED
          allow-missing                  (yes|no)

<!-- Host-based authentication. -->
<!ELEMENT auth-hostbased        EMPTY>
<!ATTLIST auth-hostbased
          require-dns-match     (yes|no)
          disable-authorization (yes|no) "no"
          allow-missing         (yes|no)

<!-- Password authentication. -->
<!ELEMENT auth-password         EMPTY>
<!ATTLIST auth-password
          failure-delay         CDATA "&default-auth-password-failure-delay;"
          max-tries             CDATA "&default-auth-password-max-tries;"
          allow-missing         (yes|no) "&default-allow-missing;" >

<!-- Keyboard-interactive authentication. -->
<!ELEMENT auth-keyboard-interactive     ((submethod-pam

<!ATTLIST auth-keyboard-interactive
          failure-delay         CDATA "&default-auth-kbdint-failure-delay;"
          max-tries             CDATA "&default-auth-kbdint-max-tries;">

<!-- Keyboard-interactive submethods. -->

<!-- PAM. service-name is #IMPLIED, as it will be by default whatever is -->
<!-- set in "params" block.                                              -->
<!ELEMENT submethod-pam         EMPTY>
<!ATTLIST submethod-pam
          service-name          CDATA   #IMPLIED
          dll-path              CDATA   #IMPLIED>

<!-- Password. -->
<!ELEMENT submethod-password    EMPTY>

<!-- SecurID. -->
<!ELEMENT submethod-securid     EMPTY>
<!ATTLIST submethod-securid
          dll-path              CDATA   #IMPLIED>

<!-- RADIUS. -->
<!ELEMENT submethod-radius      (radius-server+)>

<!-- RADIUS server. -->
<!ELEMENT radius-server         (radius-shared-secret)>
<!ATTLIST radius-server
          address               CDATA   #REQUIRED
          port                  CDATA   "&default-radius-server-port;"
          timeout               CDATA   "&default-radius-server-timeout;"
          client-nas-identifier CDATA   #IMPLIED>

<!-- Secret. "file" has precedence over #PCDATA. -->
<!ELEMENT radius-shared-secret  (#PCDATA)>
<!ATTLIST radius-shared-secret
          file                  CDATA   #IMPLIED>

<!-- AIX LAM. -->
<!ELEMENT submethod-aix-lam      EMPTY>
<!ATTLIST submethod-aix-lam
          enable-password-change (yes|no) "&default-aix-lam-password-change;">

<!-- Generic submethod. -->
<!ELEMENT submethod-generic     EMPTY>
<!ATTLIST submethod-generic
          name                  CDATA   #REQUIRED
          params                CDATA   #IMPLIED>

<!-- GSSAPI authentication. -->
<!ELEMENT auth-gssapi   EMPTY>
<!ATTLIST auth-gssapi
          dll-path                    CDATA     "&default-gssapi-dll-path;"
          allow-ticket-forwarding     (yes|no)
          allow-missing               (yes|no)

<!-- Services element. -->
<!ELEMENT services      (group*,rule+)>

<!-- Group element. -->
<!ELEMENT group         (selector+)>
<!ATTLIST group
          name          ID      #REQUIRED>

<!-- Rule element. Maximum one of each of "terminal", "tunnel-agent"    -->
<!-- or "tunnel-x11" can be present.                                    -->
<!ELEMENT rule          (environment|terminal|subsystem|command

<!-- "group", if defined, will be used to match the rule. -->
<!ATTLIST rule
          group         CDATA           #IMPLIED
          idle-timeout  CDATA           "&default-idle-timeout;"
          print-motd    (yes|no)        "&default-print-motd;">

<!-- Environment. -->
<!-- The default allowed environment variables are:            -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"           -->
<!-- If neither allowed nor allowed-case-sensitive is set,     -->
<!-- the default is used.                                      -->
<!ELEMENT environment   EMPTY>
<!ATTLIST environment
          allowed                       CDATA   #IMPLIED
          allowed-case-sensitive        CDATA   #IMPLIED>

<!-- Terminal. -->
<!ELEMENT terminal      EMPTY>
<!ATTLIST terminal
          action        (allow|deny)            "&default-terminal-action;"
          chroot        CDATA                   #IMPLIED>

<!-- Subsystem. -->
<!ELEMENT subsystem     (attribute*)>
<!ATTLIST subsystem
          type          CDATA           #REQUIRED
          action        (allow|deny)    "&default-subsystem-action;"
          audit         (yes|no)        "&default-subsystem-audit;"
          exec-directly CDATA   #IMPLIED
          application   CDATA           #IMPLIED
          chroot        CDATA           #IMPLIED>

<!ELEMENT attribute     EMPTY>
<!ATTLIST attribute
          name          CDATA   #REQUIRED
          value         CDATA   #IMPLIED>

<!-- Tunnels. -->

<!ELEMENT tunnel-x11    EMPTY>
<!ATTLIST tunnel-x11
          action        (allow|deny)            "&default-tunnel-action;">

<!ELEMENT tunnel-agent  EMPTY>
<!ATTLIST tunnel-agent
          action        (allow|deny)            "&default-tunnel-action;">

<!ELEMENT tunnel-local  (mapper|((src|tunnel-src|dst)*))>
<!ATTLIST tunnel-local
          action        (allow|deny)            "&default-tunnel-action;">

<!ELEMENT tunnel-remote ((src|tunnel-dst|listen)*)>
<!ATTLIST tunnel-remote
          action        (allow|deny)            "&default-tunnel-action;"
          disable-privilege-check (yes|no) "no">

<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!-- src and dst are for local-tcp                                      -->
<!-- src and listen are for remote-tcp                                  -->

<!-- address or fqdn are not mandatory. If set, exactly one must be set -->
<!-- (not both).                                                        -->

<!-- Source. -->

<!ELEMENT src           EMPTY>
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          fqdn-regexp   CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Destination. -->
<!ELEMENT dst           EMPTY>
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          fqdn-regexp   CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Listener. -->
<!ELEMENT listen        EMPTY>
<!ATTLIST listen
          address       CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Tunnel source. -->
<!ELEMENT tunnel-src           EMPTY>
<!ATTLIST tunnel-src
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          fqdn-regexp   CDATA   #IMPLIED>

<!ELEMENT tunnel-dst           EMPTY>
<!ATTLIST tunnel-dst
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          fqdn-regexp   CDATA   #IMPLIED>

<!-- Command. -->
<!ELEMENT command                       EMPTY>
<!ATTLIST command
          action                        (allow|deny|forced)
          interactive                   (yes|no)
          application                   CDATA   #IMPLIED
          application-case-sensitive    CDATA   #IMPLIED
          chroot                        CDATA   #IMPLIED>