SSH Tectia

Appendix A Broker Configuration File Syntax

The DTD of the Connection Broker configuration file (secsh-broker.dtd) is shown below. It defines the element structure and attribute defaults only; it does not constrain free-text values such as cipher names, URLs or profile references:

<!-- secsh-broker.dtd                                               -->
<!--                                                                -->
<!-- Copyright (c) 2004-2008 SSH Communications Security, Finland   -->
<!--         All rights reserved.                                   -->
<!--                                                                -->
<!-- Document type definition for the Connection Broker XML         -->
<!-- configuration files.                                           -->
<!--                                                                -->

<!-- The top-level element. Every section is optional, but those that
     appear must come in this order: general, default-settings,
     profiles, static-tunnels, gui, filter-engine, logging. -->
<!ELEMENT secsh-broker   (general?,default-settings?,profiles?,
                          static-tunnels?,gui?,
                          filter-engine?,logging?)>
<!-- version: presumably the configuration format version; free text,
     optional, not checked by the DTD. -->
<!ATTLIST secsh-broker
                 version  CDATA #IMPLIED>

<!-- General element: crypto library choice, certificate validation,
     key stores and the host key acceptance policy. All children are
     optional and, when present, must appear in the listed order. -->
<!ELEMENT general        (crypto-lib?,cert-validation?,key-stores?,
                          strict-host-key-checking?,host-key-always-ask?,
                          accept-unknown-host-keys?,known-hosts?)>

<!-- Cryptographic library. mode is "fips" or "standard"; the default is
     "standard", so FIPS mode is only active when requested explicitly.
     Unlike the yes/no attributes elsewhere in this DTD, only the
     lowercase spellings are accepted here. -->
<!ELEMENT crypto-lib     EMPTY>
<!ATTLIST crypto-lib
                   mode (fips|standard) "standard">

<!-- PKI settings: LDAP servers and OCSP responders for lookups, CRL
     prefetch sources, the DoD PKI switch, trusted CA certificates and
     key stores, in that order.
     end-point-identity-check defaults to "yes". NOTE(review): by its
     name, "no" would skip matching the peer certificate against the
     host being connected to, so it should stay at the default unless
     there is a documented reason.
     default-domain, http-proxy-url and socks-server-url are free text;
     the proxy URLs are presumably used for the validation lookups
     (OCSP, CRL, LDAP); confirm in the product manual. -->
<!ELEMENT cert-validation   
                         (ldap-server*,ocsp-responder*,
                          crl-prefetch*,dod-pki?,
                          ca-certificate*,key-store*)>

<!ATTLIST cert-validation
                   end-point-identity-check (yes|no|YES|NO) "yes"
                   default-domain            CDATA #IMPLIED
                   http-proxy-url            CDATA #IMPLIED
                   socks-server-url          CDATA #IMPLIED>

<!-- LDAP server used by certificate validation (presumably for CRL and
     certificate lookups). address is required; port defaults to 389,
     the plain LDAP port. NOTE(review): no TLS related attribute is
     declared here, so do not rely on the transport for the integrity
     of what is fetched; the fetched objects must stand on their own
     signatures. -->
<!ELEMENT ldap-server     EMPTY>
<!ATTLIST ldap-server
                   address         CDATA #REQUIRED
                   port            CDATA "389">

<!-- OCSP responder at url (required). validity-period defaults to "0".
     NOTE(review): whether 0 means "do not cache responses" or "no
     limit" is not defined by the DTD; confirm in the manual before
     tuning it, since a long period extends how long a revoked
     certificate keeps being accepted. -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
                   url             CDATA #REQUIRED
                   validity-period CDATA "0">

<!-- CRL prefetch: the CRL at url (required) is fetched periodically;
     interval defaults to 3600 (presumably seconds, i.e. hourly). -->
<!ELEMENT crl-prefetch  EMPTY>
<!ATTLIST crl-prefetch
                   interval        CDATA "3600"
                   url             CDATA #REQUIRED>

<!-- CA certificates. The certificate is given either inline as the
     element text or via file; name is required and identifies the CA.
     disable-crls defaults to "no" and use-expired-crls to "0".
     NOTE(review): by their names, turning the first on or raising the
     second weakens revocation checking for everything issued under this
     CA, so keep the defaults unless the deployment documents why. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
                   name             CDATA #REQUIRED
                   file             CDATA #IMPLIED
                   disable-crls    (yes|no|YES|NO) "no"
                   use-expired-crls CDATA "0" >

<!-- DoD PKI compliance mode; off ("no") unless enabled explicitly. -->
<!ELEMENT dod-pki          EMPTY>
<!ATTLIST dod-pki
                   enable   (yes|no|YES|NO) "no" >

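<!-- Key stores: any mix of key-store, user-keys and identification
     elements, in any order. -->
<!ELEMENT key-stores ((key-store|user-keys|identification)*)>

<!-- External key store. type is required; init is an optional,
     presumably provider specific, initialization string.
     trust-anchors defaults to "no": by its name, certificates held in
     the store are not used as trusted CAs unless this is set to "yes".
     The ATTLIST was previously closed after init, which left
     trust-anchors as stray text outside any declaration and made the
     DTD malformed; the closing bracket now follows the last attribute. -->
<!ELEMENT key-store EMPTY>
<!ATTLIST key-store
                   type             CDATA #REQUIRED
                   init             CDATA #IMPLIED
                   trust-anchors   (yes|no|YES|NO) "no" >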

<!-- User key files taken from directory. passphrase-timeout and
     passphrase-idle-timeout default to "0". NOTE(review): the DTD does
     not say whether 0 disables the passphrase cache or caches
     indefinitely; a longer cache presumably extends how long a key is
     usable without re-entering its passphrase, so confirm the meaning
     in the manual before relying on the default. -->
<!ELEMENT user-keys EMPTY>
<!ATTLIST user-keys
                   directory               CDATA #IMPLIED
                   passphrase-timeout      CDATA "0"
                   passphrase-idle-timeout CDATA "0">

<!-- Identification file (required) naming the user keys to use;
     base-path presumably resolves relative paths listed in it. The
     passphrase timeouts mirror those of user-keys and default to "0"
     (semantics not defined here; confirm in the manual). -->
<!ELEMENT identification EMPTY>
<!ATTLIST identification
                   file                    CDATA #REQUIRED
                   base-path               CDATA #IMPLIED
                   passphrase-timeout      CDATA "0"
                   passphrase-idle-timeout CDATA "0">

<!-- Host key acceptance policy. None of the three switches has a
     default, so enable must be written explicitly whenever the element
     is used. NOTE(review): accept-unknown-host-keys enable="yes", by
     its name, accepts a host key that is not yet in known-hosts without
     user confirmation; that removes the defence against a
     first-contact man-in-the-middle and belongs only in controlled
     environments. strict-host-key-checking and host-key-always-ask
     are the conservative settings. -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
                   enable (yes|no|YES|NO) #REQUIRED>

<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask
                   enable (yes|no|YES|NO) #REQUIRED>

<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
                   enable (yes|no|YES|NO) #REQUIRED>
                   
<!-- Exclusive connection switch (enable is required, no default).
     Declared here but used as a child of default-settings and profile,
     not of general. -->
<!ELEMENT exclusive-connection EMPTY>
<!ATTLIST exclusive-connection
                   enable (yes|no|YES|NO) #REQUIRED>

<!-- Known hosts store: an optional path plus any number of key-store
     children. filename-format defaults to "hash"; by its name, host
     names are stored hashed rather than in the clear, which keeps the
     list of visited hosts from anyone who can read the directory. -->
<!ELEMENT known-hosts (key-store*)>
<!ATTLIST known-hosts
                   path               CDATA #IMPLIED
                   filename-format   (hash|plain) "hash" >
                   
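<!-- Extended plugin configuration: a list of named ext elements. -->
<!ELEMENT extended (ext)*>

<!-- Plugin specific settings: text, nested ext elements, or nothing.
     The content model is mixed, so an ext with no content is already
     valid; the earlier model also listed an undeclared element named
     EMPTY (the keyword has no meaning inside a choice group), which
     has been dropped. The content is opaque to this DTD and is not
     validated beyond well-formedness. -->
<!ELEMENT ext (#PCDATA | ext)*>
<!ATTLIST ext
                   name CDATA #REQUIRED>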
        
<!-- Default settings element. A profile declares the same children
     (see profile), so these are presumably the values used when a
     profile does not set its own. All optional, in the listed order. -->
<!ELEMENT default-settings   (ciphers?, macs?,
                             transport-distribution?, rekey?,
                             authentication-methods?,
                             hostbased-default-domain?,
                             compression?, proxy?, idle-timeout?,
                             exclusive-connection?,
                             server-banners?, forwards?, extended?,
                             remote-environment?,
                             server-authentication-methods?)>

<!-- Server banners: shown ("yes") unless visible is set to "no". -->
<!ELEMENT server-banners EMPTY>

<!ATTLIST server-banners
                   visible (yes|no|YES|NO) "yes">

<!-- Ciphers element: an ordered list of cipher entries; the order is
     presumably the preference order offered to the server. -->
<!ELEMENT ciphers   (cipher*)>

<!-- A single cipher, by name. NOTE(review): name is free text, so a
     misspelt or unsupported algorithm is not caught by DTD validation;
     check the effective list at runtime after editing it. -->
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
                   name CDATA #REQUIRED>

<!-- Macs element: an ordered list of MAC entries, same rules as ciphers. -->
<!ELEMENT macs   (mac*)>

<!-- A single MAC, by name (free text, not validated). -->
<!ELEMENT mac   EMPTY>
<!ATTLIST mac
                   name CDATA #REQUIRED>

<!-- Rekey threshold in bytes; default "0". NOTE(review): whether 0 means
     "use the built-in policy" or "never rekey" is not defined here;
     confirm in the manual before relying on it. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
                   bytes CDATA "0">

<!-- Domain used for hostbased authentication; name is required. -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
                   name CDATA #REQUIRED>

<!-- Authentication methods element: any mix of generic
     authentication-method entries and the per-method elements declared
     below, in any order; the listed order is presumably the order in
     which the methods are attempted. -->
<!ELEMENT authentication-methods  (authentication-method|auth-hostbased
                                  |auth-password|auth-publickey|auth-gssapi
                                  |auth-keyboard-interactive)*>

<!-- Methods accepted for authenticating the server; generic entries only. -->
<!ELEMENT server-authentication-methods (authentication-method*)>

<!-- Environment variables requested for the remote session. -->
<!ELEMENT remote-environment (environment*)>

<!-- One variable: name and value are required; format defaults to "no"
     (presumably controls substitution inside value; confirm in the
     manual). -->
<!ELEMENT environment EMPTY>
<!ATTLIST environment
                   name    CDATA #REQUIRED
                   value   CDATA #REQUIRED
                   format (yes|no|YES|NO) "no">

<!-- Transport distribution: num-transports is required free text
     (presumably a count; not range checked by the DTD). -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
                   num-transports  CDATA #REQUIRED>

<!-- Generic authentication method entry, selected by name. -->
<!ELEMENT authentication-method   EMPTY>
<!ATTLIST authentication-method
                   name   CDATA #REQUIRED>
                    
<!-- Hostbased authentication, optionally overriding the local host name. -->
<!ELEMENT auth-hostbased   (local-hostname?)>
<!ELEMENT local-hostname EMPTY>
<!ATTLIST local-hostname 
                   name   CDATA #REQUIRED>

<!-- Password authentication. The optional password child holds the
     password either inline as element text or in the file named by
     file. NOTE(review): either way the secret is stored in the clear on
     disk, so this configuration file (or the referenced file) needs
     restrictive permissions, and public key or GSSAPI authentication is
     preferable where available. -->
<!ELEMENT auth-password (password?)>
<!ELEMENT password (#PCDATA)>
<!ATTLIST password
                   file   CDATA #IMPLIED>

<!-- Public key authentication; the identities come from user-identities. -->
<!ELEMENT auth-publickey EMPTY>

<!-- Keyboard-interactive authentication, no options. -->
<!ELEMENT auth-keyboard-interactive EMPTY>

<!-- GSSAPI authentication, no options. -->
<!ELEMENT auth-gssapi EMPTY>

<!-- User identities: the keys or certificates offered for public key
     authentication (by the attribute names). -->
<!ELEMENT user-identities (identity*)>

<!-- One identity, located by identity-file, file, hash, id or data.
     The DTD requires none of them, so an identity with no attributes is
     syntactically valid but presumably selects nothing. -->
<!ELEMENT identity EMPTY>
<!ATTLIST identity
                   identity-file CDATA #IMPLIED
                   file          CDATA #IMPLIED
                   hash          CDATA #IMPLIED
                   id            CDATA #IMPLIED
                   data          CDATA #IMPLIED>

<!-- Proxy rules: ruleset is required free text; its syntax is not
     defined by this DTD. -->
<!ELEMENT proxy   EMPTY>
<!ATTLIST proxy
                   ruleset   CDATA #REQUIRED>

<!-- Idle timeout. type has the single value "connection"; time is
     optional free text whose units are not defined here. -->
<!ELEMENT idle-timeout   EMPTY>
<!ATTLIST idle-timeout
                   type  (connection) "connection"
                   time   CDATA #IMPLIED>

<!-- Forwards element: per-type forwarding policy. -->
<!ELEMENT forwards   (forward*)>

<!-- One forwarding type, x11 or agent, with state on, off or denied
     (both required, no defaults). NOTE(review): in SSH generally, agent
     forwarding lets the remote host use the local agent's keys for the
     life of the session and X11 forwarding exposes the local display;
     keep both off unless needed. "denied" presumably blocks a
     per-connection override as well (confirm), which makes it the
     right choice for a fixed policy. -->
<!ELEMENT forward   EMPTY>
<!ATTLIST forward
                   type  (x11|agent)     #REQUIRED
                   state (on|off|denied) #REQUIRED>


<!-- Compression: optional algorithm name and level, both free text. -->
<!ELEMENT compression   EMPTY>
<!ATTLIST compression
                   name   CDATA #IMPLIED
                   level  CDATA #IMPLIED>

<!-- Profiles element: any number of connection profiles. -->
<!ELEMENT profiles   (profile*)>

<!-- Connection profile. Its children mirror default-settings and add
     hostkey, user-identities and tunnels; all optional, in the listed
     order. -->
<!ELEMENT profile       (hostkey?, ciphers?, macs?,
                         transport-distribution?, rekey?,
                         authentication-methods?,
                         user-identities?,
                         compression?, proxy?, idle-timeout?,
                         exclusive-connection?,
                         server-banners?, forwards?, tunnels?, 
                         extended?, remote-environment?,
                         server-authentication-methods?)>

<!-- id is a DTD ID: unique within the file and it must start with a
     letter or underscore, not a digit. host is required; port defaults
     to "22", protocol to "secsh2" and connect-on-startup to "no".
     gateway-profile is free text rather than an IDREF, so a reference
     to a profile that does not exist is not caught by validation. -->
<!ATTLIST profile
                   id        ID #REQUIRED
                   name      CDATA #IMPLIED
                   host      CDATA #REQUIRED
                   port      CDATA "22"
                   protocol  CDATA "secsh2"
                   connect-on-startup (yes|no|YES|NO) "no"
                   user                CDATA #IMPLIED
                   gateway-profile     CDATA #IMPLIED>

<!-- Expected server host key for this profile, inline as element text
     or read from file (presumably used to pin the server identity for
     this host). -->
<!ELEMENT hostkey   (#PCDATA)>
<!ATTLIST hostkey
                   file   CDATA #IMPLIED>

<!-- Tunnels element: all local tunnels first, then remote tunnels. -->
<!ELEMENT tunnels   (local-tunnel*,remote-tunnel*)>

<!-- Local tunnel. type defaults to "tcp"; listen-address and dst-host
     default to the loopback address 127.0.0.1; listen-port and dst-port
     are required; allow-relay defaults to "no". NOTE(review): binding
     listen-address to a non-loopback address makes the tunnel entry
     point reachable from other hosts, and allow-relay presumably
     permits connections from other hosts as well (confirm in the
     manual); keep both at their defaults unless that exposure is
     intended. -->
<!ELEMENT local-tunnel   EMPTY>
<!ATTLIST local-tunnel
                   type            CDATA "tcp" 
                   listen-address  CDATA "127.0.0.1" 
                   listen-port     CDATA #REQUIRED 
                   dst-host        CDATA "127.0.0.1" 
                   dst-port        CDATA #REQUIRED
                   allow-relay    (yes|no|YES|NO) "no">

<!-- Remote tunnel: same attributes and defaults as local-tunnel; the
     listener is presumably opened on the remote side, so the same
     exposure caveat applies there. -->
<!ELEMENT remote-tunnel   EMPTY>
<!ATTLIST remote-tunnel
                   type           CDATA "tcp" 
                   listen-address CDATA "127.0.0.1" 
                   listen-port    CDATA #REQUIRED 
                   dst-host       CDATA "127.0.0.1" 
                   dst-port       CDATA #REQUIRED 
                   allow-relay   (yes|no|YES|NO) "no">

<!-- Static tunnels element: tunnels that exist independently of a
     profile's own tunnels section. -->
<!ELEMENT static-tunnels   (tunnel*)>

<!-- Static tunnel: the same attributes and defaults as local-tunnel
     (loopback listen address, allow-relay "no"), plus the required
     profile it is established through. profile is free text rather
     than an IDREF, so a typo in it is not caught by validation. -->
<!ELEMENT tunnel   EMPTY>
<!ATTLIST tunnel
                   type           CDATA "tcp"
                   listen-address CDATA "127.0.0.1"
                   listen-port    CDATA #REQUIRED
                   dst-host       CDATA "127.0.0.1"
                   dst-port       CDATA #REQUIRED
                   allow-relay   (yes|no|YES|NO) "no"
                   profile        CDATA #REQUIRED>

<!-- GUI settings: all attributes are optional yes/no switches with no
     DTD default. show-security-notification presumably controls whether
     security warnings are displayed to the user; turning them off is a
     trade-off that should be recorded in the deployment notes. -->
<!ELEMENT gui EMPTY>
<!ATTLIST gui
                   hide-tray-icon    (yes|no|YES|NO) #IMPLIED
                   show-exit-button  (yes|no|YES|NO) #IMPLIED
                   show-admin        (yes|no|YES|NO) #IMPLIED
                   enable-connector  (yes|no|YES|NO) #IMPLIED
               show-security-notification (yes|no|YES|NO) #IMPLIED>

<!-- Filter engine: networks, DNS mappings, filters and rules in any
     order. ip-generate-start is presumably the first pseudo IP handed
     out; ftp-filter-at-signs defaults to "no". -->
<!ELEMENT filter-engine (network|dns|filter|rule)*>
<!ATTLIST filter-engine
                   ip-generate-start    CDATA #IMPLIED
                   ftp-filter-at-signs (yes|no|YES|NO) "no">

<!-- A network with a unique id (DTD ID) and optional address, domain
     and its own ip-generate-start. -->
<!ELEMENT network EMPTY>
<!ATTLIST network
                   id                ID    #REQUIRED
                   address           CDATA #IMPLIED
                   domain            CDATA #IMPLIED
                   ip-generate-start CDATA #IMPLIED>

<!-- A DNS mapping with a unique id, optionally tied to a declared
     network (network-id is an IDREF, so it must exist). The host may
     be mapped to a pseudo IP; pseudo-ip defaults to "no". -->
<!ELEMENT dns EMPTY>
<!ATTLIST dns
                   id                ID    #REQUIRED
                   network-id        IDREF #IMPLIED
                   application       CDATA #IMPLIED
                   host              CDATA #IMPLIED
                   ip-address        CDATA #IMPLIED
                   pseudo-ip        (yes|no|YES|NO) "no">

<!-- A filter on the DNS entry dns-id (IDREF, must exist) for the given
     ports. action is block, direct, tunnel, ftp-tunnel or ftp-proxy
     (uppercase variants accepted). profile-id is free text, not an
     IDREF, so a dangling profile reference is not caught by validation.
     NOTE(review): fallback-to-plain defaults to "no"; by its name,
     "yes" lets the application reach the destination directly when the
     tunnel cannot be set up, silently losing the protection, so enable
     it only where cleartext is acceptable. -->
<!ELEMENT filter EMPTY>
<!ATTLIST filter
                   dns-id             IDREF #REQUIRED
                   ports              CDATA #REQUIRED
                   action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
                           BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)
                                            #REQUIRED
                   profile-id         CDATA #IMPLIED
                   destination        CDATA #IMPLIED
                   destination-port   CDATA #IMPLIED
                   fallback-to-plain (yes|no|YES|NO) "no">

<!-- A rule matched directly on application, host or ip-address (all
     optional) and the required ports, without a separate dns entry.
     action takes the same values as filter. profile-id is free text,
     not an IDREF. username, hostname-from-app and username-from-app
     presumably let the matched application supply the target host and
     user. NOTE(review): fallback-to-plain defaults to "no"; as for
     filter, "yes" presumably allows an unprotected direct connection
     when tunnelling fails, so enable it only where cleartext is
     acceptable. -->
<!ELEMENT rule EMPTY>
<!ATTLIST rule
                   application        CDATA #IMPLIED
                   host               CDATA #IMPLIED
                   ip-address         CDATA #IMPLIED
                   pseudo-ip         (yes|no|YES|NO) "no"
                   ports              CDATA #REQUIRED
                   action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
                           BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)  
                                            #REQUIRED
                   profile-id         CDATA #IMPLIED
                   destination        CDATA #IMPLIED
                   destination-port   CDATA #IMPLIED
                   username           CDATA #IMPLIED
                   hostname-from-app (yes|no|YES|NO) "no"
                   username-from-app (yes|no|YES|NO) "no"
                   fallback-to-plain (yes|no|YES|NO) "no">


<!-- Logging: any number of log-events entries. -->
<!ELEMENT logging   (log-events*)>

<!-- Log events. -->
<!-- Default facility for log-events, declared as an entity so the
     ATTLIST default below shares one definition. -->
<!ENTITY default-log-event-facility        "normal">

<!-- Default severity for log-events, same pattern. -->
<!ENTITY default-log-event-severity        "notice">

<!-- A log event specification (element text) with the facility and
     severity it is logged at; defaults come from the entities above.
     NOTE(review): facility "discard" presumably drops the events; an
     entry routing security-failure events there would hide failed
     authentications, so keep those on a retained facility. -->
<!ELEMENT log-events   (#PCDATA)>
<!ATTLIST log-events
                 facility   (normal|daemon|user|auth|local0|local1|local2
                            |local3|local4|local5|local6|local7|discard)
                           "&default-log-event-facility;"
                 severity   (informational|notice|warning|error|critical
                            |security-success|security-failure)
                           "&default-log-event-severity;">