ssh-broker-config

ssh-broker-config — SSH Connection Broker configuration file format

The Connection Broker configuration file ssh-broker-config.xml is used by SSH Tectia Client and ConnectSecure on Unix and Windows and by SSH Tectia client tools on z/OS. It must be a valid XML file that follows the ssh-broker-ng-config-1.dtd document type definition.

The SOCKS Proxy configuration file ssh-socks-proxy-config.xml is used by the SSH Tectia SOCKS Proxy on z/OS. The ssh-socks-proxy-config.xml configuration file uses the same format as the ssh-broker-config.xml configuration file. The configuration file must be a valid XML file that follows the ssh-broker-ng-config-1.dtd document type definition.

Connection Broker Files

The Connection Broker reads three configuration files (if all are available):

The ssh-broker-config-default.xml file is read first. It holds the factory default settings. It is not recommended to edit the file, but you can use it to view the default settings.
This file must be available and correctly formatted for the Connection Broker to start.
Next, the Connection Broker reads the global configuration file. The settings in the global configuration file override the default settings.
If the global configuration file is missing or malformed, the Connection Broker will start normally, and will read the user-specific configuration file, instead. A malformed global configuration file is ignored and the default settings or user-specific settings, if they exist, are used instead.
Last, the Connection Broker reads the user-specific configuration file, if it is available. The settings in the user-specific configuration file override the settings in the global configuration file, with the following exceptions:
- The following settings from the user-specific configuration are combined with the settings of the global configuration file:
  - In general element, the key-stores and cert-validation settings
  - In profiles element, all settings
  - In static-tunnels element, all settings.
- If a connection profile with the same name has been defined in both the global configuration file and user-specific configuration file, the latter one is used.
- If the crypto-lib, strict-host-key-checking, host-key-always-ask, and accept-unknown-host-keys elements have different values in the global and user-specific configuration, the more secure of the values is used.
- If the filter-engine settings have been defined in the global configuration file, and the file is valid (not malformed), those settings are used, and any filter-engine settings made in the user-specific configuration file are ignored.
If the user-specific configuration file is missing, the Connection Broker will start using the previously read configuration files. However, if a user-specific configuration exists but is malformed, the Connection Broker will not start at all.

On z/OS, the default configuration file locations are as follows:

the default configuration:
/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-config-default.xml
the global configuration: /opt/tectia/etc/ssh-broker-config.xml
the user-specific configuration: $HOME/.ssh2/ssh-broker-config.xml
the XML DTD:
/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd

The following sections describe the options available in the Connection Broker configuration file. See Appendix A for more information on the syntax of the configuration file.

SOCKS Proxy Files

The SOCKS Proxy also reads three configuration files (if all are available). The files are read in the same order as with the Connection Broker. See the section called “Connection Broker Files” above.

On z/OS, the default configuration file locations are as follows:

the default configuration:
/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-socks-proxy-config-default.xml
the global configuration: /opt/tectia/etc/ssh-socks-proxy-config.xml
the user-specific configuration: $HOME/.ssh2/ssh-socks-proxy-config.xml
the XML DTD:
/opt/tectia/etc/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-ng-config-1.dtd

The information in the following sections on the options of the Connection Broker configuration file is also valid for the options of the SOCKS Proxy configuration file. See Appendix A for more information on the syntax of the configuration file.

Document Type Declaration and the Root Element

The broker configuration file is a valid XML file and starts with the Document Type Declaration.

The root element in the configuration file is secsh-broker. It can include general, default-settings, profiles, static-tunnels, gui, filter-engine, and logging elements.

An example of an empty configuration file is shown below:

<!DOCTYPE secsh-broker SYSTEM "ssh-broker-ng-config-1.dtd">
<secsh-broker version="1.0">
  <general />
  <default-settings />
  <profiles />
  <static-tunnels />
  <gui />
  <filter-engine /> 
  <logging />

</secsh-broker>

The gui element is used on Windows only.

The `general` Element

The general element contains settings such as the cryptographic library and the key stores to be used.

crypto-lib

This element selects the cryptographic library mode to be used. Either the standard version (standard) or the FIPS 140-2 certified version (fips) of the cryptographic library can be used. The library name is given as a value of the mode attribute. By default, standard cryptographic libraries are used.

<crypto-lib mode="standard" />

	Note
	The FIPS library is not available on z/OS.

For a list of platforms on which the FIPS library has been validated or tested, see SSH Tectia Client/Server Product Description.

cert-validation

This element defines public-key infrastructure (PKI) settings used for validating remote server authentication certificates. The element can have the following attributes: end-point-identity-check, default-domain, http-proxy-url, and socks-server-url.

The end-point-identity-check attribute specifies whether the client will verify the server's hostname or IP address against the Subject Name or Subject Alternative Name (DNS Address) specified in the server host certificate. The default value is yes. If set to no, the fields in the server host certificate are not verified and the certificate is accepted based on the validity period and CRL check only.

	Caution
	Setting `end-point-identity-check="no"` is a security risk. Then anyone with a certificate issued by the same trusted certification authority (CA) that issues the server host certificates can perform a man-in-the-middle attack on the server.

The default-domain attribute can be used when the end-point identity check is enabled. It specifies the default domain part of the remote system name and it is used if only the base part of the system name is available. The default-domain is appended to the system name if it does not contain a dot (.).

If the default domain is not specified, the end-point identity check fails, for example, when a user tries to connect to a host "rock" giving only the short hostname and the certificate contains the full DNS address "rock.example.com".

The http-proxy-url attribute defines an HTTP proxy and the socks-server-url attribute defines a SOCKS server for making LDAP or OCSP queries for certificate validity.

The address of the server is given as the value of the attribute. The format of the address is socks://username@socks_server:port/network/netmask,network/netmask ... (with a SOCKS server) or http://username@proxy_server:port/network/netmask,network/netmask ... (with an HTTP proxy).

For example, to make the SOCKS server use host socks.ssh.com and port 1080 for connections outside of networks 192.196.0.0 (16-bit domain) and 10.100.23.0 (8-bit domain), and to get these networks connected directly, set socks-server-url as follows:

"socks://mylogin@socks.ssh.com:1080/192.196.0.0/16,10.100.23.0/24"

The cert-validation element can contain multiple ldap-server, ocsp-responder, crl-prefetch elements, one dod-pki element, and multiple ca-certificate and key-store elements. The elements have to be in the listed order.

ldap-server

This element specifies an LDAP server address and port used for fetching CRLs and/or subordinate CA certificates based on the issuer name of the certificate being validated. Several LDAP servers can be specified by using several ldap-server elements.

CRLs are automatically retrieved from the CRL distribution point defined in the certificate to be verified if the point exists.

The default value for port is 389.

ocsp-responder

This element specifies an OCSP (Online Certificate Status Protocol) responder service address in URL format with attribute url. Several OCSP responders can be specified by using several ocsp-responder elements.

If the certificate has a valid Authority Info Access extension with an OCSP Responder URL, it will be used instead of this setting. Note that for the OCSP validation to succeed, both the end-entity certificate and the OCSP Responder certificate must be issued by the same CA.

The validity-period (in seconds) can be optionally defined. During this time, new OCSP queries for the same certificate are not made but the old result is used. The default validity period is 0 (a new query is made every time).

crl-prefetch

This element instructs SSH Tectia Client/ConnectSecure to periodically download a CRL from the specified URL. The url value can be an LDAP or HTTP URL, or it can refer to a local file. The file format must be either binary DER or base64, PEM is not supported.

To download CRLs from the local file system, define the file URL in this format:

file:///absolute/path/name

To download CRLs from an LDAP server, define the LDAP URL in this format:

ldap://ldap.server.com:389/CN=Root%20CA,OU=certification%20authorities,
DC=company,DC=com?certificaterevocationlist

Use the interval attribute to specify how often the CRL is downloaded. The default is 3600 seconds.

dod-pki

This element defines whether the certificates are required to be compliant with the US Department of Defense Public-Key Infrastructure (DoD PKI). In practise, this means that the Digital Signature bit must be set in the Key Usage of the certificate. The enable attribute can have a value of yes or no. The default is no.

ca-certificate

This element defines a certification authority (CA) used in server authentication. It can have four attributes: name, file, disable-crls, and use-expired-crls.

The name attribute must contain the name of the CA.

The element must either contain the path to the X.509 CA certificate file as a value of the file attribute, or include the certificate as a base64-encoded ASCII block.

CRL checking can be disabled by setting the disable-crls attribute to yes. The default is no.

Expired CRLs can be used by setting a numeric value (in seconds) for the use-expired-crls attribute. The default is 0 (do not use expired CRLs).

key-store

This element defines CA certificates stored in an external key store for server authentication. Currently it is used only on z/OS for CA certificates stored in System Authorization Facility (SAF).

The cert-validation/key-store element has four attributes: type, init, disable-crls, and use-expired-crls.

The type attribute defines the key store type. Currently the only supported type is "zos-saf".

The init attribute is the key-store-provider-specific initialization info.

CRL checking can be disabled by setting the disable-crls attribute to yes. The default is no.

Expired CRLs can be used by setting a numeric value (in seconds) for the use-expired-crls attribute. The default is 0 (do not use expired CRLs).

For key store configuration examples, see the section called “Key Store Configuration Examples”.

An example of a certificate validation configuration is shown below:

<cert-validation end-point-identity-check="yes" 
                 default-domain="example.com"
                 http-proxy-url="http://proxy.example.com:8080">
  <ldap-server address="ldap://ldap.example.com:389" />
  <ocsp-responder url="http://ocsp.example.com:8090" validity-period="0" /> 
  <crl-prefetch url="file:///full.path.to.crlfile" interval="1800" />
  <dod-pki enable="no" />
  <ca-certificate name="ssh_ca1"
                  file="ssh_ca1.crt"
                  disable-crls="no"
                  use-expired-crls="100" />
</cert-validation>

key-stores

This element defines settings for user public-key and certificate authentication.

Under the <general> element, there can be one <key-stores> instance which in turn can have any number of <key-store>, <user-keys>, and <identification> elements, and the order of the elements is free.

key-store

Each of the key-store elements configures one key store provider. The key-stores/key-store element can take the following attributes: type and init.

The type attribute is the key store type. The currently supported types are "entrust", "mscapi", "pkcs11", "software", and "zos-saf".

The init attribute is the key-store-provider-specific initialization info.

The initialization string can contain special strings that are expanded according the following list:

%U = %USERNAME% = user name
%USERNAME-WITHOUT-DOMAIN% = user name without the domain part
%IU = %USERID% = user ID
%IG = %GROUPID% = user group ID
%D = %HOMEDIR% = the user's home directory
%G = %GROUPNAME% = the name of the user's default group

Also environment variables are replaced with their current values. For example it is possible to use strings $HOME or %HOME% to expand to user's home directory (if environment variable HOME is set).

	Note
	Short alias names (for example, `%U`) are case-sensitive and long alias names (for example, `%USERNAME%`) are case-insensitive.

For key store configuration examples, see the section called “Key Store Configuration Examples”.

user-keys

The user-keys element can be used to override the default directory for the user keys. The user-keys element can take the following attributes:

The directory attribute defines the directory where the user private keys are stored. Enter the full path.

The passphrase-timeout attribute defines the time (in seconds) after which the passphrase-protected private key will time out, and the user must enter the passphrase again. The default is 0, meaning that the passphrase does not time out. The value of this element should be longer than the passphrase-idle-timeout value.

By default, the Connection Broker keeps the passphrase-protected private keys open once the user has entered the passphrase successfully. This can be changed with the passphrase timeout options. When passphrase-timeout is set, the private key stays open (usable without further passphrase prompts) until the timeout expires. The passphrase-timeout attribute sets the hard timeout, that is set only once when the key is opened and will not be reset even if the key is used multiple times.

The passphrase-idle-timeout attribute defines the time (in seconds) after which the passphrase-protected private key will time out unless the user accesses or uses the key. The passphrase-idle-timeout is reset every time the key is accessed. The default is 0, meaning that the passphrase never times out.

Both of the timeout options can be set simultaneously, but notice that if the idle timeout is set longer than the hard timeout, the idle timeout has no effect.

identification

The identification element can be used to override the default location of the identification file that defines the user keys. The identification element can take the following attributes:

The file attribute specifies the location of the identification file. Enter the full path.

The base-path attribute defines the directory where the identification file expects the user private keys to be stored. This element can be used to override the default relative path interpretation of the identification file (paths relative to the identification file directory).

The passphrase-timeout attribute defines the time (in seconds) after which the user must enter the passphrase again. The default is 0, meaning that the passphrase is not re-requested.

The passphrase-idle-timeout attribute defines a time (in seconds) after which the passphrase times out if there are no user actions. The default is 0, meaning that the passphrase does not time out.

The timeout settings affect only those private keys that are listed in the identification file.

strict-host-key-checking

This element enables strict host key checking. If it is enabled, the Connection Broker never adds host keys to the user's .ssh2/hostkeys directory upon connection, and refuses to connect to hosts whose key has changed. This provides maximum protection against man-in-the-middle attacks. However, it can be somewhat annoying if you frequently connect to new hosts.

The word yes or no is given as the value of the enable attribute. The default is no (the user is asked whether to accept a new or changed host key).

Strict host key checking will be used, if it is so specified in either the global or the user configuration file (or both).

<strict-host-key-checking enable="yes" />

host-key-always-ask

This element defines whether the Connection Broker should prompt the user to accept the proposed host key even if it is already known.

The word yes or no is given as the value of the enable attribute. The default is no (known host keys are accepted without prompting).

Host keys are always asked, if it is so specified in either the global or the user configuration file (or both).

<host-key-always-ask enable="yes" />

	Note
	When transparent FTP tunneling or FTP-SFTP conversion is used, accepting the host key cannot be prompted from the user (this setting must be set to `no`).

accept-unknown-host-keys

This element defines whether the Connection Broker will always accept the proposed host key without saving the key. It is the equivalent of automatically answering "Once" to all accept-host-key prompts.

The word yes or no is given as the value of the enable attribute. The default is no (unknown host keys are not automatically accepted).

If this element is set to no either in the global or the user configuration file, the changed or new host keys are prompted normally. Additionally, setting this element to yes takes effect only when both strict-host-key-checking and host-key-always-ask are set to no (or are not explicitly defined).

<accept-unknown-host-keys enable="no" />

Note

When transparent FTP tunneling or FTP-SFTP conversion is used, accepting the host key cannot be prompted from the user. Either this setting must be set to yes in the ssh-socks-proxy-config.xml file (not recommended) or the host keys of the Secure Shell tunneling and SFTP servers must be obtained beforehand and stored based on the IP addresses of the servers, for example, by using the ssh-keydist-g3 key distribution tool. See Fetching Remote Server Keys.

	Caution
	Consider carefully before enabling this option. Disabling the host-key checks makes you vulnerable to man-in-the-middle attacks.

exclusive-connection

In the Connection Broker configuration file, the exclusive-connection element can be used to specify that a new connection is opened for each new channel. This setting takes one attribute enable, with value yes or no. The default is no, meaning that open connections are reused for new channels requested by a client.

On z/OS, the SOCKS Proxy always uses the exclusive connection type, meaning it opens a new connection for each new channel. This element is not needed in the SOCKS Proxy configuration file, and irrespective of the value set by the user, the SOCKS Proxy always interprets this setting as: exclusive-connection enable="yes".

known-hosts

This element specifies different ways for storing the host keys of known server hosts. On z/OS (only), it can contain key-store elements.

This element can be used:

To specify the location of an OpenSSH-style known-hosts file that contains the public-key data of known server hosts.
To specify the directory that contains the public-key data or public-key files of known server hosts.
(On z/OS) To specify a SAF key store that contains the certificates of known server hosts.

Enter full path to the known-hosts file or to the directory as a value of the path attribute. In addition, you can specify the filename-format attribute that takes values plain and hash.

<known-hosts path="/u/username/.ssh/known_hosts" />
<known-hosts path="/etc/ssh2/hostkeys" />
<known-hosts path="/u/username/.ssh2/hostkeys" />
<known-hosts path="/h/username/hostkeys" filename-format="plain" />

Server hostkeys are searched from 'known-hosts' paths in the order they are specified in the configuration. If no known-hosts directory is specified, the default directories are searched. See the section called “Files” for the default locations.

New host keys are always stored to the last specified directory. If no directory is specified, the new host keys are stored to the default location.

The filename-format attribute affects the file name of the stored hostkey. plain means that the file name format is key_port_host.pub, for example "key_22_my.example.com.pub". With value hash, the file name format is keys_hash, for example "keys_182166d2efe5a134d3fb948646e0b48f780bff6c". The default is hash.

key-store

This element defines an external key store for certificates of known server hosts. Currently it is used only on z/OS for server certificates stored in System Authorization Facility (SAF).

The known-hosts/key-store element has two attributes: type and init.

The type attribute defines the key store type. Currently the only supported type is "zos-saf".

The init attribute is the key-store-provider-specific initialization info.

For key store configuration examples, see the section called “Key Store Configuration Examples”.

extended

This element is reserved for future use.

Key Store Configuration Examples

Software Provider

The software provider handles key pairs stored on disk in standard Secure Shell v2 or legacy OpenSSH formats and X.509 certificates stored in native X.509, PKCS#7, and PKCS#12 formats.

To add a single key file (for example, /u/exa/keys/enigma and /etc/my_key), specify both the private key file and the public key file:

<key-stores>
  <key-store type="software" 
             init="key_files(/u/exa/keys/enigma.pub,/u/exa/keys/enigma)" />
  <key-store type="software" 
             init="key_files(/etc/my_key.pub,/etc/my_key)" />
</key-stores>

To add all keys from a specific directory (for example all keys from /u/exa/keys and /etc/keys):

<key-stores>
  <key-store type="software" 
             init="directory(path(/u/exa/keys))" />
  <key-store type="software" 
             init="directory(path(/etc/keys))" />
</key-stores>

z/OS SAF Provider

The zos-saf provider is used for accessing keys stored in the IBM z/OS System Authorization Facility (SAF).

The initialization string for the zos-saf provider specifies the key(s) to be used and it has the following components:

{KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}... [TRUST-ANCHORS]

KEYS(..) may repeat. The subattributes are:

ID: A SAF user ID signifying the owner of the key ring. If missing, the current user's ID is used.
RING: Key ring name. Mandatory.
LABEL: The SAF key label. If missing, and DEFAULT is missing, use all the keys in the key ring.
DEFAULT: Use the key that is marked as the default key on the key ring. Do not specify together with LABEL.
TRUST-ANCHORS: Specifies that the certificates in the key ring are trusted CA certificates.

Specifying CA certificates stored in SAF as trusted for server authentication:

<cert-validation>
...         
  <key-store type="zos-saf"
             init="KEYS(ID(SSHD2) RING(SSH-HOSTCA)) TRUST-ANCHORS"
             disable-crls="no"
             use-expired-crls="100" />
</cert-validation>

Specifying server certificates stored in SAF for server authentication:

<known-hosts>
...
  <key-store type="zos-saf" 
             init="KEYS(ID(USER) RING(SSH-HOSTKEYS))" />
</known-hosts>

Specifying user certificates stored in SAF for user authentication:

<key-stores>
 <key-store type="zos-saf" 
            init="KEYS(ID(%U) RING(%U))" />
</key-stores>

The `default-settings` Element

The default-settings element defines the default connection-related settings. Profile-specific settings can override these settings. See the section called “The profiles Element”.

The default-settings element can contain zero or one instance of the following elements in the listed order: ciphers, macs, transport-distribution, rekey, authentication-methods, hostbased-default-domain, compression, proxy, idle-timeout, exclusive-connection, server-banners, forwards, extended, server-authentication-methods.

ciphers

This element defines the ciphers that the client will propose to the server. The ciphers element can contain multiple cipher elements.

The ciphers are tried in the order they are specified.

cipher

This element selects a cipher name that the client requests for data encryption.

The supported ciphers are 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, arcfour, blowfish-cbc, twofish-cbc, twofish128-cbc, twofish192-cbc, twofish256-cbc, seed-cbc@ssh.com, and none (no encryption).

The default ciphers used by the Connection Broker are, in order: aes128-cbc, aes192-cbc, aes256-cbc, 3des, and seed-cbc@ssh.com.

<ciphers>
  <cipher name="aes128-cbc" />
  <cipher name="3des-cbc" />
</ciphers>

macs

This element defines the MACs that the client will propose to the server. The macs element can contain multiple mac elements.

The MACs are tried in the order they are specified.

mac

This element selects a MAC name that the client requests for data integrity verification.

The supported MAC algorithms are hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, and none (no data integrity verification).

The default MACs used by the Connection Broker are, in order: hmac-md5 and hmac-sha1.

<macs>
  <mac name="hmac-sha1" />
</macs>

transport-distribution

This setting defines the number of transport channels used by the Secure Shell connection. Using more than one transport may increase the throughput over low bandwidth connections.

The number of transports is given as value of the num-transports attribute. Currently, a value of 1 to 8 transports is supported. On Unix, the default is 1 transport.

<transport-distribution num-transports="1" />

rekey

This element specifies the number of transferred bytes after which the key exchange is done again. The value "0" turns rekey requests off. This does not prevent the server from requesting rekeys, however. The default is 1000000000 (1 GB).

<rekey bytes="1000000000" />

authentication-methods

This element specifies the authentication methods that are requested by the SSH Tectia client components. The authentication-methods element can contain one of each: auth-hostbased, auth-password, auth-publickey, auth-gssapi, and auth-keyboard-interactive. Alternatively, you can specify multiple authentication-method elements. The order of these elements is free.

The authentication methods are tried in the order the auth-* or authentication-method elements are listed. This means that the least interactive methods should be placed first.

authentication-method

This element specifies an authentication method name. It is included for backwards compatibility. Use the auth-* elements instead.

auth-hostbased

This element specifies that host-based authentication will be used.

The auth-hostbased element takes the local-hostname element with attribute name to specify a name that will be advertised to the remote server. The remote server can use the client host name as a hint when locating the public key for the client host. This information is not significant to the authentication result, but makes it faster to find the relevant client host key, if the server has such a big storage of host identities, that trying them all would be infeasible.

auth-password

This element specifies that password authentication will be used.

The auth-password element takes the password element with attribute file to specify a password or a password file to be used in authentication.

Notice, that any password given on the command line will override this setting.

auth-publickey

This element specifies that public-key authentication will be used.

auth-keyboard-interactive

This element specifies that keyboard-interactive methods will be used in authentication.

auth-gssapi

This element specifies that GSSAPI will be used in authentication.

	Note
	GSSAPI authentication is not available on z/OS.

<authentication-methods>
  <auth-hostbased>
          <local-hostname name="host.example.com" />
  </auth-hostbased>
  <auth-gssapi />
  <auth-publickey />
  <auth-keyboard-interactive />
  <auth-password>
          <password file="/path/filename" />
  </auth-password>
</authentication-methods>

hostbased-default-domain

This element specifies the host's default domain name (as name). This element is used to make sure the fully qualified domain name (FQDN) of the client host is transmitted to the server when using host-based user authentication.

	Note
	This element is not used by SSH Tectia Server 6.0 for IBM z/OS. Instead the `DefaultDomain` keyword of `ssh2_config` is used for the same purpose. See SSH Tectia Server for IBM z/OS Administrator Manual for more information.

compression

This element specifies whether to use compression on all traffic. When activated, the compression is applied to all transferred data on-the-fly; note that this is different from compressing files for the duration of the transfer.

The name of the compression algorithm and the compression level can be given as attributes. The name attribute can be defined as none (compression not used) or zlib, currently the only supported algorithm. By default, compression is not used.

The level attribute can be given an integer from 0 to 9. The default compression level is 6, when compression is activated but no level is given.

Example: to activate compression on the maximum level, make the following setting:

<compression name="zlib" level="9" />

Compression can also be activated per connection when using the sshg3 command-line tool. For information, see sshg3(1).

proxy

This element defines rules for HTTP proxy or SOCKS servers the client will use for connections. It has a single attribute: ruleset.

The format of the attribute value is a sequence of rules delimited by semicolons (;). Each rule has a format that resembles the URL format. In a rule, the connection type is given first. The type can be direct, socks, socks4, socks5, or http-connect (socks is a synonym for socks4). This is followed by the server address and port. If the port is not given, the default ports 1080 for SOCKS and 80 for HTTP are used.

After the address, zero or more conditions delimited by commas (,) are given. The conditions can specify IP addresses or DNS names.

direct:///[cond[,cond]...]
socks://server/[cond[,cond]...]
socks4://server/[cond[,cond]...]
socks5://server/[cond[,cond]...]
http-connect://server/[cond[,cond]...]

The IP address/port conditions have an address pattern and an optional port range:

ip_pattern[:port_range]

The ip_pattern may have one of the following forms:

a single IP address x.x.x.x
an IP address range of the form x.x.x.x-y.y.y.y
an IP sub-network mask of the form x.x.x.x/y

The DNS name conditions consist of a hostname which may be a regular expression containing the characters "*" and "?" and a port range:

name_pattern[:port_range]

An example proxy element is shown below. It causes the server to access the callback address and the ssh.com domain directly, access *.example with HTTP CONNECT, and all other destinations with SOCKS4.

<proxy ruleset="direct:///127.0.0.0/8,*.ssh.com;
                http-connect://http-proxy.ssh.com:8080/*.example;
                socks://fw.ssh.com:1080/" />

idle-timeout

This element specifies how long idle time (after all connection channels are closed) is allowed for a connection before automatically closing the connection. The time is given in seconds. The type is always connection.

The default setting is 5 seconds. Setting a longer time allows the connection to the server to remain open even after a session (for example, sshg3) is closed. During this time, a new session to the server can be initiated without re-authentication. Setting the time to 0 (zero) terminates the connection immediately when the last channel to the server is closed.

<idle-timeout time="5" />

exclusive-connection

server-banners

This element defines whether the server banner message file (if it exists) is visible to the user before login. The word yes or no is given as the value of the visible attribute. The default is yes.

To eliminate server banners:

<server-banners visible="no" />

forwards

This element contains forward elements that define whether X11 or agent forwarding (tunneling) are allowed on the client side.

	Note
	X11 forwarding is not available on z/OS.

forward

This element defines X11 or agent forwarding settings.

The type attribute defines the forwarding type (either x11 or agent). The state attribute sets the forwarding on, off, or denied. If the forwarding is set as denied, the user cannot enable it on the command-line.

An example forward configuration, which denies X11 forwarding and allows agent forwarding globally, is shown below:

<forwards>
  <forward type="x11" state="denied" />
  <forward type="agent" state="on" />
</forwards>

extended

This element is reserved for future use.

server-authentication-methods

This element can be used to force the Connection Broker to use only certain methods in server authentication. This element can contain up to two authentication-method elements.

authentication-method

The server-authentication-methods/authentication-method element takes a name attribute with values certificate or publickey.

If only certificate is specified, server certificate is needed. If no server certificate is received, connection fails.

If only publickey or both certificate and publickey are specified, server certificate is used if present. Otherwise server public key is used.

<server-authentication-methods>
  <authentication-method name="publickey" />
  <authentication-method name="certificate" />
</server-authentication-methods>

remote-environment

This element contains environment elements which define the environment variables to be passed to the server from the client side. The environment variables are then set on the server when requesting a command, shell or subsystem.

Note that the server can restrict the setting of environment variables.

environment

This element defines the name and value of the environment variables, and whether the Connection Broker should process the value. Possible attributes are name, value, and format.

An example remote environment configuration:

<remote-environment>
  <environment name="FOO" value="bar" />
  <environment name="QUX" value="%Ubaz" format="yes" />
  <environment name="ZAPPA" value="%Ubaz" />
</remote-environment>

You can use %U in the value to indicate a user name. When format="yes" is also defined, the Connection Broker processes the %U into the actual user name before sending it to the server.

Let's assume the user name is joedoe in this example. The example configuration results in the following environment variables on the server side, provided that the server allows setting the environment variables:

FOO=bar 
QUX=joedoebaz 
ZAPPA=%Ubaz

You can override the remote environment settings made in the configuration file if you use the sshg3 command with the following arguments on the command-line client: --remote-environment or --remote-environment-format

The `profiles` Element

The profiles element defines the connection profiles for connecting to different servers. It can contain multiple profile elements. Each profile defines the connection rules to one server.

When a profile is used for the connection, the settings in the profile override the default settings. See the section called “The default-settings Element”.

profile

The profile element defines a connection profile. It has the following attributes: id, name, host, port, protocol, connect-on-startup, user, and gateway-profile.

The profile id must be a unique identifier that does not change during the lifetime of the profile.

An additional name can be given to the profile. This is a free-form text string. The name can be used for connecting with the profile on the command line, so define a unique name for each profile.

The host attribute defines the address of the Secure Shell server host and it is a mandatory setting. The address can be either an IP address or a domain name. The value host="*" can be used to prompt the user to enter the host address when starting the session.

An empty value host="" can be used when the profile is used with transparent TCP or FTP tunneling or FTP-SFTP conversion and the host name is taken from the application (filter-engine/rule[@hostname-from-app="yes"]). See rule for details.

The port is a mandatory setting. The default port is 22.

The protocol is a mandatory setting. Currently the only allowed value is secsh2.

If you want to make the connection specified by the profile automatically when the Connection Broker is started, set the value of the connect-on-startup attribute to yes. In this case, give also the user attribute (the username the connection is made with). You also need to set up some form of non-interactive authentication for the connection.

The user attribute specifies the user name for opening the connection. The value "%USERNAME%" can be used to set the user name to the current user. The value user="*" can be used to prompt the user to enter the user name when logging in.

An empty value user="" can be used when the profile is used with transparent FTP tunneling or FTP-SFTP conversion and the user name is taken from the application (filter-engine/rule[@username-from-app="yes"]). See rule for details.

The gateway-profile attribute can be used to create nested tunnels. The tunnels defined under the local-tunnel element of the profile, and the tunnels defined under filter-engine and static-tunnels that refer to the profile can be nested. The profile name through which the connection is made is given as the value of the attribute. The first tunnel is created using the gateway host profile and from there the second tunnel is created to the host defined in this profile.

hostkey

This element gives the path to the remote server host public key file as a value of the file attribute.

Alternatively, the public key can be included as a base64-encoded ASCII block.

ciphers

This element defines the ciphers used with this profile. See ciphers for details.

macs

This element defines the MACs used with this profile. See macs for details.

transport-distribution

This element defines the transport distribution for this profile. See transport-distribution for details.

rekey

This element defines the rekeying settings used with this profile. See rekey for details.

authentication-methods

This element defines the authentication methods used with this profile. See authentication-methods for details.

user-identities

This element specifies the identities used in user public-key authentication. In contrast to the key-stores element that specifies all the keys that are available for the Connection Broker, this element can be used to control the keys that are attempted in authentication when this connection profile is used and to specify the order in which they are attempted.

The user-identities element can contain multiple identity elements. When multiple identity elements are used, they are tried out in the order they are listed.

The identity element has the following attributes: identity-file, file, hash, id, and data.

The identity-file attribute specifies that the user identity is read in the identification file used with public-key authentication. Enter the full path to the file if it is located somewhere else than the default identification file directory which is $HOME/.ssh2. See also ssh-broker-g3(1).

The file attribute specifies the path to the public-key file (primarily) or to a certificate. Enter the full path and file name as the value.

The hash attribute is used to enter the hash of the public key that will be used to identify the related private key. The key must be available for the Connection Broker The public key hashes of the available keys can be listed with the ssh-broker-ctl tool. See also ssh-broker-ctl(1).

The id attribute is reserved for future use.

The data attribute is reserved for future use.

An example user-identities element is shown below:

<user-identities>
  <identity identity-file="C:\\ mykey" />
  <identity file="$HOME/user/.ssh2/id_dsa_2048_a" />
  <identity file="C:\\private_keys\id_dsa_2048_a" />
  <identity hash="#a8edd3845005931aaa658b5573609e7d31e23afd" />
</user-identities>

compression

This element defines the compression settings used with this profile. See compression for details.

proxy

This element defines the HTTP proxy and SOCKS server settings used with this profile. See proxy for details.

If gateway-profile has been defined for this profile, the proxy setting is ignored and the default proxy setting or the proxy setting of the gateway profile is used instead.

idle-timeout

This element defines the idle timeout settings used with this profile. See idle-timeout for details.

exclusive-connection

In the Connection Broker configuration, this element defines whether a new connection is opened for each new channel when a connection is made with this profile. This setting takes one attribute enable, with value yes or no. The default is no, meaning that open connections are reused for new channels requested by a client. See also exclusive-connection.

server-banners

This element defines the server banner setting used with this profile. See server-banners for details.

forwards

This element defines the forwards allowed with this profile. See forwards for details.

tunnels

The tunnels element defines the tunnels that are opened when a connection with this profile is made. The element can contain multiple local-tunnel and remote-tunnel elements.

local-tunnel

This element defines a local tunnel (port forwarding) that is opened automatically when a connection is made with the connection profile. It has five attributes: type, listen-port, listen-address, dst-host, dst-port, and allow-relay.

The type attribute defines the type of the tunnel. This can be tcp (default, no special processing), ftp (temporary forwarding is created for FTP data channels, effectively securing the whole FTP session), or socks (SSH Tectia Client/ConnectSecure will act as a SOCKS server for other applications, creating forwards as requested by the SOCKS transaction).

The listen-port attribute defines the listener port number on the local client.

The listen-address attribute can be used to define which network interfaces on the client should be listened. Its value can be an IP address belonging to an interface on the local host. Value 0.0.0.0 listens to all interfaces. The default is 127.0.0.1 (localhost loopback address on the client). Setting any other value requires setting allow-relay="yes".

Whenever a connection is made to the specified listener, the connection is tunneled over Secure Shell to the remote server and another connection is made from the server to a specified destination host and port (dst-host, dst-port). The connection from the server onwards will not be secure, it is a normal TCP connection.

The dst-host and dst-port attributes define the destination host address and port. The value of dst-host can be either an IP address or a domain name. The default is 127.0.0.1 (localhost = server host).

The allow-relay attribute defines whether connections to the listened port are allowed from outside the client host. The default is no. If you use allow-relay="yes", it will check also the listen-address setting.

remote-tunnel

This element defines a remote tunnel (port forwarding) that is opened automatically when a connection is made with the connection profile. It has four attributes: type, listen-port, listen-address, dst-host, dst-port, and allow-relay.

The type attribute defines the type of the tunnel. This can be either tcp (default, no special processing) or ftp (temporary forwarding is created for FTP data channels, effectively securing the FTP session between the client and server).

The listen-port attribute defines the listener port number on the remote server.

The listen-address attribute can be used to define which network interfaces on the server should be listened. Its value can be an IP address belonging to an interface on the server host. Value 0.0.0.0 listens to all interfaces. The default is 127.0.0.1 (localhost loopback address on the server). Setting any other value requires that allow-relay="yes".

Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the local client and another connection is made from the client to a specified destination host and port (dst-host, dst-port). The connection from the client onwards will not be secure, it is a normal TCP connection.

The allow-relay attribute defines whether connections to the listener port are allowed from outside the server host. The default is no.

extended

This element is reserved for future use.

remote-environment

This element defines the remote environment settings used with this profile. Within the remote-environment element, define an environment element for each environment variable to be passed to the server. See remote-environment for details.

server-authentication-methods

This element defines the server authentication methods allowed with this profile. See server-authentication-methods for details.

An example connection profile is shown below:

<profile name="rock"
         id="id1"
         host="rock.example.com"
         port="22"
         connect-on-startup="no"
         user="doct">

  <hostkey file="key_22_rock.pub">
  </hostkey>

  <authentication-methods>
    <authentication-method name="publickey" />
    <authentication-method name="password" />
  </authentication-methods>

  <server-banners visible="yes" />

  <forwards>
    <forward type="agent" state="on" />
    <forward type="x11" state="on" />
  </forwards>

  <tunnels>
    <local-tunnel type="tcp"
                  listen-port="143"
                  dst-host="imap.example.com"
                  dst-port="143"
                  allow-relay="no" />
  </tunnels>

  <remote-environment>
    <environment name="FOO" value="bar" />
    <environment name="QUX" value="%Ubaz" format="yes" />
    <environment name="ZAPPA" value="%Ubaz" />
  </remote-environment>

</profile>

The `static-tunnels` Element

The static-tunnels setting is used to configure the behaviour of the automatic tunnels. You can create listeners for local tunnels automatically when the Connection Broker starts up. The actual tunnel is formed the first time a connection is made to the listener port. If the connection to the server is not open at that time, it will be opened automatically as well.

The static-tunnels element can contain any number of tunnel elements.

tunnel

The tunnel element specifies a static tunnel. It has the following attributes: type, listen-port, listen-address, dst-host, dst-port, allow-relay, and profile.

The type attribute defines the type of the tunnel. This can be either tcp, ftp, or socks-proxy.

tcp specifies a listener for generic TCP tunneling
ftp specifies a listener for FTP tunneling (also the FTP data channels are tunneled)
socks-proxy specifies a listener that acts as a SOCKS proxy towards the client applications. The traffic coming to the proxy is filtered using filter rules. When this option is used, a filter-engine element must be defined. See the section called “The filter-engine Element”.

The listen-port attribute defines the listener port number on the local client.

The allow-relay attribute defines whether connections to the listened port are allowed from outside the client host. The default is no.

The profile attribute specifies the connection profile id that is used for the tunnel.

<static-tunnels>
  <tunnel type="tcp"
          listen-address="127.0.0.1"
          listen-port="9000"
          dst-host="st.example.com"
          dst-port="9000"
          allow-relay="no"
          profile="id1" />
</static-tunnels>

The `filter-engine` Element

The filter-engine element defines the filter rules for FTP-SFTP conversion and transparent FTP tunneling. On z/OS, also the static-tunnels element with a socks-proxy tunnel needs to be defined for the transparent FTP security to work.

	Note
	The SOCKS Proxy reads the `filter-engine` element from the global configuration file (`/opt/tectia/etc/ssh-socks-proxy-config.xml`), if such a file is available. Only when the global configuration file does not contain the `filter-engine` element, this element is read from the user-specific configuration file (`$HOME/.ssh2/ssh-socks-proxy-config.xml`).

The top level element is filter-engine. It has two attributes: ip-generate-start and ftp-filter-at-signs (used with SSH Tectia ConnectSecure, only).

The ip-generate-start attribute defines the start address of the pseudo IP address space. Pseudo IPs are generated by the Connection Broker when applications do the DNS query through the SSH connection capture component.

	Note
	Under the `filter-engine` element there can be any amount of elements `network`, `dns`, `filter`, or `rule`. The order of the elements is important, because the filter engine uses the elements in the order they were specified in the configuration file.

network

The network element specifies a "location" where SSH Tectia Client/ConnectSecure is running. By using the network element, you can implement location-awareness for SSH Tectia Client/ConnectSecure. It has four attributes: id, address, domain, and ip-generate-start.

The id attribute specifies a unique identifier for the network element. The address attribute specifies the address of the network. It can be missing or empty, in which case it is not used. The domain attribute contains the domain name of the computer. It can also be missing or empty, in which case it is not used. The ip-generate-start attribute defines the start address of the pseudo IP space. If it is defined here, it overrides the ip-generate-start attribute of the filter-engine element.

dns

	Note
	The `dns` element exists for backward-compatibility reasons. Currently the `rule` element is used for the same settings.

The dns element creates a DNS rule for the filter engine. It has six attributes: id, network-id, application, host, ip-address, and pseudo-ip. For their descriptions, see rule below.

filter

	Note
	The `filter` element exists for backward-compatibility reasons. Currently the `rule` element is used for the same settings.

The filter element specifies an action for a connection. It has the following attributes: dns-id, ports, action, profile-id, destination, destination-port, fallback-to-plain.

The dns-id attribute is a reference to a dns element.

For the descriptions of the other attributes, see rule below.

rule

The rule element specifies how a filtered connection will be handled. It has the following attributes: application, host, ip-address, pseudo-ip, ports, action, profile-id, destination, destination-port, username, hostname-from-app, username-from-app, fallback-to-plain.

The application attribute can be used to specify one or more applications to which the rule is applied. This can be a regular expression using the egrep syntax. For information on the syntax, see Appendix C.

The host attribute specifies a target hostname. It can be a regular expression using the egrep syntax.

The ip-address attribute specifies the target host IP address. It can be a regular expression using the egrep syntax. If both the hostname and the IP address are defined, the host attribute takes precedence and the ip-address attribute is ignored.

The pseudo-ip setting has the following effects when the ip-address is left empty and the host matches:

When pseudo-ip="yes", the Connection Broker assigns a pseudo IP address for the target host and SSH Tectia Server resolves the real IP address. The pseudo IP addresses should be used when accessing an internal network from the outside, because name resolution for the machines in the internal network is not available from the outside.
When pseudo-ip="no", a normal DNS query is made for the target hostname. The default value is no.

The ports attribute can be a single port or a range. A range is specified with a hyphen between two integers (for example "21-25").

	Note
	For FTP-SFTP conversion, always specify the port unambiguosly if fallback mode is set. Do not use an asterisk (*), because it causes problems in passive mode file transfer when connected to a plaintext FTP server.

The action attribute specifies the action to be done when a filter matches. Its value can be DIRECT, BLOCK, TUNNEL (Windows only), FTP-TUNNEL, or FTP-PROXY.

DIRECT causes the connection to be made directly as plaintext without tunneling or FTP-SFTP conversion.
BLOCK causes the connection to be blocked.
FTP-TUNNEL activates transparent FTP tunneling
FTP-PROXY causes the FTP-SFTP conversion to start and a connection to be made to the Secure Shell SFTP server.

The profile-id attribute can be used to specify the connection profile that defines the connection settings.

If the profile-id attribute is left empty and hostname-from-app="yes" is specified, the Secure Shell connection is made to the server specified by the client application using default settings. If a profile-id is specified and also hostname-from-app="yes" is specified, or the referred profile has * (an asterisk) or empty as the value of the host attribute, the Secure Shell connection is made to the server specified by the client application using the profile settings.

The destination and destination-port attributes can be used to define a static destination address and port number that will be used as the end point of the connection instead of the original address and port given by the application.

The username attribute can be used to define the user name used for connecting to the Secure Shell server, or you can define the path from where the Connection Broker should retrieve the user name.

The hostname-from-app attribute defines whether the Connection Broker should extract the Secure Shell server's host name from data sent by the application, or use a Secure Shell server defined by the connection profile in profile-id. The value is yes or no, and the default is no.

When hostname-from-app="no", the tunnel or FTP-SFTP conversion will be created to the Secure Shell server specified in the connection profile referred in the profile-id attribute. Note that with transparent tunneling, the connection from the Secure Shell server to the final destination application will be unsecured and in plaintext. To achieve end-to-end security, the Secure Shell server should reside on the same host as the application.

When hostname-from-app="yes", the tunnel or FTP-SFTP conversion will be created to the destination server specified by the application. This setting can be used with both FTP and TCP tunneling and FTP-SFTP conversion. When using hostname-from-app="yes", it is no longer necessary to create a separate connection profile for each destination host. Note that this requires that a Secure Shell server is installed to each destination server (or that fallback-to-plain is enabled to allow direct connections to those servers that do not have Secure Shell installed).

The username-from-app attribute defines whether the FTP tunneling or FTP-SFTP conversion extracts the user name from data sent by the FTP application. The value is yes or no. The default is no.

When username-from-app="yes", the user name received from the FTP client application is used. This setting can be used with FTP tunneling and FTP-SFTP conversion. This setting will override any user name settings made in a related connection profile. When username-from-app="no", the user name is taken from the connection profile defined with the profile-id attribute.

The fallback-to-plain attribute can be used to define whether a direct (unsecured) connection is used if creating the tunnel fails or the connection to the Secure Shell server fails. The default value is no. Normally, when the secured connection fails when applying a filter rule, the Connection Broker will return a "host not reachable" error.

	Note
	Do not enable the `fallback-to-plain` and `pseudo-ip` options at the same time. If they both are enabled, and a secure connection fails, the application will try a direct connection with the pseudo IP, which will not work.

The `logging` Element

The logging element changes the logging settings that define the log event severities and logging facilities. The element contains one or more log-events elements.

log-events

This element sets the severity and facility of different logging events. The events have reasonable default values, which are used if no explicit logging settings are made. This setting allows customizing the default values.

For the events, facility and severity can be set as attributes. The events itself should be listed inside the log-events element.

The facility can be normal, daemon, user, auth, local0, local1, local2, local3, local4, local5, local6, local7, or discard. Setting the facility to discard causes the server to ignore the specified log events.

The severity can be informational, notice, warning, error, critical, security-success, or security-failure.

Any events that are not specifically defined in the configuration file will use the default values. The defaults can be overridden for all remaining events by giving an empty log-events element after all other definitions and by setting a severity value for it.