This Appendix contains a quick reference to the elements of the XML-based
configuration files ssh-broker-config.xml
and
ssh-socks-proxy-config.xml
.
The quick reference is divided into four tables:
The tables list the available configuration file elements with their attributes, attribute values (with the default value, if available, marked in bold) and descriptions. The element names in the tables are links that take you to detailed descriptions of the elements in ssh-broker-config(5).
The element hierarchy is expressed with slashes ('/') between parent and child elements.
Table A.1.
Configuration File
Quick Reference - the general
element
Element | Attributes and their values | Description |
---|---|---|
crypto-lib |
mode = "standard|fips"
| Cryptographic library mode: standard or FIPS 140-2 certified. |
cert-validation |
end-point-identity-check = "yes|no|ask"
| Client will verify server's host name or IP address against the server host certificate |
default-domain = domain_name
| Default domain part of the remote system name | |
http-proxy-url = HTTP_proxy
| HTTP proxy for making queries for certificate validity | |
socks-server-url = SOCKS_server
| SOCKS server for making queries for certificate validity | |
max-path-length = number
(default: "10" )
| Maximum length of certification paths when validating certificates | |
cert-validation / ldap-server |
address = LDAP_server_address
| LDAP server address for fetching CRLs and/or subordinate CA certificates |
port = port_number
(default: "389" )
| LDAP server port for fetching CRLs and/or subordinate CA certificates | |
cert-validation / ocsp-responder |
url = URL_address
| OCSP (Online Certificate Status Protocol) responder service address |
validity-period = seconds
(default: "0" )
| Time period during which new OCSP queries for the same certificate are not made (the old result is used) | |
cert-validation / crl-prefetch |
url = LDAP_URL |HTTP_URL |file_URL
| Tectia client tools for z/OS periodically downloads a CRL from this URL |
interval = seconds
(default: "3600" )
| How often the CRL is downloaded | |
cert-validation / dod-pki |
enable = "yes|no"
| Require certificates to be compliant with DoD PKI |
cert-validation / ca-certificate |
name = CA_name
| Name of the certification authority (CA) used in server authentication |
file = path
| Path to the X.509 CA certificate file | |
disable-crls = "yes|no"
| Disable CRL checking | |
use-expired-crls = seconds
(default: "0" )
| Time period for using expired CRLs | |
cert-validation /
key-store
(z/OS only) |
type = "zos-saf"
| CA certificates are stored in an external key store (System Authorization Facility) for server authentication |
init = init_info
| Key-store-provider-specific initialization info | |
disable-crls = "yes|no"
| Disable CRL checking | |
use-expired-crls = seconds
(default: "0" )
| Time period for using expired CRLs | |
key-stores / key-store |
type = "mscapi|pkcs11|software|zos-saf"
| Key store type |
init = init_info
| Key-store-provider-specific initialization info | |
key-stores / user-keys |
directory = path
| Directory where the user private keys are stored |
passphrase-timeout = seconds
(default: "0" )
| Time after which the passphrase-protected private key will time out | |
passphrase-idle-timeout = seconds
(default: "0" )
| Time after which the passphrase-protected private key will time out unless the user accesses or uses the key | |
key-stores / identification |
file = path
| Location of the identification file that defines the user keys |
base-path = path
| Directory where the identification file expects the user private keys to be stored | |
passphrase-timeout = seconds
(default: "0" )
| Time after which the user must enter the passphrase again | |
passphrase-idle-timeout = seconds
(default: "0" )
| Time after which the passphrase times out if there are no user actions | |
user-config-directory |
path = path
(default: "%USER_CONFIG_DIRECTORY%" )
| Non-default location of user-specific configuration files |
file-access-control (Unix only) |
enable = "yes|no"
| Enable checking of file access permissions defined for global and user-specific configuration files and private keys files |
protocol-parameters |
threads = number
(if set to 0 , default value is used)
| The number of threads the protocol library uses (fast path dispatcher threads) |
known-hosts |
path = path
| Non-default location of known hosts file or directory |
file = path
| Location of OpenSSH-style known_hosts file | |
directory = path
| Non-default directory for storing known host keys | |
filename-format = "hash|plain|default"
( "default" = "hash" )
| The format in which new host key files will be stored | |
known-hosts /
key-store
(z/OS only)
| type = "zos-saf" | Certificates of known server hosts are stored in an external key store (System Authorization Facility) |
init = init_info | Key-store-provider-specific initialization info |
Table A.2.
Configuration File
Quick Reference - the default-settings
element
Element | Attributes and their values | Description |
---|---|---|
user = user_name
| Default user name to be used when connecting to remote servers | |
ciphers / cipher |
name = cipher_name
| A cipher that the client requests for data encryption |
macs / mac |
name = MAC_name
| A MAC that the client requests for data integrity verification |
kexs /kex |
name = KEX_name
| A KEX that the client requests for the key exchange method |
hostkey-algorithms /
hostkey-algorithm |
name = hostkey-algorithm_name
| A host key signature algorithm to be used in server authentication with host keys or certificates |
rekey |
bytes = number
(default: "1000000000" (1 GB))
| Number of transferred bytes after which key exchange is done again |
authentication-methods / auth-hostbased |
-
| Host-based authentication will be used |
authentication-methods /
auth-hostbased /
local-hostname |
name = host_name
| Local host name that is advertised to the remote server during host-based authentication |
authentication-methods / auth-password |
-
| Password authentication will be used |
authentication-methods / auth-publickey |
-
| Public-key authentication will be used |
signature-algorithms = comma-separated_list
| Public-key signature algorithms used for client authentication | |
authentication-methods / auth-publickey /
key-selection |
policy = "automatic|interactive-shy"
| Key selection policy used by the client when proposing user public keys to the server |
authentication-methods / auth-publickey /
key-selection / public-key |
type = "plain|certificate"
(by default, both are tried) | Only plain public keys or only certificates are tried during public-key authentication |
authentication-methods / auth-publickey /
key-selection / issuer-name |
name = certificate_issuer_name
| Client-side user certificates can be filtered by comparing this name to the certificate issuers requested or accepted by the server |
match-server-certificate = "yes|no"
| The Connection Broker tries matching the user certificate issuer name to the server certificate issuer name | |
authentication-methods / auth-gssapi |
-
| GSSAPI will be used in authentication |
dll-path = path (ignored on Windows) | Location of the necessary GSSAPI libraries | |
allow-ticket-forwarding = "yes|no"
| Allow forwarding the Kerberos ticket over several connections | |
authentication-methods / auth-keyboard-interactive |
-
| Keyboard-interactive methods will be used in authentication |
hostbased-default-domain |
name = domain_name
| Host's default domain name that is appended to the short host name before transmitting it to the server |
compression |
name = "none|zlib"
| Compress the data that the client sends |
level = [0 to 9]
(default: "0" ( = level 6 ))
| For zlib , compression level. | |
proxy |
ruleset = rule_sequence
| Rules for HTTP proxy or SOCKS servers the client will use for connections |
idle-timeout |
type = "connection"
| Idle timeout is always defined for connections |
time = seconds
(default: "5" )
| Idle time (after all connection channels are closed) allowed for a connection before automatically closing the connection | |
tcp-connect-timeout |
time = seconds
(default: "5" )
| Timeout for TCP connections (after which connection attempts to a Secure Shell server are stopped if the remote host is down or unreachable) |
keepalive-interval |
time = seconds
(default: "0" )
| Time interval for sending keepalive messages to the Secure Shell server |
exclusive-connection |
enable = "yes|no"
| A new connection is opened for each new channel |
server-banners |
visible = "yes|no"
| Show server banner message file (if it exists) to the user before login |
forwards / forward |
type = "x11|agent"
| Forwarding type |
state = "on|off|denied"
| Set forwarding on or off, or deny it | |
remote-environment / environment |
name = env_var_name
| Name of an environment variable that is to be passed to the server from the client side |
value = string
| Value of the environment variable | |
format = "yes|no"
| The Connection Broker processes Tectia-specific special variables in value
(e.g. %U% ) | |
server-authentication-methods /
auth-server-certificate |
-
| Use certificates for server authentication |
server-authentication-methods /
auth-server-publickey |
-
| Use public host keys for server authentication |
policy = "strict|ask|tofu|advisory"
| Policy for handling unknown server host keys | |
authentication-success-message |
enable = "yes|no"
| Output and log the AuthenticationSuccessMsg messages |
sftpg3-mode |
compatibility-mode = "tectia|ftp|openssh"
| Behavior of sftpg3 when transferring files |
terminal-selection |
selection-type = "select-words|select-paths"
| Behavior of the Tectia terminal when the user selects text with double-clicks |
terminal-bell |
bell-style = "none|pc-speaker|system-default"
| Tectia terminal repeats audible notifications from destination (Unix) server |
close-window-on-disconnect |
enable = "yes|no"
| Tectia terminal window is to be closed while disconnecting from a server session by pressing CTRL+D |
quiet-mode |
enable = "yes|no"
| Make scpg3, sshg3, and sftpg3 suppress warnings, error messages and authentication success messages |
checksum |
type = "yes|no|md5|sha1|md5-force|sha1-force|checkpoint"
| Default setting for comparing checksums |
address-family |
type = "any|inet|inet6"
| IP address family: both, IPv4, or IPv6 |
Table A.3.
Configuration File
Quick Reference - the profiles
element
Element | Attributes and their values | Description |
---|---|---|
profile |
id =
| Unique identifier that does not change during the lifetime of the profile |
name =
| Unique name (free-form text string) that can be used for connecting with the profile on the command line | |
host = IP_address|FQDN|short_hostname
| Secure Shell server host address | |
port = port_number
(default: "22" )
| Secure Shell server listener port number | |
protocol = "secsh2"
| The communications protocol used by the profile | |
host-type = "default|windows|unix"
| Server type for ASCII (text) file transfer | |
connect-on-startup = "yes|no"
| Connect automatically with the profile when the Connection Broker is started | |
user = user_name
| User name for opening the connection | |
gateway-profile = profile_name
| Create nested tunnels | |
profile / hostkey |
file = path
| Path to the remote server host public key file |
profile / ciphers / cipher |
name = cipher_name
| A cipher used with this profile |
profile / macs / mac |
name = MAC_name
| A MAC used with this profile |
profile / kexs / kex |
name = KEX_name
| A KEX used with this profile |
profile /
hostkey-algorithms /
hostkey-algorithm |
name = hostkey-algorithm_name
| Host key signature algorithm used with this profile |
profile / rekey |
bytes = number
(default: "1000000000" (1 GB))
| Number of transferred bytes after which key exchange is done again when using this profile |
profile / authentication-methods |
Define the authentication methods for this profile using the same child elements as with
default-settings / authentication-methods
(see Table A.2) | |
profile / user-identities /
identity |
identity-file = path
| The user identity is read in the identification file used with public-key authentication |
file = path
| Path to the public-key file (primarily) or to a certificate | |
hash = hash
| Hash of the public key that will be used to identify the related private key | |
profile / compression |
name = "none|zlib"
| Compression settings (for the data that the client sends) used with this profile |
level = [0 to 9]
(default: "0" ( = level 6 ))
| For zlib , compression level. | |
profile / proxy |
ruleset = rule_sequence
| Rules for HTTP proxy or SOCKS servers the client will use for connections with this profile |
profile / idle-timeout |
type = "connection"
| Idle timeout is always defined for connections |
time = seconds
(default: "5" )
| Idle time (after all connection channels are closed) allowed for a connection before automatically closing the connection opened with this profile | |
profile / tcp-connect-timeout |
time = seconds
(default: "5" )
| Timeout for TCP connections with this profile: Connection attempts to a Secure Shell server are stopped after the defined time if the remote host is down or unreachable |
profile / keepalive-interval |
time = seconds
(default: "0" )
| Time interval for sending keepalive messages to the Secure Shell server with this profile |
profile / exclusive-connection |
enable = "yes|no"
| A new connection is opened for each new channel with this profile |
profile / server-banners |
visible = "yes|no"
| Show server banner message file (if it exists) to the user before login with this profile |
profile / forwards / forward |
type = "x11|agent"
| Forwarding type for this profile |
state = "on|off|denied"
| Set forwarding on, off, or deny it (i.e. the user cannot enable it on the command-line) with this profile | |
profile / tunnels /
local-tunnel |
type = "tcp|ftp|socks"
| Type of the local tunnel that is opened automatically when a connection is made with this profile |
listen-address = IP_address
(default: 127.0.0.1 )
| The network interfaces that should be listened on the client | |
listen-port = port_number
| Listener port number on the local client | |
dst-host = IP_address|domain_name
(default: 127.0.0.1 )
| Destination host address | |
dst-port = port_number
| Destination port | |
allow-relay = "yes|no"
| Allow connections to the listened port from outside the client host | |
profile / tunnels /
remote-tunnel |
type = "tcp|ftp"
| Type of the remote tunnel that is opened automatically when a connection is made with this profile |
listen-address = IP_address
(default: 127.0.0.1 )
| The network interfaces that should be listened on the server | |
listen-port = port_number
| Listener port number on the remote server | |
dst-host = IP_address|domain_name
(default: 127.0.0.1 )
| Destination host address | |
dst-port = port_number
| Destination port | |
allow-relay = "yes|no"
| Allow connections to the listener port from outside the server host | |
profile /
remote-environment /
environment |
name = env_var_name
| Name of an environment variable that is to be passed to the server from the client side |
value = string
| Value of the environment variable | |
format = "yes|no"
| The Connection Broker processes Tectia-specific special variables in value
(e.g. %U% ) | |
profile / server-authentication-methods |
Define the server authentication methods allowed with this profile using the same child
elements as with default-settings / server-authentication-methods
(see Table A.2)
| |
profile / password |
string = password
| User password that the client will send as a response to password authentication |
file = password_file
| File containing the password | |
command = path
| Path to a program or script that outputs the password |
Table A.4.
Configuration File
Quick Reference - the static-tunnels
,
filter-engine
,
and logging
elements
Element | Attributes and their values | Description |
---|---|---|
static-tunnels / tunnel |
type = "tcp|ftp"
| Type of the static tunnel |
listen-address = IP_address
(default: 127.0.0.1 )
| The network interfaces that should be listened on the client | |
listen-port = port_number
| Listener port number on the local client | |
dst-host = IP_address|domain_name
(default: 127.0.0.1 )
| Destination host address | |
dst-port = port_number
| Destination port | |
allow-relay = "yes|no"
| Allow connections to the listened port from outside the client host | |
profile = ID
| Connection profile ID that is used for the tunnel | |
filter-engine | ip-generate-start = IPv4_address | Start address of the pseudo IPv4 address space |
ip6-generate-start = IPv6_address | Start address of the pseudo IPv6 address space | |
filter-engine / network | id = ID | Unique identifier for the element |
address = network_address | (Optional) network address | |
domain = domain_name | Domain name of the computer | |
ip-generate-start = IPv4_address | Start address of the pseudo IPv4 address space | |
ip6-generate-start = IPv6_address | Start address of the pseudo IPv6 address space | |
filter-engine / rule | application = application | One or more applications to which the rule is applied. Regular expressions (egrep) can be used. |
host = host_name | Filtered connection's target host name. Regular expressions (egrep) can be used. | |
ip-address = IP_address | Filtered connection's target host IP address. Regular expressions (egrep) can be used. | |
pseudo-ip = "yes|no" | The Connection Broker assigns a pseudo IP address for the target host and Tectia Server resolves the real IP address. | |
ports =
port_number|port_range | Filtered connection's target ports | |
action = "direct|block
|tunnel|ftp-tunnel|ftp-proxy" | The action to be done when a filter matches | |
profile-id = ID | The connection profile that defines the connection settings | |
destination = address | Static destination address that will be used as the end point of the connection | |
destination-port = port_number | Static destination port that will be used as the end point of the connection | |
username = user_name|path | User name used for connecting to the Secure Shell server, or the path from where the user name should be retrieved | |
hostname-from-app = "yes|no" | The Connection Broker should either extract the Secure Shell server's host name
from data sent by the application, or use a Secure Shell server defined by the
connection profile in profile-id . | |
username-from-app = "yes|no" | FTP tunneling or FTP-SFTP conversion extracts the user name from data sent by the FTP application | |
fallback-to-plain = "yes|no" | Direct (unsecured) connection is used if creating the tunnel fails | |
show-sftp-server-banner = yes|no | In FTP-SFTP conversion, make the Connection Broker forward the SFTP server banner to the FTP client | |
logging / log-target |
file = path
| File where the audit data is written to |
type = "file|syslog|discard"
| Logging facility to which audit data is output | |
logging / log-events |
facility = "normal|daemon|user|auth|local0|local1|local2
(On Windows: facility = "normal|discard" )
| Facility of logging event |
severity = "informational|notice|warning|error|
| Severity of logging event | |
logging / log-events / log-target | The same as logging / log-target |