
SSH Tectia

Appendix D Broker Configuration File Syntax

The DTD of the broker configuration file is shown below:

<!-- secsh-broker.dtd                                                   -->
<!--                                                                    -->
<!-- Copyright (c) 2004-2006 SSH Communications Security, Finland       -->
<!--               All rights reserved.                                 -->
<!--                                                                    -->
<!-- Document type definition for the Connection Broker XML             -->
<!-- configuration files.                                               -->
<!--                                                                    -->

<!-- The top-level element -->
<!-- NOTE(review): the content model on the next line is cut off in the
     rendered listing (it ends after "profiles?,"); the remaining children
     and the closing ")>" are not visible here. Confirm the full model
     against the shipped secsh-broker.dtd before relying on it. -->
<!ELEMENT secsh-broker  (general?,default-settings?,profiles?,
<!ATTLIST secsh-broker
          version        CDATA #IMPLIED>

<!-- General element. -->
<!-- NOTE(review): this content model is truncated in the rendered listing
     (it ends after "key-stores?,"). The host key elements declared further
     down (strict-host-key-checking, host-key-always-ask,
     accept-unknown-host-keys, known-hosts) are presumably among the missing
     children; confirm against the shipped DTD. -->
<!ELEMENT general      (crypto-lib?,cert-validation?,key-stores?,

<!-- Cryptographic library selection. The mode attribute is an enumeration
     that defaults to "standard" when omitted, so FIPS mode only takes effect
     when it is requested explicitly. -->
<!ELEMENT crypto-lib EMPTY>
<!ATTLIST crypto-lib mode (fips|standard) "standard">

<!-- PKI settings. -->
<!-- NOTE(review): the content model below is cut off in the rendered
     listing (it ends after "dod-pki?,"); ca-certificate, declared later,
     is presumably among the missing children. Confirm against the shipped
     DTD.
     end-point-identity-check defaults to "yes"; by its name it governs
     whether the certificate subject is matched against the host being
     connected to, so a configuration that sets it to "no" weakens
     certificate validation and deserves review (confirm semantics in the
     product manual). The proxy and SOCKS URLs are optional and untyped
     CDATA; the DTD does not constrain their scheme. -->
<!ELEMENT cert-validation      (ldap-server*,ocsp-responder*,dod-pki?,
<!ATTLIST cert-validation
          end-point-identity-check (yes|no|YES|NO) "yes"
          default-domain      CDATA   #IMPLIED
          http-proxy-url      CDATA   #IMPLIED
          socks-server-url    CDATA   #IMPLIED>

<!-- LDAP server consulted during certificate validation. The address is
     mandatory; the port falls back to 389, the standard LDAP port, when
     not given. -->
<!ELEMENT ldap-server EMPTY>
<!ATTLIST ldap-server address CDATA #REQUIRED
                      port    CDATA "389">

<!-- OCSP responder used for revocation checks. The url is mandatory;
     validity-period is untyped CDATA defaulting to "0" (the unit and the
     meaning of zero are not expressed by the DTD, see the product manual). -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder url             CDATA #REQUIRED
                         validity-period CDATA "0">

<!-- Trusted CA certificate. The certificate may be given either as the
     element's text content (#PCDATA) or through the optional file
     attribute; the DTD does not say which takes precedence if both appear.
     disable-crls defaults to "no"; by its name, setting it to "yes" turns
     off CRL based revocation checking for this CA, which should be treated
     as a deliberate exception and documented. use-expired-crls is untyped
     CDATA with default "0" (confirm its unit in the product manual). -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate name             CDATA #REQUIRED
                         file             CDATA #IMPLIED
                         disable-crls     (yes|no|YES|NO) "no"
                         use-expired-crls CDATA "0">

<!-- DoD PKI compliance switch. Off ("no") unless enabled explicitly. -->
<!ELEMENT dod-pki EMPTY>
<!ATTLIST dod-pki enable (yes|no|YES|NO) "no">

<!-- Key stores: a container holding zero or more key-store entries. -->
<!ELEMENT key-stores (key-store*)>

<!-- A single key store. type is mandatory; init is optional, untyped
     CDATA whose accepted values are not constrained by the DTD. -->
<!ELEMENT key-store EMPTY>
<!ATTLIST key-store type CDATA #REQUIRED
                    init CDATA #IMPLIED>

<!-- Host key policy. Each switch is an empty element with a mandatory
     enable flag: no default is declared, so a configuration that includes
     one of these elements must state yes or no explicitly. None of them is
     referenced by a content model visible in this listing (the <general>
     model is truncated above). -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking enable (yes|no|YES|NO) #REQUIRED>

<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask enable (yes|no|YES|NO) #REQUIRED>

<!-- NOTE(review): by its name this switch accepts host keys that are not
     yet known, which removes the protection host key verification gives
     against a connection being intercepted. enable="yes" in a deployed
     configuration should be treated as a finding; confirm the exact
     semantics in the product manual. -->
<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys enable (yes|no|YES|NO) #REQUIRED>

<!-- Location of the known hosts file; the path is mandatory. -->
<!ELEMENT known-hosts EMPTY>
<!ATTLIST known-hosts path CDATA #REQUIRED>

<!-- Default settings element. Every child is optional and must appear in
     the listed order. authentication-methods, declared later in this file,
     is not part of this model. -->
<!ELEMENT default-settings (ciphers?, macs?, transport-distribution?, rekey?,
                            compression?, proxy?, idle-timeout?,
                            server-banners?, forwards?)>

<!-- Server banners: whether server banners are shown. Visible by default. -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners visible (yes|no|YES|NO) "yes">

<!-- Ciphers: an ordered list of zero or more cipher entries. Element order
     is significant in XML, so the order written here is the preference
     order the file expresses. -->
<!ELEMENT ciphers (cipher*)>

<!-- One cipher entry; the algorithm name is mandatory and unconstrained
     CDATA, so the DTD cannot reject an unknown or weak algorithm name. -->
<!ELEMENT cipher EMPTY>
<!ATTLIST cipher name CDATA #REQUIRED>

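<!-- Macs element: an ordered list of zero or more mac entries. -->
<!ELEMENT macs          (mac*)>

<!-- Mac. -->
<!-- NOTE(review): the rendered listing dropped the "<!ATTLIST mac" line
     that must precede the attribute declaration; restored here, mirroring
     the cipher declaration above, so the DTD is well formed. The name is
     mandatory and unconstrained CDATA. -->
<!ELEMENT mac            EMPTY>
<!ATTLIST mac
          name           CDATA #REQUIRED>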

<!-- Rekey threshold. bytes is untyped CDATA defaulting to "0"; the DTD does
     not say whether zero disables byte based rekeying (see the manual). -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey bytes CDATA "0">

<!-- Authentication methods: an ordered list of zero or more
     authentication-method entries. Not referenced by the default-settings
     or profile content models shown in this listing. -->
<!ELEMENT authentication-methods (authentication-method*)>

<!-- Transport distribution. num-transports is mandatory, untyped CDATA. -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution num-transports CDATA #REQUIRED>

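<!-- Authentication method. -->
<!-- NOTE(review): the closing ">" of this attribute list is missing in the
     rendered listing; restored here so the declaration is well formed.
     The method name is mandatory, unconstrained CDATA. -->
<!ELEMENT authentication-method  EMPTY>
<!ATTLIST authentication-method
          name           CDATA #REQUIRED>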

<!-- Proxy rules. -->
<!-- NOTE(review): the "<!ELEMENT proxy ..." declaration is not visible in
     the rendered listing; only the attribute list survived. proxy is
     referenced by the default-settings and profile models, so the element
     declaration exists in the shipped DTD; confirm its content model there.
     ruleset is mandatory, untyped CDATA. -->
<!ATTLIST proxy
          ruleset        CDATA #REQUIRED>

<!-- Idle timeout. type is an enumeration with the single value
     "connection" (also the default); time is optional, untyped CDATA. -->
<!ELEMENT idle-timeout EMPTY>
<!ATTLIST idle-timeout type (connection) "connection"
                       time CDATA #IMPLIED>

<!-- Forwards: zero or more forward entries. -->
<!ELEMENT forwards (forward*)>

<!-- One forwarding rule. Both attributes are mandatory enumerations: type
     is x11 or agent, state is on, off or denied. The three state values
     are distinct in the DTD; the manual defines how "off" differs from
     "denied". -->
<!ELEMENT forward EMPTY>
<!ATTLIST forward type  (x11|agent)     #REQUIRED
                  state (on|off|denied) #REQUIRED>

<!-- Compression settings. Both the algorithm name and the level are
     optional, untyped CDATA. -->
<!ELEMENT compression EMPTY>
<!ATTLIST compression name  CDATA #IMPLIED
                      level CDATA #IMPLIED>

<!-- Profiles: zero or more connection profiles. -->
<!ELEMENT profiles (profile*)>

<!-- Connection profile. id is an XML ID (unique within the file) and host
     is mandatory; port defaults to "22" and connect-on-startup to "no".
     gateway-profile is plain CDATA rather than IDREF, so the DTD does not
     check that it names an existing profile id. All children are optional
     and ordered. -->
<!ELEMENT profile (hostkey?, ciphers?, macs?, transport-distribution?, rekey?,
                   compression?, proxy?, idle-timeout?, server-banners?,
                   forwards?, tunnels?)>
<!ATTLIST profile id                 ID    #REQUIRED
                  name               CDATA #IMPLIED
                  host               CDATA #REQUIRED
                  port               CDATA "22"
                  connect-on-startup (yes|no|YES|NO) "no"
                  user               CDATA #IMPLIED
                  gateway-profile    CDATA #IMPLIED>

<!-- Expected host key for the profile, given either as text content or
     through the optional file attribute; the DTD does not state which wins
     when both are present. -->
<!ELEMENT hostkey (#PCDATA)>
<!ATTLIST hostkey file CDATA #IMPLIED>

<!-- Tunnels: all local tunnels first, then all remote tunnels (the model
     is a sequence, so the two kinds cannot be interleaved). -->
<!ELEMENT tunnels (local-tunnel*,remote-tunnel*)>

<!-- Local tunnel. listen-port and dst-port are mandatory; type defaults to
     "tcp" and dst-host to the empty string. allow-relay defaults to "no";
     by its name, "yes" lets hosts other than the local one use the listener,
     which widens exposure of the tunnel and should be a conscious choice
     (confirm semantics in the product manual). -->
<!ELEMENT local-tunnel EMPTY>
<!ATTLIST local-tunnel type        CDATA "tcp"
                       listen-port CDATA #REQUIRED
                       dst-host    CDATA ""
                       dst-port    CDATA #REQUIRED
                       allow-relay (yes|no|YES|NO) "no">

<!-- Remote tunnel: same attribute set as local-tunnel. listen-port and
     dst-port are mandatory; type defaults to "tcp", dst-host to the empty
     string and allow-relay to "no". -->
<!ELEMENT remote-tunnel EMPTY>
<!ATTLIST remote-tunnel type        CDATA "tcp"
                        listen-port CDATA #REQUIRED
                        dst-host    CDATA ""
                        dst-port    CDATA #REQUIRED
                        allow-relay (yes|no|YES|NO) "no">

<!-- Static tunnels: zero or more tunnel entries. Not referenced by a
     content model visible in this listing (the top-level model is
     truncated above). -->
<!ELEMENT static-tunnels (tunnel*)>

<!-- Static tunnel: the local-tunnel attribute set plus a mandatory profile
     reference. profile is CDATA rather than IDREF, so the DTD does not
     check that it matches an existing profile id. allow-relay defaults to
     "no". -->
<!ELEMENT tunnel EMPTY>
<!ATTLIST tunnel type        CDATA "tcp"
                 listen-port CDATA #REQUIRED
                 dst-host    CDATA ""
                 dst-port    CDATA #REQUIRED
                 allow-relay (yes|no|YES|NO) "no"
                 profile     CDATA #REQUIRED>

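<!-- GUI. -->
<!-- NOTE(review): the rendered listing dropped the "<!ATTLIST gui" line
     that must precede these attribute declarations; restored here so the
     DTD is well formed. Every flag is optional with no declared default. -->
<!ELEMENT gui            EMPTY>
<!ATTLIST gui
          hide-tray-icon              (yes|no|YES|NO) #IMPLIED
          show-exit-button            (yes|no|YES|NO) #IMPLIED
          show-admin                  (yes|no|YES|NO) #IMPLIED
          enable-connector            (yes|no|YES|NO) #IMPLIED
          show-security-notification  (yes|no|YES|NO) #IMPLIED>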

<!-- Filter engine: any mix of network, dns and filter children in any
     order. ip-generate-start is optional, untyped CDATA. -->
<!ELEMENT filter-engine (network|dns|filter)*>
<!ATTLIST filter-engine ip-generate-start CDATA #IMPLIED>

<!-- Network definition. id is an XML ID; address, domain and
     ip-generate-start are optional, untyped CDATA. -->
<!ELEMENT network EMPTY>
<!ATTLIST network id                ID    #REQUIRED
                  address           CDATA #IMPLIED
                  domain            CDATA #IMPLIED
                  ip-generate-start CDATA #IMPLIED>

          id                  ID    #REQUIRED
          network-id          IDREF #IMPLIED
          application         CDATA #IMPLIED
          host                CDATA #IMPLIED
          ip-address          CDATA #IMPLIED
          pseudo-ip          (yes|no|YES|NO) "no">

<!-- Filter rule. -->
<!-- NOTE(review): the "<!ELEMENT filter ..." declaration is not visible in
     the rendered listing; confirm it against the shipped DTD.
     dns-id is an IDREF, so a validating parser checks that it matches an
     id declared elsewhere in the file; profile-id is plain CDATA and gets
     no such check. ports and action are mandatory, unconstrained CDATA.
     fallback-to-plain defaults to "no"; by its name, "yes" permits the
     connection to proceed without the protection this filter would
     otherwise apply, so it should be an explicit, reviewed exception
     (confirm semantics in the product manual). -->
<!ATTLIST filter
          dns-id              IDREF #REQUIRED
          ports               CDATA #REQUIRED
          action              CDATA #REQUIRED
          profile-id          CDATA #IMPLIED
          fallback-to-plain  (yes|no|YES|NO) "no">

<!-- Logging: zero or more log-events entries. -->
<!ELEMENT logging            (log-events*)>

<!-- Log events. -->
<!-- Log event facility. -->
<!-- Internal entities holding the default facility and severity. Their
     use sites are on the truncated lines below and are not visible in
     this listing. -->
<!ENTITY default-log-event-facility    "normal">

<!-- Log event severity. -->
<!ENTITY default-log-event-severity    "notice">

<!-- NOTE(review): both enumerations below are cut off in the rendered
     listing (each line ends mid list) and the closing ">" of the attribute
     list is missing here. Confirm the complete value lists and defaults
     against the shipped secsh-broker.dtd. -->
<!ELEMENT log-events    (#PCDATA)>
<!ATTLIST log-events
          facility      (normal|daemon|user|auth|local0|local1|
          severity      (informational|notice|warning|error|critical|

