SSH Tectia

Appendix D Broker Configuration File Syntax

The DTD of the broker configuration file is shown below:

<!-- secsh-broker.dtd                                                   -->
<!--                                                                    -->
<!-- Copyright (c) 2004-2007 SSH Communications Security, Finland       -->
<!--               All rights reserved.                                 -->
<!--                                                                    -->
<!-- Document type definition for the Connection Broker XML             -->
<!-- configuration files.                                               -->
<!--                                                                    -->

<!-- The top-level element -->
<!ELEMENT secsh-broker  (general?,default-settings?,profiles?,
                         static-tunnels?,gui?,
                         filter-engine?,logging?)>
<!ATTLIST secsh-broker
          version        CDATA #IMPLIED>

<!-- General element. -->
<!ELEMENT general      (crypto-lib?,cert-validation?,key-stores?,
                        strict-host-key-checking?,host-key-always-ask?,
                        accept-unknown-host-keys?,known-hosts?)>

<!-- Cryptographic library. -->
<!ELEMENT crypto-lib     EMPTY>
<!ATTLIST crypto-lib
          mode  (fips|standard) "standard">

<!-- PKI settings. -->
<!ELEMENT cert-validation      (ldap-server*,ocsp-responder*,crl-prefetch*,
                                dod-pki?, ca-certificate*)>

<!ATTLIST cert-validation
          end-point-identity-check (yes|no|YES|NO) "yes"
          default-domain      CDATA   #IMPLIED
          http-proxy-url      CDATA   #IMPLIED
          socks-server-url    CDATA   #IMPLIED>

<!ELEMENT ldap-server    EMPTY>
<!ATTLIST ldap-server
          address        CDATA #REQUIRED
          port           CDATA "389">

<!ELEMENT ocsp-responder  EMPTY>
<!ATTLIST ocsp-responder
          url             CDATA #REQUIRED
          validity-period CDATA "0">

<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch   EMPTY>
<!ATTLIST crl-prefetch
          interval       CDATA "3600"
          url            CDATA #REQUIRED>

<!-- CA certificates. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
          name            CDATA #REQUIRED
          file            CDATA #IMPLIED
          disable-crls   (yes|no|YES|NO) "no"
          use-expired-crls CDATA "0" >

<!-- Enable DoD PKI compliancy. -->
<!ELEMENT dod-pki        EMPTY>
<!ATTLIST dod-pki
          enable        (yes|no|YES|NO) "no" >

<!ELEMENT key-stores (key-store*)>

<!ELEMENT key-store      EMPTY>
<!ATTLIST key-store
          type           CDATA #REQUIRED
          init           CDATA #IMPLIED>

<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
          enable        (yes|no|YES|NO) #REQUIRED>

<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask
          enable        (yes|no|YES|NO) #REQUIRED>

<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
          enable        (yes|no|YES|NO) #REQUIRED>

<!ELEMENT known-hosts    EMPTY>
<!ATTLIST known-hosts
          path           CDATA #REQUIRED>

<!-- Default settings element. -->
<!ELEMENT default-settings     (ciphers?, macs?,
                                transport-distribution?, rekey?,
                                authentication-methods?,
                            		hostbased-default-domain?,
                                compression?, proxy?, idle-timeout?,
                                server-banners?, forwards?,
                                remote-environment?)>

<!-- Server banners. -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners  
          visible       (yes|no|YES|NO) "yes">

<!-- Ciphers element. -->
<!ELEMENT ciphers       (cipher*)>

<!-- Cipher. -->
<!ELEMENT cipher         EMPTY>
<!ATTLIST cipher
          name           CDATA #REQUIRED>

<!-- Macs element. -->
<!ELEMENT macs          (mac*)>

<!-- Mac. -->
<!ELEMENT mac            EMPTY>
<!ATTLIST mac
          name           CDATA #REQUIRED>

<!ELEMENT rekey          EMPTY>
<!ATTLIST rekey
          bytes          CDATA "0">

<!-- Hostbased default domain. -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
          name           CDATA #REQUIRED>
          
<!-- Authentication methods element. -->
<!ELEMENT authentication-methods (authentication-method*)>

<!-- Remote environment element. -->
<!ELEMENT remote-environment (environment*)>
  <!ELEMENT environment  EMPTY>
  <!ATTLIST environment
            name		     CDATA #REQUIRED
            value        CDATA #REQUIRED
            format	     (yes|no|YES|NO) "no">

<!-- Transport distribution. -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
          num-transports CDATA #REQUIRED>

<!-- Authentication method. -->
<!ELEMENT authentication-method  EMPTY>
<!ATTLIST authentication-method
          name           CDATA #REQUIRED

<!-- Proxy rules. -->
<!ELEMENT proxy  EMPTY>
<!ATTLIST proxy
          ruleset        CDATA #REQUIRED>

<!-- Idle timeout. -->
<!ELEMENT idle-timeout   EMPTY>
<!ATTLIST idle-timeout
          type          (connection) "connection"
          time           CDATA #IMPLIED>

<!-- Forwards element. -->
<!ELEMENT forwards      (forward*)>

<!-- Forward. -->
<!ELEMENT forward        EMPTY>
<!ATTLIST forward
          type          (x11|agent)     #REQUIRED
          state         (on|off|denied) #REQUIRED>

<!-- Compression. -->
<!ELEMENT compression    EMPTY>
<!ATTLIST compression
          name           CDATA #IMPLIED
          level          CDATA #IMPLIED>

<!-- Profiles element. -->
<!ELEMENT profiles      (profile*)>

<!-- Connection profile. -->
<!ELEMENT profile       (hostkey?, ciphers?, macs?,
                         transport-distribution?, rekey?,
                         authentication-methods?,
                         compression?, proxy?, idle-timeout?,
                         server-banners?, forwards?, tunnels?,
                         remote-environment?)>
                         
<!ATTLIST profile
          id             ID #REQUIRED
          name           CDATA #IMPLIED
          host           CDATA #REQUIRED
          port           CDATA "22"
          connect-on-startup (yes|no|YES|NO) "no"
          user           CDATA #IMPLIED
          gateway-profile CDATA #IMPLIED>

<!-- Hostkey. -->
<!ELEMENT hostkey       (#PCDATA)>
<!ATTLIST hostkey
          file           CDATA #IMPLIED>

<!-- Tunnels element. -->
<!ELEMENT tunnels       (local-tunnel*,remote-tunnel*)>

<!-- Local tunnel. -->
<!ELEMENT local-tunnel   EMPTY>
<!ATTLIST local-tunnel
          type           CDATA "tcp"
          listen-port    CDATA #REQUIRED
          dst-host       CDATA "127.0.0.1"
          dst-port       CDATA #REQUIRED
          allow-relay   (yes|no|YES|NO) "no">

<!-- Remote tunnel. -->
<!ELEMENT remote-tunnel  EMPTY>
<!ATTLIST remote-tunnel
          type           CDATA "tcp"
          listen-port    CDATA #REQUIRED
          dst-host       CDATA "127.0.0.1"
          dst-port       CDATA #REQUIRED
          allow-relay   (yes|no|YES|NO) "no">

<!-- Static tunnels element. -->
<!ELEMENT static-tunnels (tunnel*)>

<!-- Static tunnel. -->
<!ELEMENT tunnel         EMPTY>
<!ATTLIST tunnel
          type           CDATA "tcp"
          listen-port    CDATA #REQUIRED
          dst-host       CDATA "127.0.0.1"
          dst-port       CDATA #REQUIRED
          allow-relay   (yes|no|YES|NO) "no"
          profile        CDATA #REQUIRED>

<!-- GUI. -->
<!ELEMENT gui            EMPTY>
<!ATTLIST gui
          hide-tray-icon              (yes|no|YES|NO) #IMPLIED
          show-exit-button            (yes|no|YES|NO) #IMPLIED
          show-admin                  (yes|no|YES|NO) #IMPLIED
          enable-connector            (yes|no|YES|NO) #IMPLIED
          show-security-notification  (yes|no|YES|NO) #IMPLIED>

<!ELEMENT filter-engine      (network|dns|filter)*>
<!ATTLIST filter-engine
          ip-generate-start    CDATA #IMPLIED>
          ftp-filter-at-signs (yes|no|YES|NO) "no">

<!ELEMENT network        EMPTY>
<!ATTLIST network
          id                  ID    #REQUIRED
          address             CDATA #IMPLIED
          domain              CDATA #IMPLIED
          ip-generate-start   CDATA #IMPLIED>

<!ELEMENT dns            EMPTY>
<!ATTLIST dns
          id                  ID    #REQUIRED
          network-id          IDREF #IMPLIED
          application         CDATA #IMPLIED
          host                CDATA #IMPLIED
          ip-address          CDATA #IMPLIED
          pseudo-ip          (yes|no|YES|NO) "no">

<!ELEMENT filter         EMPTY>
<!ATTLIST filter
          dns-id              IDREF #REQUIRED
          ports               CDATA #REQUIRED
          action              CDATA #REQUIRED
          profile-id          CDATA #IMPLIED
          fallback-to-plain  (yes|no|YES|NO) "no">

<!ELEMENT logging            (log-events*)>

<!-- Log events. -->
<!-- Log event facility. -->
<!ENTITY default-log-event-facility    "normal">

<!-- Log event severity. -->
<!ENTITY default-log-event-severity    "notice">

<!ELEMENT log-events    (#PCDATA)>
<!ATTLIST log-events
          facility      (normal|daemon|user|auth|local0|local1|
                         local2|local3|local4|local5|local6|local7|discard)
                         "&default-log-event-facility;"
          severity      (informational|notice|warning|error|critical|
                         security-success|security-failure)
                         "&default-log-event-severity;">