

付録 B. ブローカー設定ファイルの構文

ブローカー設定ファイルの DTD は以下の通りです。

<!-- secsh-broker.dtd                                               -->
<!--                                                                -->
<!-- Copyright (c) 2004-2008 SSH Communications Security, Finland   -->
<!--         All rights reserved.                                   -->
<!--                                                                -->
<!-- Document type definition for the Connection Broker XML         -->
<!-- configuration files.                                           -->
<!--                                                                -->

<!-- The top-level element -->
<!-- Every child is optional, but when present they must appear in the
     order listed (sequence model). -->
<!ELEMENT secsh-broker   (general?,default-settings?,profiles?,
                          static-tunnels?,gui?,
                          filter-engine?,logging?)>
<!-- version: optional free-form CDATA; the DTD does not constrain its
     value. -->
<!ATTLIST secsh-broker
                 version  CDATA #IMPLIED>

<!-- General element. -->
<!-- Broker-wide settings.  All children are optional and ordered.  Note
     that the three host-key policy elements each carry a #REQUIRED
     enable attribute, so the DTD never supplies a policy default; a
     policy is only ever stated explicitly by the configuration. -->
<!ELEMENT general        (crypto-lib?,cert-validation?,key-stores?,
                          strict-host-key-checking?,host-key-always-ask?,
                          accept-unknown-host-keys?,known-hosts?)>

<!-- Cryptographic library. -->
<!-- mode is either "fips" or "standard".  The DTD default is
     "standard", so FIPS mode must be requested explicitly. -->
<!ELEMENT crypto-lib     EMPTY>
<!ATTLIST crypto-lib
                   mode (fips|standard) "standard">

<!-- PKI settings. -->
<!-- Certificate validation sources, in this fixed order: any number of
     ldap-server, ocsp-responder and crl-prefetch entries, an optional
     dod-pki switch, then any number of ca-certificate and key-store
     entries. -->
<!ELEMENT cert-validation   
                         (ldap-server*,ocsp-responder*,
                          crl-prefetch*,dod-pki?,
                          ca-certificate*,key-store*)>

<!-- end-point-identity-check defaults to "yes".  As everywhere in this
     DTD the yes/no enumerations also accept upper-case YES/NO.  The
     remaining attributes are unconstrained CDATA; the two proxy URLs
     are presumably used when fetching CRL/OCSP data - confirm in the
     reference before relying on that. -->
<!ATTLIST cert-validation
                   end-point-identity-check (yes|no|YES|NO) "yes"
                   default-domain            CDATA #IMPLIED
                   http-proxy-url            CDATA #IMPLIED
                   socks-server-url          CDATA #IMPLIED>

<!-- LDAP server consulted during certificate validation.  address is
     required; port defaults to "389". -->
<!ELEMENT ldap-server     EMPTY>
<!ATTLIST ldap-server
                   address         CDATA #REQUIRED
                   port            CDATA "389">

<!-- OCSP responder.  url is required; validity-period defaults to "0".
     The unit and the meaning of 0 are not defined by the DTD - confirm
     in the reference. -->
<!ELEMENT ocsp-responder EMPTY>
<!ATTLIST ocsp-responder
                   url             CDATA #REQUIRED
                   validity-period CDATA "0">

<!-- CRL prefetch. -->
<!-- url is required; interval defaults to "3600" (presumably seconds -
     the DTD does not state the unit). -->
<!ELEMENT crl-prefetch  EMPTY>
<!ATTLIST crl-prefetch
                   interval        CDATA "3600"
                   url             CDATA #REQUIRED>

<!-- CA certificates. -->
<!-- The element content is #PCDATA and there is also an optional file
     attribute; the DTD does not say which wins when both are given.
     name is required.  The defaults keep CRL checking enabled
     (disable-crls "no"); use-expired-crls defaults to "0", presumably
     a grace period - confirm.  The same disable-crls/use-expired-crls
     pair is declared on key-store below. -->
<!ELEMENT ca-certificate (#PCDATA)>
<!ATTLIST ca-certificate
                   name             CDATA #REQUIRED
                   file             CDATA #IMPLIED
                   disable-crls    (yes|no|YES|NO) "no"
                   use-expired-crls CDATA "0" >

<!-- Enable DoD PKI compliancy. -->
<!-- Off unless explicitly enabled (enable defaults to "no"). -->
<!ELEMENT dod-pki          EMPTY>
<!ATTLIST dod-pki
                   enable   (yes|no|YES|NO) "no" >

<!-- Key stores: any mix of key-store, user-keys and identification
     elements, in any order. -->
<!ELEMENT key-stores ((key-store|user-keys|identification)*)>

<!-- A key store: type is required, init is optional and unconstrained.
     Carries the same CRL attributes as ca-certificate, with the same
     defaults (CRL checking on, use-expired-crls "0"). -->
<!ELEMENT key-store EMPTY>
<!ATTLIST key-store
                   type             CDATA #REQUIRED
                   init             CDATA #IMPLIED 
                   disable-crls    (yes|no|YES|NO) "no"
                   use-expired-crls CDATA "0" >
                   

<!-- User key directory.  directory is optional; both passphrase
     timeouts default to "0".  The DTD does not define what 0 means
     (no caching vs. no expiry) - confirm in the reference before
     relying on the default. -->
<!ELEMENT user-keys EMPTY>
<!ATTLIST user-keys
                   directory               CDATA #IMPLIED
                   passphrase-timeout      CDATA "0"
                   passphrase-idle-timeout CDATA "0">

<!-- Identification file: file is required, base-path optional; the
     passphrase timeout attributes mirror user-keys. -->
<!ELEMENT identification EMPTY>
<!ATTLIST identification
                   file                    CDATA #REQUIRED
                   base-path               CDATA #IMPLIED
                   passphrase-timeout      CDATA "0"
                   passphrase-idle-timeout CDATA "0">

<!-- Host-key policy switches.  Each has a #REQUIRED enable attribute,
     so the DTD supplies no default: a configuration that includes one
     of these elements must state yes or no itself. -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
                   enable (yes|no|YES|NO) #REQUIRED>

<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask
                   enable (yes|no|YES|NO) #REQUIRED>

<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
                   enable (yes|no|YES|NO) #REQUIRED>
                   
<!-- Declared alongside the host-key switches but not a child of
     general; it is referenced from default-settings and profile. -->
<!ELEMENT exclusive-connection EMPTY>
<!ATTLIST exclusive-connection
                   enable (yes|no|YES|NO) #REQUIRED>

<!-- Known hosts: zero or more key-store children.  path is optional;
     filename-format selects hashed ("hash", the default) or plain
     file names. -->
<!ELEMENT known-hosts (key-store*)>
<!ATTLIST known-hosts
                   path               CDATA #IMPLIED
                   filename-format   (hash|plain) "hash" >
                   
<!-- Extended plugin configuration -->
<!ELEMENT extended (ext)*>

<!-- NOTE(review): in a mixed-content model the names following #PCDATA
     are element types, so "EMPTY" here is read as a reference to an
     (undeclared) element named EMPTY, not as the EMPTY keyword.  It is
     probably a leftover and validating parsers may warn about it.  ext
     nests recursively and carries a required name. -->
<!ELEMENT ext (#PCDATA | EMPTY | ext)*>
<!ATTLIST ext
                   name CDATA #REQUIRED>
        
<!-- Default settings element. -->
<!-- Connection defaults.  Every child is optional but the order is
     fixed.  The child set overlaps with profile, which additionally
     allows hostkey, user-identities and tunnels and omits
     authentication-success-message and sftpg3-mode. -->
<!ELEMENT default-settings   (ciphers?, macs?,
                             transport-distribution?, rekey?,
                             authentication-methods?,
                             hostbased-default-domain?,
                             compression?, proxy?, idle-timeout?,
                             tcp-connect-timeout?, keepalive-interval?,
                             exclusive-connection?, server-banners?, 
                             forwards?, extended?, remote-environment?,
                             server-authentication-methods?,
                             authentication-success-message?,
                             sftpg3-mode?)>

<!-- Server banners. -->
<!-- visible defaults to "yes". -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners
                   visible (yes|no|YES|NO) "yes">

<!-- Ciphers element. -->
<!-- An ordered list of cipher entries; each needs a name.  The DTD
     does not validate the name against any algorithm list. -->
<!ELEMENT ciphers   (cipher*)>

<!ELEMENT cipher EMPTY>
<!ATTLIST cipher
                   name CDATA #REQUIRED>

<!-- Macs element. -->
<!-- Same shape as ciphers: an ordered list of named mac entries. -->
<!ELEMENT macs   (mac*)>

<!ELEMENT mac   EMPTY>
<!ATTLIST mac
                   name CDATA #REQUIRED>

<!-- Rekey threshold.  bytes defaults to "0"; what 0 means (disabled
     vs. implementation default) is not stated here - confirm. -->
<!ELEMENT rekey EMPTY>
<!ATTLIST rekey
                   bytes CDATA "0">

<!-- Hostbased default domain. -->
<!-- name is required. -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
                   name CDATA #REQUIRED>

<!-- Authentication methods element. -->
<!-- Any number of the listed method elements in any order: the generic
     authentication-method (selected by name) or one of the dedicated
     auth-* elements declared below. -->
<!ELEMENT authentication-methods  (authentication-method|auth-hostbased
                                  |auth-password|auth-publickey|auth-gssapi
                                  |auth-keyboard-interactive)*>

<!-- Server-side authentication methods: only the generic named form. -->
<!ELEMENT server-authentication-methods (authentication-method*)>

<!-- Environment variables passed to the remote side (inferred from the
     element name - confirm).  Each environment entry requires both
     name and value; format defaults to "no". -->
<!ELEMENT remote-environment (environment*)>

<!ELEMENT environment EMPTY>
<!ATTLIST environment
                   name    CDATA #REQUIRED
                   value   CDATA #REQUIRED
                   format (yes|no|YES|NO) "no">

<!-- Transport distribution. -->
<!-- num-transports is required and unconstrained CDATA. -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
                   num-transports  CDATA #REQUIRED>

<!-- Authentication method. -->
<!-- Generic method entry selected by a required name. -->
<!ELEMENT authentication-method   EMPTY>
<!ATTLIST authentication-method
                   name   CDATA #REQUIRED>
                    
<!-- Hostbased authentication; may carry one local-hostname override,
     whose name is required. -->
<!ELEMENT auth-hostbased   (local-hostname?)>
<!ELEMENT local-hostname EMPTY>
<!ATTLIST local-hostname 
                   name   CDATA #REQUIRED>

<!-- The remaining dedicated method elements take no content and no
     attributes; presence alone enables the method. -->
<!ELEMENT auth-password EMPTY>

<!ELEMENT auth-publickey EMPTY>

<!ELEMENT auth-keyboard-interactive EMPTY>

<!ELEMENT auth-gssapi EMPTY>

<!-- User identities. -->
<!ELEMENT user-identities (identity*)>

<!-- A single identity.  Every attribute is #IMPLIED, so the DTD alone
     does not require any selector (file, hash, id or data) to be
     present; which attributes are mutually exclusive is not expressed
     here - confirm in the reference. -->
<!ELEMENT identity EMPTY>
<!ATTLIST identity
                   identity-file CDATA #IMPLIED
                   file          CDATA #IMPLIED
                   hash          CDATA #IMPLIED
                   id            CDATA #IMPLIED
                   data          CDATA #IMPLIED>

<!-- Proxy rules. -->
<!-- ruleset is required; its syntax is not described by the DTD. -->
<!ELEMENT proxy   EMPTY>
<!ATTLIST proxy
                   ruleset   CDATA #REQUIRED>

<!-- Idle timeout. -->
<!-- type has a single allowed value, "connection", which is also the
     default; time is optional and unconstrained (unit not stated). -->
<!ELEMENT idle-timeout EMPTY>
<!ATTLIST idle-timeout
                   type  (connection) "connection"
                   time   CDATA #IMPLIED>
                   
<!-- Connect timeout. -->
<!-- time is optional; no DTD default. -->
<!ELEMENT tcp-connect-timeout EMPTY>
<!ATTLIST tcp-connect-timeout
                   time   CDATA #IMPLIED>

<!-- Keepalive interval. -->
<!-- time is optional; no DTD default. -->
<!ELEMENT keepalive-interval EMPTY>
<!ATTLIST keepalive-interval
                   time   CDATA #IMPLIED>

<!-- Forwards element. -->
<!-- Each forward names a type (x11 or agent) and a state; both are
     required.  "denied" is a distinct state from "off". -->
<!ELEMENT forwards   (forward*)>

<!ELEMENT forward   EMPTY>
<!ATTLIST forward
                   type  (x11|agent)     #REQUIRED
                   state (on|off|denied) #REQUIRED>


<!-- Compression. -->
<!-- name and level are both optional and unconstrained. -->
<!ELEMENT compression   EMPTY>
<!ATTLIST compression
                   name   CDATA #IMPLIED
                   level  CDATA #IMPLIED>

<!-- Authentication success message: shown unless disabled (enable
     defaults to "yes"). -->
<!ELEMENT authentication-success-message EMPTY>
<!ATTLIST authentication-success-message
                   enable (yes|no|YES|NO) "yes">

<!-- sftpg3 compatibility mode; defaults to "tectia".  Other accepted
     values are not enumerated by the DTD. -->
<!ELEMENT sftpg3-mode EMPTY>
<!ATTLIST sftpg3-mode
                   compatibility-mode CDATA "tectia">

<!-- Profiles element. -->
<!ELEMENT profiles   (profile*)>

<!-- Connection profile. -->
<!-- Per-host settings; same ordered optional children as
     default-settings plus hostkey, user-identities and tunnels. -->
<!ELEMENT profile       (hostkey?, ciphers?, macs?,
                         transport-distribution?, rekey?,
                         authentication-methods?,
                         user-identities?,
                         compression?, proxy?, idle-timeout?,
                         tcp-connect-timeout?, keepalive-interval?,
                         exclusive-connection?, server-banners?, 
                         forwards?, tunnels?, extended?, 
                         remote-environment?,
                         server-authentication-methods?)>

<!-- id is an XML ID: it must be unique across the whole document,
     sharing one namespace with the network and dns ids.  host is
     required; port defaults to "22" and protocol to "secsh2";
     connect-on-startup defaults to "no".  gateway-profile is plain
     CDATA rather than IDREF, so the DTD does not check that it names
     an existing profile id (contrast dns/network-id). -->
<!ATTLIST profile
                   id        ID #REQUIRED
                   name      CDATA #IMPLIED
                   host      CDATA #REQUIRED
                   port      CDATA "22"
                   protocol  CDATA "secsh2"
                   connect-on-startup (yes|no|YES|NO) "no"
                   user                CDATA #IMPLIED
                   gateway-profile     CDATA #IMPLIED>

<!-- Hostkey. -->
<!-- Host key given inline as #PCDATA or via the optional file
     attribute; precedence when both are present is not stated. -->
<!ELEMENT hostkey   (#PCDATA)>
<!ATTLIST hostkey
                   file   CDATA #IMPLIED>

<!-- Tunnels element. -->
<!-- Sequence model: all local-tunnel entries come before any
     remote-tunnel entries. -->
<!ELEMENT tunnels   (local-tunnel*,remote-tunnel*)>

<!-- Local tunnel. -->
<!-- listen-port and dst-port are required.  Defaults: type "tcp",
     listen-address and dst-host "127.0.0.1" (loopback), allow-relay
     "no".  Widening listen-address beyond loopback or enabling
     allow-relay exposes the tunnel endpoint to other hosts and should
     be a deliberate, reviewed choice; the DTD itself does not restrict
     either value. -->
<!ELEMENT local-tunnel   EMPTY>
<!ATTLIST local-tunnel
                   type            CDATA "tcp" 
                   listen-address  CDATA "127.0.0.1" 
                   listen-port     CDATA #REQUIRED 
                   dst-host        CDATA "127.0.0.1" 
                   dst-port        CDATA #REQUIRED
                   allow-relay    (yes|no|YES|NO) "no">

<!-- Remote tunnel. -->
<!-- Identical attribute set and defaults to local-tunnel. -->
<!ELEMENT remote-tunnel   EMPTY>
<!ATTLIST remote-tunnel
                   type           CDATA "tcp" 
                   listen-address CDATA "127.0.0.1" 
                   listen-port    CDATA #REQUIRED 
                   dst-host       CDATA "127.0.0.1" 
                   dst-port       CDATA #REQUIRED 
                   allow-relay   (yes|no|YES|NO) "no">

<!-- Static tunnels element. -->
<!ELEMENT static-tunnels   (tunnel*)>

<!-- Static tunnel. -->
<!-- Same attributes and defaults as local-tunnel/remote-tunnel
     (loopback listen address, allow-relay "no"), plus a required
     profile.  profile is CDATA, not IDREF, so the DTD does not verify
     that it matches a declared profile id. -->
<!ELEMENT tunnel   EMPTY>
<!ATTLIST tunnel
                   type           CDATA "tcp"
                   listen-address CDATA "127.0.0.1"
                   listen-port    CDATA #REQUIRED
                   dst-host       CDATA "127.0.0.1"
                   dst-port       CDATA #REQUIRED
                   allow-relay   (yes|no|YES|NO) "no"
                   profile        CDATA #REQUIRED>

<!-- GUI. -->
<!-- All switches are optional yes/no values with no DTD default; the
     behaviour when an attribute is absent is decided by the
     application, not here. -->
<!ELEMENT gui EMPTY>
<!ATTLIST gui
                   hide-tray-icon    (yes|no|YES|NO) #IMPLIED
                   show-exit-button  (yes|no|YES|NO) #IMPLIED
                   show-admin        (yes|no|YES|NO) #IMPLIED
                   enable-connector  (yes|no|YES|NO) #IMPLIED
               show-security-notification (yes|no|YES|NO) #IMPLIED>

<!-- Filter engine: any mix of network, dns, filter and rule elements
     in any order.  ftp-filter-at-signs defaults to "no". -->
<!ELEMENT filter-engine (network|dns|filter|rule)*>
<!ATTLIST filter-engine
                   ip-generate-start    CDATA #IMPLIED
                   ftp-filter-at-signs (yes|no|YES|NO) "no">

<!-- Network definition.  id is an XML ID (document-unique, shared
     namespace with profile and dns ids); it is what dns/network-id
     refers to. -->
<!ELEMENT network EMPTY>
<!ATTLIST network
                   id                ID    #REQUIRED
                   address           CDATA #IMPLIED
                   domain            CDATA #IMPLIED
                   ip-generate-start CDATA #IMPLIED>

<!-- DNS entry.  id is a required XML ID; network-id is an IDREF, so
     when present it must match an ID declared somewhere in the
     document (a validating parser enforces this).  pseudo-ip defaults
     to "no". -->
<!ELEMENT dns EMPTY>
<!ATTLIST dns
                   id                ID    #REQUIRED
                   network-id        IDREF #IMPLIED
                   application       CDATA #IMPLIED
                   host              CDATA #IMPLIED
                   ip-address        CDATA #IMPLIED
                   pseudo-ip        (yes|no|YES|NO) "no">

<!-- Filter bound to a dns entry.  dns-id is a required IDREF (must
     resolve to a declared ID); ports and action are required.  action
     accepts lower- or upper-case spellings of the same five values.
     profile-id is plain CDATA, so the DTD does not check it against a
     profile id.  fallback-to-plain defaults to "no"; what "plain"
     fallback means operationally is not defined here - confirm before
     enabling it. -->
<!ELEMENT filter EMPTY>
<!ATTLIST filter
                   dns-id             IDREF #REQUIRED
                   ports              CDATA #REQUIRED
                   action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
                           BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)
                                            #REQUIRED
                   profile-id         CDATA #IMPLIED
                   destination        CDATA #IMPLIED
                   destination-port   CDATA #IMPLIED
                   fallback-to-plain (yes|no|YES|NO) "no">

<!-- Stand-alone rule: like filter but matched on the inline
     application/host/ip-address attributes instead of a dns-id.  Only
     ports and action are required.  hostname-from-app,
     username-from-app, pseudo-ip and fallback-to-plain all default to
     "no". -->
<!ELEMENT rule EMPTY>
<!ATTLIST rule
                   application        CDATA #IMPLIED
                   host               CDATA #IMPLIED
                   ip-address         CDATA #IMPLIED
                   pseudo-ip         (yes|no|YES|NO) "no"
                   ports              CDATA #REQUIRED
                   action (block|direct|tunnel|ftp-tunnel|ftp-proxy|
                           BLOCK|DIRECT|TUNNEL|FTP-TUNNEL|FTP-PROXY)  
                                            #REQUIRED
                   profile-id         CDATA #IMPLIED
                   destination        CDATA #IMPLIED
                   destination-port   CDATA #IMPLIED
                   username           CDATA #IMPLIED
                   hostname-from-app (yes|no|YES|NO) "no"
                   username-from-app (yes|no|YES|NO) "no"
                   fallback-to-plain (yes|no|YES|NO) "no">


<!-- Logging: zero or more log-events entries. -->
<!ELEMENT logging   (log-events*)>

<!-- Log events. -->
<!-- Log event facility. -->
<!-- General entities used only as attribute defaults below. -->
<!ENTITY default-log-event-facility        "normal">

<!-- Log event severity. -->
<!ENTITY default-log-event-severity        "notice">

<!-- The element text (#PCDATA) presumably lists the event names the
     entry applies to - confirm in the reference.  facility defaults to
     "normal" and severity to "notice" via the entities above; both are
     restricted to the enumerated values.  Note "discard" is a valid
     facility, which silences the matched events. -->
<!ELEMENT log-events   (#PCDATA)>
<!ATTLIST log-events
                 facility   (normal|daemon|user|auth|local0|local1|local2
                            |local3|local4|local5|local6|local7|discard)
                           "&default-log-event-facility;"
                 severity   (informational|notice|warning|error|critical
                            |security-success|security-failure)
                           "&default-log-event-severity;">
