Connection Broker Configuration File Quick Reference

This Appendix contains a quick reference to the elements of the Connection Broker configuration file, ssh-broker-config.xml. The quick reference is divided into four tables:

  Table A.3 - the general element
  Table A.4 - the default-settings element
  Table A.5 - the profiles element
  Table A.6 - the static-tunnels, gui, filter-engine, and logging elements

The tables list the available configuration file elements with their attributes, attribute values (with the default value, where one exists, given in parentheses) and descriptions. Each element is listed on its own line; its attributes and their values are indented beneath it, and the description of each attribute is indented further. A dash ('-') in place of an attribute means that the description applies to the element itself. Detailed descriptions of the elements are given in ssh-broker-config(5).

The element hierarchy is expressed with slashes ('/') between parent and child elements.

Table A.3. ssh-broker-config.xml Quick Reference - the general element

crypto-lib
    mode = "standard|fips"
        Cryptographic library mode: standard or FIPS 140-2 certified
cert-validation
    end-point-identity-check = "yes|no|ask"
        Client will verify the server's host name or IP address against the server host certificate
    default-domain = domain_name
        Default domain part of the remote system name
    http-proxy-url = HTTP_proxy
        HTTP proxy for making queries for certificate validity
    socks-server-url = SOCKS_server
        SOCKS server for making queries for certificate validity
    cache-size = [1 to 512] (default: "35")
        Maximum size (MB) of the in-memory cache for certificates and CRLs
    max-crl-size = [1 to 512] (default: "11")
        Maximum size (MB) of CRLs accepted
    external-search-timeout = [1 to 3600] (default: "60")
        Time limit (seconds) for external HTTP and LDAP searches for CRLs and certificates
    max-ldap-response-length = [1 to 512] (default: "11")
        Maximum size (MB) of LDAP responses accepted
    ldap-idle-timeout = [1 to 3600] (default: "30")
        Idle timeout (seconds) for LDAP connections
    max-path-length = number (default: "10")
        Maximum length of certification paths when validating certificates
cert-validation / ldap-server
    address = LDAP_server_address
        LDAP server address for fetching CRLs and/or subordinate CA certificates
    port = port_number (default: "389")
        LDAP server port for fetching CRLs and/or subordinate CA certificates
cert-validation / ocsp-responder
    url = URL_address
        OCSP (Online Certificate Status Protocol) responder service address
    validity-period = seconds (default: "0")
        Time period during which new OCSP queries for the same certificate are not made (the old result is used)
cert-validation / crl-prefetch
    url = LDAP_URL|HTTP_URL|file_URL
        Tectia ConnectSecure periodically downloads a CRL from this URL
    interval = seconds (default: "3600")
        How often the CRL is downloaded
cert-validation / dod-pki
    enable = "yes|no"
        Enforce digital signature in key usage
cert-validation / ca-certificate
    name = CA_name
        Name of the certification authority (CA) used in server authentication
    file = path
        Path to the X.509 CA certificate file
    disable-crls = "yes|no"
        Disable CRL checking
    use-expired-crls = seconds (default: "0")
        Time period for using expired CRLs
key-stores / key-store
    type = "mscapi|pkcs11|software|zos-saf"
        Key store type
    init = init_info
        Key-store-provider-specific initialization info
key-stores / user-keys
    directory = path
        Directory where the user private keys are stored
    passphrase-timeout = seconds (default: "0")
        Time after which the passphrase-protected private key will time out
    passphrase-idle-timeout = seconds (default: "0")
        Time after which the passphrase-protected private key will time out unless the user accesses or uses the key
key-stores / identification
    file = path
        Location of the identification file that defines the user keys
    base-path = path
        Directory where the identification file expects the user private keys to be stored
    passphrase-timeout = seconds (default: "0")
        Time after which the user must enter the passphrase again
    passphrase-idle-timeout = seconds (default: "0")
        Time after which the passphrase times out if there are no user actions
user-config-directory
    path = path (default: "%USER_CONFIG_DIRECTORY%")
        Non-default location of user-specific configuration files
file-access-control (Unix only)
    enable = "yes|no"
        Enable checking of the file access permissions defined for global and user-specific configuration files and private key files
protocol-parameters
    threads = number (if set to 0, the default value is used)
        The number of threads the protocol library uses (fast path dispatcher threads)
known-hosts
    path = path
        Non-default location of the known hosts file or directory
    file = path
        Location of an OpenSSH-style known_hosts file
    directory = path
        Non-default directory for storing known host keys
    filename-format = "hash|plain|default" ("default" = "hash")
        The format in which new host key files will be stored

Table A.4. ssh-broker-config.xml Quick Reference - the default-settings element

default-settings
    user = user_name
        Default user name to be used when connecting to remote servers
ciphers / cipher
    name = cipher_name
        A cipher that the client requests for data encryption
macs / mac
    name = MAC_name
        A MAC that the client requests for data integrity verification
kexs / kex
    name = KEX_name
        A KEX that the client requests for the key exchange method
hostkey-algorithms / hostkey-algorithm
    name = hostkey-algorithm_name
        A host key signature algorithm to be used in server authentication with host keys or certificates
rekey
    bytes = number (default: "1000000000" (1 GB))
        Number of transferred bytes after which key exchange is done again
authentication-methods / auth-hostbased
    -
        Host-based authentication will be used
authentication-methods / auth-hostbased / local-hostname
    name = host_name
        Local host name that is advertised to the remote server during host-based authentication
authentication-methods / auth-password
    -
        Password authentication will be used
authentication-methods / auth-publickey
    -
        Public-key authentication will be used
    signature-algorithms = comma-separated_list
        Public-key signature algorithms used for client authentication
authentication-methods / auth-publickey / key-selection
    policy = "automatic|interactive-shy"
        Key selection policy used by the client when proposing user public keys to the server
authentication-methods / auth-publickey / key-selection / public-key
    type = "plain|certificate" (by default, both are tried)
        Only plain public keys or only certificates are tried during public-key authentication
authentication-methods / auth-publickey / key-selection / issuer-name
    name = certificate_issuer_name
        Client-side user certificates can be filtered by comparing this name to the certificate issuers requested or accepted by the server
    match-server-certificate = "yes|no"
        The Connection Broker tries to match the user certificate issuer name to the server certificate issuer name
authentication-methods / auth-gssapi
    -
        GSSAPI will be used in authentication
    dll-path = path (ignored on Windows)
        Location of the necessary GSSAPI libraries
    allow-ticket-forwarding = "yes|no"
        Allow forwarding the Kerberos ticket over several connections
authentication-methods / auth-keyboard-interactive
    -
        Keyboard-interactive methods will be used in authentication
hostbased-default-domain
    name = domain_name
        The host's default domain name that is appended to the short host name before transmitting it to the server
compression
    name = "none|zlib"
        Compress the data that the client sends
    level = [0 to 9] (default: "0", which means level 6)
        For zlib, the compression level
proxy
    ruleset = rule_sequence
        Rules for the HTTP proxy or SOCKS servers the client will use for connections
idle-timeout
    type = "connection"
        Idle timeout is always defined for connections
    time = seconds (default: "5")
        Idle time (after all connection channels are closed) allowed for a connection before the connection is automatically closed
tcp-connect-timeout
    time = seconds (default: "5")
        Timeout for TCP connections (after which connection attempts to a Secure Shell server are stopped if the remote host is down or unreachable)
keepalive-interval
    time = seconds (default: "0")
        Time interval for sending keepalive messages to the Secure Shell server
exclusive-connection
    enable = "yes|no"
        A new connection is opened for each new channel
server-banners
    visible = "yes|no"
        Show the server banner message file (if it exists) to the user before login
forwards / forward
    type = "x11|agent"
        Forwarding type
    state = "on|off|denied"
        Set forwarding on or off, or deny it
remote-environment / environment
    name = env_var_name
        Name of an environment variable that is to be passed to the server from the client side
    value = string
        Value of the environment variable
    format = "yes|no"
        The Connection Broker processes Tectia-specific special variables in value (e.g. %U%)
server-authentication-methods / auth-server-certificate
    -
        Use certificates for server authentication
server-authentication-methods / auth-server-publickey
    -
        Use public host keys for server authentication
    policy = "strict|ask|tofu|advisory"
        Policy for handling unknown server host keys
authentication-success-message
    enable = "yes|no"
        Output and log the AuthenticationSuccessMsg messages
sftpg3-mode
    compatibility-mode = "tectia|ftp|openssh"
        Behavior of sftpg3 when transferring files
terminal-selection
    selection-type = "select-words|select-paths"
        Behavior of the Tectia terminal when the user selects text with double-clicks
terminal-bell
    bell-style = "none|pc-speaker|system-default"
        How the Tectia terminal repeats audible notifications from the destination (Unix) server
close-window-on-disconnect
    enable = "yes|no"
        Close the Tectia terminal window when the server session is disconnected by pressing CTRL+D
quiet-mode
    enable = "yes|no"
        Make scpg3, sshg3, and sftpg3 suppress warnings, error messages and authentication success messages
checksum
    type = "yes|no|md5|sha1|md5-force|sha1-force|checkpoint"
        Default setting for comparing checksums
address-family
    type = "any|inet|inet6"
        IP address family: both, IPv4, or IPv6

Table A.5. ssh-broker-config.xml Quick Reference - the profiles element

profile
    id = ID
        Unique identifier that does not change during the lifetime of the profile
    name = string
        Unique name (free-form text string) that can be used for connecting with the profile on the command line
    host = IP_address|FQDN|short_hostname
        Secure Shell server host address
    port = port_number (default: "22")
        Secure Shell server listener port number
    protocol = "secsh2"
        The communications protocol used by the profile
    host-type = "default|windows|unix"
        Server type for ASCII (text) file transfer
    connect-on-startup = "yes|no"
        Connect automatically with the profile when the Connection Broker is started
    user = user_name
        User name for opening the connection
    gateway-profile = profile_name
        Create nested tunnels
profile / hostkey
    file = path
        Path to the remote server host public key file
profile / ciphers / cipher
    name = cipher_name
        A cipher used with this profile
profile / macs / mac
    name = MAC_name
        A MAC used with this profile
profile / kexs / kex
    name = KEX_name
        A KEX used with this profile
profile / hostkey-algorithms / hostkey-algorithm
    name = hostkey-algorithm_name
        Host key signature algorithm used with this profile
profile / rekey
    bytes = number (default: "1000000000" (1 GB))
        Number of transferred bytes after which key exchange is done again when using this profile
profile / authentication-methods
    -
        Define the authentication methods for this profile using the same child elements as with default-settings / authentication-methods (see Table A.4)
profile / user-identities / identity
    identity-file = path
        The user identity is read from the identification file used with public-key authentication
    file = path
        Path to the public-key file (primarily) or to a certificate
    hash = hash
        Hash of the public key that will be used to identify the related private key
profile / compression
    name = "none|zlib"
        Compression settings (for the data that the client sends) used with this profile
    level = [0 to 9] (default: "0", which means level 6)
        For zlib, the compression level
profile / proxy
    ruleset = rule_sequence
        Rules for the HTTP proxy or SOCKS servers the client will use for connections with this profile
profile / idle-timeout
    type = "connection"
        Idle timeout is always defined for connections
    time = seconds (default: "5")
        Idle time (after all connection channels are closed) allowed for a connection before the connection opened with this profile is automatically closed
profile / tcp-connect-timeout
    time = seconds (default: "5")
        Timeout for TCP connections with this profile: connection attempts to a Secure Shell server are stopped after the defined time if the remote host is down or unreachable
profile / keepalive-interval
    time = seconds (default: "0")
        Time interval for sending keepalive messages to the Secure Shell server with this profile
profile / exclusive-connection
    enable = "yes|no"
        A new connection is opened for each new channel with this profile
profile / server-banners
    visible = "yes|no"
        Show the server banner message file (if it exists) to the user before login with this profile
profile / forwards / forward
    type = "x11|agent"
        Forwarding type for this profile
    state = "on|off|denied"
        Set forwarding on or off, or deny it (i.e. the user cannot enable it on the command line) with this profile
profile / tunnels / local-tunnel
    type = "tcp|ftp|socks"
        Type of the local tunnel that is opened automatically when a connection is made with this profile
    listen-address = IP_address (default: 127.0.0.1)
        The network interface(s) on the client that the tunnel listens on
    listen-port = port_number
        Listener port number on the local client
    dst-host = IP_address|domain_name (default: 127.0.0.1)
        Destination host address
    dst-port = port_number
        Destination port
    allow-relay = "yes|no"
        Allow connections to the listened port from outside the client host
profile / tunnels / remote-tunnel
    type = "tcp|ftp"
        Type of the remote tunnel that is opened automatically when a connection is made with this profile
    listen-address = IP_address (default: 127.0.0.1)
        The network interface(s) on the server that the tunnel listens on
    listen-port = port_number
        Listener port number on the remote server
    dst-host = IP_address|domain_name (default: 127.0.0.1)
        Destination host address
    dst-port = port_number
        Destination port
    allow-relay = "yes|no"
        Allow connections to the listener port from outside the server host
profile / remote-environment / environment
    name = env_var_name
        Name of an environment variable that is to be passed to the server from the client side
    value = string
        Value of the environment variable
    format = "yes|no"
        The Connection Broker processes Tectia-specific special variables in value (e.g. %U%)
profile / server-authentication-methods
    -
        Define the server authentication methods allowed with this profile using the same child elements as with default-settings / server-authentication-methods (see Table A.4)
profile / password
    string = password
        User password that the client will send as a response to password authentication
    file = password_file
        File containing the password
    command = path
        Path to a program or script that outputs the password

Table A.6. ssh-broker-config.xml Quick Reference - the static-tunnels, gui, filter-engine, and logging elements

static-tunnels / tunnel
    type = "tcp|ftp"
        Type of the static tunnel
    listen-address = IP_address (default: 127.0.0.1)
        The network interface(s) on the client that the tunnel listens on
    listen-port = port_number
        Listener port number on the local client
    dst-host = IP_address|domain_name (default: 127.0.0.1)
        Destination host address
    dst-port = port_number
        Destination port
    allow-relay = "yes|no"
        Allow connections to the listened port from outside the client host
    profile = ID
        Connection profile ID that is used for the tunnel
gui
    hide-tray-icon = "yes|no"
        Hide the Tectia icon in the Windows taskbar notification area
    show-exit-button = "yes|no"
        Show the Exit command in the Tectia icon's shortcut menu
    show-admin = "yes|no"
        Show the Configuration command in the Tectia icon's shortcut menu
    enable-connector = "yes|no"
        Transparent TCP tunneling is active and capturing application connections for tunneling
    show-security-notification = "yes|no"
        Tectia security notifications are shown upon establishing or closing transparent TCP or FTP tunnels
filter-engine
    ip-generate-start = IPv4_address
        Start address of the pseudo IPv4 address space
    ip6-generate-start = IPv6_address
        Start address of the pseudo IPv6 address space
    ftp-filter-at-signs = "yes|no"
        Can be used with FTP-SFTP conversion when scripts are used to open a connection directly from the FTP/SFTP client to the SFTP server, bypassing any proxies. This attribute defines that Tectia ConnectSecure uses the FTP user name, FTP server name, and FTP server password specified in the FTP script.
filter-engine / network
    id = ID
        Unique identifier for the element
    address = network_address
        (Optional) network address
    domain = domain_name
        Domain name of the computer
    ip-generate-start = IPv4_address
        Start address of the pseudo IPv4 address space
    ip6-generate-start = IPv6_address
        Start address of the pseudo IPv6 address space
filter-engine / rule
    application = application
        One or more applications to which the rule is applied. Regular expressions (egrep) can be used.
    host = host_name
        Filtered connection's target host name. Regular expressions (egrep) can be used.
    ip-address = IP_address
        Filtered connection's target host IP address. Regular expressions (egrep) can be used.
    pseudo-ip = "yes|no"
        The Connection Broker assigns a pseudo IP address for the target host and Tectia Server resolves the real IP address
    ports = port_number|port_range
        Filtered connection's target ports
    action = "direct|block|tunnel|ftp-tunnel|ftp-proxy"
        The action to be taken when a filter matches
    profile-id = ID
        The connection profile that defines the connection settings
    destination = address
        Static destination address that will be used as the end point of the connection
    destination-port = port_number
        Static destination port that will be used as the end point of the connection
    username = user_name|path
        User name used for connecting to the Secure Shell server, or the path from where the user name should be retrieved
    hostname-from-app = "yes|no"
        Whether the Connection Broker extracts the Secure Shell server's host name from data sent by the application, or uses the Secure Shell server defined by the connection profile in profile-id
    username-from-app = "yes|no"
        FTP tunneling or FTP-SFTP conversion extracts the user name from data sent by the FTP application
    fallback-to-plain = "yes|no"
        A direct (unsecured) connection is used if creating the tunnel fails or the connection to the Secure Shell server fails
    show-sftp-server-banner = "yes|no"
        In FTP-SFTP conversion, make the Connection Broker forward the SFTP server banner to the FTP client
logging / log-target
    file = path
        File where the audit data is written
    type = "file|syslog|discard"
        Logging facility to which audit data is output
logging / log-events
    facility = "normal|daemon|user|auth|local0|local1|local2|local3|local4|local5|local6|local7|discard" (on Windows: facility = "normal|discard")
        Facility of the logging event
    severity = "informational|notice|warning|error|critical|security-success|security-failure"
        Severity of the logging event
logging / log-events / log-target
    -
        The same as logging / log-target