
SSH Tectia

Appendix B Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--                                                                     -->
<!-- secsh-server.dtd                                                    -->
<!--                                                                     -->
<!-- Copyright (c) 2004-2006 SSH Communications Security, Finland        -->
<!--               All rights reserved.                                  -->
<!--                                                                     -->
<!-- Document type definition for the SSH Tectia Server XML              -->
<!-- configuration files.                                                -->
<!--                                                                     -->
<!--                                                                     -->

<!-- Tunable parameters used in the policy. -->
<!-- NOTE(review): these entities are only the attribute defaults used by   -->
<!-- the element declarations further down; an attribute set explicitly in  -->
<!-- the configuration file overrides them. The action defaults for         -->
<!-- connection, terminal, subsystem, tunnel, command and authentication    -->
<!-- are all "allow", so a policy that omits an action is permissive unless -->
<!-- it states "deny" itself.                                               -->

<!-- Default connection action. -->
<!ENTITY default-connection-action                      "allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action                        "allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action                       "allow">

<!-- Default for allowing undefined blackboard entries by selectors. -->
<!-- Used as the default of the allow-undefined attribute on the selector -->
<!-- elements below; "no" presumably means a selector whose tested value  -->
<!-- is not yet defined does not match (confirm against the product docs). -->
<!ENTITY default-allow-undefined-value                  "no">

<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value                  "yes">

<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value      "yes">

<!-- Default tunnel action. -->
<!-- Applies to X11, agent, local TCP and remote TCP tunnels alike. -->
<!ENTITY default-tunnel-action                          "allow">

<!-- Default command action. -->
<!ENTITY default-command-action                         "allow">

<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds                 "3600">

<!-- Default rekey interval in bytes (1GB). -->
<!-- The value is 10^9 bytes (decimal GB), not 2^30. -->
<!ENTITY default-rekey-interval-bytes                   "1000000000">

<!-- Default login grace time in seconds. -->
<!-- Ten minutes; presumably the time a client has to complete          -->
<!-- authentication. Policies that want to limit how long an            -->
<!-- unauthenticated connection may stay open should set                -->
<!-- login-grace-time explicitly.                                       -->
<!ENTITY default-login-grace-time-seconds               "600">

<!-- Default authentication action. -->
<!ENTITY default-authentication-action                  "allow">

<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay            "2">

<!-- Password authentication default maximum tries. -->
<!-- Together with the 2 second failure delay above this bounds password -->
<!-- guessing, presumably per connection; nothing in this DTD limits the -->
<!-- rate per source address.                                             -->
<!ENTITY default-auth-password-max-tries                "3">

<!-- DNS match not required by default in host-based authentication. -->
<!-- NOTE(review): with "no" the host name presented by the client is   -->
<!-- presumably not cross-checked against DNS for the connecting        -->
<!-- address; confirm how the client host key lookup is bound to the    -->
<!-- peer before relying on the default.                                -->
<!ENTITY default-auth-hostbased-require-dns-match       "no">

<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay              "2">

<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries                  "3">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port                     "1812">

<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout. -->
<!-- Presumably seconds; the unit is not stated in this DTD. -->
<!ENTITY default-radius-server-timeout                  "10">

<!-- GSSAPI default ticket forwarding policy. -->
<!-- Off by default; forwarded credentials let the server act as the user -->
<!-- towards other services, so enable only where delegation is needed.   -->
<!ENTITY default-gssapi-ticket-forwarding-policy        "no">

<!-- Default time in seconds for using expired CRLs. -->
<!-- 0 presumably means an expired CRL is never accepted. -->
<!ENTITY default-use-expired-crls                       "0">

<!-- CRLs are not disabled by default. -->
<!-- Can be switched off per CA with the disable-crls attribute of -->
<!-- ca-certificate.                                               -->
<!ENTITY default-disable-crls                           "no">

<!-- DoD PKI compatibility is not required by default. -->
<!ENTITY default-dod-pki                                "no">

<!-- LDAP server default port. -->
<!-- 389 is the plain LDAP port; no TLS attribute is declared for the -->
<!-- ldap-server element below.                                       -->
<!ENTITY default-ldap-server-port                       "389">

<!-- Default CRL update minimum interval. -->
<!-- The unit is not stated in this DTD. -->
<!ENTITY default-crl-update-min-interval                "30">

<!-- Default interval for CRL prefetching. -->
<!-- The unit is not stated in this DTD (3600 suggests seconds). -->
<!ENTITY default-crl-prefetch-interval                  "3600">

<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode                        "standard">

<!-- Default log event facility. -->
<!ENTITY default-log-event-facility                     "normal">

<!-- Default log event severity. -->
<!ENTITY default-log-event-severity                     "notice">

<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-aix-ignore-rlogin                      "no">

<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions                "yes">

<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive                          "no">

<!-- Missing Cipher/MAC is not allowed by default. -->
<!-- Default of the allow-missing attribute on cipher and mac (the auth-* -->
<!-- elements also declare allow-missing, but their default is cut off in -->
<!-- this listing). What "missing" means is not defined in this DTD.      -->
<!ENTITY default-allow-missing                          "no">

<!-- Default connection idle timeout in seconds.  The value zero -->
<!-- disables idle timeout. -->
<!-- So an idle session is never closed unless a rule sets idle-timeout. -->
<!ENTITY default-idle-timeout                           "0">

<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd                             "yes">

<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes                           "yes">

<!-- Default authentication file permission mask bits (octal). -->
<!-- 022 presumably rejects authentication files that are group or world -->
<!-- writable while strict mode is on.                                   -->
<!ENTITY default-file-mask-bits                         "022">

<!-- Should an authentication block be repeated if authentication -->
<!-- succeeds but post-authentication selectors deny the authentication. -->
<!ENTITY default-repeat-block                           "no"> 

<!-- Policy elements. -->
<!-- NOTE(review): this listing is cut short in several places (the       -->
<!-- content models of secsh-server, params, log-events, cert-validation,  -->
<!-- selector, authentication-methods, authentication,                     -->
<!-- auth-keyboard-interactive and rule; several attribute lines that end  -->
<!-- right after "(yes|no)"; and the ATTLIST header of mac, ip, src and    -->
<!-- dst). Treat the secsh-server.dtd shipped with the product as the      -->
<!-- authoritative definition, not this rendering.                         -->

<!-- The top-level element. -->
<!ELEMENT secsh-server  (params?,connections?,authentication-methods?

<!-- Parameter element. -->
<!ELEMENT params (crypto-lib?,settings?,hostkey*,listener*,logging?,

<!-- Cryptographic library. -->
<!-- mode "fips" selects the FIPS mode of the crypto library; the default -->
<!-- is "standard" (entity above).                                        -->
<!ELEMENT crypto-lib    EMPTY>
<!ATTLIST crypto-lib
          mode          (fips|standard) "&default-crypto-lib-mode;">

<!-- Settings - a block for stuff that is too minor to have its
     own element in the params block. -->
<!-- xauth-path and user-config-dir are file system paths used by the   -->
<!-- server; presumably they should only point to locations that        -->
<!-- non-administrators cannot write to.                                -->
<!ELEMENT settings      EMPTY>
<!ATTLIST settings
         proxy-scheme            CDATA     #IMPLIED
         xauth-path              CDATA     #IMPLIED
         ignore-aix-rlogin       (yes|no)  "&default-aix-ignore-rlogin;"
         record-ptyless-sessions (yes|no)  "&default-record-ptyless-sessions;"
         user-config-dir         CDATA     #IMPLIED>

<!-- Hostkey specification. -->
<!-- A host key is either a private key with an optional public key or  -->
<!-- certificate, or an external key provider.                          -->
<!ELEMENT hostkey        ((private,(public|x509-certificate)?)|externalkey)>

<!-- Private key specification. -->
<!-- The key may be given inline as element content or referenced with   -->
<!-- file; which wins when both are given is not stated here. If it is   -->
<!-- inline, the configuration file itself contains the host private key -->
<!-- and must be protected accordingly.                                  -->
<!ELEMENT private        (#PCDATA)>
<!ATTLIST private
          file           CDATA   #IMPLIED>

<!-- Public key. -->
<!ELEMENT public         (#PCDATA)>
<!ATTLIST public
          file           CDATA   #IMPLIED>

<!-- Certificate (host). -->
<!ELEMENT x509-certificate       (#PCDATA)>
<!ATTLIST x509-certificate
          file           CDATA   #IMPLIED>

<!-- External key. -->
<!-- init-info is provider specific and not constrained here; confirm     -->
<!-- whether it can carry credentials before sharing configuration files. -->
<!ELEMENT externalkey    EMPTY>
<!ATTLIST externalkey
          type           CDATA   #REQUIRED
          init-info      CDATA   #IMPLIED>

<!-- CA certificate. -->
<!-- disable-crls "yes" turns revocation checking off for this CA only;  -->
<!-- use-expired-crls is the number of seconds an expired CRL may still  -->
<!-- be used (default 0).                                                -->
<!ELEMENT ca-certificate         (#PCDATA)>
<!ATTLIST ca-certificate
          file                   CDATA     #IMPLIED
          name                   CDATA     #REQUIRED
          disable-crls           (yes|no)  "&default-disable-crls;"
          use-expired-crls       CDATA     "&default-use-expired-crls;">

<!-- Certificate caching. -->
<!-- Presumably written by the server; keep the file where only the     -->
<!-- server can modify it.                                              -->
<!ELEMENT cert-cache-file        EMPTY>
<!ATTLIST cert-cache-file
          file                   CDATA   #REQUIRED>

<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update        EMPTY>
<!ATTLIST crl-auto-update
          update-before          CDATA   #IMPLIED
          minimum-interval       CDATA   "&default-crl-update-min-interval;">

<!-- CRL prefetch. -->
<!-- url is not constrained to any scheme by the DTD. -->
<!ELEMENT crl-prefetch           EMPTY>
<!ATTLIST crl-prefetch
          interval               CDATA   "&default-crl-prefetch-interval;"
          url                    CDATA   #REQUIRED>

<!-- LDAP server. -->
<!-- No TLS or bind credential attributes are declared, so presumably    -->
<!-- this is anonymous plain LDAP used to fetch CRLs and certificates;    -->
<!-- the fetched objects would then be protected only by their own        -->
<!-- signatures. Confirm against the product documentation.               -->
<!ELEMENT ldap-server            EMPTY>
<!ATTLIST ldap-server
          address                CDATA   #REQUIRED
          port                   CDATA   "&default-ldap-server-port;">

<!-- OCSP responder. -->
<!ELEMENT ocsp-responder         EMPTY>
<!ATTLIST ocsp-responder
          validity-period        CDATA   #IMPLIED
          url                    CDATA   #REQUIRED>

<!-- Enable DoD PKI compliancy. -->
<!ELEMENT dod-pki                EMPTY>
<!ATTLIST dod-pki
          enable        (yes|no)         "&default-dod-pki;">

<!-- Secure Shell server TCP listener address and port. -->
<!-- address is optional; when omitted the listener presumably binds all -->
<!-- local addresses (TODO confirm). id is referenced by the interface   -->
<!-- selector (IDREF) further down.                                      -->
<!ELEMENT listener      EMPTY>
<!ATTLIST listener
          id            ID       #REQUIRED
          port          CDATA    "22"
          address       CDATA    #IMPLIED>

<!-- Logging. -->
<!ELEMENT logging       (log-events*)>

<!-- Log events. -->
<!-- Both enumerations are cut short in this listing; the defaults are   -->
<!-- presumably the log-event-facility and log-event-severity entities.  -->
<!ELEMENT log-events    (#PCDATA)>
<!ATTLIST log-events
          facility      (normal|daemon|user|auth|local0|local1
          severity      (informational|notice|warning|error|critical

<!-- Certificate validation. -->
<!-- The content model is cut short in this listing. -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,cert-cache-file?

<!-- Outbound proxies, presumably for CRL and OCSP fetches; plain HTTP   -->
<!-- and SOCKS, so fetched data is protected only by its own signature.  -->
<!ATTLIST cert-validation
          http-proxy-url         CDATA   #IMPLIED
          socks-server-url       CDATA   #IMPLIED>

<!-- Limits. -->
<!-- No defaults are declared; an unset limit is presumably unlimited. -->
<!ELEMENT limits                 EMPTY>
<!ATTLIST limits
          max-connections        CDATA   #IMPLIED
          max-processes          CDATA   #IMPLIED>

<!-- Connections. -->
<!ELEMENT connections   (connection+)>

<!-- Connection. -->
<!-- A connection element with no selector presumably matches every     -->
<!-- incoming connection; combined with the "allow" default action it   -->
<!-- then accepts all peers, so deny rules have to be explicit.         -->
<!ELEMENT connection    (selector*,rekey?,cipher*,mac*)>
<!ATTLIST connection
          name          ID              #IMPLIED
          action        (allow|deny)    "&default-connection-action;"
          tcp-keepalive (yes|no)        "&default-tcp-keepalive;">

<!-- Rekey intervals. -->
<!-- Defaults come from the rekey entities above (3600 s, 10^9 bytes). -->
<!ELEMENT rekey         EMPTY>
<!ATTLIST rekey
          seconds       CDATA    "&default-rekey-interval-seconds;"
          bytes         CDATA    "&default-rekey-interval-bytes;">

<!-- Cipher. -->
<!-- name is free text; the DTD does not restrict which algorithms may  -->
<!-- be listed, so algorithm strength is a policy choice made here.     -->
<!ELEMENT cipher        EMPTY>
<!ATTLIST cipher
          name          CDATA           #REQUIRED
          allow-missing (yes|no)        "&default-allow-missing;">

<!-- MAC. -->
<!-- Same attributes as cipher. The ATTLIST header for mac is missing  -->
<!-- from this listing.                                                -->
<!ELEMENT mac           EMPTY>
          name          CDATA           #REQUIRED
          allow-missing (yes|no)        "&default-allow-missing;">

<!-- Selector element. -->
<!-- The content model is cut short in this listing. -->
<!ELEMENT selector      ((interface|certificate|host-certificate|ip

<!-- Interface selector. At least one parameter must be given. If id is -->
<!-- set, the others MUST NOT be set. If id is not set, either or both  -->
<!-- of address and port may be defined.                                -->
<!-- allow-undefined defaults to "no" here via the                      -->
<!-- default-allow-undefined-value entity; on the other selectors below -->
<!-- the default is cut off in this listing and presumably the same.    -->
<!ELEMENT interface       EMPTY>
<!ATTLIST interface
          id              IDREF    #IMPLIED
          address         CDATA    #IMPLIED
          port            CDATA    #IMPLIED
          allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Public key (plain) passed selector. -->
<!-- Presumably matches once a public key authentication has passed;    -->
<!-- length presumably constrains the key size in bits (TODO confirm).  -->
<!ELEMENT publickey-passed         EMPTY>
<!ATTLIST publickey-passed
          length                   CDATA        #IMPLIED
          allow-undefined         (yes|no)

<!-- Certificate selector. -->
<!-- pattern and pattern-case-sensitive are both optional; which one    -->
<!-- applies when both are set is not stated here.                      -->
<!ELEMENT certificate     EMPTY>
<!ATTLIST certificate
          field           (ca-list|issuer-name|subject-name|serial-number
                           |altname-ip|altname-fqdn)    #REQUIRED
          pattern                  CDATA        #IMPLIED
          pattern-case-sensitive   CDATA        #IMPLIED
          allow-undefined          (yes|no)

<!-- Host certificate selector. -->
<!-- Same attributes as certificate, applied to the client host          -->
<!-- certificate (presumably the one used in host-based authentication). -->
<!ELEMENT host-certificate         EMPTY>
<!ATTLIST host-certificate
          field           (ca-list|issuer-name|subject-name|serial-number
                           |altname-ip|altname-fqdn)    #REQUIRED
          pattern                  CDATA        #IMPLIED
          pattern-case-sensitive   CDATA        #IMPLIED
          allow-undefined          (yes|no)

<!-- IP address selector.  -->
<!-- The address will be one of the following:                          -->
<!--   - an IP range of the form x.x.x.x-y.y.y.y                        -->
<!--   - an IP mask of the form x.x.x.x/y                               -->
<!--   - a straight IP address x.x.x.x                                  -->
<!--   - an FQDN pattern (form not checked, either it matches or not)   -->
<!-- Exactly one of address or fqdn must be set.                        -->
<!-- NOTE(review): fqdn matching presumably depends on a reverse DNS    -->
<!-- lookup of the peer, which the server does not control; prefer      -->
<!-- address ranges for access decisions. The ATTLIST header for ip is  -->
<!-- missing from this listing.                                         -->

<!ELEMENT ip              EMPTY>
          address               CDATA   #IMPLIED
          fqdn                  CDATA   #IMPLIED
          allow-undefined       (yes|no)

<!-- User name selector. -->
<!-- name and id are alternatives; id is presumably the numeric user id. -->
<!ELEMENT user                  EMPTY>
<!ATTLIST user
          name                  CDATA   #IMPLIED
          name-case-sensitive   CDATA   #IMPLIED
          id                    CDATA   #IMPLIED
          allow-undefined       (yes|no)

<!-- User group selector. -->
<!ELEMENT user-group            EMPTY>
<!ATTLIST user-group
          name                  CDATA   #IMPLIED
          name-case-sensitive   CDATA   #IMPLIED
          id                    CDATA   #IMPLIED
          allow-undefined       (yes|no)

<!-- User privileged (administrator) selector. -->
<!-- The default of value is cut off here; presumably it is the          -->
<!-- default-user-privileged-value entity ("yes"), so a bare selector    -->
<!-- would match administrators.                                         -->
<!ELEMENT user-privileged       EMPTY>
<!ATTLIST user-privileged
          value                 (yes|no)
          allow-undefined       (yes|no)

<!-- Selector for the need of user password change. -->
<!ELEMENT user-password-change-needed   EMPTY>
<!ATTLIST user-password-change-needed
          value                 (yes|no)
          allow-undefined       (yes|no)

<!-- Blackboard selector. -->
<!-- Generic match on an arbitrary blackboard field; field names are not -->
<!-- enumerated by the DTD.                                              -->
<!ELEMENT blackboard            EMPTY>
<!ATTLIST blackboard
          field                         CDATA   #REQUIRED
          pattern                       CDATA   #IMPLIED
          pattern-case-sensitive        CDATA   #IMPLIED
          allow-undefined               (yes|no)

<!-- Authentication methods element. -->
<!-- The content model is cut short in this listing. -->
<!ELEMENT authentication-methods        (banner-message?,auth-file-modes?

<!-- login-grace-time defaults to 600 seconds (entity above). -->
<!ATTLIST authentication-methods
          login-grace-time      CDATA   "&default-login-grace-time-seconds;">

<!-- Banner message element. -->
<!-- Presumably sent to the client before authentication; given inline  -->
<!-- or read from file.                                                 -->
<!ELEMENT banner-message        (#PCDATA)>
<!ATTLIST banner-message
          file                  CDATA   #IMPLIED>

<!-- Authentication file permission checks. -->
<!-- strict "no" disables the permission checks on authentication files; -->
<!-- with the default mask 022, files writable by group or others are    -->
<!-- presumably rejected while the checks are on.                        -->
<!ELEMENT auth-file-modes       EMPTY>
<!ATTLIST auth-file-modes
          strict                (yes|no)        "&default-strict-modes;"
          mask-bits             CDATA           "&default-file-mask-bits;">

<!-- Authentication element. In an authentication element, different       -->
<!-- authentication methods are in OR-relation. User must pass one of them -->
<!-- The content model is cut short in this listing. -->
<!ELEMENT authentication        (selector*

<!-- action defaults to "allow"; set-group presumably names the group     -->
<!-- later matched by the group attribute of rule in the services block;  -->
<!-- repeat-block is explained at the default-repeat-block entity above.  -->
<!ATTLIST authentication
          name          ID              #IMPLIED
          action        (allow|deny)    "&default-authentication-action;"
          set-group     CDATA           #IMPLIED
          repeat-block  (yes|no)        "&default-repeat-block;">

<!-- Public-key authentication. -->
<!-- All three paths are optional; the files they name are presumably    -->
<!-- subject to the auth-file-modes checks above. The default of          -->
<!-- allow-missing is cut off here and on the other auth-* elements.      -->
<!ELEMENT auth-publickey        EMPTY>
<!ATTLIST auth-publickey
          authorization-file            CDATA   #IMPLIED
          authorized-keys-directory     CDATA   #IMPLIED
          openssh-authorized-keys-file  CDATA   #IMPLIED
          allow-missing                 (yes|no)

<!-- Host-based authentication. -->
<!-- NOTE(review): require-dns-match presumably defaults to "no" (entity  -->
<!-- above; the default is cut off here). Without it the client asserted  -->
<!-- host name is presumably not checked against DNS; consider setting it -->
<!-- to "yes" in the policy.                                              -->
<!ELEMENT auth-hostbased        EMPTY>
<!ATTLIST auth-hostbased
          require-dns-match     (yes|no)
          allow-missing         (yes|no)

<!-- Password authentication. -->
<!-- 2 second delay after a failure and at most 3 tries by default. -->
<!ELEMENT auth-password         EMPTY>
<!ATTLIST auth-password
          failure-delay         CDATA "&default-auth-password-failure-delay;"
          max-tries             CDATA "&default-auth-password-max-tries;"
          allow-missing         (yes|no)

<!-- Keyboard-interactive authentication. -->
<!-- The content model is cut short in this listing. -->
<!ELEMENT auth-keyboard-interactive     ((submethod-pam

<!ATTLIST auth-keyboard-interactive
          failure-delay         CDATA "&default-auth-kbdint-failure-delay;"
          max-tries             CDATA "&default-auth-kbdint-max-tries;">

<!-- Keyboard-interactive submethods. -->
<!-- PAM. -->
<!-- dll-path names a library presumably loaded into the server process; -->
<!-- it must point to an administrator controlled location.              -->
<!ELEMENT submethod-pam         EMPTY>
<!ATTLIST submethod-pam
          dll-path              CDATA   #IMPLIED>

<!-- Password. -->
<!ELEMENT submethod-password    EMPTY>

<!-- SecurID. -->
<!-- dll-path: same caveat as for submethod-pam. -->
<!ELEMENT submethod-securid     EMPTY>
<!ATTLIST submethod-securid
          dll-path              CDATA   #IMPLIED>

<!-- RADIUS. -->
<!ELEMENT submethod-radius      (radius-server+)>

<!-- RADIUS server. -->
<!-- Plain RADIUS over UDP (the timeout entity above is a UDP recvfrom  -->
<!-- timeout); no transport security attribute is declared, so the path -->
<!-- from the server to the RADIUS server should be a protected network. -->
<!ELEMENT radius-server         (radius-shared-secret)>
<!ATTLIST radius-server
          address               CDATA   #REQUIRED
          port                  CDATA   "&default-radius-server-port;"
          timeout               CDATA   "&default-radius-server-timeout;"
          client-nas-identifier CDATA   #IMPLIED>

<!-- Secret. "file" has precedence over #PCDATA. -->
<!-- Prefer the file form: an inline secret puts the RADIUS shared secret -->
<!-- into the server configuration file itself.                          -->
<!ELEMENT radius-shared-secret  (#PCDATA)>
<!ATTLIST radius-shared-secret
          file                  CDATA   #IMPLIED>

<!-- Generic submethod. -->
<!-- params is an opaque string, presumably handed to the named submethod. -->
<!ELEMENT submethod-generic     EMPTY>
<!ATTLIST submethod-generic
          name                  CDATA   #REQUIRED
          params                CDATA   #IMPLIED>

<!-- GSSAPI authentication. -->
<!-- The defaults of allow-ticket-forwarding and allow-missing are cut  -->
<!-- off here; the forwarding policy entity above is "no". dll-path has -->
<!-- the same caveat as for submethod-pam.                              -->
<!ELEMENT auth-gssapi           EMPTY>
<!ATTLIST auth-gssapi
          dll-path                     CDATA     #IMPLIED
          allow-ticket-forwarding      (yes|no)
          allow-missing                (yes|no)

<!-- Services element. -->
<!ELEMENT services       (group*,rule+)>

<!-- Group element. -->
<!-- A named set of selectors; name is an ID and is referred to by the  -->
<!-- group attribute of rule.                                           -->
<!ELEMENT group          (selector+)>
<!ATTLIST group
          name  ID       #REQUIRED>

<!-- Rule element. -->
<!-- The content model is cut short in this listing. -->
<!ELEMENT rule           (environment*,terminal?,subsystem*,command*

<!-- "group", if defined, will be used to match the rule. -->
<!-- NOTE(review): group is declared CDATA rather than IDREF, so a typo  -->
<!-- in the group name is not caught by DTD validation; a rule naming a  -->
<!-- group that does not exist presumably never matches, and a rule with -->
<!-- no group presumably matches everyone. idle-timeout 0 disables the   -->
<!-- idle timeout (entity above).                                        -->
<!ATTLIST rule
          group           CDATA        #IMPLIED
          idle-timeout    CDATA        "&default-idle-timeout;"
          print-motd      (yes|no)     "&default-print-motd;">

<!-- Environment. -->
<!-- The default allowed environment variables are:               -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"              -->
<!-- If neither allowed nor allowed-case-sensitive is set,        -->
<!-- the default is used.                                         -->
<!-- NOTE(review): PATH is in the default allow list, so the client may -->
<!-- set it; confirm whether a client supplied PATH can affect how      -->
<!-- subsystem or forced command applications are resolved, and narrow  -->
<!-- the list in the policy if so.                                      -->

<!ELEMENT environment   EMPTY>
<!ATTLIST environment
          allowed                       CDATA   #IMPLIED
          allowed-case-sensitive        CDATA   #IMPLIED>

<!-- Terminal. -->
<!-- chroot presumably confines the shell to the named directory. -->
<!ELEMENT terminal      EMPTY>
<!ATTLIST terminal
          action        (allow|deny)            "&default-terminal-action;"
          chroot        CDATA                   #IMPLIED>

<!-- Subsystem. -->
<!-- type selects the subsystem; application presumably overrides the   -->
<!-- program run for it, and chroot confines it.                        -->
<!ELEMENT subsystem     (attribute*)>
<!ATTLIST subsystem
          type          CDATA           #REQUIRED
          action        (allow|deny)    "&default-subsystem-action;"
          application   CDATA           #IMPLIED
          chroot        CDATA           #IMPLIED>

<!-- Subsystem attribute: a free form name/value pair, presumably handed -->
<!-- to the subsystem.                                                   -->
<!ELEMENT attribute     EMPTY>
<!ATTLIST attribute
          name          CDATA   #REQUIRED
          value         CDATA   #IMPLIED>

<!-- Tunnels. -->
<!-- All four tunnel types default to "allow" (default-tunnel-action).  -->
<!-- Agent forwarding in particular exposes the user's agent to the     -->
<!-- server host, so policies for shared servers should deny it         -->
<!-- explicitly unless it is needed.                                    -->
<!ELEMENT tunnel-x11    EMPTY>
<!ATTLIST tunnel-x11
          action        (allow|deny)            "&default-tunnel-action;">

<!ELEMENT tunnel-agent  EMPTY>
<!ATTLIST tunnel-agent
          action        (allow|deny)            "&default-tunnel-action;">

<!-- Local TCP tunnel; with no src/dst children the action presumably   -->
<!-- applies to every endpoint.                                         -->
<!ELEMENT tunnel-local  ((src|dst)*)>
<!ATTLIST tunnel-local
          action        (allow|deny)            "&default-tunnel-action;">

<!-- Remote TCP tunnel; src/listen children narrow it the same way. -->
<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote
          action        (allow|deny)            "&default-tunnel-action;">

<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!--  src and dst are for local-tcp                                     -->
<!--  src and listen are for remote-tcp                                 -->
<!--  address or fqdn are not mandatory. If set, exactly one must be set-->
<!--  (not both).                                                       -->
<!-- The ATTLIST header for src and dst is missing from this listing.   -->
<!-- As with the ip selector, fqdn matching presumably relies on DNS,   -->
<!-- so address based restrictions are the safer choice.                -->

<!-- Source. -->
<!ELEMENT src           EMPTY>
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Destination. -->
<!ELEMENT dst           EMPTY>
          address       CDATA   #IMPLIED
          fqdn          CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Listener. -->
<!-- Presumably the address and port the server listens on for a remote -->
<!-- tunnel.                                                            -->
<!ELEMENT listen        EMPTY>
<!ATTLIST listen
          address       CDATA   #IMPLIED
          port          CDATA   #IMPLIED>

<!-- Command. -->
<!-- The action line is cut off here; its default is presumably the      -->
<!-- default-command-action entity ("allow"). "forced" presumably runs   -->
<!-- application regardless of what the client requested, which is the   -->
<!-- usual way to restrict an account to a single command.               -->
<!ELEMENT command                       EMPTY>
<!ATTLIST command
          action                        (allow|deny|forced)
          application                   CDATA        #IMPLIED
          application-case-sensitive    CDATA        #IMPLIED
          chroot                        CDATA        #IMPLIED>

