
SSH Tectia

Dividing the Configuration into Several Files

It is possible to divide the SSH Tectia Server configuration into several files. You can define external XML files containing sub-configurations for example with department-specific or user-group-specific settings. This can make the configuration easier to manage as it is in smaller parts, and the sub-configuration files can be used repeatedly in several places.

Note

A configuration consisting of several XML files must be maintained manually, because split configuration files cannot be edited with the SSH Tectia Server Configuration GUI.

The sub-configuration files must be declared as external SYSTEM entities within the DOCTYPE declaration of the ssh-server-config.xml file, as shown with the placeholder entity-name below:

<!DOCTYPE secsh-server SYSTEM
   "/etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [

   <!ENTITY entity-name SYSTEM "sub-config-file.xml">
]>

The declared entity can then be referenced in the main configuration file instead of writing all the settings there. When the server reads its configuration, the contents of the sub-configuration file are inserted in place of the entity reference, so the sub-configuration file must contain an XML fragment that yields a valid XML structure at the point in ssh-server-config.xml where it is referenced.

In this example we have a sub-configuration file named group-example-rules.xml, located in the subconfigs/ subdirectory, with the following contents:

<terminal action="deny" />
<subsystem type="sftp" application="sft-server-g3" chroot="%homedir%" />
<tunnel-agent action="deny" />
<tunnel-x11 action="deny" />
<tunnel-local action="deny" />
<tunnel-remote action="deny" />

In the example below, we first declare the sub-configuration file (and its location) as an external entity at the beginning of the ssh-server-config.xml file, and then reference the group-A-rules entity in the actual configuration as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM
   "/etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [

  <!ENTITY group-A-rules SYSTEM "subconfigs/group-example-rules.xml">
]>
<secsh-server>
  ...
  <services>
    <group name="example">
      <selector>
        <user-group name="example"/>
      </selector>
    </group>
    ...
    <rule group="example">
      &group-A-rules;
    </rule>
    ...
  </services>
</secsh-server>
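Because the server reads each sub-configuration file in place of its entity, whoever can write a sub-configuration file controls the resulting rules just as if they edited ssh-server-config.xml, and a fragment that is not well-formed breaks the whole configuration. The following script is an added example (not SSH Tectia code): it expands one level of SYSTEM entities the way the server would, checks that the merged document is well-formed XML, lists every file the main configuration pulls in, and warns when an included file is group- or world-writable or resolves outside the configuration directory. The file names and the sample contents mirror the example above and are constructed here; the DTD path is a placeholder.

```python
import re
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# <!ENTITY name SYSTEM "file"> declarations inside the DOCTYPE internal subset.
ENTITY_RE = re.compile(r'<!ENTITY\s+([\w.-]+)\s+SYSTEM\s+"([^"]+)"\s*>')
DOCTYPE_RE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[(.*?)\])?\s*>', re.S)

def expand_config(main_path):
    """Expand one level of SYSTEM entities; return (text, included, warnings).
    Raises ET.ParseError if the merged configuration is not well-formed."""
    main_path = Path(main_path).resolve()
    base, text = main_path.parent, main_path.read_text(encoding="utf-8")
    m = DOCTYPE_RE.search(text)
    entities = dict(ENTITY_RE.findall(m.group(1))) if m and m.group(1) else {}
    body = text[:m.start()] + text[m.end():] if m else text   # parser sees no DOCTYPE
    included, warnings = [], []
    def resolve(match):
        name = match.group(1)
        if name not in entities:              # &amp; etc.: leave for the XML parser
            return match.group(0)
        path = (base / entities[name]).resolve()
        if base not in path.parents:
            warnings.append(f"{name}: {entities[name]} resolves outside {base}")
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            warnings.append(f"{path}: writable by group or others")
        included.append(str(path))
        return path.read_text(encoding="utf-8")
    expanded = re.sub(r'&([\w.-]+);', resolve, body)
    ET.fromstring(expanded)                   # well-formedness of the merged tree
    return expanded, included, warnings

# Constructed sample files mirroring the page's example (DTD path is a placeholder).
SUB_RULES = '<terminal action="deny" />\n<tunnel-x11 action="deny" />\n'
MAIN = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM "ssh-server-ng-config-1.dtd" [
  <!ENTITY group-A-rules SYSTEM "subconfigs/group-example-rules.xml">
]>
<secsh-server><services><rule group="example">&group-A-rules;</rule></services></secsh-server>
'''

def run_demo(sub_rules=SUB_RULES, mode=0o640):
    # Write the sample into a temp dir (sub-config with the given mode) and expand it.
    with tempfile.TemporaryDirectory() as tmp:
        sub = Path(tmp, "subconfigs", "group-example-rules.xml")
        sub.parent.mkdir()
        sub.write_text(sub_rules, encoding="utf-8")
        sub.chmod(mode)
        main = Path(tmp, "ssh-server-config.xml")
        main.write_text(MAIN, encoding="utf-8")
        return expand_config(main)
```

Run `expand_config("/path/to/ssh-server-config.xml")` against a real split configuration to see the merged document, the included files and any permission warnings before restarting the server.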
