
SSH Tectia

Appendix A Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--                                                                    -->
<!-- secsh-server.dtd                                                   -->
<!--                                                                    -->
<!-- Copyright (c) 2004-2009 SSH Communications Security, Finland	      -->
<!--       All rights reserved.                                         -->
<!--                                                                    -->
<!-- Document type definition for the SSH Tectia Server XML             -->
<!-- configuration files.                                               -->
<!--                                                                    -->

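<!-- Tunable parameters used in the policy.                                -->
<!-- Each entity below supplies the default of an attribute declared       -->
<!-- further down in this DTD; the default is what applies when the        -->
<!-- attribute is omitted from the configuration file.                     -->

<!-- Default connection action. An omitted "action" on a connection       -->
<!-- element therefore permits the connection.                             -->
<!ENTITY default-connection-action                          "allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action                            "allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action                           "allow">

<!-- Default subsystem audit value. -->
<!ENTITY default-subsystem-audit                            "yes">

<!-- Default subsystem direct execute value. -->
<!ENTITY default-subsystem-exec-directly                    "no">

<!-- Default for allowing undefined blackboard entries by selectors.      -->
<!-- "no" means a selector whose field is not set on the blackboard does  -->
<!-- not match unless the selector explicitly sets allow-undefined="yes". -->
<!ENTITY default-allow-undefined-value                      "no">

<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value                      "yes">

<!-- Default user-password-change-needed value.                           -->
<!-- (Tab characters in the listing broke the column alignment here and   -->
<!-- two entities below; plain spaces are used instead.)                  -->
<!ENTITY default-user-password-change-needed-value          "yes">

<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action                              "allow">

<!-- Default command action. -->
<!ENTITY default-command-action                             "allow">

<!-- Default interactive command action. -->
<!ENTITY default-interactive-command-action                 "no">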

<!-- Default rekey interval in seconds. Used by the "rekey" element.      -->
<!ENTITY default-rekey-interval-seconds                     "3600">

<!-- Default rekey interval in bytes (1GB, i.e. 10^9 bytes rather than    -->
<!-- 2^30). Used by the "rekey" element.                                  -->
<!ENTITY default-rekey-interval-bytes                       "1000000000">

<!-- Default login grace time in seconds. Used by the                     -->
<!-- "authentication-methods" element.                                    -->
<!ENTITY default-login-grace-time-seconds                   "600">

<!-- Default authentication action. An "authentication" element without   -->
<!-- an explicit action therefore allows.                                 -->
<!ENTITY default-authentication-action                      "allow">

<!-- Password authentication default failure delay in seconds             -->
<!-- ("auth-password" failure-delay).                                     -->
<!ENTITY default-auth-password-failure-delay                "2">

<!-- Password authentication default maximum tries                        -->
<!-- ("auth-password" max-tries).                                         -->
<!ENTITY default-auth-password-max-tries                    "3">

<!-- DNS match not required by default in host-based authentication       -->
<!-- ("auth-hostbased" require-dns-match).                                -->
<!ENTITY default-auth-hostbased-require-dns-match           "no">

<!-- Keyboard-interactive authentication default failure delay in seconds -->
<!-- ("auth-keyboard-interactive" failure-delay).                         -->
<!ENTITY default-auth-kbdint-failure-delay                  "2">

<!-- Keyboard-interactive authentication default maximum tries            -->
<!-- ("auth-keyboard-interactive" max-tries).                             -->
<!ENTITY default-auth-kbdint-max-tries                      "3">

<!-- Keyboard-interactive RADIUS server default port ("radius-server"). -->
<!ENTITY default-radius-server-port                         "1812">

<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout,     -->
<!-- presumably in seconds ("radius-server" timeout).                     -->
<!ENTITY default-radius-server-timeout                      "10">

<!-- GSSAPI default ticket forwarding policy                              -->
<!-- ("auth-gssapi" allow-ticket-forwarding).                             -->
<!ENTITY default-gssapi-ticket-forwarding-policy            "no">

<!-- Default time in seconds for using expired CRLs ("ca-certificate"     -->
<!-- use-expired-crls). Zero presumably means expired CRLs are never      -->
<!-- accepted; confirm against the server manual.                         -->
<!ENTITY default-use-expired-crls                           "0">

<!-- CRLs are not disabled by default ("ca-certificate" disable-crls). -->
<!ENTITY default-disable-crls                               "no">

<!-- DoD PKI compatibility is not required by default ("dod-pki" enable). -->
<!ENTITY default-dod-pki                                    "no">

<!-- LDAP server default port ("ldap-server" port). -->
<!ENTITY default-ldap-server-port                           "389">

<!-- Default CRL update minimum interval ("crl-auto-update"               -->
<!-- minimum-interval); unit not stated in this listing.                  -->
<!ENTITY default-crl-update-min-interval                    "30">

<!-- Default interval for CRL prefetching ("crl-prefetch" interval);      -->
<!-- unit not stated in this listing.                                     -->
<!ENTITY default-crl-prefetch-interval                      "3600">

<!-- Default crypto library mode ("fips" or "standard"), used by the      -->
<!-- "crypto-lib" element.                                                -->
<!ENTITY default-crypto-lib-mode                            "standard">

<!-- Default log event facility (intended for "log-events" facility). -->
<!ENTITY default-log-event-facility                         "normal">

<!-- Default log event severity (intended for "log-events" severity). -->
<!ENTITY default-log-event-severity                         "notice">

<!-- Default values for password caching ("password-cache" element):     -->
<!-- maximum number of cached passwords, expiration time (0 here;        -->
<!-- meaning not stated in this listing) and whether passwords are       -->
<!-- cached unless an "access" entry says otherwise.                     -->
<!ENTITY default-password-cache-max-passwords               "2000">
<!ENTITY default-password-cache-expiration-time             "0">
<!ENTITY default-password-cache-by-default                  "no">

<!-- Default action of an "access" entry inside "password-cache". -->
<!ENTITY default-access-action                              "allow">

<!-- Default ignore AIX rlogin setting ("settings" ignore-aix-rlogin). -->
<!ENTITY default-ignore-aix-rlogin                          "no">

<!-- Default ignore AIX login setting ("settings" ignore-aix-login). -->
<!ENTITY default-ignore-aix-login                           "no">

<!-- Default record sessions without PTYs                                 -->
<!-- ("settings" record-ptyless-sessions).                                -->
<!ENTITY default-record-ptyless-sessions                    "yes">

<!-- Default Windows logon type ("settings" windows-logon-type). -->
<!ENTITY default-windows-logon-type                         "interactive">

<!-- Default ignore nisplus no-permission error                           -->
<!-- ("settings" ignore-nisplus-no-permission).                           -->
<!ENTITY default-ignore-nisplus-no-permission               "no">

<!-- TCP keepalives are disabled by default ("connection" tcp-keepalive). -->
<!ENTITY default-tcp-keepalive                              "no">

<!-- Whether a plugin is allowed to not initialize (due to e.g.          -->
<!-- system configuration, missing shared libraries). Used by the        -->
<!-- allow-missing attribute of cipher, mac and the auth-* elements.     -->
<!ENTITY default-allow-missing                              "no">

<!-- Default connection idle timeout in seconds ("rule" idle-timeout).   -->
<!-- The value zero disables idle timeout.                               -->
<!ENTITY default-idle-timeout                               "0">

<!-- Message of the day (MOTD) is printed on login by default            -->
<!-- ("rule" print-motd).                                                -->
<!ENTITY default-print-motd                                 "yes">

<!-- Authentication file permissions are checked by default              -->
<!-- ("auth-file-modes" strict).                                         -->
<!ENTITY default-strict-modes                               "yes">

<!-- Default authentication file permission mask bits (octal),           -->
<!-- used by "auth-file-modes" mask-bits.                                -->
<!ENTITY default-mask-bits                                  "022">

<!-- Service name used with PAM ("pluggable-authentication-modules"      -->
<!-- service-name).                                                      -->
<!ENTITY default-pam-service-name                           "ssh-server-g3">

<!-- Whether to perform PAM Account and Session management when           -->
<!-- executing commands, i.e. shells, subsystems and remote commands      -->
<!-- ("pluggable-authentication-modules" pam-calls-with-commands).        -->
<!ENTITY default-pam-command-action                         "no">

<!-- Whether to bind x11 listeners to the localhost interface or to the   -->
<!-- 'any' interface. If the x11 listener is bound to the 'any' interface -->
<!-- the SO_REUSEADDR socket option will not be set. Binding to 'any'     -->
<!-- makes the X11 listener reachable from other hosts, so "localhost"    -->
<!-- is the safer default ("settings" x11-listen-address).                -->
<!ENTITY default-x11-listen-address                         "localhost">

<!-- Whether to only use PAM to check if the user is allowed to login.    -->
<!-- PAM can be used during authentication or via the                     -->
<!-- pam-calls-with-commands setting. If PAM is not used in either        -->
<!-- authentication or with pam-calls-with-commands the normal system     -->
<!-- checks will be used to determine whether the user is allowed to      -->
<!-- login i.e. account is not locked etc.                                -->
<!-- ("settings" pam-account-checking-only)                               -->
<!ENTITY default-pam-account-checking-only                  "no">

<!-- Whether the server tries to resolve the client hostname during       -->
<!-- connection setup ("settings" resolve-client-hostname).               -->
<!ENTITY default-resolve-client-hostname                    "yes">

<!-- Default certificate cache size in MBs ("cert-validation" cache-size). -->
<!ENTITY default-cert-cache-size                            "35">

<!-- Default CRL size limit (in MB) ("cert-validation" max-crl-size). -->
<!ENTITY default-max-crl-size                               "11">

<!-- Default timeout for external searches (LDAP, HTTP, OCSP) (seconds),  -->
<!-- used by "cert-validation" external-search-timeout.                  -->
<!ENTITY default-external-search-timeout                    "60">

<!-- Default limit of LDAP responses (MBs),                               -->
<!-- "cert-validation" max-ldap-response-length.                          -->
<!ENTITY default-max-ldap-response-length                   "11">

<!-- Default LDAP connection idle timeout in seconds                      -->
<!-- ("cert-validation" ldap-idle-timeout).                               -->
<!ENTITY default-ldap-idle-timeout                          "30">

<!-- Whether to enable AIX LAM password change by default                 -->
<!-- ("submethod-aix-lam" enable-password-change).                        -->
<!ENTITY default-aix-lam-password-change                    "no">

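<!-- Policy elements. -->

<!-- The top-level element.                                                -->
<!-- NOTE(review): the listing cut this content model off after            -->
<!-- "authentication-methods?"; the trailing ",services?" is restored      -->
<!-- from the "services" element declared further down. Confirm against    -->
<!-- the shipped secsh-server.dtd.                                         -->
<!ELEMENT secsh-server  (params?,connections?,authentication-methods?
                        ,services?)>

<!-- Parameter element. Only "hostkey" and "listener" are allowed multiple -->
<!-- times. A DTD choice group cannot express that limit, so the server    -->
<!-- presumably enforces it when it reads the file.                        -->
<!-- NOTE(review): the listing cut this content model off after            -->
<!-- "domain-policy"; the remaining alternatives are restored from the     -->
<!-- params-level elements declared in this file. Confirm against the      -->
<!-- shipped DTD.                                                          -->
<!ELEMENT params (crypto-lib|hostkey|listener|settings|domain-policy
                 |pluggable-authentication-modules|protocol-parameters
                 |logging|cert-validation|password-cache|limits)*>

<!-- Cryptographic library. "fips" selects the FIPS mode of the crypto     -->
<!-- library; "standard" is the default.                                   -->
<!ELEMENT crypto-lib  EMPTY>
<!ATTLIST crypto-lib
          mode (fips|standard) "&default-crypto-lib-mode;">

<!-- Settings - a block for stuff that is too minor to have its
     own element in the params block.
     Repairs relative to the listing: pam-account-checking-only referenced
     an entity that does not exist (default-pam-account-checking-only is
     the declared one) and lacked the space between name and type; a
     stray ">" after user-config-dir ended the list early; the enumerated
     attributes x11-listen-address, windows-logon-type and
     ignore-nisplus-no-permission had no default although entities for
     them are declared above.
     Binding the X11 listener to "any" exposes it beyond the loopback
     interface (see the entity comment above). -->
<!ELEMENT settings  EMPTY>
<!ATTLIST settings
        proxy-scheme                  CDATA   #IMPLIED
        xauth-path                    CDATA   #IMPLIED
        x11-listen-address           (localhost|any) "&default-x11-listen-address;"
        pam-account-checking-only    (yes|no) "&default-pam-account-checking-only;"
        ignore-aix-rlogin            (yes|no) "&default-ignore-aix-rlogin;"
        ignore-aix-login             (yes|no) "&default-ignore-aix-login;"
        record-ptyless-sessions      (yes|no) "&default-record-ptyless-sessions;"
        user-config-dir               CDATA   #IMPLIED
        default-path                  CDATA   #IMPLIED
        windows-logon-type           (batch|interactive|network|network-cleartext)
                                              "&default-windows-logon-type;"
        ignore-nisplus-no-permission (yes|no) "&default-ignore-nisplus-no-permission;"
        resolve-client-hostname      (yes|no) "&default-resolve-client-hostname;">

<!-- PAM parameters. service-name defaults to the entity above; dll-path  -->
<!-- names the PAM library to load (location not constrained by the DTD). -->
<!ELEMENT pluggable-authentication-modules EMPTY>
<!ATTLIST pluggable-authentication-modules
          service-name            CDATA    "&default-pam-service-name;"
          dll-path                CDATA    #IMPLIED
          pam-calls-with-commands (yes|no) "&default-pam-command-action;">

<!-- Protocol parameters. Only the thread count is declared here;         -->
<!-- its meaning is not stated in this listing.                           -->
<!ELEMENT protocol-parameters EMPTY>
<!ATTLIST protocol-parameters
          threads CDATA #IMPLIED>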

<!-- Hostkey specification. Either a private key with an optional public  -->
<!-- key or X.509 certificate, or a key held by an external provider.     -->
<!ELEMENT hostkey    ((private,(public|x509-certificate)?)|externalkey)>

<!-- Private key specification. The key can be given as element text or   -->
<!-- via "file"; which one wins when both are present is not stated here. -->
<!-- Keeping the key in a file rather than inline keeps it out of the     -->
<!-- main configuration and under its own file permissions.               -->
<!ELEMENT private             (#PCDATA)>
<!ATTLIST private
          file        CDATA    #IMPLIED>

<!-- Public key. Element text or "file", as for "private". -->
<!ELEMENT public              (#PCDATA)>
<!ATTLIST public
          file        CDATA    #IMPLIED>

<!-- Certificate (host). Element text or "file", as for "private". -->
<!ELEMENT x509-certificate    (#PCDATA)>
<!ATTLIST x509-certificate
          file        CDATA    #IMPLIED>

<!-- External key. "type" names the provider; "init-info" is passed to it -->
<!-- (format provider-specific, not constrained by the DTD).              -->
<!ELEMENT externalkey          EMPTY>
<!ATTLIST externalkey
          type        CDATA    #REQUIRED
          init-info         CDATA    #IMPLIED>

<!-- CA certificate. Given as element text or via "file"; "name" is       -->
<!-- mandatory. CRL checking is on unless disable-crls="yes";             -->
<!-- use-expired-crls gives the time (seconds, per the entity comment)    -->
<!-- an expired CRL may still be used.                                    -->
<!ELEMENT ca-certificate      (#PCDATA)>
<!ATTLIST ca-certificate
          file              CDATA    #IMPLIED
          name              CDATA    #REQUIRED
          disable-crls     (yes|no)  "&default-disable-crls;"
          use-expired-crls  CDATA    "&default-use-expired-crls;">

<!-- Certificate caching. Path of the on-disk cache file. -->
<!ELEMENT cert-cache-file   EMPTY>
<!ATTLIST cert-cache-file
          file              CDATA    #REQUIRED>

<!-- CRL automatic updating. Units of update-before and minimum-interval  -->
<!-- are not stated in this listing.                                      -->
<!ELEMENT crl-auto-update   EMPTY>
<!ATTLIST crl-auto-update
          update-before     CDATA    #IMPLIED
          minimum-interval  CDATA    "&default-crl-update-min-interval;">

<!-- CRL prefetch. "url" is where the CRL is fetched from. -->
<!ELEMENT crl-prefetch      EMPTY>
<!ATTLIST crl-prefetch
          interval          CDATA    "&default-crl-prefetch-interval;"
          url               CDATA    #REQUIRED>

<!-- LDAP server used for certificate and CRL lookups. -->
<!ELEMENT ldap-server       EMPTY>
<!ATTLIST ldap-server
          address           CDATA    #REQUIRED
          port              CDATA    "&default-ldap-server-port;">

<!-- OCSP responder. Unit of validity-period is not stated here. -->
<!ELEMENT ocsp-responder    EMPTY>
<!ATTLIST ocsp-responder
          validity-period   CDATA    #IMPLIED
          url               CDATA    #REQUIRED>

<!-- Enable DoD PKI compliancy. -->
<!ELEMENT dod-pki           EMPTY>
<!ATTLIST dod-pki
          enable            (yes|no) "&default-dod-pki;">

<!-- Secure Shell server TCP listener address and port. "id" is what      -->
<!-- "interface" selectors refer to (IDREF). With "address" omitted the   -->
<!-- bind address is left to the server; the DTD does not fix it.         -->
<!ELEMENT listener          EMPTY>
<!ATTLIST listener
          id                ID       #REQUIRED
          port              CDATA    "22"
          address           CDATA    #IMPLIED>
<!-- Server domain policy type (Windows). -->
<!ELEMENT domain-policy     EMPTY>
<!ATTLIST domain-policy
          windows-domain-precedence  CDATA    #IMPLIED>

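<!-- Logging. -->
<!ELEMENT logging           (log-events*)>

<!-- Log events. The element text presumably names the events; facility   -->
<!-- and severity say where and at which level they are logged.           -->
<!-- NOTE(review): both enumerations were cut off in the listing (after    -->
<!-- "local2" and "critical") and their entity defaults were lost. The     -->
<!-- values restored here are the ones the shipped DTD is believed to      -->
<!-- declare; confirm before relying on them.                              -->
<!ELEMENT log-events        (#PCDATA)>
<!ATTLIST log-events
          facility  (normal|daemon|user|auth|local0|local1|local2
                     |local3|local4|local5|local6|local7|discard)
                    "&default-log-event-facility;"
          severity  (informational|notice|warning|error|critical
                     |security-success|security-failure)
                    "&default-log-event-severity;">

<!-- Certificate validation.                                               -->
<!-- NOTE(review): the listing cut this content model off after            -->
<!-- "cert-cache-file?"; the rest is restored from the validation          -->
<!-- elements declared above (crl-auto-update, crl-prefetch, dod-pki,      -->
<!-- ca-certificate). Confirm order and cardinality against the shipped    -->
<!-- DTD.                                                                  -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,cert-cache-file?
                          ,crl-auto-update?,crl-prefetch*,dod-pki?
                          ,ca-certificate*)>

<!-- A stray ">" after socks-server-url in the listing ended this list    -->
<!-- early; all of the attributes below belong to the same ATTLIST.       -->
<!-- The proxy URLs are where external (LDAP, HTTP, OCSP) searches are    -->
<!-- routed through; the size and timeout limits bound those searches.    -->
<!ATTLIST cert-validation
        http-proxy-url           CDATA  #IMPLIED
        socks-server-url         CDATA  #IMPLIED
        cache-size               CDATA  "&default-cert-cache-size;"
        max-crl-size             CDATA  "&default-max-crl-size;"
        external-search-timeout  CDATA  "&default-external-search-timeout;"
        max-ldap-response-length CDATA  "&default-max-ldap-response-length;"
        ldap-idle-timeout        CDATA  "&default-ldap-idle-timeout;">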

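<!-- Password caching. "file" is where cached passwords are kept; the     -->
<!-- per-user "access" entries override cache-by-default. Because the     -->
<!-- cache holds user passwords, the file's location and permissions      -->
<!-- deserve the same care as a key file.                                 -->
<!ELEMENT password-cache   (access*)>

<!ATTLIST password-cache
         file              CDATA   #IMPLIED
         max-passwords     CDATA   "&default-password-cache-max-passwords;"
         expiration-time   CDATA   "&default-password-cache-expiration-time;"
         cache-by-default (yes|no) "&default-password-cache-by-default;">

<!-- Per-user password cache access entry.                                 -->
<!-- NOTE(review): the listing has an ATTLIST for "access" but no ELEMENT  -->
<!-- declaration; EMPTY is inferred from the attribute-only use. Confirm   -->
<!-- against the shipped DTD.                                              -->
<!ELEMENT access          EMPTY>
<!ATTLIST access
          user            CDATA        #REQUIRED
          action         (allow|deny) "&default-access-action;">

<!-- Limits. Both are optional; when omitted the DTD imposes no cap. -->
<!ELEMENT limits          EMPTY>
<!ATTLIST limits
          max-connections CDATA   #IMPLIED
          max-processes   CDATA   #IMPLIED>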

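<!-- Connections. At least one connection element is required. -->
<!ELEMENT connections    (connection+)>

<!-- Connection. Selectors choose the connections this element applies   -->
<!-- to; rekey, cipher and mac constrain the transport for them.         -->
<!ELEMENT connection     (selector*,rekey?,cipher*,mac*)>
<!ATTLIST connection
          name            ID            #IMPLIED
          action         (allow|deny)  "&default-connection-action;"
          tcp-keepalive  (yes|no)      "&default-tcp-keepalive;">

<!-- Rekey intervals (seconds and bytes; see the entity comments). -->
<!ELEMENT rekey          EMPTY>
<!ATTLIST rekey
          seconds        CDATA    "&default-rekey-interval-seconds;"
          bytes          CDATA    "&default-rekey-interval-bytes;">

<!-- Cipher. "name" is the algorithm name; allow-missing lets the server  -->
<!-- start even if the plugin providing it fails to initialize.          -->
<!ELEMENT cipher         EMPTY>
<!ATTLIST cipher
          name           CDATA    #REQUIRED
          allow-missing  (yes|no) "&default-allow-missing;">

<!-- MAC. Same attributes as "cipher".                                    -->
<!-- NOTE(review): the listing dropped the "<!ATTLIST mac" line in front  -->
<!-- of these two attributes; it is restored here.                        -->
<!ELEMENT mac            EMPTY>
<!ATTLIST mac
          name           CDATA    #REQUIRED
          allow-missing  (yes|no) "&default-allow-missing;">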

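<!-- Selector element. A selector matches when its child selectors match; -->
<!-- which selector elements are permitted is listed in the content model. -->
<!-- NOTE(review): the listing cut this content model off after "ip"; the  -->
<!-- remaining alternatives are restored from the selector elements        -->
<!-- declared below. Confirm grouping and cardinality against the shipped  -->
<!-- DTD.                                                                  -->
<!ELEMENT selector       ((interface|certificate|host-certificate|ip
                           |user|user-group|user-privileged
                           |user-password-change-needed|blackboard
                           |publickey-passed)*)>

<!-- Interface selector. At least one parameter must be given. If id is  -->
<!-- set, the others MUST NOT be set. If id is not set, either or both   -->
<!-- of address and port may be defined. The DTD cannot express these   -->
<!-- constraints; the server presumably checks them.                     -->
<!ELEMENT interface       EMPTY>
<!ATTLIST interface
          id              IDREF    #IMPLIED
          address         CDATA    #IMPLIED
          port            CDATA    #IMPLIED
          allow-undefined (yes|no) "&default-allow-undefined-value;">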

<!-- Public key (plain) passed selector. Matches once plain public-key    -->
<!-- authentication has passed; "length" presumably constrains the key    -->
<!-- length (unit not stated here).                                       -->
<!ELEMENT publickey-passed         EMPTY>
<!ATTLIST publickey-passed
          length          CDATA    #IMPLIED
          allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Certificate selector. "field" names the certificate field to test;   -->
<!-- the test is one of pattern, pattern-case-sensitive or regexp.        -->
<!-- ignore-prefix / ignore-suffix / explicit refine the comparison;      -->
<!-- their exact semantics are not stated in this listing.                -->
<!ELEMENT certificate     EMPTY>
<!ATTLIST certificate
          field        (ca-list|issuer-name|subject-name|serial-number
                        |extended-key-usage)    #REQUIRED
          pattern                CDATA    #IMPLIED
          pattern-case-sensitive CDATA    #IMPLIED
          regexp                 CDATA    #IMPLIED
          ignore-prefix         (yes|no)  #IMPLIED
          ignore-suffix         (yes|no)  #IMPLIED
          explicit              (yes|no)  #IMPLIED
          allow-undefined       (yes|no) "&default-allow-undefined-value;">

<!-- Host certificate selector. Same attributes as "certificate", applied -->
<!-- to the client host's certificate (host-based authentication).        -->
<!ELEMENT host-certificate                EMPTY>
<!ATTLIST host-certificate
          field        (ca-list|issuer-name|subject-name|serial-number
                        |extended-key-usage)    #REQUIRED
          pattern                CDATA    #IMPLIED
          pattern-case-sensitive CDATA    #IMPLIED
          regexp                 CDATA    #IMPLIED
          ignore-prefix         (yes|no)  #IMPLIED
          ignore-suffix         (yes|no)  #IMPLIED
          explicit              (yes|no)  #IMPLIED
          allow-undefined       (yes|no) "&default-allow-undefined-value;">

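<!-- IP address selector. -->
<!-- The address will be one of the following:                        -->
<!--   - an IP range of the form x.x.x.x-y.y.y.y                      -->
<!--   - an IP mask of the form x.x.x.x/y                             -->
<!--   - a straight IP address x.x.x.x                                -->
<!--   - an FQDN pattern (form not checked, either it matches or not) -->
<!-- Exactly one of address or fqdn must be set (the DTD cannot       -->
<!-- enforce this). fqdn matching depends on the client hostname      -->
<!-- being resolved (see resolve-client-hostname in "settings").      -->
<!-- NOTE(review): the listing dropped the "<!ATTLIST ip" line in     -->
<!-- front of these attributes; it is restored here.                  -->
<!ELEMENT ip               EMPTY>
<!ATTLIST ip
          address          CDATA    #IMPLIED
          fqdn             CDATA    #IMPLIED
          fqdn-regexp      CDATA    #IMPLIED
          allow-undefined (yes|no)  "&default-allow-undefined-value;">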

<!-- User name selector. Match by name (case-insensitive), by           -->
<!-- name-case-sensitive, by name-regexp or by numeric id.               -->
<!ELEMENT user                 EMPTY>
<!ATTLIST user
          name                 CDATA    #IMPLIED
          name-case-sensitive  CDATA    #IMPLIED
          name-regexp          CDATA    #IMPLIED
          id                   CDATA    #IMPLIED
          allow-undefined     (yes|no)  "&default-allow-undefined-value;">

<!-- User group selector. Same matching options as "user", applied to    -->
<!-- the user's groups.                                                  -->
<!ELEMENT user-group           EMPTY>
<!ATTLIST user-group
          name                 CDATA    #IMPLIED
          name-case-sensitive  CDATA    #IMPLIED
          name-regexp          CDATA    #IMPLIED
          id                   CDATA    #IMPLIED
          allow-undefined     (yes|no)  "&default-allow-undefined-value;">

<!-- User privileged (administrator) selector. With the default value    -->
<!-- "yes" the selector matches privileged users.                        -->
<!ELEMENT user-privileged      EMPTY>
<!ATTLIST user-privileged
          value            (yes|no)  "&default-user-privileged-value;"
          allow-undefined  (yes|no)  "&default-allow-undefined-value;">

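<!-- Selector for the need of user password change.                       -->
<!-- NOTE(review): the listing lost the defaults of both attributes and   -->
<!-- the closing ">"; enumerated attributes require a default, and the    -->
<!-- entities declared above supply them.                                 -->
<!ELEMENT user-password-change-needed   EMPTY>
<!ATTLIST user-password-change-needed
          value           (yes|no)  "&default-user-password-change-needed-value;"
          allow-undefined (yes|no)  "&default-allow-undefined-value;">

<!-- Blackboard selector. Tests an arbitrary blackboard field with a      -->
<!-- pattern, a case-sensitive pattern or a regexp.                       -->
<!ELEMENT blackboard             EMPTY>
<!ATTLIST blackboard
          field                  CDATA    #REQUIRED
          pattern                CDATA    #IMPLIED
          pattern-case-sensitive CDATA    #IMPLIED
          regexp                 CDATA    #IMPLIED
          allow-undefined       (yes|no)  "&default-allow-undefined-value;">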

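<!-- Authentication methods element.                                       -->
<!-- NOTE(review): the listing cut this content model off after            -->
<!-- "auth-file-modes?"; ",authentication*" is restored from the           -->
<!-- "authentication" element declared below. Confirm cardinality against  -->
<!-- the shipped DTD.                                                      -->
<!ELEMENT authentication-methods    (banner-message?,auth-file-modes?
                                    ,authentication*)>
<!ATTLIST authentication-methods
          login-grace-time    CDATA    "&default-login-grace-time-seconds;">

<!-- Banner message element. Text inline or from "file". -->
<!ELEMENT banner-message     (#PCDATA)>
<!ATTLIST banner-message
          file                CDATA    #IMPLIED>

<!-- Authentication file permission checks. With strict="yes" the server  -->
<!-- checks that authentication files are not writable beyond the octal   -->
<!-- mask-bits (and dir-mask-bits for directories).                       -->
<!-- NOTE(review): a stray ">" after mask-bits in the listing ended the    -->
<!-- list before dir-mask-bits; it belongs to the same ATTLIST.            -->
<!ELEMENT auth-file-modes    EMPTY>
<!ATTLIST auth-file-modes
          strict            (yes|no)    "&default-strict-modes;"
          mask-bits          CDATA      "&default-mask-bits;"
          dir-mask-bits      CDATA      #IMPLIED>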

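<!-- Authentication element.  In an authentication element, different -->
<!-- authentication methods are in OR-relation. User must pass one of -->
<!-- them.                                                            -->
<!-- NOTE(review): the listing cut this content model off after        -->
<!-- "set-blackboard*". The restored remainder lists the auth-*        -->
<!-- methods declared below, nested authentication elements and the    -->
<!-- set-user / mapper elements that follow this declaration; confirm  -->
<!-- grouping and cardinality against the shipped DTD. The ATTLIST     -->
<!-- also lacked its closing ">".                                      -->
<!ELEMENT authentication    (selector*, set-blackboard*
                            ,(auth-publickey|auth-hostbased|auth-password
                             |auth-keyboard-interactive|auth-gssapi)*
                            ,authentication*
                            ,(set-user|mapper)?)>
<!ATTLIST authentication
          name           ID           #IMPLIED
          action        (allow|deny)  "&default-authentication-action;"
          set-group      CDATA        #IMPLIED>

<!-- Sets the user the session runs as after this authentication block. -->
<!-- Exact semantics are not stated in this listing.                   -->
<!ELEMENT set-user         EMPTY>
<!ATTLIST set-user
          name      CDATA  #REQUIRED>

<!-- External mapper command. The server runs this command; what input  -->
<!-- it receives and how its output is used are not stated here.       -->
<!ELEMENT mapper           EMPTY>
<!ATTLIST mapper
          command   CDATA  #REQUIRED>

<!-- Sets a blackboard field, from "value", from "file" or from the     -->
<!-- element text; precedence among them is not stated here.           -->
<!ELEMENT set-blackboard   (#PCDATA)>
<!ATTLIST set-blackboard
          field     CDATA  #REQUIRED
          value     CDATA  #IMPLIED
          file      CDATA  #IMPLIED>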

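<!-- Public-key authentication. The three path attributes name where the  -->
<!-- server looks for authorized keys (Tectia authorization file,        -->
<!-- authorized-keys directory, OpenSSH-style authorized_keys file).     -->
<!ELEMENT auth-publickey               EMPTY>
<!ATTLIST auth-publickey
          authorization-file           CDATA    #IMPLIED
          authorized-keys-directory    CDATA    #IMPLIED
          openssh-authorized-keys-file CDATA    #IMPLIED
          allow-missing               (yes|no)  "&default-allow-missing;">

<!-- Host-based authentication. require-dns-match="yes" additionally      -->
<!-- demands that the client's name resolves consistently; the default    -->
<!-- ("no") is the weaker setting. disable-authorization="yes"           -->
<!-- presumably skips the per-user authorization check; confirm.          -->
<!-- NOTE(review): require-dns-match is enumerated and so needs a default; -->
<!-- the listing lost it, the entity declared above supplies it.           -->
<!ELEMENT auth-hostbased      EMPTY>
<!ATTLIST auth-hostbased
          require-dns-match     (yes|no) "&default-auth-hostbased-require-dns-match;"
          disable-authorization (yes|no) "no"
          allow-missing         (yes|no)  "&default-allow-missing;">

<!-- Password authentication. failure-delay (seconds) and max-tries        -->
<!-- bound repeated failed attempts within one connection.                 -->
<!ELEMENT auth-password      EMPTY>
<!ATTLIST auth-password
          failure-delay      CDATA   "&default-auth-password-failure-delay;"
          max-tries          CDATA   "&default-auth-password-max-tries;"
          allow-missing     (yes|no) "&default-allow-missing;">

<!-- Keyboard-interactive authentication.                                  -->
<!-- NOTE(review): the listing cut this content model off after            -->
<!-- "submethod-pam"; the remaining alternatives are restored from the     -->
<!-- submethod elements declared below. Confirm against the shipped DTD.   -->
<!ELEMENT auth-keyboard-interactive    ((submethod-pam
                                        |submethod-password
                                        |submethod-securid
                                        |submethod-radius
                                        |submethod-aix-lam
                                        |submethod-generic)*)>

<!ATTLIST auth-keyboard-interactive
          failure-delay      CDATA   "&default-auth-kbdint-failure-delay;"
          max-tries          CDATA   "&default-auth-kbdint-max-tries;">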

<!-- Keyboard-interactive submethods. -->

<!-- PAM service-name is #IMPLIED, as it will be by default -->
<!-- whatever is set in "params" block                      -->
<!-- (pluggable-authentication-modules service-name).       -->
<!ELEMENT submethod-pam      EMPTY>
<!ATTLIST submethod-pam
          service-name       CDATA   #IMPLIED
          dll-path           CDATA   #IMPLIED>

<!-- Password (over keyboard-interactive). No attributes. -->
<!ELEMENT submethod-password  EMPTY>

<!-- SecurID. dll-path names the SecurID library to load. -->
<!ELEMENT submethod-securid   EMPTY>
<!ATTLIST submethod-securid
          dll-path            CDATA   #IMPLIED>

<!-- RADIUS. At least one server is required. -->
<!ELEMENT submethod-radius    (radius-server+)>

<!-- RADIUS server. "timeout" is the UDP recvfrom timeout (see the        -->
<!-- entity comment); client-nas-identifier is sent as the NAS identity. -->
<!ELEMENT radius-server       (radius-shared-secret)>
<!ATTLIST radius-server
          address               CDATA    #REQUIRED
          port                  CDATA    "&default-radius-server-port;"
          timeout               CDATA    "&default-radius-server-timeout;"
          client-nas-identifier CDATA    #IMPLIED>

<!-- Secret. "file" has precedence over #PCDATA. Referencing a file      -->
<!-- keeps the shared secret out of the main configuration file, which   -->
<!-- is generally readable by more principals than a dedicated secret    -->
<!-- file needs to be.                                                   -->
<!ELEMENT radius-shared-secret  (#PCDATA)>
<!ATTLIST radius-shared-secret
          file                  CDATA    #IMPLIED>

<!-- AIX LAM. -->
<!ELEMENT submethod-aix-lam     EMPTY>
<!ATTLIST submethod-aix-lam
          enable-password-change (yes|no) "&default-aix-lam-password-change;">

<!-- Generic submethod. "name" selects the submethod, "params" is passed  -->
<!-- to it (format submethod-specific, not constrained by the DTD).       -->
<!ELEMENT submethod-generic     EMPTY>
<!ATTLIST submethod-generic
          name                  CDATA    #REQUIRED
          params                CDATA    #IMPLIED>

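<!-- GSSAPI authentication. allow-ticket-forwarding="yes" lets the        -->
<!-- client's credentials be forwarded to the server; the default is "no". -->
<!-- NOTE(review): allow-ticket-forwarding is enumerated and so needs a    -->
<!-- default; the listing lost it, the entity declared above supplies it.  -->
<!ELEMENT auth-gssapi           EMPTY>
<!ATTLIST auth-gssapi
          dll-path              CDATA    #IMPLIED
          allow-ticket-forwarding  (yes|no) "&default-gssapi-ticket-forwarding-policy;"
          allow-missing        (yes|no)  "&default-allow-missing;">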

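<!-- Services element. Named groups first, then at least one rule. -->
<!ELEMENT services     (group*,rule+)>

<!-- Group element. A named set of selectors that rules refer to by name. -->
<!ELEMENT group        (selector+)>
<!ATTLIST group
          name    ID   #REQUIRED>

<!-- Rule element. Maximum one of each of "terminal", "tunnel-agent"    -->
<!-- or "tunnel-x11" can be present (the DTD cannot express that limit; -->
<!-- the server presumably enforces it).                                -->
<!-- NOTE(review): the listing cut this content model off after          -->
<!-- "command"; the tunnel elements declared below are restored as the   -->
<!-- remaining alternatives. Confirm against the shipped DTD.            -->
<!ELEMENT rule         (environment|terminal|subsystem|command
                        |tunnel-agent|tunnel-x11|tunnel-local|tunnel-remote)*>

<!-- "group", if defined, will be used to match the rule. It is CDATA,    -->
<!-- not IDREF, so a misspelled group name is not caught by validation.   -->
<!ATTLIST rule
          group          CDATA      #IMPLIED
          idle-timeout   CDATA      "&default-idle-timeout;"
          print-motd    (yes|no)    "&default-print-motd;">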

<!-- Environment. -->
<!-- The default allowed environment variables are:           -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"           -->
<!-- If neither allowed nor allowed-case-sensitive is set,     -->
<!-- the default is used. Note that PATH is in the default     -->
<!-- set, so a client-supplied PATH is accepted unless the     -->
<!-- list is narrowed here.                                    -->
<!ELEMENT environment             EMPTY>
<!ATTLIST environment
          allowed                 CDATA    #IMPLIED
          allowed-case-sensitive  CDATA    #IMPLIED>

<!-- Terminal. "chroot" confines the shell to the given directory. -->
<!ELEMENT terminal                    EMPTY>
<!ATTLIST terminal
          action        (allow|deny)  "&default-terminal-action;"
          chroot         CDATA        #IMPLIED>

<!-- Subsystem. "type" names the subsystem; "application" the program    -->
<!-- that implements it; audit="yes" (default) logs its use;             -->
<!-- exec-directly controls whether it is started without a shell.       -->
<!ELEMENT subsystem    (attribute*)>
<!ATTLIST subsystem
          type           CDATA        #REQUIRED
          action        (allow|deny)  "&default-subsystem-action;"
          audit         (yes|no)      "&default-subsystem-audit;"
          exec-directly (yes|no)      "&default-subsystem-exec-directly;"
          application    CDATA        #IMPLIED
          chroot         CDATA        #IMPLIED>

<!-- Subsystem attribute: a name/value pair passed to the subsystem. -->
<!ELEMENT attribute      EMPTY>
<!ATTLIST attribute
          name           CDATA        #REQUIRED
          value          CDATA        #IMPLIED>

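<!-- Tunnels. Each tunnel type carries only an allow/deny action; the    -->
<!-- TCP tunnels additionally take endpoint selectors.                   -->

<!ELEMENT tunnel-x11     EMPTY>
<!ATTLIST tunnel-x11
          action        (allow|deny)  "&default-tunnel-action;">

<!ELEMENT tunnel-agent   EMPTY>
<!ATTLIST tunnel-agent
          action        (allow|deny)  "&default-tunnel-action;">

<!ELEMENT tunnel-local  ((src|dst)*)>
<!ATTLIST tunnel-local
          action        (allow|deny)  "&default-tunnel-action;">

<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote
          action        (allow|deny)  "&default-tunnel-action;">

<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!-- src and dst are for local-tcp                                      -->
<!-- src and listen are for remote-tcp                                  -->

<!-- address or fqdn are not mandatory. If set, exactly one must be set -->
<!-- (not both). The DTD cannot enforce this.                           -->
<!-- NOTE(review): the listing dropped the "<!ATTLIST src" and           -->
<!-- "<!ATTLIST dst" lines in front of their attributes; both are        -->
<!-- restored here.                                                      -->

<!-- Source. -->
<!ELEMENT src         EMPTY>
<!ATTLIST src
          address     CDATA    #IMPLIED
          fqdn        CDATA    #IMPLIED
          fqdn-regexp CDATA    #IMPLIED
          port        CDATA    #IMPLIED>

<!-- Destination. -->
<!ELEMENT dst         EMPTY>
<!ATTLIST dst
          address     CDATA    #IMPLIED
          fqdn        CDATA    #IMPLIED
          fqdn-regexp CDATA    #IMPLIED
          port        CDATA    #IMPLIED>

<!-- Listener (remote tunnel bind address and port). -->
<!ELEMENT listen      EMPTY>
<!ATTLIST listen
          address     CDATA    #IMPLIED
          port        CDATA    #IMPLIED>

<!-- Command. action="forced" runs "application" instead of whatever the -->
<!-- client requested; "interactive" controls interactive commands.      -->
<!-- Repairs relative to the listing: "interactive(yes|no)" lacked the   -->
<!-- mandatory space between attribute name and type, and tab            -->
<!-- characters broke the column alignment.                              -->
<!ELEMENT command     EMPTY>
<!ATTLIST command
          action                    (allow|deny|forced) "&default-command-action;"
          interactive               (yes|no)            "&default-interactive-command-action;"
          application                CDATA              #IMPLIED
          application-case-sensitive CDATA              #IMPLIED
          chroot                     CDATA              #IMPLIED>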