SSH Tectia

Appendix A Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--                                                                    -->
<!-- secsh-server.dtd                                                   -->
<!--                                                                    -->
<!-- Copyright (c) 2004-2009 SSH Communications Security, Finland	      -->
<!--       All rights reserved.                                         -->
<!--                                                                    -->
<!-- Document type definition for the SSH Tectia Server XML             -->
<!-- configuration files.                                               -->
<!--                                                                    -->

<!-- Tunable parameters used in the policy. -->
<!-- NOTE: the connection, terminal, subsystem, tunnel, command and       -->
<!-- authentication actions below all default to "allow". An element that -->
<!-- omits its "action" attribute therefore gets "allow"; restrictions    -->
<!-- have to be written as explicit action="deny" attributes.             -->

<!-- Default connection action. -->
<!ENTITY default-connection-action                          "allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action                            "allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action                           "allow">

<!-- Default subsystem audit value. -->
<!ENTITY default-subsystem-audit                            "yes">

<!-- Default subsystem direct execute value. -->
<!ENTITY default-subsystem-exec-directly                    "no">

<!-- Default for allowing undefined blackboard entries by selectors -->
<!-- (the "allow-undefined" attribute on each selector element).   -->
<!ENTITY default-allow-undefined-value                      "no">

<!-- Default user-privileged value (matched by the user-privileged selector). -->
<!ENTITY default-user-privileged-value                      "yes">

<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value	        "yes">

<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action                              "allow">

<!-- Default command action. -->
<!ENTITY default-command-action                             "allow">

<!-- Default interactive command action. -->
<!ENTITY default-interactive-command-action									"no">

<!-- Default rekey interval in seconds ("seconds" attribute of rekey). -->
<!ENTITY default-rekey-interval-seconds                     "3600">

<!-- Default rekey interval in bytes (1GB) ("bytes" attribute of rekey). -->
<!ENTITY default-rekey-interval-bytes                       "1000000000">

<!-- Default login grace time in seconds ("login-grace-time" attribute -->
<!-- of authentication-methods).                                        -->
<!ENTITY default-login-grace-time-seconds                   "600">

<!-- Default authentication action. -->
<!ENTITY default-authentication-action                      "allow">

<!-- Password authentication default failure delay in seconds -->
<!-- ("failure-delay" attribute of auth-password).             -->
<!ENTITY default-auth-password-failure-delay                "2">

<!-- Password authentication default maximum tries -->
<!-- ("max-tries" attribute of auth-password).      -->
<!ENTITY default-auth-password-max-tries                    "3">

<!-- DNS match not required by default in host-based authentication -->
<!-- ("require-dns-match" attribute of auth-hostbased).              -->
<!ENTITY default-auth-hostbased-require-dns-match           "no">

<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay                  "2">

<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries                      "3">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port                         "1812">

<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout -->
<!-- (seconds, presumably - the unit is not stated in this file).     -->
<!ENTITY default-radius-server-timeout                      "10">

<!-- GSSAPI default ticket forwarding policy -->
<!-- ("allow-ticket-forwarding" attribute of auth-gssapi). -->
<!ENTITY default-gssapi-ticket-forwarding-policy            "no">

<!-- Default time in seconds for using expired CRLs -->
<!-- ("use-expired-crls" attribute of ca-certificate). -->
<!ENTITY default-use-expired-crls                           "0">

<!-- CRLs are not disabled by default. Setting "disable-crls" to "yes" -->
<!-- on a ca-certificate turns CRL checking off for that CA.            -->
<!ENTITY default-disable-crls                               "no">

<!-- DoD PKI compatibility is not required by default. -->
<!ENTITY default-dod-pki                                    "no">

<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port                           "389">

<!-- Default CRL update minimum interval ("minimum-interval" attribute -->
<!-- of crl-auto-update; unit not stated in this file).                 -->
<!ENTITY default-crl-update-min-interval                    "30">

<!-- Default interval for CRL prefetching ("interval" attribute of -->
<!-- crl-prefetch; unit not stated in this file).                   -->
<!ENTITY default-crl-prefetch-interval                      "3600">

<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode                            "standard">

<!-- Default log event facility. -->
<!ENTITY default-log-event-facility                         "normal">

<!-- Default log event severity. -->
<!ENTITY default-log-event-severity                         "notice">

<!-- Default values for password caching (attributes of password-cache). -->
<!-- What an expiration time of "0" means is not stated in this file.    -->
<!ENTITY default-password-cache-max-passwords               "2000">
<!ENTITY default-password-cache-expiration-time             "0">
<!ENTITY default-password-cache-by-default                  "no">

<!-- Default action for the per-user "access" entries of password-cache. -->
<!ENTITY default-access-action                              "allow">

<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-ignore-aix-rlogin                          "no">

<!-- Default ignore AIX login setting. -->
<!ENTITY default-ignore-aix-login                           "no">

<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions                    "yes">

<!-- Default Windows logon type. -->
<!ENTITY default-windows-logon-type                         "interactive">

<!-- Default Ignore nisplus no permission error. -->
<!ENTITY default-ignore-nisplus-no-permission               "no">

<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive                              "no">

<!-- Whether a plugin is allowed to not initialize (due to e.g. -->
<!-- system configuration, missing shared libraries). Used as the -->
<!-- "allow-missing" default of cipher, mac and the auth-* elements. -->
<!ENTITY default-allow-missing                              "no">

<!-- Default connection idle timeout in seconds.  The value zero -->
<!-- disables idle timeout. -->
<!ENTITY default-idle-timeout                               "0">

<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd                                 "yes">

<!-- Authentication file permissions are checked by default -->
<!-- ("strict" attribute of auth-file-modes).               -->
<!ENTITY default-strict-modes                               "yes">

<!-- Default authentication file permission mask bits (octal). -->
<!ENTITY default-mask-bits                                  "022">

<!-- Service name used with PAM. -->
<!ENTITY default-pam-service-name                           "ssh-server-g3">

<!-- Whether to perform PAM Account and Session management when           -->
<!-- executing commands, i.e. shells, subsystems and remote commands.     -->
<!ENTITY default-pam-command-action                         "no">

<!-- Whether to bind x11 listeners to the localhost interface or to the   -->
<!-- 'any' interface. If the x11 listener is bound to the 'any' interface -->
<!-- the SO_REUSEADDR socket option will not be set.                      -->
<!ENTITY default-x11-listen-address                         "localhost">

<!-- Whether to only use PAM to check if the user is allowed to login.    -->
<!-- PAM can be used during authentication or via the                     -->
<!-- pam-calls-with-commands setting. If PAM is not used in either        -->
<!-- authentication or with pam-calls-with-commands the normal system     -->
<!-- checks will be used to determine whether the user is allowed to      -->
<!-- login i.e. account is not locked etc.                                -->
<!ENTITY default-pam-account-checking-only                  "no">

<!-- Whether the server tries to resolve the client hostname during       -->
<!-- connection setup.                                                    -->
<!ENTITY default-resolve-client-hostname                    "yes">

<!-- Default certificate cache size in MBs. -->
<!ENTITY default-cert-cache-size                            "35">

<!-- Default CRL size limit (in MB). -->
<!ENTITY default-max-crl-size                               "11">

<!-- Default timeout for external searches (LDAP, HTTP, OCSP) (seconds).  -->
<!ENTITY default-external-search-timeout                    "60">

<!-- Default limit of LDAP responses (MBs). -->
<!ENTITY default-max-ldap-response-length                   "11">

<!-- Default LDAP connection idle timeout in seconds. -->
<!ENTITY default-ldap-idle-timeout                          "30">

<!-- Whether to enable AIX LAM password change by default. -->
<!ENTITY default-aix-lam-password-change                    "no">

<!-- Policy elements. -->

<!-- The top-level element. -->
<!-- NOTE(review): the content model is cut off in this rendering; the   -->
<!-- "services" element declared further down presumably completes it.  -->
<!-- Confirm against the shipped secsh-server.dtd.                       -->
<!ELEMENT secsh-server	(params?,connections?,authentication-methods?

<!-- Parameter element. Only "hostkey" and "listener" are allowed multiple -->
<!-- times.                                                                -->
<!-- NOTE(review): the content model is cut off in this rendering; the     -->
<!-- remaining params children declared below (pluggable-authentication-   -->
<!-- modules, protocol-parameters, logging, cert-validation,               -->
<!-- password-cache, limits) presumably follow. Confirm against the        -->
<!-- shipped DTD.                                                          -->
<!ELEMENT params (crypto-lib|hostkey|listener|settings|domain-policy

<!-- Cryptographic library. "mode" selects the FIPS or standard mode; -->
<!-- the default comes from default-crypto-lib-mode.                  -->
<!ELEMENT crypto-lib  EMPTY>
<!ATTLIST crypto-lib
          mode (fips|standard) "&default-crypto-lib-mode;">

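<!-- Settings - a block for stuff that is too minor to have its
     own element in the params block. -->
<!-- Enumerated attributes take their default from the matching       -->
<!-- "default-*" entity declared above; CDATA attributes are optional. -->
<!ELEMENT settings EMPTY>
<!ATTLIST settings
        proxy-scheme              CDATA   #IMPLIED
        xauth-path                CDATA   #IMPLIED
        x11-listen-address       (localhost|any) "&default-x11-listen-address;"
        pam-account-checking-only (yes|no) "&default-pam-account-checking-only;"
        ignore-aix-rlogin        (yes|no) "&default-ignore-aix-rlogin;"
        ignore-aix-login         (yes|no) "&default-ignore-aix-login;"
        record-ptyless-sessions  (yes|no) "&default-record-ptyless-sessions;"
        user-config-dir           CDATA   #IMPLIED
        default-path              CDATA   #IMPLIED
        windows-logon-type       (batch|interactive|network|network-cleartext)
                                          "&default-windows-logon-type;"
        ignore-nisplus-no-permission (yes|no) "&default-ignore-nisplus-no-permission;"
        resolve-client-hostname  (yes|no) "&default-resolve-client-hostname;">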

<!-- PAM settings. "service-name" is the PAM service the server uses     -->
<!-- (default-pam-service-name); "pam-calls-with-commands" controls       -->
<!-- whether PAM account and session management is also performed when   -->
<!-- commands, shells and subsystems are executed (default-pam-command-   -->
<!-- action, "no" by default).                                            -->
<!ELEMENT pluggable-authentication-modules EMPTY>
<!ATTLIST pluggable-authentication-modules
          service-name            CDATA    "&default-pam-service-name;"
          dll-path                CDATA    #IMPLIED
          pam-calls-with-commands (yes|no) "&default-pam-command-action;">

<!-- Protocol parameters. NOTE(review): what "threads" controls is not -->
<!-- described in this file; confirm in the server documentation.      -->
<!ELEMENT protocol-parameters EMPTY>
<!ATTLIST protocol-parameters
				  threads CDATA #IMPLIED>

<!-- Hostkey specification: either a private key, optionally paired with -->
<!-- its public key or X.509 certificate, or an external key.            -->
<!ELEMENT hostkey    ((private,(public|x509-certificate)?)|externalkey)>

<!-- Private key specification. The key is given either inline as element -->
<!-- content or through the "file" attribute; which source wins when both -->
<!-- are present is not stated here. Inline key material makes the        -->
<!-- configuration file itself as sensitive as the key file.              -->
<!ELEMENT private             (#PCDATA)>
<!ATTLIST private
          file        CDATA    #IMPLIED>

<!-- Public key, inline or from "file". -->
<!ELEMENT public              (#PCDATA)>
<!ATTLIST public
          file        CDATA    #IMPLIED>

<!-- Certificate (host), inline or from "file". -->
<!ELEMENT x509-certificate    (#PCDATA)>
<!ATTLIST x509-certificate
          file        CDATA    #IMPLIED>

<!-- External key. "type" is required, "init-info" optional; the accepted -->
<!-- values are not described in this DTD.                                -->
<!ELEMENT externalkey          EMPTY>
<!ATTLIST externalkey
          type        CDATA    #REQUIRED
          init-info         CDATA    #IMPLIED>

<!-- CA certificate, inline or from "file"; "name" is required.           -->
<!-- "disable-crls" = "yes" turns CRL checking off for this CA and         -->
<!-- "use-expired-crls" allows expired CRLs for the given number of        -->
<!-- seconds (default 0); both weaken revocation checking, so keep the     -->
<!-- defaults unless there is a specific reason not to.                    -->
<!ELEMENT ca-certificate      (#PCDATA)>
<!ATTLIST ca-certificate
          file              CDATA    #IMPLIED
          name              CDATA    #REQUIRED
          disable-crls     (yes|no)  "&default-disable-crls;"
          use-expired-crls  CDATA    "&default-use-expired-crls;">

<!-- Certificate caching. "file" is required. -->
<!ELEMENT cert-cache-file   EMPTY>
<!ATTLIST cert-cache-file
          file              CDATA    #REQUIRED>

<!-- CRL automatic updating. Units of "update-before" and -->
<!-- "minimum-interval" are not stated in this file.      -->
<!ELEMENT crl-auto-update   EMPTY>
<!ATTLIST crl-auto-update
          update-before     CDATA    #IMPLIED
          minimum-interval  CDATA    "&default-crl-update-min-interval;">

<!-- CRL prefetch from "url" (required) every "interval". -->
<!ELEMENT crl-prefetch      EMPTY>
<!ATTLIST crl-prefetch
          interval          CDATA    "&default-crl-prefetch-interval;"
          url               CDATA    #REQUIRED>

<!-- LDAP server used for certificate and CRL lookups; "address" is -->
<!-- required, "port" defaults to default-ldap-server-port.         -->
<!ELEMENT ldap-server       EMPTY>
<!ATTLIST ldap-server
          address           CDATA    #REQUIRED
          port              CDATA    "&default-ldap-server-port;">

<!-- OCSP responder at "url" (required). Unit of "validity-period" -->
<!-- is not stated in this file.                                   -->
<!ELEMENT ocsp-responder    EMPTY>
<!ATTLIST ocsp-responder
          validity-period   CDATA    #IMPLIED
          url               CDATA    #REQUIRED>

<!-- Enable DoD PKI compliancy. -->
<!ELEMENT dod-pki           EMPTY>
<!ATTLIST dod-pki
          enable            (yes|no) "&default-dod-pki;">

<!-- Secure Shell server TCP listener address and port. "id" is an XML  -->
<!-- ID that the interface selector refers to through its IDREF "id".  -->
<!-- "port" defaults to 22. NOTE(review): what an omitted "address"     -->
<!-- binds to is not stated here (presumably all interfaces - confirm). -->
<!ELEMENT listener          EMPTY>
<!ATTLIST listener
          id                ID       #REQUIRED
          port              CDATA    "22"
          address           CDATA    #IMPLIED>

<!-- Server domain policy type (Windows). -->
<!ELEMENT domain-policy     EMPTY>
<!ATTLIST domain-policy
          windows-domain-precedence  CDATA    #IMPLIED>

<!-- Logging: zero or more log-events entries. -->
<!ELEMENT logging           (log-events*)>

<!-- Log events. Element content names the events; "facility" and     -->
<!-- "severity" default to default-log-event-facility and              -->
<!-- default-log-event-severity.                                       -->
<!-- NOTE(review): both enumerations below are cut off in this          -->
<!-- rendering (facility after local2, severity after critical);        -->
<!-- confirm the full lists against the shipped DTD.                    -->
<!ELEMENT log-events        (#PCDATA)>
<!ATTLIST log-events
          facility  (normal|daemon|user|auth|local0|local1|local2
          severity  (informational|notice|warning|error|critical

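<!-- Certificate validation. Size and timeout attributes default to the  -->
<!-- default-cert-cache-size, default-max-crl-size,                       -->
<!-- default-external-search-timeout, default-max-ldap-response-length   -->
<!-- and default-ldap-idle-timeout entities above.                        -->
<!-- NOTE(review): the content model is cut off in this rendering; the   -->
<!-- remaining children declared above (crl-auto-update, crl-prefetch,   -->
<!-- dod-pki, ca-certificate) presumably follow. Confirm against the      -->
<!-- shipped DTD.                                                         -->
<!ELEMENT cert-validation (ldap-server*,ocsp-responder*,cert-cache-file?

<!ATTLIST cert-validation
        http-proxy-url           CDATA  #IMPLIED
        socks-server-url         CDATA  #IMPLIED
        cache-size               CDATA  "&default-cert-cache-size;"
        max-crl-size             CDATA  "&default-max-crl-size;"
        external-search-timeout  CDATA  "&default-external-search-timeout;"
        max-ldap-response-length CDATA  "&default-max-ldap-response-length;"
        ldap-idle-timeout        CDATA  "&default-ldap-idle-timeout;">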

<!-- Password caching. "file" presumably holds the cached passwords and   -->
<!-- needs the same protection as the host keys. Per-user "access"         -->
<!-- entries carry an allow/deny action (default-access-action, "allow"). -->
<!ELEMENT password-cache   (access*)>

<!ATTLIST password-cache
         file              CDATA   #IMPLIED
         max-passwords     CDATA   "&default-password-cache-max-passwords;"
         expiration-time   CDATA   "&default-password-cache-expiration-time;"
         cache-by-default (yes|no) "&default-password-cache-by-default;">

<!-- NOTE(review): no <!ELEMENT access ...> declaration appears in this -->
<!-- rendering (presumably EMPTY); confirm against the shipped DTD.     -->
<!ATTLIST access
          user            CDATA        #REQUIRED
          action         (allow|deny) "&default-access-action;">

<!-- Limits. Both values are optional; their scope (per server, per -->
<!-- client) is not stated in this file.                            -->
<!ELEMENT limits          EMPTY>
<!ATTLIST limits
          max-connections CDATA   #IMPLIED
          max-processes   CDATA   #IMPLIED>

<!-- Connections: one or more connection rules. -->
<!ELEMENT connections    (connection+)>

<!-- Connection rule: selectors, an optional rekey setting and the cipher -->
<!-- and mac lists (presumably the algorithms accepted for matching       -->
<!-- connections). "action" defaults to "allow".                          -->
<!ELEMENT connection     (selector*,rekey?,cipher*,mac*)>
<!ATTLIST connection
          name            ID            #IMPLIED
          action         (allow|deny)  "&default-connection-action;"
          tcp-keepalive  (yes|no)      "&default-tcp-keepalive;">

<!-- Rekey intervals: "seconds" (default 3600) and "bytes" (default 1GB). -->
<!ELEMENT rekey          EMPTY>
<!ATTLIST rekey
          seconds        CDATA    "&default-rekey-interval-seconds;"
          bytes          CDATA    "&default-rekey-interval-bytes;">

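<!-- Cipher. "allow-missing" = "yes" lets the server tolerate this cipher -->
<!-- failing to initialize (see default-allow-missing).                   -->
<!ELEMENT cipher         EMPTY>
<!ATTLIST cipher
          name           CDATA    #REQUIRED
          allow-missing  (yes|no) "&default-allow-missing;">

<!-- MAC. Same attributes as cipher. -->
<!ELEMENT mac            EMPTY>
<!ATTLIST mac
          name           CDATA    #REQUIRED
          allow-missing  (yes|no) "&default-allow-missing;">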

<!-- Selector element. -->
<!-- NOTE(review): the alternative list is cut off in this rendering; the -->
<!-- selector elements declared below (interface, certificate,            -->
<!-- host-certificate, ip, publickey-passed, user, user-group,            -->
<!-- user-privileged, user-password-change-needed, blackboard) are        -->
<!-- presumably the full set. Confirm against the shipped DTD.            -->
<!ELEMENT selector       ((interface|certificate|host-certificate|ip

<!-- Interface selector. At least one parameter must be given. If id is  -->
<!-- set, the others MUST NOT be set. If id is not set, either or both   -->
<!-- of address and port may be defined. "id" refers to a listener id.   -->
<!ELEMENT interface       EMPTY>
<!ATTLIST interface
          id              IDREF    #IMPLIED
          address         CDATA    #IMPLIED
          port            CDATA    #IMPLIED
          allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Public key (plain) passed selector. NOTE(review): "length" is   -->
<!-- presumably the key length in bits - not stated here, confirm.   -->
<!ELEMENT publickey-passed         EMPTY>
<!ATTLIST publickey-passed
          length          CDATA    #IMPLIED
          allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Certificate selector (user certificate). "field" is required; the   -->
<!-- value is matched with "pattern", "pattern-case-sensitive" or         -->
<!-- "regexp". Precedence between them is not stated in this file.        -->
<!ELEMENT certificate     EMPTY>
<!ATTLIST certificate
          field        (ca-list|issuer-name|subject-name|serial-number
                        |extended-key-usage)    #REQUIRED
          pattern                CDATA    #IMPLIED
          pattern-case-sensitive CDATA    #IMPLIED
          regexp                 CDATA    #IMPLIED
          ignore-prefix         (yes|no)  #IMPLIED
          ignore-suffix         (yes|no)  #IMPLIED
          explicit              (yes|no)  #IMPLIED
          allow-undefined       (yes|no) "&default-allow-undefined-value;">

<!-- Host certificate selector. Same attributes as certificate. -->
<!ELEMENT host-certificate                EMPTY>
<!ATTLIST host-certificate
          field        (ca-list|issuer-name|subject-name|serial-number
                        |extended-key-usage)    #REQUIRED
          pattern                CDATA    #IMPLIED
          pattern-case-sensitive CDATA    #IMPLIED
          regexp                 CDATA    #IMPLIED
          ignore-prefix         (yes|no)  #IMPLIED
          ignore-suffix         (yes|no)  #IMPLIED
          explicit              (yes|no)  #IMPLIED
          allow-undefined       (yes|no) "&default-allow-undefined-value;">

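<!-- IP address selector. -->
<!-- The address will be one of the following:                        -->
<!--   - an IP range of the form x.x.x.x-y.y.y.y                      -->
<!--   - an IP mask of the form x.x.x.x/y                             -->
<!--   - a straight IP address x.x.x.x                                -->
<!--   - an FQDN pattern (form not checked, either it matches or not) -->
<!-- Exactly one of address or fqdn must be set.                      -->
<!-- NOTE(review): "fqdn-regexp" is declared below but not covered by -->
<!-- the rule above; confirm how it combines with address/fqdn.       -->
<!ELEMENT ip               EMPTY>
<!ATTLIST ip
          address          CDATA    #IMPLIED
          fqdn             CDATA    #IMPLIED
          fqdn-regexp      CDATA    #IMPLIED
          allow-undefined (yes|no)  "&default-allow-undefined-value;">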

<!-- User name selector: match by "name", "name-case-sensitive",  -->
<!-- "name-regexp" or numeric "id". All are optional.             -->
<!ELEMENT user                 EMPTY>
<!ATTLIST user
          name                 CDATA    #IMPLIED
          name-case-sensitive  CDATA    #IMPLIED
          name-regexp          CDATA    #IMPLIED
          id                   CDATA    #IMPLIED
          allow-undefined     (yes|no)  "&default-allow-undefined-value;">

<!-- User group selector. Same attributes as user. -->
<!ELEMENT user-group           EMPTY>
<!ATTLIST user-group
          name                 CDATA    #IMPLIED
          name-case-sensitive  CDATA    #IMPLIED
          name-regexp          CDATA    #IMPLIED
          id                   CDATA    #IMPLIED
          allow-undefined     (yes|no)  "&default-allow-undefined-value;">

<!-- User privileged (administrator) selector. "value" defaults to -->
<!-- "yes" (default-user-privileged-value).                        -->
<!ELEMENT user-privileged      EMPTY>
<!ATTLIST user-privileged
          value            (yes|no)  "&default-user-privileged-value;"
          allow-undefined  (yes|no)  "&default-allow-undefined-value;">

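<!-- Selector for the need of user password change. "value" defaults to -->
<!-- default-user-password-change-needed-value ("yes").                  -->
<!ELEMENT user-password-change-needed   EMPTY>
<!ATTLIST user-password-change-needed
          value           (yes|no)  "&default-user-password-change-needed-value;"
          allow-undefined (yes|no)  "&default-allow-undefined-value;">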

<!-- Blackboard selector: matches the blackboard entry named by "field" -->
<!-- (required) with "pattern", "pattern-case-sensitive" or "regexp".   -->
<!-- Entries are presumably written by set-blackboard (see below).      -->
<!ELEMENT blackboard             EMPTY>
<!ATTLIST blackboard
          field                  CDATA    #REQUIRED
          pattern                CDATA    #IMPLIED
          pattern-case-sensitive CDATA    #IMPLIED
          regexp                 CDATA    #IMPLIED
          allow-undefined       (yes|no)  "&default-allow-undefined-value;">

<!-- Authentication methods element. "login-grace-time" is in seconds  -->
<!-- and defaults to 600 (default-login-grace-time-seconds).            -->
<!-- NOTE(review): the content model is cut off in this rendering;      -->
<!-- the authentication elements declared below presumably follow.      -->
<!-- Confirm against the shipped DTD.                                   -->
<!ELEMENT authentication-methods    (banner-message?,auth-file-modes?
<!ATTLIST authentication-methods
          login-grace-time    CDATA    "&default-login-grace-time-seconds;">

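<!-- Banner message element, inline or from "file". -->
<!ELEMENT banner-message     (#PCDATA)>
<!ATTLIST banner-message
          file                CDATA    #IMPLIED>

<!-- Authentication file permission checks. "strict" defaults to "yes"  -->
<!-- and "mask-bits" to octal 022 (default-strict-modes,                 -->
<!-- default-mask-bits); "dir-mask-bits" has no default in this file.    -->
<!-- Turning "strict" off disables the permission checks on the          -->
<!-- authentication files.                                               -->
<!ELEMENT auth-file-modes    EMPTY>
<!ATTLIST auth-file-modes
          strict            (yes|no)    "&default-strict-modes;"
          mask-bits          CDATA      "&default-mask-bits;"
          dir-mask-bits      CDATA      #IMPLIED>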

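<!-- Authentication element.  In an authentication element, different -->
<!-- authentication methods are in OR-relation. User must pass one of -->
<!-- them. "action" defaults to "allow" (default-authentication-action). -->
<!-- NOTE(review): the content model is cut off in this rendering and   -->
<!-- the attribute list may have lost entries after "set-group";        -->
<!-- confirm both against the shipped DTD.                              -->
<!ELEMENT authentication    (selector*, set-blackboard*
<!ATTLIST authentication
          name           ID           #IMPLIED
          action        (allow|deny)  "&default-authentication-action;"
          set-group      CDATA        #IMPLIED>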
<!-- Set user. "name" is required; presumably the user name the session -->
<!-- is switched to - confirm in the server documentation.              -->
<!ELEMENT set-user         EMPTY>
<!ATTLIST set-user
          name      CDATA  #REQUIRED>

<!-- Mapper. "command" is required and is presumably run as an external  -->
<!-- program by the server, so the file it names needs the same           -->
<!-- protection as the configuration itself.                              -->
<!ELEMENT mapper           EMPTY>
<!ATTLIST mapper
          command   CDATA  #REQUIRED>

<!-- Set blackboard entry "field" (required) from "value", "file" or the -->
<!-- element content. Precedence between them is not stated here.        -->
<!ELEMENT set-blackboard   (#PCDATA)>
<!ATTLIST set-blackboard
          field     CDATA  #REQUIRED
          value     CDATA  #IMPLIED
          file      CDATA  #IMPLIED>

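<!-- Public-key authentication. Key sources are the authorization file, -->
<!-- an authorized-keys directory or an OpenSSH-style authorized keys   -->
<!-- file; all three are optional.                                      -->
<!ELEMENT auth-publickey               EMPTY>
<!ATTLIST auth-publickey
          authorization-file           CDATA    #IMPLIED
          authorized-keys-directory    CDATA    #IMPLIED
          openssh-authorized-keys-file CDATA    #IMPLIED
          allow-missing               (yes|no)  "&default-allow-missing;">

<!-- Host-based authentication. "require-dns-match" defaults to "no"   -->
<!-- (default-auth-hostbased-require-dns-match); "disable-authorization" -->
<!-- defaults to "no".                                                    -->
<!ELEMENT auth-hostbased      EMPTY>
<!ATTLIST auth-hostbased
          require-dns-match     (yes|no)  "&default-auth-hostbased-require-dns-match;"
          disable-authorization (yes|no)  "no"
          allow-missing         (yes|no)  "&default-allow-missing;">

<!-- Password authentication. "failure-delay" (seconds, default 2) and -->
<!-- "max-tries" (default 3) come from the default-auth-password-*      -->
<!-- entities.                                                          -->
<!ELEMENT auth-password      EMPTY>
<!ATTLIST auth-password
          failure-delay      CDATA   "&default-auth-password-failure-delay;"
          max-tries          CDATA   "&default-auth-password-max-tries;"
          allow-missing     (yes|no) "&default-allow-missing;">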

<!-- Keyboard-interactive authentication. "failure-delay" (seconds,  -->
<!-- default 2) and "max-tries" (default 3) come from the             -->
<!-- default-auth-kbdint-* entities.                                  -->
<!-- NOTE(review): the content model is cut off in this rendering;    -->
<!-- the submethod-* elements declared below presumably complete it.  -->
<!ELEMENT auth-keyboard-interactive    ((submethod-pam

<!ATTLIST auth-keyboard-interactive
          failure-delay      CDATA   "&default-auth-kbdint-failure-delay;"
          max-tries          CDATA   "&default-auth-kbdint-max-tries;">

<!-- Keyboard-interactive submethods. -->

<!-- PAM service-name is #IMPLIED, as it will be by default -->
<!-- whatever is set in the "params" block.                 -->
<!ELEMENT submethod-pam      EMPTY>
<!ATTLIST submethod-pam
          service-name       CDATA   #IMPLIED
          dll-path           CDATA   #IMPLIED>

<!-- Password. -->
<!ELEMENT submethod-password  EMPTY>

<!-- SecurID. -->
<!ELEMENT submethod-securid   EMPTY>
<!ATTLIST submethod-securid
          dll-path            CDATA   #IMPLIED>

<!-- RADIUS: one or more servers. -->
<!ELEMENT submethod-radius    (radius-server+)>

<!-- RADIUS server. "address" is required; "port" and "timeout" default -->
<!-- to the default-radius-server-* entities.                           -->
<!ELEMENT radius-server       (radius-shared-secret)>
<!ATTLIST radius-server
          address               CDATA    #REQUIRED
          port                  CDATA    "&default-radius-server-port;"
          timeout               CDATA    "&default-radius-server-timeout;"
          client-nas-identifier CDATA    #IMPLIED>

<!-- Secret. "file" has precedence over #PCDATA. An inline secret makes -->
<!-- the configuration file itself sensitive.                            -->
<!ELEMENT radius-shared-secret  (#PCDATA)>
<!ATTLIST radius-shared-secret
          file                  CDATA    #IMPLIED>

<!-- AIX LAM. Password change is off by default (default-aix-lam-password-change). -->
<!ELEMENT submethod-aix-lam     EMPTY>
<!ATTLIST submethod-aix-lam
          enable-password-change (yes|no) "&default-aix-lam-password-change;">

<!-- Generic submethod. "name" is required; the format of "params" is -->
<!-- not described in this file.                                      -->
<!ELEMENT submethod-generic     EMPTY>
<!ATTLIST submethod-generic
          name                  CDATA    #REQUIRED
          params                CDATA    #IMPLIED>

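<!-- GSSAPI authentication. "allow-ticket-forwarding" defaults to "no"   -->
<!-- (default-gssapi-ticket-forwarding-policy); enable it only where     -->
<!-- forwarded credentials are actually needed.                          -->
<!ELEMENT auth-gssapi           EMPTY>
<!ATTLIST auth-gssapi
          dll-path              CDATA    #IMPLIED
          allow-ticket-forwarding  (yes|no)  "&default-gssapi-ticket-forwarding-policy;"
          allow-missing        (yes|no)  "&default-allow-missing;">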

<!-- Services element: optional groups followed by one or more rules. -->
<!ELEMENT services     (group*,rule+)>

<!-- Group element: a named set of selectors. "name" is an XML ID. -->
<!ELEMENT group        (selector+)>
<!ATTLIST group
          name    ID   #REQUIRED>

<!-- Rule element. Maximum one of each of "terminal", "tunnel-agent"    -->
<!-- or "tunnel-x11" can be present.                                    -->
<!-- NOTE(review): the content model is cut off in this rendering; the  -->
<!-- tunnel-* elements declared below presumably complete it.           -->
<!ELEMENT rule         (environment|terminal|subsystem|command

<!-- "group", if defined, will be used to match the rule. "idle-timeout" -->
<!-- is in seconds, 0 disables it (default-idle-timeout).                 -->
<!ATTLIST rule
          group          CDATA      #IMPLIED
          idle-timeout   CDATA      "&default-idle-timeout;"
          print-motd    (yes|no)    "&default-print-motd;">

<!-- Environment. -->
<!-- The default allowed environment variables are:           -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"           -->
<!-- If neither allowed nor allowed-case-sensitive is set,     -->
<!-- the default is used.                                      -->
<!ELEMENT environment             EMPTY>
<!ATTLIST environment
          allowed                 CDATA    #IMPLIED
          allowed-case-sensitive  CDATA    #IMPLIED>

<!-- Terminal. "action" defaults to "allow" (default-terminal-action). -->
<!ELEMENT terminal                    EMPTY>
<!ATTLIST terminal
          action        (allow|deny)  "&default-terminal-action;"
          chroot         CDATA        #IMPLIED>

<!-- Subsystem. "type" is required; "action" defaults to "allow",       -->
<!-- "audit" to "yes" and "exec-directly" to "no" (default-subsystem-*). -->
<!ELEMENT subsystem    (attribute*)>
<!ATTLIST subsystem
          type           CDATA        #REQUIRED
          action        (allow|deny)  "&default-subsystem-action;"
          audit         (yes|no)      "&default-subsystem-audit;"
          exec-directly (yes|no)      "&default-subsystem-exec-directly;"
          application    CDATA        #IMPLIED
          chroot         CDATA        #IMPLIED>

<!-- Subsystem attribute: a name/value pair passed to the subsystem. -->
<!ELEMENT attribute      EMPTY>
<!ATTLIST attribute
          name           CDATA        #REQUIRED
          value          CDATA        #IMPLIED>

<!-- Tunnels. Every tunnel type's "action" defaults to "allow"        -->
<!-- (default-tunnel-action); deny the ones a rule should not permit. -->

<!-- X11 forwarding. -->
<!ELEMENT tunnel-x11     EMPTY>
<!ATTLIST tunnel-x11
          action        (allow|deny)  "&default-tunnel-action;">

<!-- Agent forwarding. -->
<!ELEMENT tunnel-agent   EMPTY>
<!ATTLIST tunnel-agent
          action        (allow|deny)  "&default-tunnel-action;">

<!-- Local TCP tunnels, optionally restricted by src/dst selectors. -->
<!ELEMENT tunnel-local  ((src|dst)*)>
<!ATTLIST tunnel-local
          action        (allow|deny)  "&default-tunnel-action;">

<!-- Remote TCP tunnels, optionally restricted by src/listen selectors. -->
<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote
          action        (allow|deny)  "&default-tunnel-action;">

<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!-- src and dst are for local-tcp                                      -->
<!-- src and listen are for remote-tcp                                  -->

<!-- address or fqdn are not mandatory. If set, exactly one must be set -->
<!-- (not both).                                                        -->

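<!-- Source. -->
<!ELEMENT src         EMPTY>
<!ATTLIST src
          address     CDATA    #IMPLIED
          fqdn        CDATA    #IMPLIED
          fqdn-regexp CDATA    #IMPLIED
          port        CDATA    #IMPLIED>

<!-- Destination. Same attributes as src. -->
<!ELEMENT dst         EMPTY>
<!ATTLIST dst
          address     CDATA    #IMPLIED
          fqdn        CDATA    #IMPLIED
          fqdn-regexp CDATA    #IMPLIED
          port        CDATA    #IMPLIED>

<!-- Listener (remote tunnels): address and port, both optional. -->
<!ELEMENT listen      EMPTY>
<!ATTLIST listen
          address     CDATA    #IMPLIED
          port        CDATA    #IMPLIED>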

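<!-- Command. "action" defaults to "allow" (default-command-action) and    -->
<!-- also accepts "forced"; "interactive" defaults to "no"                 -->
<!-- (default-interactive-command-action). What "forced" does with         -->
<!-- "application" is not described in this file.                          -->
<!ELEMENT command     EMPTY>
<!ATTLIST command
          action                     (allow|deny|forced) "&default-command-action;"
          interactive                (yes|no)            "&default-interactive-command-action;"
          application                CDATA   #IMPLIED
          application-case-sensitive CDATA   #IMPLIED
          chroot                     CDATA   #IMPLIED>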