
Tectia

Appendix A Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--									-->
<!--									-->
<!-- secsh-server.dtd							-->
<!--									-->
<!-- Copyright (c) Tectia Corporation.                             -->
<!-- This software is protected by international copyright laws.   -->
<!-- All rights reserved.                                          -->
<!--									-->
<!-- Document type definition for the Tectia Server XML		-->
<!-- configuration files.						-->
<!--									-->
<!--									-->

<!-- Tunable parameters used in the policy. -->

<!-- Default connection action. -->
<!ENTITY default-connection-action			"allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action			"allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action			"allow">

<!-- Default subsystem audit value. -->
<!ENTITY default-subsystem-audit			"yes">

<!-- Default for whether selectors accept undefined blackboard entries -->
<!-- (the allow-undefined attribute of the selector elements).         -->
<!ENTITY default-allow-undefined-value			"no">

<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value			"yes">

<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value	"yes">

<!-- Reverse DNS mapping is not required by default in
     public-key authentication. -->
<!ENTITY default-auth-publickey-require-dns-match       "no">

<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action				"allow">

<!-- Default command action. -->
<!ENTITY default-command-action				"allow">

<!-- Default interactive command action. -->
<!ENTITY default-interactive-command-action		"no">

<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds			"3600">

<!-- Default rekey interval in bytes (1GB). -->
<!ENTITY default-rekey-interval-bytes			"1000000000">

<!-- Default login grace time in seconds. -->
<!ENTITY default-login-grace-time-seconds		"600">

<!-- Default authentication action. -->
<!ENTITY default-authentication-action			"allow">

<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay		"2">

<!-- Password authentication default maximum tries. -->
<!ENTITY default-auth-password-max-tries		"3">

<!-- DNS match not required by default in host-based authentication. -->
<!ENTITY default-auth-hostbased-require-dns-match	"no">

<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay		"2">

<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries			"3">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port			"1812">

<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout. -->
<!ENTITY default-radius-server-timeout			"10">

<!-- GSSAPI default ticket forwarding policy. -->
<!ENTITY default-gssapi-ticket-forwarding-policy	"no">

<!-- Default time in seconds during which expired CRLs may still be used. -->
<!ENTITY default-use-expired-crls			"0">

<!-- CRLs are not disabled by default. -->
<!ENTITY default-disable-crls				"no">

<!-- DoD PKI compatibility is not required by default. -->
<!ENTITY default-dod-pki				"no">

<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port			"389">

<!-- Default CRL update minimum interval. -->
<!ENTITY default-crl-update-min-interval		"30">

<!-- Default interval for CRL prefetching. -->
<!ENTITY default-crl-prefetch-interval			"3600">

<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode			"standard">

<!-- Both IPv4 and IPv6 are enabled by default. -->
<!ENTITY default-address-family-type			"any">

<!-- Default log event facility. -->
<!ENTITY default-log-event-facility			"normal">

<!-- Default log event severity. -->
<!ENTITY default-log-event-severity			"notice">

<!-- Default values for password caching. -->
<!ENTITY default-password-cache-max-passwords		"2000">
<!ENTITY default-password-cache-expiration-time		"0">
<!ENTITY default-password-cache-by-default		"no">

<!ENTITY default-access-action				"allow">

<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-ignore-aix-rlogin              	"no">

<!-- Default ignore AIX login setting. -->
<!ENTITY default-ignore-aix-login                   	"no">

<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions              	"yes">

<!-- Default Windows logon type. -->
<!ENTITY default-windows-logon-type              	"interactive">

<!-- Default Windows terminal mode. -->
<!ENTITY default-windows-terminal-mode			"console">

<!-- Default Ignore nisplus no permission error. -->
<!ENTITY default-ignore-nisplus-no-permission           "no">

<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive				"no">

<!-- Whether a plugin is allowed to fail to initialize (because of, for  -->
<!-- example, the system configuration or missing shared libraries).    -->
<!ENTITY default-allow-missing				"no">

<!-- Default connection idle timeout in seconds.  The value zero -->
<!-- disables idle timeout. -->
<!ENTITY default-idle-timeout				"0">

<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd				"yes">

<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes				"yes">

<!-- Default authentication file permission mask bits (octal). -->
<!ENTITY default-mask-bits				"022">

<!-- Service name used with PAM. -->
<!ENTITY default-pam-service-name			"ssh-server-g3">
<!-- Whether to perform PAM Account and Session management when executing -->
<!-- commands, i.e. shells, subsystems and remote commands.               -->
<!ENTITY default-pam-command-action			"no">

<!-- Whether to bind x11 listeners to the localhost interface or to the   -->
<!-- 'any' interface. If the x11 listener is bound to the 'any' interface -->
<!-- the SO_REUSEADDR socket option will not be set.                      --> 
<!ENTITY default-x11-listen-address                     "localhost">

<!-- Whether to use PAM only for checking whether the user is allowed to   -->
<!-- log in. PAM can be used during authentication or via the              -->
<!-- pam-calls-with-commands setting. If PAM is used neither in            -->
<!-- authentication nor with pam-calls-with-commands, the normal system    -->
<!-- checks are used to determine whether the user is allowed to log in,   -->
<!-- i.e. that the account is not locked, etc.                             -->
<!ENTITY default-pam-account-checking-only              "no">

<!-- Whether the server tries to resolve the client hostname during       -->
<!-- connection setup.                                                    -->
<!ENTITY default-resolve-client-hostname                "yes">

<!-- Whether to suppress last login, password expiry, motd etc. messages  -->
<!-- during login.                                                        -->
<!ENTITY default-quiet-login                            "no">

<!-- Default certificate cache size in MBs. -->
<!ENTITY default-cert-cache-size                        "35">

<!-- Default CRL size limit (in MB). -->
<!ENTITY default-max-crl-size                           "11">

<!-- The default maximum path length for certificate validation. -->
<!ENTITY default-max-path-length                        "10">

<!-- Default timeout for external searches (LDAP, HTTP, OCSP) (seconds). -->
<!ENTITY default-external-search-timeout                "60">

<!-- Default limit of LDAP responses (MBs). -->
<!ENTITY default-max-ldap-response-length               "11">

<!-- Default LDAP connection idle timeout in seconds. -->
<!ENTITY default-ldap-idle-timeout                      "30">

<!-- Whether to enable AIX LAM password change by default. -->
<!ENTITY default-aix-lam-password-change                "no">



<!-- Policy elements. -->

<!-- The top-level element. -->
<!ELEMENT secsh-server	(params?,connections?,authentication-methods?
			 ,services?)>

<!-- Parameter element. Only "hostkey" and "listener" are allowed multiple -->
<!-- times.                                                                -->
<!ELEMENT params (crypto-lib|address-family|hostkey|listener|settings|domain-policy
		  |logging|limits|cert-validation
		  |pluggable-authentication-modules|protocol-parameters)*>

<!-- Cryptographic library. -->
<!ELEMENT crypto-lib	EMPTY>
<!ATTLIST crypto-lib
	  mode		(fips|standard) "&default-crypto-lib-mode;">

<!-- Address family setting (IPv4 and/or IPv6). -->
<!ELEMENT address-family	EMPTY>
<!ATTLIST address-family
	  type		(any|inet|inet6) "&default-address-family-type;">

<!-- Settings: a block for parameters too minor to warrant their own
     element in the params block. -->
<!ELEMENT settings	EMPTY>
<!ATTLIST settings
	  signature-algorithms    CDATA    #IMPLIED
	  proxy-scheme		  CDATA	   #IMPLIED
	  xauth-path		  CDATA	   #IMPLIED
	  x11-listen-address      (localhost|any) 
	                                   "&default-x11-listen-address;"
	  pam-account-checking-only (yes|no) 
                                           "&default-pam-account-checking-only;"
	  ignore-aix-rlogin	  (yes|no) "&default-ignore-aix-rlogin;"
	  ignore-aix-login	  (yes|no) "&default-ignore-aix-login;"
	  record-ptyless-sessions (yes|no) "&default-record-ptyless-sessions;"
          user-config-dir	  CDATA	   #IMPLIED
          default-path		  CDATA	   #IMPLIED
	  windows-logon-type      (batch|interactive|network|network-cleartext)
				           "&default-windows-logon-type;"
	  windows-terminal-mode	  (console|stream)
					   "&default-windows-terminal-mode;"
          ignore-nisplus-no-permission (yes|no) 
                                      "&default-ignore-nisplus-no-permission;"
          resolve-client-hostname (yes|no) "&default-resolve-client-hostname;"
	  quiet-login             (yes|no) "&default-quiet-login;"
          default-domain	  CDATA	   #IMPLIED>

<!ELEMENT pluggable-authentication-modules EMPTY>
<!ATTLIST pluggable-authentication-modules
	  service-name		  CDATA		"&default-pam-service-name;"
	  dll-path                CDATA		#IMPLIED
	  pam-calls-with-commands (yes|no)	"&default-pam-command-action;">

<!ELEMENT protocol-parameters EMPTY>
<!ATTLIST protocol-parameters
	  threads CDATA #IMPLIED>

<!-- Hostkey specification. -->
<!ELEMENT hostkey	((private,(public|x509-certificate)?)|externalkey)>

<!-- Private key specification. -->
<!ELEMENT private	(#PCDATA)>
<!ATTLIST private
	  file		CDATA	#IMPLIED>

<!-- Public key. -->
<!ELEMENT public	(#PCDATA)>
<!ATTLIST public
	  file		CDATA	#IMPLIED>

<!-- Certificate (host). -->
<!ELEMENT x509-certificate	(#PCDATA)>
<!ATTLIST x509-certificate
	  file		CDATA	#IMPLIED>

<!-- External key. -->
<!ELEMENT externalkey	EMPTY>
<!ATTLIST externalkey
	  type		CDATA	#REQUIRED
	  init-info	CDATA	#IMPLIED>

<!-- CA certificate. -->
<!ELEMENT ca-certificate	(#PCDATA)>
<!ATTLIST ca-certificate
	  file			CDATA		#IMPLIED
	  name			CDATA		#REQUIRED
	  disable-crls		(yes|no)	"&default-disable-crls;"
	  use-expired-crls	CDATA		"&default-use-expired-crls;"
	  trusted		(yes|no)	"yes">

<!-- Certificate caching. -->
<!ELEMENT cert-cache-file	EMPTY>
<!ATTLIST cert-cache-file
	  file			CDATA	#REQUIRED>

<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update	EMPTY>
<!ATTLIST crl-auto-update
	  update-before		CDATA	#IMPLIED
	  minimum-interval	CDATA	"&default-crl-update-min-interval;">

<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch		EMPTY>
<!ATTLIST crl-prefetch
	  interval		CDATA	"&default-crl-prefetch-interval;"
	  url			CDATA	#REQUIRED>

<!-- LDAP server. -->
<!ELEMENT ldap-server		EMPTY>
<!ATTLIST ldap-server
	  address		CDATA	#REQUIRED
	  port			CDATA	"&default-ldap-server-port;">

<!-- OCSP responder. -->
<!ELEMENT ocsp-responder	(#PCDATA)>
<!ATTLIST ocsp-responder
	  validity-period	CDATA	#IMPLIED
	  url			CDATA	#REQUIRED>

<!-- Enable DoD PKI compliance. -->
<!ELEMENT dod-pki		EMPTY>
<!ATTLIST dod-pki
	  enable	(yes|no)	"&default-dod-pki;">

<!-- Secure Shell server TCP listener address and port. -->
<!ELEMENT listener	EMPTY>
<!ATTLIST listener
	  id		ID	#REQUIRED
	  port		CDATA	"22"
	  address	CDATA	#IMPLIED>


<!-- Server domain policy type -->
<!ELEMENT domain-policy			EMPTY>
<!ATTLIST domain-policy
	  windows-domain-precedence	CDATA	#IMPLIED>

<!-- Logging. -->
<!ELEMENT logging	(log-events*)>

<!-- Log events. -->
<!ELEMENT log-events	(#PCDATA)>
<!ATTLIST log-events
	  facility	(normal|daemon|user|auth|local0|local1
			 |local2|local3|local4|local5|local6|local7|discard)
			"&default-log-event-facility;"
	  severity	(informational|notice|warning|error|critical
			 |security-success|security-failure)
			"&default-log-event-severity;">

<!-- Certificate validation. Maximum one of each of "cert-cache-file", -->
<!-- "crl-auto-update" and "dod-pki" can be present.                   -->
<!ELEMENT cert-validation (ldap-server|ocsp-responder|cert-cache-file
			   |crl-auto-update|crl-prefetch|dod-pki
			   |ca-certificate)*>

<!ATTLIST cert-validation
	  http-proxy-url	CDATA	#IMPLIED
	  socks-server-url	CDATA	#IMPLIED
	  cache-size            CDATA   "&default-cert-cache-size;"
	  max-crl-size          CDATA   "&default-max-crl-size;"
	  external-search-timeout CDATA   "&default-external-search-timeout;"
	  max-ldap-response-length CDATA   "&default-max-ldap-response-length;"
	  ldap-idle-timeout     CDATA   "&default-ldap-idle-timeout;"
	  max-path-length       CDATA   "&default-max-path-length;">

<!-- Password caching. -->
<!ELEMENT password-cache (access*)>

<!ATTLIST password-cache
          file                CDATA   #IMPLIED
	  max-passwords       CDATA   "&default-password-cache-max-passwords;"
	  expiration-time     CDATA
			      "&default-password-cache-expiration-time;"
          cache-by-default    (yes|no)
			      "&default-password-cache-by-default;">

<!ELEMENT access EMPTY>

<!ATTLIST access
          user                CDATA   #REQUIRED
          action              (allow|deny)	"&default-access-action;">


<!-- Limits. -->
<!-- max-connections is per servant.                                   -->
<!-- servant-lifetime: how many connections a servant will handle      -->
<!-- before it is retired.                                             -->

<!ELEMENT limits		(servant-lifetime)*>
<!ATTLIST limits
	  max-connections	CDATA	#IMPLIED
	  max-processes		CDATA	#IMPLIED>

<!ELEMENT servant-lifetime	EMPTY>
<!ATTLIST servant-lifetime
	  total-connections	CDATA	#IMPLIED>

<!-- Connections. -->
<!ELEMENT connections	(connection+)>

<!-- Connection. -->
<!ELEMENT connection	(selector*,rekey?,cipher*,mac*,kex*,hostkey-algorithm*)>
<!ATTLIST connection
	  name		ID			#IMPLIED
	  action	(allow|deny)		"&default-connection-action;"
	  tcp-keepalive (yes|no)		"&default-tcp-keepalive;">

<!-- Rekey intervals. -->
<!ELEMENT rekey		EMPTY>
<!ATTLIST rekey
	  seconds	CDATA	"&default-rekey-interval-seconds;"
	  bytes		CDATA	"&default-rekey-interval-bytes;">

<!-- Cipher. -->
<!ELEMENT cipher	EMPTY>
<!ATTLIST cipher
	  name	        CDATA	                #REQUIRED
          allow-missing (yes|no)                "&default-allow-missing;">

<!-- MAC. -->
<!ELEMENT mac		EMPTY>
<!ATTLIST mac
	  name	        CDATA	                #REQUIRED
          allow-missing (yes|no)                "&default-allow-missing;">

<!-- KEX. -->
<!ELEMENT kex		EMPTY>
<!ATTLIST kex
	  name	        CDATA	                #REQUIRED
          allow-missing (yes|no)                "&default-allow-missing;">

<!-- Hostkey algorithm. -->
<!ELEMENT hostkey-algorithm  EMPTY>
<!ATTLIST hostkey-algorithm
	  name          CDATA                   #REQUIRED
	  allow-missing (yes|no)                "&default-allow-missing;">

<!-- Selector element. -->
<!ELEMENT selector	(interface|certificate|host-certificate|ip
			 |user|user-group|user-privileged|blackboard
			 |publickey-passed|user-password-change-needed)*>

<!-- Interface selector. At least one parameter must be given. If id is -->
<!-- set, the others MUST NOT be set. If id is not set, either or both	-->
<!-- of address and port may be defined.				-->
<!ELEMENT interface	  EMPTY>
<!ATTLIST interface
	  id		  IDREF	   #IMPLIED
	  address	  CDATA	   #IMPLIED
	  port		  CDATA    #IMPLIED
	  allow-undefined (yes|no) "&default-allow-undefined-value;">

<!-- Public key (plain) passed selector. -->
<!ELEMENT publickey-passed	EMPTY>
<!ATTLIST publickey-passed
	  length		CDATA	 #IMPLIED
	  allow-undefined 	(yes|no)
				"&default-allow-undefined-value;">

<!-- Certificate selector. -->
<!ELEMENT certificate	EMPTY>
<!ATTLIST certificate
	  field		  (ca-list|issuer-name|subject-name|serial-number
			   |altname-email|altname-upn
			   |altname-ip|altname-fqdn
			   |extended-key-usage)	#REQUIRED
	  pattern		 CDATA	#IMPLIED
	  pattern-case-sensitive CDATA	#IMPLIED
	  regexp		 CDATA	#IMPLIED
	  ignore-prefix          (yes|no) #IMPLIED
	  ignore-suffix          (yes|no) #IMPLIED
	  explicit		 (yes|no) #IMPLIED
	  allow-undefined 	 (yes|no)
				 "&default-allow-undefined-value;">

<!-- Host certificate selector. -->
<!ELEMENT host-certificate	EMPTY>
<!ATTLIST host-certificate
	  field		  (ca-list|issuer-name|subject-name|serial-number
			   |altname-email|altname-upn
			   |altname-ip|altname-fqdn
			   |extended-key-usage)	#REQUIRED
	  pattern		 CDATA	#IMPLIED
	  pattern-case-sensitive CDATA	#IMPLIED
	  regexp		 CDATA	#IMPLIED
	  ignore-prefix          (yes|no) #IMPLIED
	  ignore-suffix          (yes|no) #IMPLIED
	  explicit		 (yes|no) #IMPLIED
	  allow-undefined 	 (yes|no)
				 "&default-allow-undefined-value;">

<!-- IP address selector. -->
<!-- The address will be one of the following:				-->
<!--   - an IP range of the form x.x.x.x-y.y.y.y			-->
<!--   - an IP mask of the form x.x.x.x/y				-->
<!--   - a straight IP address x.x.x.x					-->
<!--   - an FQDN pattern (form not checked, either it matches or not) 	-->
<!-- Exactly one of address or fqdn must be set. -->
<!ELEMENT ip		EMPTY>
<!ATTLIST ip
	  address		CDATA	#IMPLIED
	  fqdn			CDATA	#IMPLIED
	  fqdn-regexp		CDATA	#IMPLIED
	  allow-undefined 	(yes|no)
				"&default-allow-undefined-value;">

<!-- User name selector. -->
<!ELEMENT user			EMPTY>
<!ATTLIST user
	  name			CDATA	#IMPLIED
	  name-case-sensitive	CDATA	#IMPLIED
	  name-regexp		CDATA	#IMPLIED
	  id			CDATA	#IMPLIED
	  allow-undefined 	(yes|no)
				"&default-allow-undefined-value;">

<!-- User group selector. -->
<!ELEMENT user-group		EMPTY>
<!ATTLIST user-group
	  name			CDATA	#IMPLIED
	  name-case-sensitive	CDATA	#IMPLIED
	  name-regexp		CDATA	#IMPLIED
	  id			CDATA	#IMPLIED
	  allow-undefined 	(yes|no)
				"&default-allow-undefined-value;">

<!-- User privileged (administrator) selector. -->
<!ELEMENT user-privileged	EMPTY>
<!ATTLIST user-privileged
	  value 		(yes|no)
				"&default-user-privileged-value;"
	  allow-undefined 	(yes|no)
				"&default-allow-undefined-value;">

<!-- Selector for the need of user password change. -->
<!ELEMENT user-password-change-needed	EMPTY>
<!ATTLIST user-password-change-needed
	  value 		(yes|no)
				"&default-user-password-change-needed-value;"
	  allow-undefined 	(yes|no)
				"&default-allow-undefined-value;">

<!-- Blackboard selector. -->
<!ELEMENT blackboard		EMPTY>
<!ATTLIST blackboard
	  field				CDATA	#REQUIRED
	  pattern			CDATA	#IMPLIED
	  pattern-case-sensitive	CDATA	#IMPLIED
	  regexp		 	CDATA	#IMPLIED
	  allow-undefined 		(yes|no)
					"&default-allow-undefined-value;">


<!-- Authentication methods element. -->
<!ELEMENT authentication-methods	(banner-message?,auth-file-modes?
					 ,authentication*)>
<!ATTLIST authentication-methods
	  login-grace-time	CDATA	"&default-login-grace-time-seconds;">

<!-- Banner message element. -->
<!ELEMENT banner-message	(#PCDATA)>
<!ATTLIST banner-message
	  file		CDATA	#IMPLIED>

<!-- Authentication file permission checks. -->
<!ELEMENT auth-file-modes	EMPTY>
<!ATTLIST auth-file-modes
	  strict		(yes|no)	"&default-strict-modes;"
	  mask-bits		CDATA		"&default-mask-bits;"
          dir-mask-bits         CDATA           #IMPLIED>

<!-- Authentication element.  Within an authentication element, the   -->
<!-- different authentication methods are in an OR relation: the user -->
<!-- must pass one of them.                                           -->
<!ELEMENT authentication	(selector*
				 ,(set-blackboard|login-restrictions)*
				 ,(auth-publickey|auth-hostbased|auth-password
				   |auth-keyboard-interactive|auth-gssapi
	                           |auth-none)*
                                 ,mapper?
				 ,set-user?
				 ,authentication*)>
<!ATTLIST authentication
	  name		ID		#IMPLIED
	  action	(allow|deny)	"&default-authentication-action;"
	  set-group	CDATA		#IMPLIED
          repeat-block  (yes|no)        "no">


<!ELEMENT set-user	EMPTY>
<!ATTLIST set-user
	  name		CDATA		#REQUIRED>

<!ELEMENT mapper	EMPTY>
<!ATTLIST mapper
          command	CDATA		#REQUIRED>

<!ELEMENT login-restrictions EMPTY>
<!ATTLIST login-restrictions
	  ignore-password-expiration    CDATA #IMPLIED
	  ignore-aix-rlogin	        CDATA #IMPLIED
	  ignore-aix-login	        CDATA #IMPLIED
	  ignore-nisplus-no-permission  CDATA #IMPLIED>

<!ELEMENT set-blackboard	(#PCDATA)>
<!ATTLIST set-blackboard
	  field		CDATA		#REQUIRED
          value         CDATA           #IMPLIED
          file          CDATA           #IMPLIED>

<!-- Public-key authentication. -->
<!ELEMENT auth-publickey	EMPTY>
<!ATTLIST auth-publickey
          require-dns-match             (yes|no)
			          	"&default-auth-publickey-require-dns-match;"
	  signature-algorithms           CDATA   #IMPLIED
          authorization-file             CDATA   #IMPLIED
          authorized-keys-directory      CDATA   #IMPLIED
          openssh-authorized-keys-file   CDATA   #IMPLIED
	  allow-missing 		 (yes|no)
					 "&default-allow-missing;">

<!-- Host-based authentication. -->
<!ELEMENT auth-hostbased	EMPTY>
<!ATTLIST auth-hostbased
	  require-dns-match	(yes|no)
				"&default-auth-hostbased-require-dns-match;"
	  disable-authorization	(yes|no) "no"
	  allow-missing 	(yes|no)
				"&default-allow-missing;">

<!-- Password authentication. -->
<!ELEMENT auth-password		EMPTY>
<!ATTLIST auth-password
	  failure-delay		CDATA "&default-auth-password-failure-delay;"
	  max-tries		CDATA "&default-auth-password-max-tries;"
	  allow-missing 	(yes|no)
				"&default-allow-missing;">

<!-- Keyboard-interactive authentication. -->
<!ELEMENT auth-keyboard-interactive	((submethod-pam
					  |submethod-password
					  |submethod-securid
					  |submethod-radius
	                                  |submethod-aix-lam 
					  |submethod-generic)*)>

<!ATTLIST auth-keyboard-interactive
	  failure-delay		CDATA "&default-auth-kbdint-failure-delay;"
	  max-tries		CDATA "&default-auth-kbdint-max-tries;">

<!-- Keyboard-interactive submethods. -->

<!-- PAM. service-name is #IMPLIED because, when omitted, it defaults to -->
<!-- whatever is set in the "params" block.                              -->
<!ELEMENT submethod-pam		EMPTY>
<!ATTLIST submethod-pam
	  service-name		CDATA	#IMPLIED
	  dll-path		CDATA	#IMPLIED>

<!-- Password. -->
<!ELEMENT submethod-password	EMPTY>

<!-- SecurID. -->
<!ELEMENT submethod-securid	EMPTY>
<!ATTLIST submethod-securid
	  dll-path		CDATA	#IMPLIED>

<!-- RADIUS. -->
<!ELEMENT submethod-radius	(radius-server+)>

<!-- RADIUS server. -->
<!ELEMENT radius-server		(radius-shared-secret)>
<!ATTLIST radius-server
	  address		CDATA	#REQUIRED
	  port			CDATA	"&default-radius-server-port;"
	  timeout		CDATA	"&default-radius-server-timeout;"
	  client-nas-identifier CDATA	#IMPLIED>

<!-- Shared secret. If "file" is set, it takes precedence over the inline #PCDATA value. -->
<!ELEMENT radius-shared-secret	(#PCDATA)>
<!ATTLIST radius-shared-secret
	  file			CDATA	#IMPLIED>

<!-- AIX LAM. -->
<!ELEMENT submethod-aix-lam	 EMPTY>
<!ATTLIST submethod-aix-lam
	  enable-password-change (yes|no) "&default-aix-lam-password-change;">

<!-- Generic submethod. -->
<!ELEMENT submethod-generic	EMPTY>
<!ATTLIST submethod-generic
	  name			CDATA	#REQUIRED
	  params		CDATA	#IMPLIED>

<!-- GSSAPI authentication. -->
<!ELEMENT auth-gssapi	EMPTY>
<!ATTLIST auth-gssapi
	  dll-path		      CDATA	#IMPLIED
	  allow-ticket-forwarding     (yes|no)
		                 "&default-gssapi-ticket-forwarding-policy;"
	  allow-missing 	      (yes|no)
				      "&default-allow-missing;">

<!ELEMENT auth-none	EMPTY>
<!ATTLIST auth-none
	  allow-missing 	      (yes|no)
				      "&default-allow-missing;">

<!-- Services element. -->
<!ELEMENT services	(group*,rule+)>

<!-- Group element. -->
<!ELEMENT group		(selector+)>
<!ATTLIST group
	  name	ID	#REQUIRED>

<!-- Rule element. Maximum one of each of "terminal", "tunnel-agent"    -->
<!-- or "tunnel-x11" can be present.                                    -->
<!ELEMENT rule		(environment|terminal|subsystem|command
                         |tunnel-agent|tunnel-x11|tunnel-local
			 |tunnel-remote)*>

<!-- If "group" is defined, it is used to determine whether the rule matches. -->
<!ATTLIST rule
	  group		CDATA		#IMPLIED
	  idle-timeout	CDATA		"&default-idle-timeout;"
	  print-motd	(yes|no)	"&default-print-motd;">

<!-- Environment. -->
<!-- The default allowed environment variables are:	       -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"	       -->
<!-- If neither allowed nor allowed-case-sensitive is set,     -->
<!-- the default is used.				       -->
<!ELEMENT environment	EMPTY>
<!ATTLIST environment
	  allowed			CDATA	#IMPLIED
	  allowed-case-sensitive	CDATA	#IMPLIED>

<!-- Terminal. -->
<!ELEMENT terminal	EMPTY>
<!ATTLIST terminal
	  action	(allow|deny)		"&default-terminal-action;"
	  chroot	CDATA			#IMPLIED>

<!-- Subsystem. -->
<!ELEMENT subsystem	(attribute*)>
<!ATTLIST subsystem
	  type		CDATA		#REQUIRED
	  action	(allow|deny)	"&default-subsystem-action;"
	  audit	        (yes|no)	"&default-subsystem-audit;"
	  exec-directly CDATA   #IMPLIED
	  application	CDATA		#IMPLIED
	  chroot	CDATA		#IMPLIED>

<!ELEMENT attribute	EMPTY>
<!ATTLIST attribute
	  name		CDATA	#REQUIRED
	  value		CDATA	#IMPLIED>

<!-- Tunnels. -->

<!ELEMENT tunnel-x11	EMPTY>
<!ATTLIST tunnel-x11
	  action	(allow|deny)		"&default-tunnel-action;">

<!ELEMENT tunnel-agent	EMPTY>
<!ATTLIST tunnel-agent
	  action	(allow|deny)		"&default-tunnel-action;">

<!ELEMENT tunnel-local	((src|dst)*)>
<!ATTLIST tunnel-local
	  action	(allow|deny)		"&default-tunnel-action;">

<!ELEMENT tunnel-remote ((src|listen)*)>
<!ATTLIST tunnel-remote
	  action	(allow|deny)		"&default-tunnel-action;">

<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!-- src and dst are for local-tcp.                                     -->
<!-- src and listen are for remote-tcp.                                 -->

<!-- Neither address nor fqdn is mandatory. If one is given, exactly one -->
<!-- of them must be set (not both).                                     -->

<!-- Source. -->
<!ELEMENT src		EMPTY>
<!ATTLIST src
	  address	CDATA	#IMPLIED
	  fqdn		CDATA	#IMPLIED
	  fqdn-regexp	CDATA	#IMPLIED
	  port		CDATA	#IMPLIED>

<!-- Destination. -->
<!ELEMENT dst		EMPTY>
<!ATTLIST dst
	  address	CDATA	#IMPLIED
	  fqdn		CDATA	#IMPLIED
	  fqdn-regexp	CDATA	#IMPLIED
	  port		CDATA	#IMPLIED>

<!-- Listener. -->
<!ELEMENT listen	EMPTY>
<!ATTLIST listen
	  address	CDATA	#IMPLIED
	  port		CDATA	#IMPLIED>

<!-- Command. -->
<!ELEMENT command			EMPTY>
<!ATTLIST command
	  action			(allow|deny|forced)
						"&default-command-action;"
	  interactive           (yes|no) 
						"&default-interactive-command-action;"
	  application			CDATA	#IMPLIED
	  application-case-sensitive	CDATA	#IMPLIED
	  chroot			CDATA	#IMPLIED>
