

Appendix A Tectia Server Configuration File Quick Reference

This Appendix contains a quick reference to the elements of the Tectia Server configuration file, ssh-server-config.xml. The quick reference is divided into four tables, one for each block of the configuration file:

  • Table A.1: The params block (General server parameters)

  • Table A.2: The connections block (Connection rules and encryption methods)

  • Table A.3: The authentication-methods block (Authentication rules and methods)

  • Table A.4: The services block (Service rules)

The tables list the available configuration file elements with their attributes, attribute values (with the default value, if available, marked in bold) and descriptions. The element names in the tables are links that take you to detailed descriptions of the elements in ssh-server-config(5).

The element hierarchy is expressed with slashes ('/') between parent and child elements. For example, in Table A.2, "connection / selector / ip" means that a connection element can have a selector child element, which in turn can have an ip child element.

Table A.1. ssh-server-config.xml Quick Reference - the params block

(Element, then for each attribute its values and its description)

address-family
    type = "inet|inet6|any"
        IP address type

crypto-lib
    mode = "standard|fips"
        Cryptographic library mode

settings
    proxy-scheme = semicolon-separated_sequence
        HTTP and SOCKS proxy server rules for local tunneling
    xauth-path = path
        (Unix only) Path to a supplementary XAuth binary used with X11 forwarding
    x11-listen-address = "localhost|any"
        (Unix only) Type of address the x11 listener is created on
    pam-account-checking-only = "yes|no"
        (Unix only) Only PAM will be used to check if the user is allowed to log in
    resolve-clienthostname = "yes|no"
        Client host name is resolved from IP address during connection setup
    ignore-aix-rlogin = "yes|no"
        Ignore remote login restriction on AIX
    ignore-aix-login = "yes|no"
        Ignore local login restriction on AIX
    record-ptyless-sessions = "yes|no"
        Record sessions without PTYs as user logins in the OS
    user-config-dir = directory (default: "%D/.ssh2")
        Directory for user-specific configuration data (can include pattern strings)
    default-path = path
        (Unix only) Default PATH value for the user environment
    windows-logon-type = "batch|interactive|network|network-cleartext"
        (Windows only) Accepted user logon methods for the local host
    windows-terminal-mode = "console|stream"
        (Windows only) Mode of operation of a terminal session on the server side
    ignore-nisplus-no-permission = "yes|no"
        (Linux and Solaris only) If NIS+ gives no permission to the user during authentication, ignore it
    quiet-login = "yes|no"
        Suppress messages about last login, password expiry, etc. during login
    default-domain = domain
        Append a domain to server host names that are not FQDNs

pluggable-authentication-modules (Unix only)
    pam-calls-with-commands = "yes|no"
        Enable PAM Account and Session Management when user executes shells, remote commands and subsystems
    service-name = name
        Instruct PAM about which configuration it should use
    dll-path = path
        Location of the PAM library

protocol-parameters
    threads = number (default: "0")
        Number of threads the protocol library uses

hostkey / private
    file = path
        Path to the private key file

hostkey / public
    file = path
        Path to the public key file

hostkey / x509-certificate
    file = path
        Path to the X.509 user certificate file

hostkey / externalkey
    type = "none|software|mscapi|pkcs11|pkcs12"
        External host key type
    init-info = keyword(value)_list
        Init info for the external host key

listener
    id = ID
        Unique ID for the server listener
    address = IP_address
        The address where the server listens for connections
    port = port_number
        The port at which the server listens for connections

domain-policy (Windows only)
    windows-domain-precedence = comma-separated_list
        Trusted domains and special values %default% and %local%

domain-policy / windows-domain (Windows only)
    name = domain_name
        Domain name for domain access with one-way trust
    user = user_name
        User account for domain access with one-way trust

logging / log-events
    facility = "normal|daemon|user|auth|local0|local1|local2|local3|local4|local5|local6|local7|discard"
        Facility of logging event
    severity = "informational|notice|warning|error|critical|security-success|security-failure"
        Severity of logging event

limits
    max-processes = [1 to 2048] (default: "40")
        Maximum number of servant processes the master server will launch
    max-connections = number (default: "256")
        Maximum number of client connections allowed per servant

limits / servant-lifetime
    total-connections = [1 to 4000000000] (recommended: "5000")
        Total number of connections the servant process will handle during its lifetime

cert-validation
    http-proxy-url = address
        HTTP proxy address
    socks-server-url = address
        SOCKS proxy address
    cache-size = [1 to 512] (default: "35")
        Maximum size (MB) of in-memory cache for certificates and CRLs
    max-crl-size = [1 to 512] (default: "11")
        Maximum size (MB) of CRLs accepted
    external-search-timeout = [1 to 3600] (default: "60")
        Time limit (seconds) for external HTTP and LDAP searches for CRLs and certificates
    max-ldap-response-length = [1 to 512] (default: "11")
        Maximum size (MB) of LDAP responses accepted
    ldap-idle-timeout = [1 to 3600] (default: "30")
        Idle timeout (seconds) for LDAP connections
    max-path-length = number
        Maximum length of the certification paths when validating certificates

cert-validation / ldap-server
    address = LDAP-address
        LDAP server address
    port = port_number (default: "389")
        LDAP server port

cert-validation / ocsp-responder
    validity-period = seconds
        Validity period for OCSP data
    url = address
        OCSP responder service address

cert-validation / cert-cache-file
    file = path
        File for storing certificates and CRLs

cert-validation / crl-auto-update
    update-before = seconds
        Time before expiration for automatic updating of certificate revocation lists
    minimum-interval = seconds
        Limit for maximum CRL update frequency

cert-validation / crl-prefetch
    url = address
        URL from which CRL is downloaded
    interval = seconds (default: "3600")
        How often the CRL is downloaded

cert-validation / dod-pki
    enable = "yes|no"
        Enforce digital signature in key usage

cert-validation / ca-certificate
    name = CA_name
        Name of the CA
    file = path
        Path to X.509 CA certificate file
    disable-crls = "yes|no"
        Disable CRL checking
    use-expired-crls = seconds (default: "0")
        Time period for using expired CRLs
    trusted = "yes|no"
        Set CA certificate as a trust anchor and trust it explicitly

password-cache
    file = path
        Location of server password cache file

load-control
    enable = "yes|no"
        Enable load control
    discard-limit = [1 to max-connections-1] (default: 90% of max-connections)
        Limit for discarding new connections from outside the server's white list
    white-list-size = [1 to 10000] (default: "1000")
        Number of IP addresses on the server's white list

Table A.2. ssh-server-config.xml Quick Reference - the connections block

(Element, then for each attribute its values and its description)

connection
    name = XML_name
        Identifier (valid XML name) for the connection rule
    action = "allow|deny"
        Allow/deny connection
    tcp-keepalive = "yes|no"
        Send keepalive messages to the other side

connection / selector / interface
    id = ID
        Match the server listener interface ID
    address = address
        Match the server listener interface address
    port = port_number
        Match the server listener interface port

connection / selector / ip
    address = IP_address|IP_address_range|IP_sub-network_mask
        Match the client's IP address
    fqdn = FQDN_pattern
        Match the client's FQDN

connection / rekey
    seconds = seconds (default: "3600")
        Number of seconds after which key exchange is done again
    bytes = bytes (default: "1000000000")
        Number of transferred bytes after which key exchange is done again

connection / cipher
    name = cipher_name
        Cipher allowed for data encryption
    allow-missing = "yes|no"
        Server restarts normally even if cipher not found during configuration reading

connection / mac
    name = HMAC_name
        MAC allowed for data integrity verification
    allow-missing = "yes|no"
        Server restarts normally even if MAC not found during configuration reading

connection / kex
    name = KEX_name
        KEX allowed for key exchange method
    allow-missing = "yes|no"
        Server restarts normally even if KEX not found during configuration reading

connection / hostkey-algorithm
    name = algorithm_name
        Host key signature algorithm used in server authentication with host keys or certificates
    allow-missing = "yes|no"
        Server restarts normally even if host key algorithm not found during configuration reading

Table A.3. ssh-server-config.xml Quick Reference - the authentication-methods block

(Element, then for each attribute its values and its description)

banner-message
    file = path
        Path to the file that contains the message that is sent to the client before authentication

auth-file-modes (Unix only)
    strict = "yes|no"
        Check permissions and ownership of the user's key files or the directory they are stored in
    mask-bits = octal_permissions (default: "022")
        Specify forbidden permission bits in octal format
    dir-mask-bits = octal_permissions
        Specify the forbidden permission bits for the user key directory

authentication
    action = "allow|deny"
        Allow/deny access to/from users who match a selector

authentication / selector / certificate
    field = "ca-list|issuer-name|subject-name|serial-number|altname-email|altname-upn|altname-ip|altname-fqdn|extended-key-usage"
        The field of user certificates used in public-key authentication that has to be matched
    pattern
        The information in the field to be matched
    pattern-case-sensitive
        The information in the field to be matched case-sensitively
    regexp = egrep_regexp
        Regular expression to match a range of values in the selected field
    ignore-prefix = "yes|no"
        Match only the end of subject name
    ignore-suffix = "yes|no"
        Match only the beginning of the subject name
    explicit = "yes|no"
        (With extended-key-usage) Request that the certificate must include the key purpose ID specified with the pattern
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / host-certificate
    field = "ca-list|issuer-name|subject-name|serial-number|altname-email|altname-upn|altname-ip|altname-fqdn|extended-key-usage"
        The field of host certificates used in public-key authentication that has to be matched
    pattern
        The information in the field to be matched
    pattern-case-sensitive
        The information in the field to be matched case-sensitively
    regexp = egrep_regexp
        Regular expression to match a range of values in the selected field
    ignore-prefix = "yes|no"
        Match only the end of subject name
    ignore-suffix = "yes|no"
        Match only the beginning of the subject name
    explicit = "yes|no"
        (With extended-key-usage) Request that the certificate must include the key purpose ID specified with the pattern
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / interface
    id = ID
        Match the listener interface ID
    address = IP_address
        Match the listener address
    port = port_number
        Match the listener port
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / ip
    address = IP_address|IP_address_range|IP_sub-network_mask
        Match client's IP address
    fqdn = FQDN_pattern
        Match client's FQDN
    fqdn-regexp = regexp_pattern
        Match a range of FQDNs specified with a regular expression
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / user
    name = comma-separated_list
        Match user names
    name-case-sensitive = comma-separated_list
        Match user names case-sensitively
    name-regexp = regexp_pattern
        Match a range of names specified with a regular expression
    id = comma-separated_list
        Match user IDs
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / user-group
    name = comma-separated_list
        Match user group names
    name-case-sensitive = comma-separated_list
        Match user group names case-sensitively
    name-regexp = regexp_pattern
        Match a range of user group names specified with a regular expression
    id = comma-separated_list
        Match user group IDs
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / user-privileged
    value = "yes|no"
        Match a privileged user
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / blackboard
    field
        Match based on the information in this blackboard field
    pattern
        The information in the field to be matched
    pattern-case-sensitive
        The information to be matched case-sensitively
    regexp = egrep_regexp
        Regular expression to match a range of values in the selected field
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / publickey-passed
    length = [length_range]
        Public key length range
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / selector / user-password-change-needed (Unix only)
    value = "yes|no"
        Matches if the user password has expired and should be changed
    allow-undefined = "yes|no"
        Control behavior of selector when required data is not defined

authentication / set-blackboard
    field = blackboard_key
        Describe an item that will be added to the blackboard when this authentication block is encountered
    value
        Desired value
    file = path
        Path to a file containing the desired value

authentication / set-user
    name = user_name
        Specify user name that will be used from here on

authentication / auth-publickey
    require-dns-match = "yes|no"
        Accept or deny a public key which has the allow/deny-from option set in the authorization file
    signature-algorithms = comma-separated_list
        Public-key signature algorithms used for user authentication
    authorization-file = comma-separated_list
        Paths to files that contain the user public keys that are authorized for login
    authorized-keys-directory = comma-separated_list
        Directories that contain the user public keys that are authorized for login
    openssh-authorized-keys-file = comma-separated_list
        Paths to OpenSSH-style authorized_keys files that contain the user public keys that are authorized for login

authentication / auth-hostbased
    require-dns-match = "yes|no"
        Host-based authentication will require the host name given by the client to match the one found in DNS
    disable-authorization = "yes|no"
        Host-based authentication ignores authorization requirements
    allow-missing = "yes|no"
        Ignore missing element

authentication / auth-password
    failure-delay = seconds (default: "2")
        Delay between failed password authentication attempts
    max-tries = number (default: "3")
        Maximum number of password authentication attempts
    allow-missing = "yes|no"
        Ignore missing element

authentication / auth-keyboard-interactive
    failure-delay = seconds (default: "2")
        Delay between failed keyboard-interactive authentication attempts
    max-tries = number (default: "3")
        Maximum number of keyboard-interactive authentication attempts

authentication / auth-keyboard-interactive / submethod-pam (Unix only)
    service-name
        Instruct PAM about which configuration it should use
    dll-path = path|comma-separated_list
        Non-standard location for the PAM library, or PAM DLLs

authentication / auth-keyboard-interactive / submethod-password
    (no attributes)
        Set the keyboard-interactive password submethod in use

authentication / auth-keyboard-interactive / submethod-securid
    dll-path = path
        Path to the SecurID DLL

authentication / auth-keyboard-interactive / submethod-radius
    (no attributes)
        Sets the keyboard-interactive RADIUS submethod in use

authentication / auth-keyboard-interactive / submethod-radius / radius-server
    address = IP_address
        RADIUS server's IP address
    port = port_number (default: "1812")
        RADIUS server port
    timeout = seconds (default: "10")
        Time after which the RADIUS query is terminated if no response is gained
    client-nas-identifier = ID
        Network access server identifier to be used when talking to the RADIUS server

authentication / auth-keyboard-interactive / submethod-radius / radius-server / radius-shared-secret
    file = path
        Path to the RADIUS shared secret file

authentication / auth-keyboard-interactive / submethod-aix-lam
    enable-password-change = "yes|no"
        Enable LAM on AIX and allow users to change their expired passwords

authentication / auth-keyboard-interactive / submethod-generic
    name = method_name
        Set the named generic submethod in use
    params = parameters
        Optional parameters for the submethod

authentication / auth-gssapi
    dll-path = path
        Path to required GSSAPI libraries
    allow-ticket-forwarding = "yes|no"
        Allow forwarding the Kerberos ticket over several connections
    allow-missing = "yes|no"
        Ignore Kerberos/GSSAPI unavailability

authentication / mapper
    command = external_application
        External application used to supplement authentication
    timeout = [1 to 3600] (default: "15")
        Time limit for the external application to exit

Table A.4. ssh-server-config.xml Quick Reference - the services block

(Element, then for each attribute its values and its description)

group
    name = XML_name
        Group name (a valid XML name)

group / selector
    (no attributes)
        This element has the same child elements as authentication-methods / authentication / selector (see Table A.3)

rule
    group = group_name
        Match user's group
    idle-timeout = seconds (default: "0")
        Idle timeout limit
    print-motd = "yes|no"
        Print message of the day at interactive login to a Unix server

rule / environment
    allowed = comma-separated_list
        Environment variables the user group is allowed to set at the client side
    allowed-case-sensitive = comma-separated_list
        Specify case-sensitive variables

rule / terminal
    action = "allow|deny"
        Allow/deny terminal access for the user group
    chroot = directory
        (Unix only) Directory where user is chrooted during the terminal session

rule / subsystem
    type = subsystem
        Subsystem for which the settings are made
    action = "allow|deny"
        Allow/deny use of the subsystem
    audit = "yes|no"
        Record audit messages of the subsystem in the system log
    exec-directly = "yes|no"
        (Unix only) Server will launch sft-server-g3 directly without invoking the user's shell
    application = executable
        The executable of the subsystem
    chroot = directory
        Directory where the user is chrooted when running the subsystem

rule / subsystem / attribute
    name = attribute_name
        Name for the subsystem attribute
    value = attribute_value
        Value of the subsystem attribute

rule / command
    action = "allow|deny|forced"
        Allow/deny/force shell command
    interactive = "yes|no"
        (Windows only) For forced action: the application requires user interaction
    application = application_name
        The application that is allowed/forced to run
    application-case-sensitive = application_name
        (Alternative to application:) The application is matched case-sensitively
    chroot = directory
        Directory where user is chrooted when running the command

rule / tunnel-agent
    action = "allow|deny"
        Allow/deny agent forwarding

rule / tunnel-x11
    action = "allow|deny"
        Allow/deny X11 forwarding

rule / tunnel-local
    action = "allow|deny"
        Allow/deny local tunnels

rule / tunnel-local / src
    address = IP_address|IP_address_range|IP_sub-network_mask
        Source address for local tunnel
    fqdn = FQDN_pattern
        Source FQDN for local tunnel (matches case-insensitively)
    fqdn-regexp = regexp_pattern
        Regular expression (egrep) to match a range of FQDNs

rule / tunnel-local / dst
    address = IP_address|IP_address_range|IP_sub-network_mask
        Destination address for local tunnel
    fqdn = FQDN_pattern
        Destination FQDN for local tunnel (matches case-insensitively)
    fqdn-regexp = regexp_pattern
        Regular expression (egrep) to match a range of FQDNs
    port = port_number
        Destination port or port range for local tunnel

rule / tunnel-local / mapper
    command = external_application
        External application which is the executable of the subsystem
    timeout = [1 to 3600] (default: "15")
        Time limit for the external application to exit

rule / tunnel-remote
    action = "allow|deny"
        Allow/deny remote tunnels

rule / tunnel-remote / src
    address = IP_address|IP_address_range|IP_sub-network_mask
        Source address for remote tunnel
    fqdn = FQDN_pattern
        Source FQDN for remote tunnel (matches case-insensitively)
    fqdn-regexp = regexp_pattern
        Regular expression (egrep) to match a range of FQDNs

rule / tunnel-remote / listen
    address = IP_address|IP_address_range|IP_sub-network_mask
        Listen address for remote tunnel
    port = port_number
        Listen port or port range for remote tunnel
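As an added example that is not part of this reference and not Tectia's own tooling, the script below reads a constructed ssh-server-config.xml, translates the "parent / child" path notation used throughout Tables A.1 to A.4 into ElementTree lookups, and reports settings that weaken the defaults the tables quote (rekey interval, auth-password max-tries, auth-file-modes strict, load-control, and which tunnel types a service rule allows). Only the block, element and attribute names and the quoted defaults come from the tables; the <secsh-server> root element, every value in SAMPLE_CONFIG and the choice of checks are assumptions made for the illustration.

```python
"""Walk a Tectia ssh-server-config.xml along the element paths used in the
quick-reference tables and report settings that weaken the listed defaults.
Added example, not Tectia code: the <secsh-server> root element and every
value in SAMPLE_CONFIG are assumptions made for this illustration."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment); block, element and attribute
# names come from Tables A.1-A.4, the root element name is assumed.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<secsh-server>
  <params>
    <limits max-processes="40" max-connections="256"/>
    <load-control enable="no"/>
  </params>
  <connections>
    <connection name="lan" action="allow">
      <selector>
        <ip address="10.0.0.0/8"/>
      </selector>
      <rekey seconds="86400" bytes="1000000000"/>
    </connection>
    <connection name="catch-all" action="deny"/>
  </connections>
  <authentication-methods>
    <auth-file-modes strict="no"/>
    <authentication action="allow">
      <auth-publickey/>
      <auth-password failure-delay="2" max-tries="10"/>
    </authentication>
  </authentication-methods>
  <services>
    <rule>
      <terminal action="allow"/>
      <tunnel-local action="allow"/>
      <tunnel-agent action="deny"/>
    </rule>
  </services>
</secsh-server>
"""

# Defaults quoted in the tables, keyed by block and by the element path in
# the tables' "parent / child" notation.
TABLE_DEFAULTS = {
    ("connections", "connection / rekey"): {"seconds": 3600, "bytes": 1000000000},
    ("authentication-methods", "authentication / auth-password"): {"failure-delay": 2, "max-tries": 3},
    ("params", "limits"): {"max-processes": 40, "max-connections": 256},
}


def parse(config_xml):
    """Parse the configuration text and return its root element."""
    return ET.fromstring(config_xml)


def find_elements(root, block, table_path):
    """Resolve "a / b / c" from the tables to the matching elements under a block."""
    xpath = "/".join(part.strip() for part in table_path.split("/"))
    return root.findall(f"./{block}/{xpath}")


def effective(elem, block, table_path, name):
    """Integer attribute value, with the table default applied when it is unset."""
    defaults = TABLE_DEFAULTS[(block, table_path)]
    raw = elem.get(name)
    return defaults[name] if raw is None else int(raw)


def audit(config_xml):
    """Return a sorted list of (location, finding) pairs for the configuration."""
    root = parse(config_xml)
    findings = []

    # Table A.2: a rekey interval above the default keeps session keys in use longer.
    for conn in find_elements(root, "connections", "connection"):
        name = conn.get("name")
        for rekey in conn.findall("rekey"):
            seconds = effective(rekey, "connections", "connection / rekey", "seconds")
            if seconds > 3600:
                findings.append((f"connection[{name}] / rekey", f"seconds={seconds} exceeds the default 3600"))
        # A connection rule without a selector applies to every client, so its action deserves a look.
        if conn.find("selector") is None:
            findings.append((f"connection[{name}]", f"no selector, action={conn.get('action')}"))

    # Table A.3: password attempt budget and key-file permission checking.
    path = "authentication / auth-password"
    for pw in find_elements(root, "authentication-methods", path):
        tries = effective(pw, "authentication-methods", path, "max-tries")
        if tries > 3:
            findings.append((path, f"max-tries={tries} exceeds the default 3"))
    for modes in find_elements(root, "authentication-methods", "auth-file-modes"):
        if modes.get("strict") == "no":
            findings.append(("auth-file-modes", "strict=no: key file permission and ownership checks are off"))

    # Table A.1: load control and its white list limit connection floods.
    for lc in find_elements(root, "params", "load-control"):
        if lc.get("enable") != "yes":
            findings.append(("load-control", "enable is not yes"))

    # Table A.4: which forwarding types each service rule allows.
    for rule in find_elements(root, "services", "rule"):
        label = f"rule[{rule.get('group', 'no group')}]"
        allowed = [t.tag for t in rule if t.tag.startswith("tunnel-") and t.get("action") == "allow"]
        if allowed:
            findings.append((label, "allows " + ", ".join(allowed)))
    return sorted(findings)


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```

Running the file prints one line per finding. TABLE_DEFAULTS holds only the defaults the checks need; any other "(default: ...)" row from the tables can be added in the same block-and-path form, and find_elements accepts any path written exactly as it appears in the Element column.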
