Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.

SSH

Appendix B Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--                                                                    -->
<!--                                                                    -->
<!-- secsh-server.dtd                                                   -->
<!--                                                                    -->
<!-- Copyright (c) 2017 SSH Communications Security Corporation.        -->
<!-- This software is protected by international copyright laws.        -->
<!-- All rights reserved.                                               -->
<!--                                                                    -->
<!-- Document type definition for the Tectia Server XML                 -->
<!-- configuration files.                                               -->
<!--                                                                    -->
<!--                                                                    -->

<!-- Tunable parameters used in the policy.                             -->

<!-- Default connection action. -->
<!ENTITY default-connection-action                      "allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action                        "allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action                       "allow">

<!-- Default subsystem audit value. -->
<!ENTITY default-subsystem-audit                        "yes">

<!-- Default for allowing undefined blackboard entries by selectors. -->
<!ENTITY default-allow-undefined-value                  "no">

<!-- Default user-privileged value. -->
<!ENTITY default-user-privileged-value                  "yes">

<!-- Default user-password-change-needed value. -->
<!ENTITY default-user-password-change-needed-value      "yes">

<!-- Reverse mapping is not required by default in publickey authentication. -->
<!ENTITY default-auth-publickey-require-dns-match       "no">

<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action                          "allow">

<!-- Default command action. -->
<!ENTITY default-command-action                         "allow">

<!-- Default interactive command action. -->
<!ENTITY default-interactive-command-action             "no">

<!-- Default rekey interval in seconds. -->
<!ENTITY default-rekey-interval-seconds                 "3600">

<!-- Default rekey interval in bytes (1GB). -->
<!ENTITY default-rekey-interval-bytes                   "1000000000">

<!-- Default login grace time in seconds. -->
<!ENTITY default-login-grace-time-seconds               "600">

<!-- Default authentication action. -->
<!ENTITY default-authentication-action                  "allow">

<!-- Password authentication default failure delay in seconds. -->
<!ENTITY default-auth-password-failure-delay            "2">

<!-- Password authentication default maximum tries. -->
<!ENTITY default-auth-password-max-tries                "3">

<!-- Password cache is disabled by default -->
<!ENTITY default-password-cache                         "no">

<!-- DNS match not required by default in host-based authentication. -->
<!ENTITY default-auth-hostbased-require-dns-match       "no">

<!-- Keyboard-interactive authentication default failure delay in seconds. -->
<!ENTITY default-auth-kbdint-failure-delay              "2">

<!-- Keyboard-interactive authentication default maximum tries. -->
<!ENTITY default-auth-kbdint-max-tries                  "3">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-radius-server-port                     "1812">

<!-- Keyboard-interactive RADIUS server default UDP recvfrom timeout. -->
<!ENTITY default-radius-server-timeout                  "10">

<!-- GSSAPI default ticket forwarding policy. -->
<!ENTITY default-gssapi-ticket-forwarding-policy        "no">

<!-- GSSAPI default library values. -->
<!ENTITY default-gssapi-dll-path "/usr/lib/libgssapi_krb5.so,
                                  /usr/lib64/libgssapi_krb5.so,
                                  /usr/lib/libkrb5.so,
                                  /usr/lib/libgss.so,
                                  /usr/local/gss/gl/mech_krb5.so,
                                  /usr/local/lib/libgssapi_krb5.so,
                                  /usr/local/lib/libkrb5.so,
                                  /usr/kerberos/lib/libgssapi_krb5.so,
                                  /usr/kerberos/lib/libkrb5.so,
                                  /usr/lib/gss/libgssapi_krb5.so,
                                  /usr/kerberos/lib/libgssapi_krb5.so.2,
                                  /usr/lib/libgssapi_krb5.so.2,
                                  /usr/lib/amd64/gss/mech_krb5.so,
                                  /usr/lib/amd64/libgss.so">

<!-- Default time in seconds for using expired CRLs. -->
<!ENTITY default-use-expired-crls                       "0">

<!-- CRLs are not disabled by default. -->
<!ENTITY default-disable-crls                           "no">

<!-- Digital signature in key usage is not enforced by default. -->
<!ENTITY default-dod-pki                                "no">

<!-- LDAP server default port. -->
<!ENTITY default-ldap-server-port                       "389">

<!-- Default CRL update minimum interval. -->
<!ENTITY default-crl-update-min-interval                "30">

<!-- Default interval for CRL prefetching. -->
<!ENTITY default-crl-prefetch-interval                  "3600">

<!-- Default crypto library mode ("fips" or "standard"). -->
<!ENTITY default-crypto-lib-mode                        "standard">

<!-- Both ipv4 and ipv6 are enabled by default -->
<!ENTITY default-address-family-type                    "inet">

<!-- Default terminate user started processes -->
<!ENTITY default-terminate-user-processes               "no">

<!ENTITY default-allow-configuration                    "no">

<!-- Default log event facility. -->
<!ENTITY default-log-event-facility                     "normal">

<!-- Default log event severity. -->
<!ENTITY default-log-event-severity                     "notice">

<!ENTITY default-access-action                          "allow">

<!-- Load control is enabled by default -->
<!ENTITY default-load-control-enable                    "yes">

<!-- Default white list size -->
<!ENTITY default-white-list-size                        "1000">

<!-- Default ignore AIX rlogin setting. -->
<!ENTITY default-ignore-aix-rlogin                      "no">

<!-- Default ignore AIX login setting. -->
<!ENTITY default-ignore-aix-login                       "no">

<!-- Default record sessions without PTYs. -->
<!ENTITY default-record-ptyless-sessions                "yes">

<!-- Default Windows logon type. -->
<!ENTITY default-windows-logon-type                     "interactive">

<!-- Default Windows terminal mode. -->
<!ENTITY default-windows-terminal-mode                  "console">

<!-- Default Ignore nisplus no permission error. -->
<!ENTITY default-ignore-nisplus-no-permission           "no">

<!-- TCP keepalives are disabled by default. -->
<!ENTITY default-tcp-keepalive                          "no">

<!-- Whether a plugin is allowed to not initialize (due to e.g.           -->
<!-- system configuration, missing shared libraries).                     -->
<!ENTITY default-allow-missing                          "no">

<!-- Default connection idle timeout in seconds.  The value zero -->
<!-- disables idle timeout. -->
<!ENTITY default-idle-timeout                           "0">

<!-- Message of the day (MOTD) is printed on login by default. -->
<!ENTITY default-print-motd                             "yes">

<!-- Authentication file permissions are checked by default. -->
<!ENTITY default-strict-modes                           "yes">

<!-- Default authentication file permission mask bits (octal). -->
<!ENTITY default-mask-bits                              "022">

<!-- Service name used with PAM. -->
<!ENTITY default-pam-service-name                       "ssh-server-g3">
<!-- Whether to perform PAM Account and Session management when executing -->
<!-- commands, i.e. shells, subsystems and remote commands.               -->
<!ENTITY default-pam-command-action                     "no">

<!-- Whether to bind x11 listeners to the localhost interface or to the   -->
<!-- 'any' interface. If the x11 listener is bound to the 'any' interface -->
<!-- the SO_REUSEADDR socket option will not be set.                      --> 
<!ENTITY default-x11-listen-address                     "localhost">

<!-- Whether to only use PAM to check if the user is allowed to login.    -->
<!-- PAM can be used during authentication or via the                     -->
<!-- pam-calls-with-commands setting. If PAM is not used in either        -->
<!-- authentication or with pam-calls-with-commands the normal system     -->
<!-- checks will be used to determine whether the user is allowed to      -->
<!-- login i.e. account is not locked etc.                                -->
<!ENTITY default-pam-account-checking-only              "no">

<!-- Whether the server tries to resolve the client hostname during       -->
<!-- connection setup                                                     -->
<!ENTITY default-resolve-client-hostname                "yes">

<!-- Whether to suppress last login, password expiry, motd etc. messages  -->
<!-- during login.                                                        -->
<!ENTITY default-quiet-login                            "no">

<!-- Default certificate cache size in MBs. -->
<!ENTITY default-cert-cache-size                        "35">

<!-- Default CRL size limit (in MB). -->
<!ENTITY default-max-crl-size                           "11">

<!-- The default maximum path length for certificate validation. -->
<!ENTITY default-max-path-length                        "10">

<!-- Default timeout for external searches (LDAP, HTTP, OCSP) (seconds). -->
<!ENTITY default-external-search-timeout                "60">

<!-- Default limit of LDAP responses (MBs). -->
<!ENTITY default-max-ldap-response-length               "11">

<!-- Default LDAP connection idle timeout in seconds. -->
<!ENTITY default-ldap-idle-timeout                      "30">

<!-- Whether to enable AIX LAM password change by default. -->
<!ENTITY default-aix-lam-password-change                "no">

<!-- Keyboard-interactive RADIUS server default port. -->
<!ENTITY default-tunnel-mapper-timeout                  "15">


<!-- Policy elements. -->

<!-- The top-level element. -->
<!ELEMENT secsh-server  (params?,connections?,authentication-methods?
                         ,services?)>

<!-- Parameter element. Only "hostkey" and "listener" are allowed multiple -->
<!-- times.                                                                -->
<!ELEMENT params        (crypto-lib|address-family|hostkey|listener|settings
                        |domain-policy|logging|limits|cert-validation
                        |pluggable-authentication-modules|protocol-parameters
                        |password-cache|load-control|password-change-rules)*>

<!-- Cryptographic library. -->
<!ELEMENT crypto-lib            EMPTY>
<!ATTLIST crypto-lib
      mode                      (fips|standard) "&default-crypto-lib-mode;">

<!-- address-family mode setting ipv4 & ipv6-->
<!ELEMENT address-family        EMPTY>
<!ATTLIST address-family
      type                     (any|inet|inet6) "&default-address-family-type;">

<!-- Settings - a block for stuff that is too minor to have its
     own element in the params block. -->
<!ELEMENT settings              EMPTY>
<!-- Note that the signature-algorithms attribute is deprecated and 
     included in the DTD only for backwards compatibility -->
<!ATTLIST settings
      signature-algorithms      CDATA      #IMPLIED
      proxy-scheme              CDATA      #IMPLIED
      xauth-path                CDATA      #IMPLIED
      x11-listen-address        (localhost|any) 
                                           "&default-x11-listen-address;"
      pam-account-checking-only (yes|no)   "&default-pam-account-checking-only;"
      ignore-aix-rlogin         (yes|no)   "&default-ignore-aix-rlogin;"
      ignore-aix-login          (yes|no)   "&default-ignore-aix-login;"
      record-ptyless-sessions   (yes|no)   "&default-record-ptyless-sessions;"
      user-config-dir           CDATA      #IMPLIED
      default-path              CDATA      #IMPLIED
      windows-logon-type        (batch|interactive|network|network-cleartext)
                                           "&default-windows-logon-type;"
      windows-terminal-mode     (console|stream)
                                           "&default-windows-terminal-mode;"
      ignore-nisplus-no-permission (yes|no) 
                                        "&default-ignore-nisplus-no-permission;"
      resolve-client-hostname   (yes|no)   "&default-resolve-client-hostname;"
      quiet-login               (yes|no)   "&default-quiet-login;"
      default-domain            CDATA      #IMPLIED
      terminate-user-processes  (yes|no)   "&default-terminate-user-processes;">

<!ELEMENT pluggable-authentication-modules EMPTY>
<!ATTLIST pluggable-authentication-modules
      service-name              CDATA      "&default-pam-service-name;"
      dll-path                  CDATA      #IMPLIED
      pam-calls-with-commands   (yes|no)   "&default-pam-command-action;">

<!ELEMENT protocol-parameters   EMPTY>
<!ATTLIST protocol-parameters
      threads                   CDATA      #IMPLIED>

<!-- Hostkey specification. -->
<!ELEMENT hostkey           ((private,(public|x509-certificate)?)|externalkey)>

<!-- Private key specification. -->
<!ELEMENT private               (#PCDATA)>
<!ATTLIST private
      file                      CDATA       #IMPLIED>

<!-- Public key. -->
<!ELEMENT public                (#PCDATA)>
<!ATTLIST public
      file                      CDATA       #IMPLIED>

<!-- Certificate (host). -->
<!ELEMENT x509-certificate      (#PCDATA)>
<!ATTLIST x509-certificate
      file                      CDATA       #IMPLIED>

<!-- External key. -->
<!ELEMENT externalkey           EMPTY>
<!ATTLIST externalkey
      type                      CDATA       #REQUIRED
      init-info                 CDATA       #IMPLIED>

<!-- CA certificate. -->
<!ELEMENT ca-certificate        (#PCDATA)>
<!ATTLIST ca-certificate
      file                      CDATA       #IMPLIED
      name                      CDATA       #REQUIRED
      disable-crls              (yes|no)    "&default-disable-crls;"
      use-expired-crls          CDATA       "&default-use-expired-crls;"
      trusted                   (yes|no)    "yes">

<!-- Certificate caching. -->
<!ELEMENT cert-cache-file       EMPTY>
<!ATTLIST cert-cache-file
      file                      CDATA       #REQUIRED>

<!-- CRL automatic updating. -->
<!ELEMENT crl-auto-update       EMPTY>
<!ATTLIST crl-auto-update
      update-before             CDATA       #IMPLIED
      minimum-interval          CDATA       "&default-crl-update-min-interval;">

<!-- CRL prefetch. -->
<!ELEMENT crl-prefetch          EMPTY>
<!ATTLIST crl-prefetch
      interval                  CDATA       "&default-crl-prefetch-interval;"
      url                       CDATA       #REQUIRED>

<!-- LDAP server. -->
<!ELEMENT ldap-server           EMPTY>
<!ATTLIST ldap-server
      address                   CDATA       #REQUIRED
      port                      CDATA       "&default-ldap-server-port;">

<!-- OCSP responder. -->
<!ELEMENT ocsp-responder        (#PCDATA)>
<!ATTLIST ocsp-responder
      validity-period           CDATA       #IMPLIED
      url                       CDATA       #REQUIRED>

<!-- Enforce digital signature in key usage. -->
<!ELEMENT dod-pki               EMPTY>
<!ATTLIST dod-pki
      enable                    (yes|no)    "&default-dod-pki;">

<!-- Secure Shell server TCP listener address and port. -->
<!ELEMENT listener              EMPTY>
<!ATTLIST listener
      id                        ID          #REQUIRED
      port                      CDATA       "22"
      address                   CDATA       #IMPLIED>

<!-- Server domain policy type -->
<!ELEMENT domain-policy         (windows-domain)*>
<!ATTLIST domain-policy
      windows-domain-precedence CDATA       #IMPLIED>

<!ELEMENT windows-domain        EMPTY>
<!ATTLIST windows-domain
      name                      CDATA       #REQUIRED
      user                      CDATA       #REQUIRED>

<!ELEMENT password-cache        EMPTY>
<!ATTLIST password-cache
      file                      CDATA       #REQUIRED>

<!-- Logging. -->
<!ELEMENT logging               (log-events*)>

<!-- Log events. -->
<!ELEMENT log-events            (#PCDATA)>
<!ATTLIST log-events
      facility            (normal|daemon|user|auth|local0|local1
                          |local2|local3|local4|local5|local6|local7|discard)
                                            "&default-log-event-facility;"
      severity            (informational|notice|warning|error|critical
                          |security-success|security-failure)
                                            "&default-log-event-severity;">

<!-- Certificate validation. Maximum one of each of "cert-cache-file",    -->
<!-- "crl-auto-update" and "dod-pki" can be present.                      -->
<!ELEMENT cert-validation (ldap-server|ocsp-responder|cert-cache-file
                          |crl-auto-update|crl-prefetch|dod-pki
                          |ca-certificate)*>

<!ATTLIST cert-validation
      http-proxy-url            CDATA       #IMPLIED
      socks-server-url          CDATA       #IMPLIED
      cache-size                CDATA       "&default-cert-cache-size;"
      max-crl-size              CDATA       "&default-max-crl-size;"
      external-search-timeout   CDATA       "&default-external-search-timeout;"
      max-ldap-response-length  CDATA       "&default-max-ldap-response-length;"
      ldap-idle-timeout         CDATA       "&default-ldap-idle-timeout;"
      max-path-length           CDATA       "&default-max-path-length;">

<!ELEMENT access                EMPTY>

<!ATTLIST access
      user                      CDATA         #REQUIRED
      action                    (allow|deny)  "&default-access-action;">


<!-- Limits. -->
<!-- max-connections is _per_servant_ .                                   -->
<!-- servant-lifetime - how many connections a servant will handle        -->
<!-- before it is retired.                                                -->

<!ELEMENT limits                (servant-lifetime)*>
<!ATTLIST limits
      max-connections           CDATA       #IMPLIED
      max-processes             CDATA       #IMPLIED>

<!ELEMENT servant-lifetime      EMPTY>
<!ATTLIST servant-lifetime
      total-connections         CDATA       #IMPLIED>

<!ELEMENT load-control          EMPTY>
<!ATTLIST load-control
      enable                    (yes|no)    "&default-load-control-enable;"
      discard-limit             CDATA       #IMPLIED
      white-list-size           CDATA       "&default-white-list-size;">

<!-- This element is deprecated and included for backwards compatibility only -->
<!ELEMENT password-change-rules EMPTY>
<!ATTLIST password-change-rules
      allow-configuration       (yes|no)    "&default-allow-configuration;">

<!-- Connections. -->
<!ELEMENT connections           (connection+)>

<!-- Connection. -->
<!ELEMENT connection  (selector*,rekey?,cipher*,mac*,kex*,hostkey-algorithm*)>
<!ATTLIST connection
      name                      ID          #IMPLIED
      action                    (allow|deny) "&default-connection-action;"
      tcp-keepalive             (yes|no)    "&default-tcp-keepalive;">

<!-- Rekey intervals. -->
<!ELEMENT rekey                 EMPTY>
<!ATTLIST rekey
      seconds                   CDATA       "&default-rekey-interval-seconds;"
      bytes                     CDATA       "&default-rekey-interval-bytes;">

<!-- Cipher. -->
<!ELEMENT cipher                EMPTY>
<!ATTLIST cipher
      name                      CDATA       #REQUIRED
      allow-missing             (yes|no)    "&default-allow-missing;">

<!-- MAC. -->
<!ELEMENT mac                   EMPTY>
<!ATTLIST mac
      name                      CDATA       #REQUIRED
      allow-missing             (yes|no)    "&default-allow-missing;">

<!-- KEX. -->
<!ELEMENT kex                   EMPTY>
<!ATTLIST kex
      name                      CDATA       #REQUIRED
      allow-missing             (yes|no)    "&default-allow-missing;">

<!-- Hostkey algorithm. -->
<!ELEMENT hostkey-algorithm     EMPTY>
<!ATTLIST hostkey-algorithm
      name                      CDATA       #REQUIRED
      allow-missing             (yes|no)    "&default-allow-missing;">

<!-- Selector element. -->
<!ELEMENT selector              (interface|certificate|host-certificate|ip
                                |user|user-group|user-privileged|blackboard
                                |publickey-passed|user-password-change-needed)*>

<!-- Interface selector. At least one parameter must be given. If id is   -->
<!-- set, the others MUST NOT be set. If id is not set, either or both    -->
<!-- of address and port may be defined.                                  -->
<!ELEMENT interface             EMPTY>
<!ATTLIST interface
      id                        IDREF       #IMPLIED
      address                   CDATA       #IMPLIED
      port                      CDATA       #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- Public key (plain) passed selector. -->
<!ELEMENT publickey-passed      EMPTY>
<!ATTLIST publickey-passed
      length                    CDATA       #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- Certificate selector. -->
<!ELEMENT certificate           EMPTY>
<!ATTLIST certificate
      field                     (ca-list|issuer-name|subject-name|serial-number
                                |altname-email|altname-upn
                                |altname-ip|altname-fqdn
                                |extended-key-usage)  
                                            #REQUIRED
      pattern                   CDATA       #IMPLIED
      pattern-case-sensitive    CDATA       #IMPLIED
      regexp                    CDATA       #IMPLIED
      ignore-prefix             (yes|no)    #IMPLIED
      ignore-suffix             (yes|no)    #IMPLIED
      explicit                  (yes|no)    #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- Host certificate selector. -->
<!ELEMENT host-certificate      EMPTY>
<!ATTLIST host-certificate
      field                     (ca-list|issuer-name|subject-name|serial-number
                                |altname-email|altname-upn
                                |altname-ip|altname-fqdn|
                                extended-key-usage) 
                                            #REQUIRED
      pattern                   CDATA       #IMPLIED
      pattern-case-sensitive    CDATA       #IMPLIED
      regexp                    CDATA       #IMPLIED
      ignore-prefix             (yes|no)    #IMPLIED
      ignore-suffix             (yes|no)    #IMPLIED
      explicit                  (yes|no)    #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- IP address selector. -->
<!-- The address will be one of the following:                            -->
<!--   - an IP range of the form x.x.x.x-y.y.y.y                          -->
<!--   - an IP mask of the form x.x.x.x/y                                 -->
<!--   - a straight IP address x.x.x.x                                    -->
<!--   - an FQDN pattern (form not checked, either it matches or not)     -->
<!-- Exactly one of address or fqdn must be set. -->
<!ELEMENT ip                    EMPTY>
<!ATTLIST ip
      address                   CDATA       #IMPLIED
      fqdn                      CDATA       #IMPLIED
      fqdn-regexp               CDATA       #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- User name selector. -->
<!ELEMENT user                  EMPTY>
<!ATTLIST user
      name                      CDATA       #IMPLIED
      name-case-sensitive       CDATA       #IMPLIED
      name-regexp               CDATA       #IMPLIED
      id                        CDATA       #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- User group selector. -->
<!ELEMENT user-group            EMPTY>
<!ATTLIST user-group
      name                      CDATA       #IMPLIED
      name-case-sensitive       CDATA       #IMPLIED
      name-regexp               CDATA       #IMPLIED
      id                        CDATA       #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- User privileged (administrator) selector. -->
<!ELEMENT user-privileged       EMPTY>
<!ATTLIST user-privileged
      value                     (yes|no)    "&default-user-privileged-value;"
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">

<!-- Selector for the need of user password change. -->
<!ELEMENT user-password-change-needed   EMPTY>
<!ATTLIST user-password-change-needed
      value                     (yes|no)
                                 "&default-user-password-change-needed-value;"
      allow-undefined           (yes|no)
                                 "&default-allow-undefined-value;">

<!-- Blackboard selector. -->
<!ELEMENT blackboard            EMPTY>
<!ATTLIST blackboard
      field                     CDATA       #REQUIRED
      pattern                   CDATA       #IMPLIED
      pattern-case-sensitive    CDATA       #IMPLIED
      regexp                    CDATA       #IMPLIED
      allow-undefined           (yes|no)    "&default-allow-undefined-value;">


<!-- Authentication methods element. -->
<!ELEMENT authentication-methods            (banner-message?,auth-file-modes?
                                            ,authentication*)>
<!ATTLIST authentication-methods
          login-grace-time      CDATA      "&default-login-grace-time-seconds;">

<!-- Banner message element. -->
<!ELEMENT banner-message        (#PCDATA)>
<!ATTLIST banner-message
      file                      CDATA       #IMPLIED>

<!-- Authentication file permission checks. -->
<!ELEMENT auth-file-modes       EMPTY>
<!ATTLIST auth-file-modes
      strict                    (yes|no)    "&default-strict-modes;"
      mask-bits                 CDATA       "&default-mask-bits;"
      dir-mask-bits             CDATA       #IMPLIED>

<!-- Authentication element.  In an authentication element, different -->
<!-- authentication methods are in OR-relation.  User must pass one of -->
<!-- them. -->
<!ELEMENT authentication        (selector*
                                 ,(set-blackboard|login-restrictions)*
                                 ,(auth-publickey|auth-hostbased|auth-password
                                  |auth-keyboard-interactive|auth-gssapi)*
                                 ,mapper?
                                 ,set-user?
                                 ,authentication*)>

<!-- Note that the repeat-block attribute is deprecated starting from the 6.1 
     release and included in the DTD only for backwards compatibility  -->
<!ATTLIST authentication
      name                      ID           #IMPLIED
      action                    (allow|deny) "&default-authentication-action;"
      set-group                 CDATA        #IMPLIED
      repeat-block              (yes|no)     "no"
      password-cache            (yes|no)     "&default-password-cache;" >

<!ELEMENT set-user              EMPTY>
<!ATTLIST set-user
      name                      CDATA       #REQUIRED>

<!ELEMENT mapper                EMPTY>
<!ATTLIST mapper
      command                   CDATA       #REQUIRED
      timeout                   CDATA       "&default-tunnel-mapper-timeout;">

<!ELEMENT login-restrictions        EMPTY>
<!ATTLIST login-restrictions
      ignore-password-expiration    CDATA       #IMPLIED
      ignore-aix-rlogin             CDATA       #IMPLIED
      ignore-aix-login              CDATA       #IMPLIED
      ignore-nisplus-no-permission  CDATA       #IMPLIED>

<!ELEMENT set-blackboard            (#PCDATA)>
<!ATTLIST set-blackboard
      field                         CDATA       #REQUIRED
      value                         CDATA       #IMPLIED
      file                          CDATA       #IMPLIED>

<!-- Public-key authentication. -->
<!ELEMENT auth-publickey             EMPTY>
<!ATTLIST auth-publickey
      require-dns-match             (yes|no)
                                    "&default-auth-publickey-require-dns-match;"
      signature-algorithms          CDATA       #IMPLIED
      authorization-file            CDATA       #IMPLIED
      authorized-keys-directory     CDATA       #IMPLIED
      openssh-authorized-keys-file  CDATA       #IMPLIED
      allow-missing                 (yes|no)    "&default-allow-missing;">

<!-- Host-based authentication. -->
<!ELEMENT auth-hostbased            EMPTY>
<!ATTLIST auth-hostbased
      require-dns-match             (yes|no)
                                    "&default-auth-hostbased-require-dns-match;"
      disable-authorization         (yes|no)    "no"
      allow-missing                 (yes|no)    "&default-allow-missing;">

<!-- Password authentication. -->
<!ELEMENT auth-password         EMPTY>
<!ATTLIST auth-password
      failure-delay             CDATA    "&default-auth-password-failure-delay;"
      max-tries                 CDATA    "&default-auth-password-max-tries;"
      allow-missing             (yes|no) "&default-allow-missing;" >

<!-- Keyboard-interactive authentication. -->
<!ELEMENT auth-keyboard-interactive     ((submethod-pam
                                         |submethod-password
                                         |submethod-securid
                                         |submethod-radius
                                         |submethod-aix-lam 
                                         |submethod-generic)*)>

<!ATTLIST auth-keyboard-interactive
      failure-delay             CDATA    "&default-auth-kbdint-failure-delay;"
      max-tries                 CDATA    "&default-auth-kbdint-max-tries;">

<!-- Keyboard-interactive submethods. -->

<!-- PAM. service-name is #IMPLIED, as it will be by default whatever is -->
<!-- set in "params" block.                                              -->
<!ELEMENT submethod-pam         EMPTY>
<!ATTLIST submethod-pam
      service-name              CDATA       #IMPLIED
      dll-path                  CDATA       #IMPLIED>

<!-- Password. -->
<!ELEMENT submethod-password    EMPTY>

<!-- SecurID. -->
<!ELEMENT submethod-securid     EMPTY>
<!ATTLIST submethod-securid
      dll-path                  CDATA       #IMPLIED>

<!-- RADIUS. -->
<!ELEMENT submethod-radius      (radius-server+)>

<!-- RADIUS server. -->
<!ELEMENT radius-server         (radius-shared-secret)>
<!ATTLIST radius-server
      address                   CDATA       #REQUIRED
      port                      CDATA       "&default-radius-server-port;"
      timeout                   CDATA       "&default-radius-server-timeout;"
      client-nas-identifier     CDATA       #IMPLIED>

<!-- Secret. "file" has precedence over #PCDATA. -->
<!ELEMENT radius-shared-secret  (#PCDATA)>
<!ATTLIST radius-shared-secret
      file                      CDATA       #IMPLIED>

<!-- AIX LAM. -->
<!ELEMENT submethod-aix-lam     EMPTY>
<!ATTLIST submethod-aix-lam
      enable-password-change    (yes|no)    "&default-aix-lam-password-change;">

<!-- Generic submethod. -->
<!ELEMENT submethod-generic     EMPTY>
<!ATTLIST submethod-generic
      name                      CDATA       #REQUIRED
      params                    CDATA       #IMPLIED>

<!-- GSSAPI authentication. -->
<!ELEMENT auth-gssapi           EMPTY>
<!ATTLIST auth-gssapi
      dll-path                  CDATA       "&default-gssapi-dll-path;"
      allow-ticket-forwarding   (yes|no)
                                   "&default-gssapi-ticket-forwarding-policy;"
      allow-missing             (yes|no)
                                   "&default-allow-missing;">

<!-- Services element. -->
<!ELEMENT services              (group*,rule+)>

<!-- Group element. -->
<!ELEMENT group                 (selector+)>
<!ATTLIST group
      name                      ID          #REQUIRED>

<!-- Rule element. Maximum one of each of "terminal", "tunnel-agent"    -->
<!-- or "tunnel-x11" can be present.                                    -->
<!ELEMENT rule                  (environment|terminal|subsystem|command
                                |tunnel-agent|tunnel-x11|tunnel-local
                                |tunnel-remote)*>

<!-- "group", if defined, will be used to match the rule. -->
<!ATTLIST rule
      group                     CDATA       #IMPLIED
      idle-timeout              CDATA       "&default-idle-timeout;"
      print-motd                (yes|no)    "&default-print-motd;">

<!-- Environment. -->
<!-- The default allowed environment variables are:                     -->
<!-- allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"                    -->
<!-- If neither allowed nor allowed-case-sensitive is set,              -->
<!-- the default is used.                                               -->
<!ELEMENT environment           EMPTY>
<!ATTLIST environment
      allowed                   CDATA       #IMPLIED
      allowed-case-sensitive    CDATA       #IMPLIED>

<!-- Terminal. -->
<!ELEMENT terminal              EMPTY>
<!ATTLIST terminal
      action                    (allow|deny)    "&default-terminal-action;"
      chroot                    CDATA           #IMPLIED>

<!-- Subsystem. -->
<!ELEMENT subsystem             (attribute*)>
<!ATTLIST subsystem
      type                      CDATA           #REQUIRED
      action                    (allow|deny)    "&default-subsystem-action;"
      audit                     (yes|no)        "&default-subsystem-audit;"
      exec-directly             CDATA           #IMPLIED
      application               CDATA           #IMPLIED
      chroot                    CDATA           #IMPLIED>

<!ELEMENT attribute             EMPTY>
<!ATTLIST attribute
      name                      CDATA           #REQUIRED
      value                     CDATA           #IMPLIED>

<!-- Tunnels. -->

<!ELEMENT tunnel-x11            EMPTY>
<!ATTLIST tunnel-x11
      action                    (allow|deny)    "&default-tunnel-action;">

<!ELEMENT tunnel-agent          EMPTY>
<!ATTLIST tunnel-agent
      action                    (allow|deny)    "&default-tunnel-action;">

<!ELEMENT tunnel-local          (mapper|((src|dst)*))>
<!ATTLIST tunnel-local
      action                    (allow|deny)    "&default-tunnel-action;">

<!ELEMENT tunnel-remote         ((src|listen)*)>
<!ATTLIST tunnel-remote
      action                    (allow|deny)    "&default-tunnel-action;">

<!-- Tunnel selectors. These apply only to TCP local and remote tunnels.-->
<!-- src and dst are for local-tcp                                      -->
<!-- src and listen are for remote-tcp                                  -->

<!-- address or fqdn are not mandatory. If set, exactly one must be set -->
<!-- (not both).                                                        -->

<!-- Source. -->

<!ELEMENT src                   EMPTY>
<!ATTLIST src
      address                   CDATA       #IMPLIED
      fqdn                      CDATA       #IMPLIED
      fqdn-regexp               CDATA       #IMPLIED
      port                      CDATA       #IMPLIED>

<!-- Destination. -->
<!ELEMENT dst                   EMPTY>
<!ATTLIST dst
      address                   CDATA       #IMPLIED
      fqdn                      CDATA       #IMPLIED
      fqdn-regexp               CDATA       #IMPLIED
      port                      CDATA       #IMPLIED>

<!-- Listener. -->
<!ELEMENT listen                EMPTY>
<!ATTLIST listen
      address                   CDATA       #IMPLIED
      port                      CDATA       #IMPLIED>

<!-- Command. -->
<!ELEMENT command                   EMPTY>
<!ATTLIST command
      action                        (allow|deny|forced)
                                        "&default-command-action;"
      interactive                   (yes|no) 
                                        "&default-interactive-command-action;"
      application                   CDATA   #IMPLIED
      application-case-sensitive    CDATA   #IMPLIED
      chroot                        CDATA   #IMPLIED>

===AUTO_SCHEMA_MARKUP===