#
+# silcd.conf
+#
# Example configuration file. Note that this attempts to present various
-# configuration possibilities and may not actually give any sensible
+# configuration possibilities and may not actually give any sensible
# configuration. For real life example see the examples/ directory.
#
-
-#
-# Configured ciphers.
+# Most of the settings in this file are optional. If some setting is
+# mandatory it is mentioned separately. If some setting is omitted it means
+# that its builtin default value will be used. Boolean values, that is
+# setting something on or off, is done by setting either "true" or "false"
+# value, respectively.
#
-# Format: <name>:<module path>:<key length>:<block length>
+# The ServerInfo section is mandatory section. Other sections are optional.
+# However, if General section is defined it must be defined before the
+# ConnectionParams sections. On the other hand, the ConnectionParams section
+# must be defined before Client, ServerConnection or RouterConnection
+# sections. Other sections can be in free order.
#
-# If the cipher is builtin the <module path> maybe omitted.
-#
-[Cipher]
-aes-256-cbc:@MODULESDIR@/aes.sim.so:32:16
-aes-192-cbc:@MODULESDIR@/aes.sim.so:24:16
-aes-128-cbc:@MODULESDIR@/aes.sim.so:16:16
-twofish-256-cbc:@MODULESDIR@/twofish.sim.so:32:16
-twofish-192-cbc:@MODULESDIR@/twofish.sim.so:24:16
-twofish-128-cbc:@MODULESDIR@/twofish.sim.so:16:16
-mars-256-cbc:@MODULESDIR@/mars.sim.so:32:16
-mars-192-cbc:@MODULESDIR@/mars.sim.so:24:16
-mars-128-cbc:@MODULESDIR@/mars.sim.so:16:16
-none:@MODULESDIR@/none.sim.so:0:0
#
-# Configured hash functions.
-#
-# Format: <name>:<module path>:<block length>:<digest length>
+# Include global algorithms from the "silcalgs.conf" file. This file defines
+# ciphers, hash functions, HMACs and PKCS algorithms that can be used.
#
-# If the hash function is builtin the <module path> maybe omitted.
-#
-[Hash]
-sha1::64:20
-md5::64:16
+Include "@ETCDIR@/silcalgs.conf";
#
-# Configured HMAC functions. The hash function used in the HMAC must
-# configured to the [hash] section.
+# General configuration options
#
-# Format: <name>:<hash name>:<mac length>
+# These defines the default behaviour of the server. Most of these values
+# can be overridden with ConnectionParams, which can be defined independently
+# for different connections.
#
-[hmac]
-hmac-sha1-96:sha1:12
-hmac-md5-96:md5:12
-hmac-sha1:sha1:20
-hmac-md5:md5:16
+General {
+ # This is the default path where to search modules. If omitted
+ # built-in modules will be used. Built-in modules will also be
+ # used if a module file cannot be located.
+ module_path = "@MODULESDIR@";
-#
-# Configured PKCS.
-#
-# Format: <name>
-#
-[PKCS]
-rsa
+ # If both passphrase and public key authentication is set for a
+ # connection the public key authentication is the preferred one
+ # to use. Set this to `true' to prefer passphrase authentication
+ # over public key authentication in these cases.
+ #prefer_passphrase_auth = true;
-#
-# Run SILC server as specific user and group. The server must be initially
-# run as root.
-#
-# Format: <user>:<group>
-#
-[Identity]
-nobody:nobody
+ # Set this to true if the server should require fully qualified
+ # domain names (FQDN) for incoming connections. If true, a host
+ # without FQDN cannot connect to the server.
+ #require_reverse_lookup = true;
-#
-# Server's administrative information.
-#
-# Format: <location>:<server type>:<admin's name>:<admin's email address>
-#
-[AdminInfo]
-Kuopio, Finland:Test Server:Pekka Riikonen:priikone@poseidon.pspt.fi
+ # Maximum number of incoming connections allowed to this server.
+ # If more attempt to connect they will be refused.
+ connections_max = 1000;
-#
-# Server information.
-#
-# Format: +<server FQDN>:<server IP>:<geographic location>:<port>
-#
-[ServerInfo]
-lassi.kuo.fi.ssh.com:10.2.1.6:Kuopio, Finland:706
+ # Maximum number of incoming connections allowed per single host.
+ # For example, if this is one (1) it means a host can link only
+ # once to the server. Attempting to connect more than once would
+ # be refused. This can be overridden with ConnectionParams.
+ #connections_max_per_host = 10;
-#
-# Server keys
-#
-# Format: +<public key>:<private key>
-#
-[ServerKeys]
-@ETCDIR@/silcd.pub:@ETCDIR@/silcd.prv
+ # Required version of the remote side. If these are specified then
+ # the remote must be of at least this version, or newer. If older
+ # then the connection will not be allowed.
+ #
+ # version_protocol - SILC protocol version ("major.minor")
+ # version_software - software version ("major.minor")
+ # version_software_vendor - vendor specific version extension
+ #
+ # The version_software_vendor may be for example a string or a build
+ # number of the software. The string can be a regex string to match
+ # more widely. Usually the vendor version checking is not necessary
+ # and can be omitted. These can be overridden with ConnectionParams.
+ #version_protocol = "1.1";
+ #version_software = "1.3";
+ #version_software_vendor = "SomeVendor";
+
+ # Default keepalive frequency (seconds). This can be overridden with
+ # with ConnectionParams.
+ keepalive_secs = 300;
+
+ # Default reconnection parameters defines how the server reconnect
+ # to the remote if the connection was lost. The reconnection phase
+ # use so called exponential backoff algorithm; The reconnect
+ # interval grows when reconnect count grows. Next example will
+ # attempt to reconnect after 10 seconds of disconnect, and the
+ # interval grows up to 600 seconds or until 7 times was attempted
+ # to reconnect. These settings has effect only when connecting
+ # as initiator.
+ #
+ # reconnect_count - how many times reconnect is attempted
+ # reconnect_interval - how often reconnect it performed (seconds)
+ # reconnect_interval_max - maximum interval for reconnect, the
+ # server never waits longer than this to
+ # reconnect (seconds).
+ # reconnect_keep_trying - whether to keep trying even after
+ # reconnect_count is reached (the interval
+ # will be reconnect_interval_max).
+ #
+ # These can be overridden with ConnectionParams.
+ reconnect_count = 7;
+ reconnect_interval = 10;
+ reconnect_interval_max = 600;
+ reconnect_keep_trying = true;
+
+ # Key exchange protocol rekey interval (seconds). How often to
+ # regenerate the session key with the remote. Initiator will perform
+ # the rekey and this setting affects only when connecting as initiator.
+ # This can be overridden with ConnectionParams.
+ #key_exchange_rekey = 3600;
+
+ # Key exchange with Perfect Forward Secrecy (PFS). This will perform
+ # the rekey process with PFS, making the new key more secure since it
+ # is not dependent in any way of the old key. This will make the rekey
+ # process somewhat slower, than without PFS. This can be overridden
+ # with ConnectionParams.
+ #key_exchange_pfs = true;
+
+ # Key exchange timeout (seconds). If the key exchange protocol is not
+ # finished in this time period the remote connection will be closed.
+ #key_exchange_timeout = 60;
+
+ # Connection authentication timeout (seconds). If the connection
+ # authentication protocol is not finished in this time period the
+ # remote connection will be closed.
+ #conn_auth_timeout = 60;
+
+ # Channel key rekey interval (seconds). How often channel key is
+ # regenerated. Note that channel key is regenerated also always when
+ # someone joins or leaves the channel.
+ #channel_rekey_secs = 3600;
+
+ # SILC session detachment disabling and limiting. By default clients
+ # can detach their sessions from server. If you set detach_disabled
+ # to true the DETACH command cannot be used by clients. If you want
+ # to limit for how long the server keeps detached sessions you can
+ # set the time (minutes) in detach_timeout. After that timeout the
+ # detached session is closed if it is not resumed. By default
+ # sessions are persistent as long as server is running.
+ #detach_disabled = true;
+ #detach_timeout = 1440;
+};
#
-# Listenning ports.
-#
-# Format: <local IP>:<Listener IP>:<port>
+# Server information
#
-[ListenPort]
-10.2.1.6:10.2.1.6:706
+ServerInfo {
+ #
+ # Server name (FQDN)
+ #
+ hostname = "lassi.kuo.fi.ssh.com";
+
+ #
+ # Primary listener. Specify the IP address and the port to bind
+ # the server.
+ #
+ Primary {
+ ip = "10.2.1.6";
+ port = 706;
+ };
+
+ #
+ # Secondary listener(s). If you need to bind your server into
+ # several interfaces use the Secondary to specify the listener(s).
+ #
+ #Secondary { ip = "10.2.1.60"; port = 706; };
+ #Secondary { ip = "10.2.1.160"; port = 706; };
+
+ #
+ # ServerType field specifies the purpose of this server
+ # This is only a descriptive field.
+ #
+ ServerType = "Test Server";
+
+ #
+ # Geographic location
+ #
+ Location = "Kuopio, Finland";
+
+ #
+ # Full admin name
+ #
+ Admin = "Foo T. Bar";
+
+ #
+ # Admin's email address
+ #
+ AdminEmail = "foo-admin@bar.com";
+
+ #
+ # Run SILC server as specific user and group. The server must be
+ # initially run as root.
+ #
+ User = "nobody";
+ Group = "nobody";
+
+ #
+ # Public and private keys
+ #
+ PublicKey = "@ETCDIR@/silcd.pub";
+ PrivateKey = "@ETCDIR@/silcd.prv";
+
+ #
+ # Motd file
+ #
+ # Specifies the text file displayed on client connection
+ #
+ #MotdFile = "@ETCDIR@/motd.txt";
+
+ #
+ # Pid file
+ #
+ PidFile = "@PIDFILE@";
+};
#
# Log files.
#
-# This section is used to set various logging files, their paths
-# and maximum sizes. All the other directives except those defined
-# below are ignored in this section. Log files are purged after they
-# reach the maximum set byte size.
-#
-# Format: infologfile:<path>:<max byte size>
-# warninglogile:<path>:<max byte size>
-# errorlogile:<path>:<max byte size>
-# fatallogile:<path>:<max byte size>
-#
-[Logging]
-infologfile:@LOGSDIR@/silcd.log:10000
-#warninglogfile:@LOGSDIR@/silcd_warning.log:10000
-#errorlogfile:@LOGSDIR@/error.log:10000
-#fatallogfile:@LOGSDIR@/silcd_error.log:
+# This section is used to set various logging files, their paths, maximum
+# sizes and logging options.
+#
+# There are only four defined channels allowed for defining (see below).
+# The log channels have an importance value, and most important channels
+# are redirected on the less important ones, thus setting a valid logging
+# file for "Info" will ensure logging for all channels, while setting
+# logging file for "Errors" will ensure logging for channels "Errors"
+# and "Fatals"
+#
+Logging {
+ # Use timestamp in the logging files? (Usually it is a good idea,
+ # but you may want to disable this if you run silcd under some
+ # daemontool).
+ Timestamp = true;
+
+ # If QuickLogs is true, then the logging files will be updated
+ # real-time. This causes a bit more CPU and HDD activity, but
+ # reduces memory usage. By default it is false and log files are
+ # written with FlushDelay timeout.
+ #
+ #QuickLogs = true;
+
+ # FlushDelay tells log files update delay (seconds) in case you
+ # have chosen buffering output. This setting has effect only if
+ # the QuickLogs is false.
+ #
+ FlushDelay = 180;
+
+ # Informational messages
+ Info {
+ File = "@LOGSDIR@/silcd.log";
+ Size = "50k";
+ };
+
+ # Warning messages
+ Warnings {
+ File = "@LOGSDIR@/silcd_warnings.log";
+ Size = "50k";
+ };
+
+ # Error messages
+ Errors {
+ File = "@LOGSDIR@/silcd_errors.log";
+ Size = "50k";
+ };
+
+ # Fatal messages
+ Fatals {
+ File = "@LOGSDIR@/silcd_fatals.log";
+ Size = "50k";
+ };
+};
#
-# Connection classes.
-#
-# This section is used to define connection classes. These can be
-# used to optimize the server and the connections.#
+# Connection Parameters
#
-# Format: <class number>:<ping freq>:<connect freq>:<max links>
+# This section defined connection parameters. It is possible to use
+# specific parameters in different connections, and to define different
+# parameters to different connections. The parameters can define how the
+# connection is handled and how the session is managed. If connection
+# parameters are not used in connections the default values will apply
+# (or values defined in General section). You can have multiple
+# ConnectionParams blocks defined.
#
-[ConnectionClass]
-1:100:100:100
-2:200:300:400
+ConnectionParams {
+ # unique name. The name is used to reference to this parameter
+ # block from the connections. This field is mandatory.
+ name = "normal";
+
+ # Maximum number of connections allowed. More connections will be
+ # refused. This can be used for example to limit number of clients.
+ # Note that this never can be larger than the connections_max
+ # specified in General section.
+ connections_max = 200;
+
+ # Maximum number of connections allowed per host. For example, if
+ # this is one (1) it means a host can link only once to the server.
+ # Attempting to link more than once would be refused.
+ #
+ # If this connection parameters block is used with incoming server
+ # connections it is recommended that this value is set to one (1).
+ connections_max_per_host = 10;
+
+ # Required version of the remote side. If these are specified then
+ # the remote must be of at least this version, or newer. If older
+ # then the connection will not be allowed.
+ #
+ # version_protocol - SILC protocol version ("major.minor")
+ # version_software - software version ("major.minor")
+ # version_software_vendor - vendor specific version extension
+ #
+ # The version_software_vendor may be for example a string or a build
+ # number of the software. The string can be a regex string to match
+ # more widely. Usually the vendor version checking is not necessary
+ # and can be omitted. These can be overridden with ConnectionParams.
+ #version_protocol = "1.1";
+ #version_software = "1.3";
+ #version_software_vendor = "SomeVendor";
+
+ # Keepalive frequency (seconds).
+ keepalive_secs = 300;
+
+ # Reconnection parameters defines how the server reconnects to
+ # the remote if the connection was lost. The reconnection phase
+ # use so called exponential backoff algorithm; The reconnect
+ # interval grows when reconnect count grows. Next example will
+ # attempt to reconnect after 10 seconds of disconnect, and the
+ # interval grows up to 600 seconds or until 7 times was attempted
+ # to reconnect. These settings has effect only when connecting
+ # as initiator.
+ #
+ # reconnect_count - how many times reconnect is attempted
+ # reconnect_interval - how often reconnect it performed (seconds)
+ # reconnect_interval_max - maximum interval for reconnect, the
+ # server never waits longer than this to
+ # reconnect (seconds).
+ # reconnect_keep_trying - whether to keep trying even after
+ # reconnect_count is reached (the interval
+ # will be reconnect_interval_max).
+ reconnect_count = 7;
+ reconnect_interval = 10;
+ reconnect_interval_max = 600;
+ reconnect_keep_trying = true;
+
+ # Key exchange protocol rekey interval (seconds). How often to
+ # regenerate the session key with the remote. Initiator will perform
+ # the rekey and this setting affects only when connecting as initiator.
+ #key_exchange_rekey = 3600;
+
+ # Key exchange with Perfect Forward Secrecy (PFS). This will perform
+ # the rekey process with PFS, making the new key more secure since it
+ # is not dependent in any way of the old key. This will make the rekey
+ # process somewhat slower, than without PFS.
+ #key_exchange_pfs = true;
+
+ # Anonymous connection. This setting has effect only when this
+ # this is used with client connections. If set to true then clients
+ # using this connection parameter will be anonymous connections.
+ # This means that the client's username and hostname information
+ # is scrambled and anonymous mode is set for the user.
+ #anonymous = true;
+
+ #TODO:
+ #connections_interval - incoming connection interval limit ?
+};
#
# Configured client connections.
#
-# Format: <remote host>:<auth method>:<auth data>:<port>:<class>
-#
-# The <auth data> is either passphrase or file path to the public key
-# file.
-#
-[ClientConnection]
-:::706:1
+# The "Host" defines the incoming IP address or hostname of the client.
+# If it is omitted all hosts will match this client connection. The
+# "Params" is optional and can be used to set specific connection parameters
+# for this connection.
+#
+# The authentication data is specified by Passphrase and/or PublicKey.
+# If both are provided then both password and public key based authentication
+# is allowed. If the Publickey is used it includes the file path to the
+# public key file. If none of them is provided then authentication is not
+# required. The PublicKey can be set multiple times to set multiple
+# public keys for one connection.
+#
+# Next example connection will match to all incoming client connections,
+# and no authentication is required.
+#
+Client {
+ #Host = "10.1.*";
+ #Passphrase = "secret";
+ #PublicKey = "/path/to/the/user_my.key";
+ #PublicKey = "/path/to/the/user_221.key";
+ #PublicKey = "/path/to/the/user_313.key";
+ Params = "normal";
+};
#
# Configured server administrator connections
#
-# Format: <host>:<username>:<nickname>:<auth method>:<auth data>
-#
-# The <auth data> is either passphrase or file path to the public key
-# file.
-#
-[AdminConnection]
-10.2.1.199:priikone:pekka:passwd:veryscret
+# The fields "Host", "User", and "Nick", are optional but you are encouraged
+# in using them to better identify your admins.
+#
+# The authentication data is specified by Passphrase and/or PublicKey.
+# If both are provided then both password and public key based authentication
+# is allowed. If the PublicKey is used it includes the file path to the
+# public key file. If none of them is provided then authentication is not
+# required.
+#
+Admin {
+ Host = "10.2.1.199";
+ User = "priikone";
+ Nick = "pekka";
+ Passphrase = "verysecret";
+ # PublicKey = "/path/to/the/public.key";
+};
#
# Configured server connections.
#
-# If server connections are configured it means that our server is
-# router server. Normal server must not configure server connections.
-# Thus, if your server is not router do not configure this section. If
+# If server connections are configured it means that this server is
+# router server. Normal servers must not configure server connections.
+# Thus, if this server is not router do not configure this section. If
# your server is router, this must be configured.
#
-# Format: <remote host>:<auth method>:<auth data>:<port>:
-# <version ID>:<class>:<backup connection>
-#
-# The <auth data> is either passphrase or file path to the public key
-# file. If the connection is backup connection then set the <backup
-# connection> to value 1. For normal connections set it 0. If it is
-# set to value 1 then this server will be backup router.
-#
-[ServerConnection]
-10.2.1.7:passwd:veryscret:706:1:1:0
-10.2.1.17:passwd:veryscret13:706:1:1:1 # backup connection, that host
- # will use this server as backup
- # router.
+# The authentication data is specified by Passphrase and/or PublicKey.
+# If both are provided then both password and public key based authentication
+# is allowed. If the PublicKey is used it includes the file path to the
+# public key file. If none of them is provided then authentication is not
+# required.
+#
+# If the connection is backup connection then set the "Backup" option
+# to true. For normal connections set it false. If it is set to true then
+# your server will be backup router.
+#
+ServerConnection {
+ Host = "10.2.1.7";
+ Passphrase = "verysecret";
+ #PublicKey = "/path/to/the/public.key";
+ Params = "normal";
+ Backup = false;
+};
#
-# Configured router connections.
+# Configured router connections
#
-# For normal server only one entry maybe configured to this section. It
-# must be the router this server will be connected to. For router server,
-# this sections includes all configured router connections. The first
-# configured connection is the primary route.
+# For normal servers only one entry maybe configured to this section. It
+# must be the router this server will be connected to. For router servers,
+# this section includes all configured router connections. The first
+# configured connection is the primary route. The Host specifies the
+# remote hostname or IP address. The Port specifies the remote port to
+# connect when Initiator is true. When Initiator is false the Port
+# specifies the local port (listener port).
#
-# Format: <remote host>:<auth method>:<auth data>:<port>:<version ID>:
-# <class>:<initiator>:<backup replace IP>:<backup replace port>:
-# <local backup>
+# The authentication data is specified by Passphrase and/or PublicKey.
+# If both are provided then both password and public key based authentication
+# is allowed. If the PublicKey is used it includes the file path to the
+# public key file. If none of them is provided then authentication is not
+# required.
#
-# The <auth data> is either passphrase or file path to the public key
-# file. If you are the initiator of the connection then set the <initiator>
-# to value 1. If you are the responder of the connection (waiting for
-# incoming connection) then set it to 0.
+# If you are the initiator of the connection then set the "Initiator"
+# option to true. If you are the responder of the connection (waiting for
+# incoming connection) then set it to false.
#
-# If the connection is backup router connection then set the <backup
-# replace IP> to the IP address of the router that the backup router will
+# If the connection is backup router connection then set the "BackupHost"
+# option to the IP address of the router that the backup router will
# replace if it becomes unavailable. Set also the router's port to the
-# <backup replace port>. For normal connection leave both empty. If this
-# backup router is in our cell then set the <local backup> to value 1.
-# If the backup router is in other cell then set it to value 0.
-#
-[RouterConnection]
-#10.2.1.100:passwd:veryverysecret:706:1:1:1
-#10.2.100.131:pubkey:/path/to/the/publickey:706:1:1:1
-#10.2.100.100:pubkey:/path/to/the/publickey:706:1:1:0:10.2.1.6:706:1
+# "BackupPort" option. For normal connection leave both commented. If this
+# backup router is in our cell then set the "BackupLocal" option to true.
+# If the backup router is in other cell then set it to false.
+#
+RouterConnection {
+ Host = "10.2.1.100";
+ Port = 706;
+ Passphrase = "verysecret";
+ #PublicKey = "/path/to/the/public.key";
+ Params = "normal";
+ Initiator = true;
+ #BackupHost = "10.2.1.6";
+ #BackupPort = 706;
+ #BackupLocal = true;
+};
#
-# Denied connections.
+# Denied connections
#
-# These connections are denied to connect our server.
+# These connections are denied to connect to our server.
#
-# Format: <remote host>:<port>:<comment>
+# The "Reason" field is mandatory, while the "Host" field can be omitted to
+# match everything.
#
-[DenyConnection]
-#10.2.1.99:0:Your connection has been denied
+#Deny {
+# Host = "10.2.1.99";
+# Reason = "Go away spammer";
+#};
+#Deny {
+# Host = "10.3.*";
+# Reason = "You are not welcome.";
+#};