manpage(SILCD_CONF) (5) (November 2 2002) (silc-server-0.9.7.1) (silc-server)

manpagename(silcd.conf) (format of configuration file for silcd)

manpagesection(CONFIGURATION FILE)
bf(Silcd) reads its configuration from /etc/silc/silcd.conf (or the file
specified with bf(-f)). The file contains sections, subsections and key-value
pairs. Each section or subsection is delimited by a starting em({) and ending
em(}). Keys and values are of the format 'em(KEY)=em(VALUE);'. All statements
as well as sections must be terminated with a ';'.

The mandatory section in the configuration file is em(ServerInfo). Other sections
are optional but recommended. If the em(General) section is defined, it must
be defined before the em(ConnectionParams) section. In turn,
the em(ConnectionParams) section must be defined before the em(Client),
em(ServerConnection) and/or em(RouterConnection) sections. Other sections
can appear in any order in the configuration file.

nsect(SECTION: General)

The em(General) section contains global settings for silcd.

quote(Defines where SIM modules are located. If definition is omitted,
built-in modules will be used. Also, if a module can not be located, a built-in
module will be used in its place. The argument is a path to the directory the
modules are in, for example bf("/usr/local/silc/modules").)

bf(prefer_passphrase_auth)
quote(If both public key and passphrase authentication are set for a
connection, public key authentication is by default preferred. Setting this
value to em(true) causes silcd to prefer passphrase authentication in these

bf(require_reverse_lookup)
quote(Set this value to em(true) if all connecting hosts must have a fully
qualified domain name (FQDN). If set to true, a host without FQDN is not
allowed to connect to server.)

quote(Maximum number of incoming connections to this server. Any further
connections are refused.)

bf(connections_max_per_host)
quote(Maximum number of incoming connections from any single host. This
setting can be overridden on a connection-specific basis with
em(ConnectionParams).)

quote(Defines the minimum required version of protocol to allow connecting
to server. A client or server using this version of protocol or newer is
allowed to connect, one using anything older will be rejected. Leaving unset
allows all versions to connect. This can be overridden with
em(ConnectionParams).)

quote(Defines the minimum required version of software to allow connecting
to server. A client or server that is of this version or newer is allowed
to connect, one using anything older will be rejected. Leaving unset allows
all versions to connect. This can be overridden with em(ConnectionParams).)

bf(version_software_vendor)
quote(Defines the allowed software vendor string that is required to connect.
Usually this is either a build number or special client tag. Using this
requirement is not encouraged unless the server is in very limited use.
Leaving unset allows all versions regardless of their vendor to connect.
Can be overridden with em(ConnectionParams).)

bf(key_exchange_rekey)
quote(Defines the interval, in seconds, at which the session key is
regenerated. This setting only applies to the connection initiator, as rekey
is always performed by the initiating party. Setting has effect only when
the server acts as an initiator, and can be overridden with
em(ConnectionParams).)

quote(Boolean value that determines whether key exchange is performed with
Perfect Forward Secrecy (PFS) or without. If set to em(true), the rekey
process will be somewhat slower, but more secure since the key is
entirely regenerated. Can be overridden with em(ConnectionParams).)

bf(key_exchange_timeout)
quote(Key exchange timeout in seconds. If the key exchange is not completed
within this time, the remote connection will be closed.)

quote(Connection authentication timeout in seconds. If the connection
authentication is not completed within this time, the remote connection

bf(channel_rekey_secs)
quote(Interval, in seconds, at which the channel key is regenerated. Note that
the channel key is regenerated each time someone joins or leaves the channel.
This is the maximum time any channel can have the same key.)

quote(Boolean value controlling whether clients are denied the use of DETACH
command. Default value is false (DETACH is allowed).)

quote(Time, in seconds, that detached sessions remain available. By
default, detached sessions do not expire and as such, are persistent as long
as the server is running. If DETACH command is allowed, this value should

quote(Boolean value controlling whether Quality of Service settings are
enabled. Default setting is false. NOTE: If you enable QoS in general section,
it applies to every connection the server has, including server connections.
This setting can be overridden with em(ConnectionParams) and in case of
server connections, it SHOULD BE overridden (server connections should not

quote(Limits read operations per second to given amount. Do note that one read
operation may read several SILC packets, so this setting does not
automatically correspond to amount of messages transmitted or accepted.)

quote(Limits incoming SILC data to the specified number of bytes per second.)

quote(This value defines the timeout, in seconds, for the delay of received
data in case it was left in a QoS queue.)

quote(This value defines the timeout, in microseconds, for the delay of
received data in case it was left in a QoS queue.)

nsect(SECTION: ServerInfo)

em(ServerInfo) contains values for bound interfaces and administrative info.

quote(Server's name (FQDN).)

quote(This is a descriptive text field, usually telling what the server and

quote(Descriptive field of server's geographic location.)

quote(Administrator's full name.)

quote(Administrator's email address.)

quote(The name of the user account silcd will run as. This must be an
existing user. Silcd needs to be executed as root; after binding the port it
will drop root privileges and use the account given here.)

quote(The name of the group silcd will run as. This must be an existing
group. Silcd needs to be executed as root; after binding the port it will drop
root privileges and use the group given here.)

quote(Full path to server's public key file.)

quote(Full path to server's private key file.)

quote(Full path to MOTD (Message Of The Day) file, a text file that will be
displayed to each client upon connection.)

quote(Full path to file where silcd will write its PID.)

nsubsect(SUBSECTION: Primary)

This is the primary listener info. Each server can have no more than one em(Primary)

quote(Specifies the address silcd is listening on.)

quote(Specifies the port silcd is listening on.)

nsubsect(SUBSECTION: Secondary)

This is a secondary listener info. A server may have any number of
em(Secondary) listener settings. These are needed only if silcd needs
to listen on several interfaces. em(Secondary) subsections have the same
information that em(Primary) does.

nsect(SECTION: Logging)

This section is used to set up various log files; their paths, maximum
sizes and individual logging options.

There are four defined logging channels. The log channels have an
importance value, and more important channels are always redirected to the
less important ones. Setting a valid logging file for em(Info) will ensure
logging for all channels, whereas a setting for em(Errors) would only ensure
logging for em(Errors) and em(Fatals).

quote(A boolean value that dictates whether log lines will have timestamps
prefixed. In general, this is a good idea. You might want to disable this
if you are running silcd under some special logging daemon, such as

quote(A boolean value that determines how often log files are updated. Setting
this to em(true) makes silcd log in real-time. Setting this to em(false) makes
silcd write to logs every em(FlushDelay) seconds. Real-time logging causes a
bit more CPU and HDD usage but reduces memory consumption.)

quote(Time in seconds, how often logs are flushed to logfiles. This setting
has effect only if em(QuickLogs) is disabled.)

nsubsect(SUBSECTION: Info)
nsubsect(SUBSECTION: Warnings)
nsubsect(SUBSECTION: Errors)
nsubsect(SUBSECTION: Fatals)
Each of these subsections has the same attributes, em(File) and em(Size).
Different levels of problems are logged to their respective channels
(em(Info), em(Warnings), em(Errors), em(Fatals)), depending on their need

quote(Full path to log file.)

quote(Limit the size the log file is allowed to grow to. Any further messages
to this file cause the oldest lines to be removed in order to keep the file
size within given limit.)

nsect(SECTION: ConnectionParams)

This section defines connection parameters. Each connection may have its own
set of em(ConnectionParams) but having one is in no way mandatory. If no
separate parameters have been assigned, the defaults and the ones from
em(General) section will be used. A silcd configuration may have any number of
em(ConnectionParams) sections.

quote(This is a unique name that separates bf(this) particular
em(ConnectionParams) section from all the others. It is also the name with
which settings are referred to a given set of parameters. This field is

quote(Limits how many concurrent connections are allowed. Any further
connections are simply refused. Note that this setting can not override the
figure given in em(General) section.)

bf(connections_max_per_host)
quote(Maximum number of connections allowed from any single host. If this
parameter is set for a block controlling server connections, it is highly
suggested to use a value of one (1).)

quote(Exactly the same as in em(General) section.)

quote(Exactly the same as in em(General) section.)

bf(version_software_vendor)
quote(Exactly the same as in em(General) section.)

quote(How often (seconds) to send HEARTBEAT packets to connected clients.)

quote(When connection is lost, how many times a reconnection is tried.)

bf(reconnect_interval)
quote(How often, in seconds, a reconnection is attempted.)

bf(reconnect_interval_max)
quote(Reconnection time is lengthened each time an unsuccessful attempt
occurs. This value defines the maximum interval to which the delay may

bf(reconnect_keep_trying)
quote(Boolean value controlling whether server eventually gives up trying
to reconnect. If set to em(false), server will give up once em(reconnect_count)
is reached, or if no connection is established even at the maximum interval.)

bf(key_exchange_rekey)
quote(Exactly the same as in em(General) section.)

quote(Exactly the same as in em(General) section.)

quote(This boolean setting has meaning only to client connections. If set to
em(true), client connections using this em(ConnectionParams) block will have
their username and host scrambled. The client will also have an anonymous mode

quote(Exactly the same as in em(General) section. NOTE: For server
connections this should be set to em(false).)

quote(Exactly the same as in em(General) section.)

quote(Exactly the same as in em(General) section.)

quote(Exactly the same as in em(General) section.)

quote(Exactly the same as in em(General) section.)

nsect(SECTION: Client)

This section defines how incoming client connections are handled. There can
be several em(Client) sections, each with their own requirements. A bf(silcd)
admin could for example require that connections from certain IP-address space
must supply a connection password.

quote(An address or wildcarded set of addresses, either in numeric IP-address
fashion or as hostnames. For example em("10.1.*") or
em("*.mydomain.domain.org").)

quote(The required passphrase to allow client connection.)

quote(The path to a file containing the client's public key. There can be any
number of em(PublicKey) statements in one em(Client) section. Matching any of

quote(Name of client connection parameters.)

nsect(SECTION: ServerConnection)

This section defines a configured server connection. A regular SILC
server does not need one at all. If this block exists, it means that the
server is a SILC router. There must be one em(ServerConnection) for each
SILC server that connects to this router.

quote(Either an FQDN or strict IP-address of the connecting server.)

quote(If server connection requires passphrase authentication, set it here.)

quote(This is a path to connecting server's public key. If server connection
requires public key authentication, set this value. If both em(Passphrase)
and em(PublicKey) are set, then either of them will be accepted.)

quote(Connection parameters.)

quote(A boolean value controlling whether this server acts as a backup. Set
to em(false) for normal servers. If set to em(true), this server is a backup

nsect(SECTION: RouterConnection)
This section covers router connections. Stand-alone servers won't have this
section, and regular servers should only have one.

Router servers need one em(RouterConnection) for each other router they have
been configured to connect to. The first configured section is the primary route.

quote(If em(Initiator) is set to em(true), this setting defines the remote
port to which to connect. If em(Initiator) is set to false, then this defines
the local (listening) port.)

quote(If connecting server requires a passphrase authentication, it is set

quote(If connecting to server requires public key authentication, the path
to server's public key file is set here.)

quote(Connection parameters.)

quote(A boolean setting that defines whether this server is the connecting

quote(If the configured connection is a backup connection, set this to the
address of the main router that will be replaced. For normal router connection
leave this option out.)

quote(If the configured connection is a backup connection, set this to the
remote port which to connect to. For normal router connection, leave this

quote(A boolean value. If this setting is em(true), then the backup router
is in the same cell. If the backup router is in another cell, set this
to em(false). Needless to say, for normal router connection, leave this

nsect(SECTION: Admin)

This section defines configured administration connections.

quote(Either FQDN or a strict IP-address to the origin of connection.
This field is optional.)

quote(Username that the connecting client announces. This field is optional.)

quote(Nickname that the connecting client announces. This field is optional.)

quote(Passphrase required to obtain server operator privileges.)

quote(Path to administrator's public key file. If both em(Passphrase) and
em(PublicKey) are defined, either one can be used.)

This section defines denied incoming connections. They apply equally to both
client and server connections, so make sure you know what you add here. Each
em(Deny) section covers one instance of denied connection(s). There may be any
number of em(Deny) sections.

quote(Address or wildcarded addresses of denied connections. bf(NOTE!) This
field is not mandatory, but highly recommended. If you don't specify em(Host)
at all, or give it a value of "*", you have a silcd that denies every single
incoming connection.)

quote(A string giving the reason as to why the connecting party is not allowed
to connect. Unlike em(Host), this field IS mandatory.)
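
The section-ordering rules under CONFIGURATION FILE and the em(Deny) rules above can be checked before a file is deployed. The following is an added example, not part of silcd or its documentation: a simplified pre-deployment check that assumes key names are spelled as in this page, that values contain no braces, and that the sample text is constructed for illustration.

```python
import re
CONNECTION_SECTIONS = {"Client", "ServerConnection", "RouterConnection"}

def parse_sections(text):
    """Return [(name, {key: value})] per top-level block; subsection bodies are skipped."""
    sections, depth, name, buf = [], 0, None, ""
    for ch in text:
        if ch == "{":
            depth += 1
            if depth == 1:                      # start of a top-level section
                name, buf = buf.strip(" ;\n\t"), ""
        elif ch == "}":
            depth -= 1
            if depth == 0:                      # end of a top-level section
                pairs = re.findall(r'(\w+)\s*=\s*"?([^";]*)"?\s*;', buf)
                sections.append((name, dict(pairs)))
                buf = ""
        elif depth <= 1:                        # ignore text inside subsections
            buf += ch
    return sections

def lint(text):
    """Check the ordering and Deny rules stated in this man page."""
    sections = parse_sections(text)
    names = [n for n, _ in sections]
    params = [i for i, n in enumerate(names) if n == "ConnectionParams"]
    conns = [i for i, n in enumerate(names) if n in CONNECTION_SECTIONS]
    findings = []
    if "ServerInfo" not in names:
        findings.append("ServerInfo section is mandatory")
    if "General" in names and params and names.index("General") > params[0]:
        findings.append("General must come before ConnectionParams")
    if params and conns and params[-1] > conns[0]:
        findings.append("ConnectionParams must come before connection sections")
    for name, kv in sections:
        if name == "Deny" and "Reason" not in kv:
            findings.append("Deny: Reason is mandatory")
        if name == "Deny" and kv.get("Host", "*") == "*":
            findings.append('Deny: Host unset or "*" denies every connection')
    return findings

# Constructed sample, not a shipped silcd.conf; the log path is a placeholder.
BAD = '''Client { Host = "10.1.*"; };
ConnectionParams { connections_max_per_host = 1; };
General { require_reverse_lookup = true; };
Logging { QuickLogs = false; Info { File = "/var/log/silcd.log"; }; };
Deny { Host = "*"; };
'''
print("\n".join(lint(BAD)))
```

The sample triggers every rule: the mandatory section is missing, both ordering constraints are violated, and the em(Deny) block both lacks a reason and blocks all incoming connections.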

SILC is designed and written by Pekka Riikonen <priikone@iki.fi> and rest

Configuration file format and parser are by Johnny Mnemonic.

This manpage was written by Mika 'Bostik' Boström <bostik@lut.fi>

See bf(CREDITS) for full list of contributors.