+++ /dev/null
-#
-# silcd.conf
-#
-# Example configuration file. Note that this attempts to present various
-# configuration possibilities and may not actually give any sensible
-# configuration. For real life example see the examples/ directory.
-#
-# Most of the settings in this file are optional. If some setting is
-# mandatory it is mentioned separately. If some setting is omitted it means
-# that its builtin default value will be used. Boolean values, that is
-# setting something on or off, is done by setting either "true" or "false"
-# value, respectively.
-#
-# The ServerInfo section is mandatory section. Other sections are optional.
-# However, if General section is defined it must be defined before the
-# ConnectionParams sections. On the other hand, the ConnectionParams section
-# must be defined before Client, ServerConnection or RouterConnection
-# sections. Other sections can be in free order.
-#
-
-#
-# Include global algorithms from the "silcalgs.conf" file. This file defines
-# ciphers, hash functions, HMACs and PKCS algorithms that can be used.
-#
-Include "@ETCDIR@/silcalgs.conf";
-
-#
-# General configuration options
-#
-# These defines the default behaviour of the server. Most of these values
-# can be overridden with ConnectionParams, which can be defined independently
-# for different connections.
-#
-General {
- # This is the default path where to search modules. If omitted
- # built-in modules will be used. Built-in modules will also be
- # used if a module file cannot be located.
- module_path = "@MODULESDIR@";
-
- # If both passphrase and public key authentication is set for a
- # connection the public key authentication is the preferred one
- # to use. Set this to `true' to prefer passphrase authentication
- # over public key authentication in these cases.
- #prefer_passphrase_auth = true;
-
- # Set this to true if the server should require fully qualified
- # domain names (FQDN) for incoming connections. If true, a host
- # without FQDN cannot connect to the server.
- #require_reverse_lookup = true;
-
- # Maximum number of connections server can handle. If you want
- # to limit the number of incoming connections, define the
- # connections_max in the ConnectionParams.
- connections_max = 1000;
-
- # Maximum number of incoming connections allowed per single host.
- # For example, if this is one (1) it means a host can link only
- # once to the server. Attempting to connect more than once would
- # be refused. This can be overridden with ConnectionParams.
- #connections_max_per_host = 10;
-
- # Required version of the remote side. If these are specified then
- # the remote must be of at least this version, or newer. If older
- # then the connection will not be allowed.
- #
- # version_protocol - SILC protocol version ("major.minor")
- # version_software - software version ("major.minor")
- # version_software_vendor - vendor specific version extension
- #
- # The version_software_vendor may be for example a string or a build
- # number of the software. The string can be a regex string to match
- # more widely. Usually the vendor version checking is not necessary
- # and can be omitted. These can be overridden with ConnectionParams.
- #version_protocol = "1.3";
- #version_software = "2.0";
- #version_software_vendor = "SomeVendor";
-
- # Default keepalive frequency (seconds). This can be overridden with
- # with ConnectionParams.
- keepalive_secs = 300;
-
- # Default reconnection parameters defines how the server reconnect
- # to the remote if the connection was lost. The reconnection phase
- # use so called exponential backoff algorithm; The reconnect
- # interval grows when reconnect count grows. Next example will
- # attempt to reconnect after 10 seconds of disconnect, and the
- # interval grows up to 600 seconds or until 7 times was attempted
- # to reconnect. These settings has effect only when connecting
- # as initiator.
- #
- # reconnect_count - how many times reconnect is attempted
- # reconnect_interval - how often reconnect it performed (seconds)
- # reconnect_interval_max - maximum interval for reconnect, the
- # server never waits longer than this to
- # reconnect (seconds).
- # reconnect_keep_trying - whether to keep trying even after
- # reconnect_count is reached (the interval
- # will be reconnect_interval_max).
- #
- # These can be overridden with ConnectionParams.
- reconnect_count = 7;
- reconnect_interval = 10;
- reconnect_interval_max = 600;
- reconnect_keep_trying = true;
-
- # Key exchange protocol rekey interval (seconds). How often to
- # regenerate the session key with the remote. Initiator will perform
- # the rekey and this setting affects only when connecting as initiator.
- # This can be overridden with ConnectionParams.
- #key_exchange_rekey = 3600;
-
- # Key exchange with Perfect Forward Secrecy (PFS). This will perform
- # the rekey process with PFS, making the new key more secure since it
- # is not dependent in any way of the old key. This will make the rekey
- # process somewhat slower, than without PFS. This can be overridden
- # with ConnectionParams.
- #key_exchange_pfs = true;
-
- # Key exchange timeout (seconds). If the key exchange protocol is not
- # finished in this time period the remote connection will be closed.
- #key_exchange_timeout = 60;
-
- # Connection authentication timeout (seconds). If the connection
- # authentication protocol is not finished in this time period the
- # remote connection will be closed.
- #conn_auth_timeout = 60;
-
- # Channel key rekey interval (seconds). How often channel key is
- # regenerated. Note that channel key is regenerated also always when
- # someone joins or leaves the channel.
- #channel_rekey_secs = 3600;
-
- # SILC session detachment disabling and limiting. By default clients
- # can detach their sessions from server. If you set detach_disabled
- # to true the DETACH command cannot be used by clients. If you want
- # to limit for how long the server keeps detached sessions you can
- # set the time (minutes) in detach_timeout. After that timeout the
- # detached session is closed if it is not resumed. By default
- # sessions are persistent as long as server is running.
- #detach_disabled = true;
- #detach_timeout = 1440;
-
- # Quality of Service (QoS) settings. The QoS can be used to handle
- # the incoming data and limit its handling rate to avoid flooding.
- # By default QoS is disabled and can be enabled by setting "qos" to
- # true value. The "qos_rate_limit" is the data reads per second,
- # and if more frequently is read due to for example data flooding,
- # QoS is applied to the data. The "qos_bytes_limit" is maximum bytes
- # allowed for incoming data. If more is received at once the QoS
- # is applied to the data. The "qos_limit_sec" and "qos_limit_usec"
- # is the timeout used to delay the data handling, seconds and
- # microseconds, respectively. NOTE: If you enable QoS in General
- # section it applies to server connections as well. Server
- # connections SHOULD NOT use QoS. This can be overridden with
- # ConnectionParams.
- #qos = true;
- #qos_rate_limit = 10;
- #qos_bytes_limit = 2048;
- #qos_limit_sec = 0;
- #qos_limit_usec = 500000;
-
- # Limit on how many channels one client can join. Default is 50.
- #channel_join_limit = 100;
-
- # HTTP server access to the server for retrieving server statistics
- # with a web browser. This is disabled by default.
- #http_server = true;
- #http_server_ip = "127.0.0.1";
- #http_server_port = 5000;
-
- # Debug string. Debug string can be set to print debugging from
- # the running server. The debug is redirected to stderr.
- # debug_string = "";
-};
-
-#
-# Server information
-#
-ServerInfo {
- #
- # Server name (FQDN)
- #
- hostname = "lassi.kuo.fi.ssh.com";
-
- #
- # Primary listener. Specify the IP address and the port to bind
- # the server.
- #
- Primary {
- ip = "10.2.1.6";
- port = 706;
- };
-
- #
- # Secondary listener(s). If you need to bind your server into
- # several interfaces use the Secondary to specify the listener(s).
- #
- #Secondary { ip = "10.2.1.60"; port = 706; };
- #Secondary { ip = "10.2.1.160"; port = 706; };
-
- #
- # ServerType field specifies the purpose of this server
- # This is only a descriptive field.
- #
- ServerType = "Test Server";
-
- #
- # Geographic location
- #
- Location = "Kuopio, Finland";
-
- #
- # Full admin name
- #
- Admin = "Foo T. Bar";
-
- #
- # Admin's email address
- #
- AdminEmail = "foo-admin@bar.com";
-
- #
- # Run SILC server as specific user and group. The server must be
- # initially run as root.
- #
- User = "nobody";
- Group = "nobody";
-
- #
- # Public and private keys
- #
- PublicKey = "@ETCDIR@/silcd.pub";
- PrivateKey = "@ETCDIR@/silcd.prv";
-
- #
- # Motd file
- #
- # Specifies the text file displayed on client connection
- #
- #MotdFile = "@ETCDIR@/motd.txt";
-
- #
- # Pid file
- #
- PidFile = "@PIDFILE@";
-};
-
-#
-# Log files.
-#
-# This section is used to set various logging files, their paths, maximum
-# sizes and logging options.
-#
-# There are only four defined channels allowed for defining (see below).
-# The log channels have an importance value, and most important channels
-# are redirected on the less important ones, thus setting a valid logging
-# file for "Info" will ensure logging for all channels, while setting
-# logging file for "Errors" will ensure logging for channels "Errors"
-# and "Fatals". If only, for example, "Info" is set then all logs go to
-# that file (like in example below).
-#
-Logging {
- # Use timestamp in the logging files? (Usually it is a good idea,
- # but you may want to disable this if you run silcd under some
- # daemontool).
- Timestamp = true;
-
- # If QuickLogs is true, then the logging files will be updated
- # real-time. This causes a bit more CPU and HDD activity, but
- # reduces memory usage. By default it is false and log files are
- # written with FlushDelay timeout.
- #
- #QuickLogs = true;
-
- # FlushDelay tells log files update delay (seconds) in case you
- # have chosen buffering output. This setting has effect only if
- # the QuickLogs is false.
- #
- FlushDelay = 180;
-
- # Informational messages
- Info {
- File = "@LOGSDIR@/silcd.log";
- Size = "100k";
- };
-
- # Warning messages
- #Warnings {
- # File = "@LOGSDIR@/silcd_warnings.log";
- # Size = "50k";
- #};
-
- # Error messages
- #Errors {
- # File = "@LOGSDIR@/silcd_errors.log";
- # Size = "50k";
- #};
-
- # Fatal messages
- #Fatals {
- # File = "@LOGSDIR@/silcd_fatals.log";
- # Size = "50k";
- #};
-};
-
-#
-# Connection Parameters
-#
-# This section defined connection parameters. It is possible to use
-# specific parameters in different connections, and to define different
-# parameters to different connections. The parameters can define how the
-# connection is handled and how the session is managed. If connection
-# parameters are not used in connections the default values will apply
-# (or values defined in General section). You can have multiple
-# ConnectionParams blocks defined.
-#
-ConnectionParams {
- # unique name. The name is used to reference to this parameter
- # block from the connections. This field is mandatory.
- name = "normal";
-
- # Maximum number of connections allowed. More connections will be
- # refused. This can be used for example to limit number of clients.
- # Note that this never can be larger than the connections_max
- # specified in General section.
- connections_max = 200;
-
- # Maximum number of connections allowed per host. For example, if
- # this is one (1) it means a host can link only once to the server.
- # Attempting to link more than once would be refused.
- #
- # If this connection parameters block is used with incoming server
- # connections it is recommended that this value is set to one (1).
- connections_max_per_host = 10;
-
- # Required version of the remote side. If these are specified then
- # the remote must be of at least this version, or newer. If older
- # then the connection will not be allowed.
- #
- # version_protocol - SILC protocol version ("major.minor")
- # version_software - software version ("major.minor")
- # version_software_vendor - vendor specific version extension
- #
- # The version_software_vendor may be for example a string or a build
- # number of the software. The string can be a regex string to match
- # more widely. Usually the vendor version checking is not necessary
- # and can be omitted. These can be overridden with ConnectionParams.
- #version_protocol = "1.1";
- #version_software = "1.3";
- #version_software_vendor = "SomeVendor";
-
- # Keepalive frequency (seconds).
- keepalive_secs = 300;
-
- # Reconnection parameters defines how the server reconnects to
- # the remote if the connection was lost. The reconnection phase
- # use so called exponential backoff algorithm; The reconnect
- # interval grows when reconnect count grows. Next example will
- # attempt to reconnect after 10 seconds of disconnect, and the
- # interval grows up to 600 seconds or until 7 times was attempted
- # to reconnect. These settings has effect only when connecting
- # as initiator.
- #
- # reconnect_count - how many times reconnect is attempted
- # reconnect_interval - how often reconnect it performed (seconds)
- # reconnect_interval_max - maximum interval for reconnect, the
- # server never waits longer than this to
- # reconnect (seconds).
- # reconnect_keep_trying - whether to keep trying even after
- # reconnect_count is reached (the interval
- # will be reconnect_interval_max).
- reconnect_count = 7;
- reconnect_interval = 10;
- reconnect_interval_max = 600;
- reconnect_keep_trying = true;
-
- # Key exchange protocol rekey interval (seconds). How often to
- # regenerate the session key with the remote. Initiator will perform
- # the rekey and this setting affects only when connecting as initiator.
- #key_exchange_rekey = 3600;
-
- # Key exchange with Perfect Forward Secrecy (PFS). This will perform
- # the rekey process with PFS, making the new key more secure since it
- # is not dependent in any way of the old key. This will make the rekey
- # process somewhat slower, than without PFS.
- #key_exchange_pfs = true;
-
- # Anonymous connection. This setting has effect only when this
- # this is used with client connections. If set to true then clients
- # using this connection parameter will be anonymous connections.
- # This means that the client's username and hostname information
- # is scrambled and anonymous mode is set for the user.
- #anonymous = true;
-
- # Quality of Service (QoS) settings. The QoS can be used to handle
- # the incoming data and limit its handling rate to avoid flooding.
- # By default QoS is disabled and can be enabled by setting "qos" to
- # true value. The "qos_rate_limit" is the incmoing data reading
- # per second, and if more frequently than the set limit is read the
- # QoS is applied to the data. The "qos_bytes_limit" is maximum bytes
- # allowed for incoming data. If more is received at once the QoS
- # is applied to the data. The "qos_limit_sec" and "qos_limit_usec"
- # is the timeout used to delay the data handling, seconds and
- # microseconds, respectively. For server connections QoS SHOULD NOT
- # be set.
- #qos = true;
- #qos_rate_limit = 10;
- #qos_bytes_limit = 2048;
- #qos_limit_sec = 0;
- #qos_limit_usec = 500000;
-};
-
-#
-# Configured client connections.
-#
-# The "Host" defines the incoming IP address or hostname of the client.
-# If it is omitted all hosts will match this client connection. The
-# "Params" is optional and can be used to set specific connection parameters
-# for this connection.
-#
-# The authentication data is specified by Passphrase and/or PublicKey.
-# If both are provided then both password and public key based authentication
-# is allowed. The "PublicKey" includes the single key contained in the
-# specified file, while "PublicKeyDir" includes all files in the specified
-# directory, which must all be valid public keys with ".pub" suffix.
-#
-# Next example connection will match to all incoming client connections,
-# and no authentication is required.
-#
-Client {
- #Host = "10.1.*";
- #Passphrase = "secret";
- #PublicKey = "/path/to/the/user_my.pub";
- #PublicKey = "/path/to/the/user_221.pub";
- #PublicKey = "/path/to/the/user_313.pub";
- #PublicKeyDir = "/path/to/keys/dir/";
- Params = "normal";
-};
-
-#
-# Configured server administrator connections
-#
-# The fields "Host", "User", and "Nick", are optional but you are encouraged
-# in using them to better identify your admins.
-#
-# The authentication data is specified by Passphrase and/or PublicKey.
-# If both are provided then both password and public key based authentication
-# is allowed. If the PublicKey is used it includes the file path to the
-# public key file. If none of them is provided then authentication is not
-# required.
-#
-Admin {
- Host = "10.2.1.199";
- User = "priikone";
- Nick = "pekka";
- Passphrase = "verysecret";
- # PublicKey = "/path/to/the/public.pub";
-};
-
-#
-# Configured server connections.
-#
-# If server connections are configured it means that this server is
-# router server. Normal servers must not configure server connections.
-# Thus, if this server is not router do not configure this section. If
-# your server is router, this must be configured. The Host (mandatory)
-# specifies the remote server.
-#
-# The authentication data is specified by Passphrase and/or PublicKey.
-# If both are provided then both password and public key based authentication
-# is allowed. If the PublicKey is used it includes the file path to the
-# public key file. If none of them is provided then authentication is not
-# required.
-#
-# If the connection is backup connection then set the "Backup" option
-# to true. For normal connections set it false. If it is set to true then
-# your server will be backup router.
-#
-ServerConnection {
- Host = "10.2.1.7";
- Passphrase = "verysecret";
- #PublicKey = "/path/to/the/public.pub";
- Params = "normal";
- Backup = false;
-};
-
-#
-# Configured router connections
-#
-# For normal servers only one entry maybe configured to this section. It
-# must be the router this server will be connected to. For router servers,
-# this section includes all configured router connections. The first
-# configured connection is the primary route. The Host (mandatory) specifies
-# the remote hostname or IP address. The Port specifies the remote port
-# to connect when Initiator is true. When Initiator is false the Port
-# specifies the local port (listener port).
-#
-# The authentication data is specified by Passphrase and/or PublicKey.
-# If both are provided then both password and public key based authentication
-# is allowed. If the PublicKey is used it includes the file path to the
-# public key file. If none of them is provided then authentication is not
-# required.
-#
-# If you are the initiator of the connection then set the "Initiator"
-# option to true. If you are the responder of the connection (waiting for
-# incoming connection) then set it to false.
-#
-# If the connection is backup router connection then set the "BackupHost"
-# option to the IP address of the router that the backup router will
-# replace if it becomes unavailable. Set also the router's port to the
-# "BackupPort" option. For normal connection leave both commented. If this
-# backup router is in our cell then set the "BackupLocal" option to true.
-# If the backup router is in other cell then set it to false.
-#
-RouterConnection {
- Host = "10.2.1.100";
- Port = 706;
- Passphrase = "verysecret";
- #PublicKey = "/path/to/the/public.pub";
- Params = "normal";
- Initiator = true;
- #BackupHost = "10.2.1.6";
- #BackupPort = 706;
- #BackupLocal = true;
-};
-
-#
-# Denied connections
-#
-# These connections are denied to connect to our server.
-#
-# The "Reason" field is mandatory, while the "Host" field can be omitted to
-# match everything.
-#
-#Deny {
-# Host = "10.2.1.99";
-# Reason = "Go away spammer";
-#};
-#Deny {
-# Host = "10.3.*";
-# Reason = "You are not welcome.";
-#};