SILCD_CONF(5) silc-server SILCD_CONF(5)

silcd.conf - format of configuration file for silcd

Silcd reads its configuration from /etc/silc/silcd.conf (or the file specified with -f). The file contains sections, subsections and key-value pairs. Each section or subsection is bound with a starting { and ending }. Keys and values are of the format 'KEY=VALUE;'. All statements as well as sections must be terminated with a ';'.

The mandatory section in the configuration file is ServerInfo. Other sections are optional but recommended. If the General section is defined it must be defined before the ConnectionParams section. On the other hand, the ConnectionParams section must be defined before Client, ServerConnection and/or RouterConnection sections. Other sections can be in a free order in the configuration file.
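An added illustration, not from the manual itself: a minimal silcd.conf skeleton that follows the format and ordering rules above (General before any ConnectionParams, the mandatory ServerInfo present). The key names this page describes without naming (hostname, port, Admin, AdminEmail, User, Group, PublicKey, PrivateKey, PidFile, Timestamp) are assumed here from the stock example configuration shipped with silcd; addresses and paths are constructed.

```conf
# Added example skeleton, not from the manual. Key names that this page
# describes without naming (hostname, port, Admin, AdminEmail, User, Group,
# PublicKey, PrivateKey, PidFile, Timestamp) are assumed from the stock
# silcd example configuration; addresses and paths are constructed.

# General must come before any ConnectionParams section.
General {
	prefer_passphrase_auth = false;
	require_reverse_lookup = true;
	connections_max_per_host = 5;
};

# ServerInfo is the only mandatory section.
ServerInfo {
	hostname = "silc.example.org";
	# Primary listener; Secondary blocks add further interfaces.
	Primary {
		ip = "192.0.2.10";
		port = 706;
	};
	Secondary {
		ip = "198.51.100.10";
		port = 706;
	};
	Admin = "Example Admin";
	AdminEmail = "admin@example.org";
	# Root privileges are dropped to this user and group after the port is bound.
	User = "silcd";
	Group = "silcd";
	PublicKey = "/etc/silc/silcd.pub";
	PrivateKey = "/etc/silc/silcd.prv";
	PidFile = "/var/run/silcd.pid";
};

# Info is the least important channel, so a file here receives all four.
Logging {
	Timestamp = true;
	# Buffer log lines and write them every FlushDelay seconds.
	QuickLogs = false;
	FlushDelay = 180;
	Info {
		File = "/var/log/silcd.log";
		Size = "50k";
	};
};
```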
General section contains global settings for the silcd.

Dynamic router connections. If this is set for a normal SILC server the connection to the primary router is not created until it is actually needed. Giving for example /WHOIS foobar@silcnet.org would then create a connection to the primary router to resolve user foobar. On the other hand, giving /WHOIS foobar would try to search for the user foobar locally, without creating the connection. Note that giving /JOIN foobar will also create the connection, as the current SILC Server version supports only global channels (all JOINs require a connection to the router, if one
prefer_passphrase_auth
If both public key and passphrase authentication are set for a connection, public key authentication is by default preferred. Setting this value to true causes silcd to prefer passphrase authentication in these cases.
require_reverse_lookup
Set this value to true if all connecting hosts must have a fully qualified domain name (FQDN). If set to true, a host without an FQDN is not allowed to connect to the server.
Maximum number of incoming connections to this server. Any further connections are refused.

connections_max_per_host
Maximum number of incoming connections from any single host. This setting can be overridden on a connection-specific basis with ConnectionParams.
Defines the minimum required version of the protocol to allow connecting to the server. A client or server using this version of the protocol or newer is allowed to connect; one using anything older will be rejected. Leaving this unset allows all versions to connect. This can be overridden with ConnectionParams.

Defines the minimum required version of the software to allow connecting to the server. A client or server that is of this version or newer is allowed to connect; one using anything older will be rejected. Leaving this unset allows all versions to connect. This can be overridden with ConnectionParams.

version_software_vendor
Defines the allowed software vendor string that is required to connect. Usually this is either a build number or a special client tag. Using this requirement is not encouraged unless the server is in very limited use. Leaving this unset allows all versions regardless of their vendor to connect. Can be overridden with ConnectionParams.
Defines the interval, in seconds, at which the session key will be regenerated. This setting only applies to the connection initiator, as rekey is always performed by the initiating party. The setting has effect only when the server acts as an initiator, and can be overridden with ConnectionParams.

Boolean value that determines whether key exchange is performed with Perfect Forward Secrecy (PFS) or without. If set to true, the rekey process will be somewhat slower, but more secure since the key is entirely regenerated. Can be overridden with Connec-

Key exchange timeout in seconds. If the key exchange is not completed within this time, the remote connection will be closed.

Connection authentication timeout in seconds. If the connection authentication is not completed within this time, the remote connection will be closed.
Seconds, how often the channel key will be regenerated. Note that the channel key is regenerated each time someone joins or leaves the channel. This is the maximum time any channel can have the same

Boolean value controlling whether clients are denied the use of the DETACH command. Default value is false (DETACH is allowed).

Time in seconds how long detached sessions will be available. By default, detached sessions do not expire and as such are persistent as long as the server is running. If the DETACH command is allowed, this value should be set as well.

Boolean value controlling whether Quality of Service settings are enabled. Default setting is false. NOTE: If you enable QoS in the General section, it applies to every connection the server has, including server connections. This setting can be overridden with ConnectionParams and in the case of server connections, it SHOULD BE overridden (server connections should not use QoS).

Limits read operations per second to the given amount. Do note that one read operation may read several SILC packets, so this setting does not automatically correspond to the amount of messages transmitted or accepted.

Limits incoming SILC data to the specified number of bytes per

This value defines the timeout, in seconds, for the delay of received data in case it was left in a QoS queue.

This value defines the timeout, in microseconds, for the delay of received data in case it was left in a QoS
ServerInfo contains values for bound interfaces and administrative

Server's name (FQDN).

This is a descriptive text field, usually telling what the server and its purpose are.

Descriptive field of the server's geographic location.

Administrator's full name.

Administrator's email address.

The name of the user account silcd will be running as. This must be an existing user. Silcd needs to be executed as root; after binding the port it will drop root privileges and use the

The name of the group silcd will be running as. This must be an existing group. Silcd needs to be executed as root; after binding the port it will drop root privileges and use the group

Full path to the server's public key file.

Full path to the server's private key file.

Full path to the MOTD (Message Of The Day) file, a text file that will be displayed to each client upon connection.

Full path to the file where silcd will write its PID.

This is the primary listener info. Each server can have no more than

Specifies the address silcd is listening on.

Specifies the port silcd is listening on.

Optional field. If your server is behind NAT this IP would be the public IP address. The 'ip' field would include the internal IP address. With this option it is possible to run silcd
SUBSECTION: Secondary
This is a secondary listener info. A server may have any amount of Secondary listener settings. These are needed only if silcd needs to listen on several interfaces. Secondary subsections have the same information that Primary does.
This section is used to set up various log files: their paths, maximum sizes and individual logging options.

There are four defined logging channels. The log channels have an importance value, and more important channels are always redirected to the less important ones. Setting a valid logging file for Info will ensure logging for all channels, whereas a setting for Errors would only ensure logging for Errors and Fatals.

A boolean value that dictates whether log lines will have timestamps prefixed. In general, this is a good idea. You might want to disable this if you are running silcd under some special logging daemon, such as daemontools.

A boolean value that determines how often log files are updated. Setting this to true makes silcd log in real time. Setting this to false makes silcd write to logs every FlushDelay seconds. Real-time logging causes a bit more CPU and HDD usage but reduces memory consumption.

Time in seconds, how often logs are flushed to log files. This setting has effect only if QuickLogs is disabled.

Each of these subsections has the same attributes, File and Size. Different levels of problems are logged to their respective channels (Info, Warnings, Errors, Fatals), depending on their need of attention.

Full path to the log file.

Limits the size the log file is allowed to grow to. Any further messages to this file cause the oldest lines to be removed in order to keep the file size within the given limit.
SECTION: ConnectionParams
This section defines connection parameters. Each connection may have its own set of ConnectionParams but having one is in no way mandatory. If no separate parameters have been assigned, the defaults and the ones from the General section will be used. A silcd configuration may have any number of ConnectionParams sections.

This is a unique name that separates this particular ConnectionParams section from all the others. It is also the name by which other sections refer to this set of parameters. This

Limits how many concurrent connections are allowed. Any further connections are simply refused. Note that this setting can not override the figure given in the General section.

connections_max_per_host
Maximum number of connections allowed from any single host. If this parameter is set for a block controlling server connections, it is highly suggested to use a value of one (1).

Exactly the same as in General section.

Exactly the same as in General section.

version_software_vendor
Exactly the same as in General section.

How often (seconds) to send HEARTBEAT packets to connected

When the connection is lost, how many times a reconnection is tried.

How often, in seconds, a reconnection is attempted.

reconnect_interval_max
The reconnection interval is lengthened each time an unsuccessful attempt occurs. This value defines the maximum interval to which the delay may be prolonged.

reconnect_keep_trying
Boolean value controlling whether the server eventually gives up trying to reconnect. If set to false, the server will give up once reconnect_count is reached or, even at the maximum interval, no connection is established.

Exactly the same as in General section.

Exactly the same as in General section.

This boolean setting has meaning only for client connections. If set to true, client connections using this ConnectionParams block will have their username and host scrambled. The client will also have an anonymous mode set on it.

Exactly the same as in General section. NOTE: For server connections this should be set to false.

Exactly the same as in General section.

Exactly the same as in General section.

Exactly the same as in General section.

Exactly the same as in General section.
This section defines how incoming client connections are handled. There can be several Client sections, each with their own requirements. A silcd admin could for example require that connections from a certain IP address space must supply a connection password.

An address or wildcarded set of addresses, either in numeric IP address fashion or as hostnames. For example "10.1.*" or "*.mydomain.domain.org".

The required passphrase to allow the client connection.

The path to a file containing the client's public key. There can be any number of PublicKey statements in one Client section. Matching any of them will do.

Name of the client connection parameters.
SECTION: ServerConnection
This section defines a configured server connection. A regular SILC server does not need one at all. If this block exists, it means that the server is a SILC router. There must be one ServerConnection for each SILC server that connects to this router.

Either an FQDN or strict IP address of the connecting server.

If the server connection requires passphrase authentication, set it

This is a path to the connecting server's public key. If the server connection requires public key authentication, set this value. If both Passphrase and PublicKey are set, then either of them will

Connection parameters.

A boolean value controlling whether this server acts as a backup. Set to false for normal servers. If set to true, this server is a backup router.
SECTION: RouterConnection
This section covers router connections. Stand-alone servers won't have this section, and regular servers should only have one.

Router servers need one RouterConnection for each other router they have been configured to connect to. The first configured section is the

If Initiator is set to true, this setting defines the remote port to which to connect. If Initiator is set to false, then this defines the local (listening) port.

If the connecting server requires passphrase authentication, it is

If connecting to the server requires public key authentication, the path to the server's public key file is set here.

Connection parameters.

A boolean setting that defines whether this server is the con-

If the configured connection is a backup connection, set this to the address of the main router that will be replaced. For a normal router connection leave this option out.

If the configured connection is a backup connection, set this to the remote port to which to connect. For a normal router connection, leave this option out.

A boolean value. If this setting is true, then the backup router is in the same cell. If the backup router is in another cell, set this to false. Needless to say, for a normal router connection, leave this option out.
This section defines configured administration connections.

Either an FQDN or a strict IP address of the origin of the connection. This field is optional.

Username that the connecting client announces. This field is

Nickname that the connecting client announces. This field is

Passphrase required to obtain server operator privileges.

Path to the administrator's public key file. If both Passphrase and PublicKey are defined, either one can be used.
This section defines denied incoming connections. They apply equally to both client and server connections, so make sure you know what you add here. Each Deny section covers one instance of denied connection(s). There may be any number of Deny sections.

Address or wildcarded addresses of denied connections. NOTE! This field is not mandatory, but highly recommended. If you don't specify Host at all, or give it a value of "*", you have a silcd that denies every single incoming connection.

A string giving the reason as to why the connecting party is not allowed to connect. Unlike Host, this field IS mandatory.
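An added example, not part of the manual: a connection policy that ties the Client, ServerConnection and Deny sections above to two named ConnectionParams blocks, with the per-host limit of one (1) that the ConnectionParams section recommends for server blocks. The ConnectionParams key name, the anonymous key and the ServerConnection key Backup are assumed from the stock silcd example configuration, since this page describes those fields without naming them; addresses, paths and the passphrase placeholder are constructed.

```conf
# Added example, not from the manual. Keys name, anonymous and Backup are
# assumed from the stock silcd example config; addresses and paths are constructed.

ConnectionParams {
	name = "clients";
	connections_max_per_host = 3;
	anonymous = false;
};

# One (1) connection per host is the recommended value for server blocks.
ConnectionParams {
	name = "servers";
	connections_max_per_host = 1;
	reconnect_interval_max = 600;
	reconnect_keep_trying = true;
};

# Clients from the internal address space must supply the passphrase;
# everyone else must hold one of the listed public keys.
Client {
	Host = "10.1.*";
	Passphrase = "REPLACE-WITH-REAL-PASSPHRASE";
	Params = "clients";
};

Client {
	Host = "*";
	PublicKey = "/etc/silc/clients/alice.pub";
	PublicKey = "/etc/silc/clients/bob.pub";
	Params = "clients";
};

# Present only on a router: one block per leaf server that connects here.
ServerConnection {
	Host = "leaf.example.org";
	PublicKey = "/etc/silc/servers/leaf.pub";
	Params = "servers";
	Backup = false;
};

# Deny applies to clients and servers alike. Reason is mandatory; Host
# should always be given (an absent or "*" Host denies everything).
Deny {
	Host = "192.0.2.*";
	Reason = "Address range blocked by policy";
};
```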
SILC is designed and written by Pekka Riikonen <priikone@iki.fi> and the rest of the SILC Project.

Configuration file format and parser is by Giovanni Giacobbi <gio-

This manpage was written by Mika 'Bostik' Bostrom <bostik@lut.fi>

See CREDITS for the full list of contributors.

silc-server November 2 2002 SILCD_CONF(5)