Server configuration syntax

Server configuration is done in the config/config.yaml file, which uses the YAML format.


keys

Private keys to be used by the server. If only one directory is specified and no keys are found, the server will generate and save the private keys on startup. Note: password-protected keys are not supported (yet).

keys: 
  # Directory where keys are stored
  - keys/ 
  # Private key file
  - /home/my_private_key

bindings

Port and IP address bindings. By default the server will bind to any IP address, listen on port 22 and serve both the SFTP and SCP protocols. You can specify multiple bindings. You can also use a hostname instead of an IP address; the address(es) will be resolved for you.

bindings:
  - { port: 22, ipAddress: 0.0.0.0, sftp: true, scp: true }
  - { port: 22, ipAddress: test.rebex.net, sftp: true, scp: true }

ipFilter

IP filtering rules. The allow list has priority over the deny list. By default all IP addresses are allowed. To block all incoming requests (except for those in 'allow'), add 0.0.0.0/0 (all IPv4) and ::/0 (all IPv6) to the deny section. Note that IPv6 addresses must be enclosed in double quotes, as required by the YAML format.

ipFilter:
  deny:
    # single IP address
    - 192.168.66.12 
    # CIDR notation
    - 192.168.66.12/24
  allow:
    # Address range
    - 192.168.66.0-192.168.66.10
    # IPv6
    - "2001:db8::/48"  # quotes required
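
The rule order described above (allow beats deny, anything unmatched is allowed) can be checked against a filter before it is deployed. The following is an added example, not code from the server: it models the documented semantics in Python, the function names are hypothetical, and treating 192.168.66.12/24 as the whole /24 network is an assumption.

```python
import ipaddress

def parse_rule(rule):
    """Return the (first, last) address covered by one ipFilter entry."""
    rule = rule.strip()
    if "/" in rule:
        # CIDR. strict=False is an assumption so 192.168.66.12/24 parses as the /24.
        net = ipaddress.ip_network(rule, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {rule}")
        return lo, hi
    addr = ipaddress.ip_address(rule)
    return addr, addr

def matches(addr, rules):
    for first, last in map(parse_rule, rules):
        if addr.version == first.version and first <= addr <= last:
            return True
    return False

def is_allowed(client, ip_filter):
    """Allow beats deny; an address matching neither list is allowed."""
    addr = ipaddress.ip_address(client)
    if matches(addr, ip_filter.get("allow", [])):
        return True
    return not matches(addr, ip_filter.get("deny", []))

def open_families(ip_filter):
    """IP versions with no catch-all deny rule, i.e. still open by default."""
    full = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}
    covered = set()
    for first, last in map(parse_rule, ip_filter.get("deny", [])):
        net = full[first.version]
        if (first, last) == (net.network_address, net.broadcast_address):
            covered.add(first.version)
    return sorted(set(full) - covered)

# The page's sample filter, and a constructed lockdown variant.
PAGE_SAMPLE = {"deny": ["192.168.66.12", "192.168.66.12/24"],
               "allow": ["192.168.66.0-192.168.66.10", "2001:db8::/48"]}
LOCKDOWN = {"deny": ["0.0.0.0/0", "::/0"],
            "allow": ["192.168.66.0-192.168.66.10"]}

if __name__ == "__main__":
    for ip in ("192.168.66.5", "192.168.66.200", "10.0.0.1"):
        print(ip, is_allowed(ip, PAGE_SAMPLE), is_allowed(ip, LOCKDOWN))
    print("default-open families:", open_families(PAGE_SAMPLE))
```

A filter that denies only 0.0.0.0/0 still reports IPv6 as open, which is why the text lists both catch-all entries.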

logging

No logs will be saved unless you specify a log location. A single file is used per day, and the application does not do any cleanup of old files. Make sure that the user account the server service runs under has write access to the locations specified.

logging: 
  # Allow anonymous crash reporting. 
  # Turned off by default but you'll make us happy if you turn it on so we can fix bugs.
  enableCrashReporting: true
  
  # Access log (user activity over SSH)
  access:
    # Directory where logs will be kept
    location: D:\buru\logs\access
    
  # Server log (for debugging purposes)
  server:
    location: D:\buru\logs\server
    # Minimal log level to write. Set to warning by default.
    # Supported values are: verbose, debug, information, warning, error and fatal. 
    minLevel: warning

passwordPolicy

Server password policy.

passwordPolicy:
  hashAlgorithm: SHA512
  saltSize: 20

ssh

SSH configuration. We recommend using only __MODERN suites if possible; for maximum compatibility without compromising too much on security, use __INTERMEDIATE.

ssh:
  encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
  hostKeyAlgorithms: ['__MODERN']
  kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  
  shellHostName: myserver

Miscellaneous

usernamePattern - User name regular expression filter. Default: ^[a-zA-Z0-9_\@\-\.]{1,128}$

usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"

SSH shell - EXPERIMENTAL.

Disabled by default. Aliases are defined in the aliases file. See also README_ALIASES.

sshShell:
  enabled: true

SSH tunnelling - EXPERIMENTAL.

Disabled by default, without any implicit bindings.

sshTunnelling:
  enabled: true
  bindings:
    - { port: 22, ipAddress: 0.0.0.0 }
