Documentation / Server configuration file syntax

Server configuration syntax

Server configuration is done in config/config.yaml file. The file uses YAML format.


keys

Private keys to be used by the server. If only one directory is specified and no keys are found then the server will generate and save the private keys on startup. Note: password-protected keys are not supported (yet).

keys: 
  # Directory where keys are stored
  - keys/ 
  # Private key file
  - /home/my_private_key

bindings

Port and IP address bindings. By default the server will bind to any IP address, listen on port 22 and will serve both SFTP and SCP protocols. You can specify multiple bindings. You can also use hostname instead of IP address - the address(es) will be resolved for you.

bindings:
  - { port: 22, ipAddress: 0.0.0.0, sftp: true, scp: true }
  - { port: 22, ipAddress: test.rebex.net, sftp: true, scp: true }

ipFilter

IP filtering rules. Allow list has priority over deny list. By default all IP addresses are allowed. To block all incoming requests (except for those in 'allow') add 0.0.0.0/0 (all IPv4) and ::/0 (all IPv6) to deny section. Please note that IPv6 addresses must be enclosed in double quotes as required by YAML format.

ipFilter:
  deny:
    # single IP address
    - 192.168.66.12 
    # CIDR notation
    - 192.168.66.12/24
  allow:
    # Address range
    - 192.168.66.0-192.168.66.10
    # IPv6
    - "2001:db8::/48"  # quotes required

logging

No logs will be saved unless you specify log location. Single file per day shall be used - the application does not do any cleanup. Make sure that the user the server service uses has write access to the locations specified.

logging: 
  # Access log (user activity over SSH)
  access:
    # Directory where logs will be kept
    location: D:\buru\logs\access
    
  # Server log (for debugging purposes)
  server:
    location: D:\buru\logs\server
    # Minimal log level to write. Set to warning by default.
    # Supported values are: verbose, debug, information, warning, error and fatal. 
    minLevel: warning

users

User and password policies

users:
  passwordHashAlgorithm: SHA512
  passwordSaltSize: 20
  usernameCaseSensitive: true
  usernamePattern: "^[a-zA-Z0-9_\\@\\-\\.]{1,128}$"

ssh

SSH Configuration. We recommend to use only __MODERN suites if possible; for maximum compatibility without compromising too much on security use __INTERMEDIATE.

ssh:
  encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
  hostKeyAlgorithms: ['__MODERN']
  kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  
  shellHostName: myserver

SSH shell - EXPERIMENTAL.

Disabled by default. Aliases are defined in aliases file. See also ssh-shell-aliases.

sshShell:
  enabled: true

SSH tunnelling - EXPERIMENTAL.

Disabled by default, without any implicit bindings.

sshTunnelling:
  enabled: true
  bindings:
    - { port: 22, ipAddress: 0.0.0.0 }


Documentation / Server configuration file syntax