SSH connection

Defines the behavior of the SSH protocol for a user who is connecting to Bifröst.

Configuration

addresses

Array<Net Address> = [":22"]

The addresses on which the service binds and listens.

keys

See below.

idleTimeout

Duration = "10m"

How long a connection may stay idle before it is forcibly closed. The client can send keep-alive packets to extend the idle time. 0 means the connection never times out.

maxTimeout

Duration = 0

The maximum duration a connection may stay open before it is forcibly closed, regardless of whether there is any activity. 0 means the connection never times out.

maxAuthTries

uint8 = 6

How many different authentication methods a client may try before the connection is rejected.

maxConnections

uint8 = 255

The maximum number of parallel connections to this service. Every additional connection beyond this limit is rejected.

banner

"{{ `/etc/ssh/sshd-banner` | file `optional` | default `Transcend with Engity Bifröst\n\n` }}"

Banner shown to the client as soon as it connects, before any validation of authorizations or similar takes place.

Examples

addresses: [ ":22" ]
keys:
  hostKeys: [ /etc/engity/bifroest/key ]
  # ...
idleTimeout: 10m
maxTimeout: 0
maxAuthTries: 6
maxConnections: 255
banner: "Yeah!"

Keys

Configuration

hostKeys

Array<File Path> = ["<defaultLocation>"]

Where the host keys are stored. If they do not exist, they are created as Ed25519 keys.

Default Locations:

  • Linux: /etc/engity/bifroest/key
  • Windows: C:\ProgramData\Engity\Bifroest\key

rsaRestriction

RSA Restriction = "at-least-4096-bits"

Restrict which RSA keys are allowed to be used.

dsaRestriction

DSA Restriction = "none"

Restrict which DSA keys are allowed to be used.

ecdsaRestriction

ECDSA Restriction = "at-least-384-bits"

Restrict which ECDSA keys are allowed to be used.

ed25519Restriction

Restrict which ED25519 keys are allowed to be used.

rememberMeNotification

"If you return until {{.session.validUntil | format `dateTimeT`}} with the same public key ({{.key | fingerprint}}), you can seamlessly log in again.\n\n"

Banner shown when the connection was authenticated through a method (such as OIDC) that has no public key authentication of its own, the authentication succeeded, AND the client offered at least one public key as an authentication attempt. That key is remembered, and this message informs the client that it will be used for the session from now on. As long as the session has not expired and the client presents the same public key, the original authentication (such as OIDC) is skipped.

Examples

hostKeys: [ /etc/engity/bifroest/key ]
rsaRestriction: at-least-4096-bits
dsaRestriction: none
ecdsaRestriction: at-least-384-bits
ed25519Restriction: all
rememberMeNotification: "If you return until {{.session.validUntil | format `dateTimeT`}} with the same public key ({{.key | fingerprint}}), you can seamlessly login again.\n\n"
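An added example, not Bifröst's own code, that applies the restriction settings above to OpenSSH public-key lines: it parses the wire-format blob with the Python standard library, derives the key family and size, computes the SHA256 fingerprint that `{{.key | fingerprint}}` denotes, and accepts or rejects the key under a policy built from the defaults on this page. The sample keys are constructed synthetic values rather than real key material; reading `none` as rejecting every key of that family, `all` as accepting every key of it, and `at-least-N-bits` as a minimum modulus, prime or curve size is an assumption, as is the name of the policy dictionary.

```python
import base64, hashlib, re
# Constructed policy mirroring the Keys defaults above; "none" = reject the family, "all" = accept it (assumed).
POLICY = {"ssh-rsa": "at-least-4096-bits", "ssh-dss": "none",
          "ecdsa": "at-least-384-bits", "ssh-ed25519": "all"}

def _fields(blob):  # split a wire-format blob into its uint32-length-prefixed fields
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def key_info(line):  # -> (type, bits, SHA256 fingerprint) of an authorized_keys line
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    f = _fields(blob)
    if ktype == "ssh-rsa":
        bits = int.from_bytes(f[2], "big").bit_length()  # mpint modulus n
    elif ktype == "ssh-dss":
        bits = int.from_bytes(f[1], "big").bit_length()  # mpint prime p
    elif ktype.startswith("ecdsa-sha2-nistp"):
        bits = int(f[1].decode()[len("nistp"):])         # curve name, e.g. nistp384
    elif ktype == "ssh-ed25519":
        bits = 256
    else:
        raise ValueError("unsupported key type " + ktype)
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ktype, bits, "SHA256:" + fp

def allowed(restriction, bits):
    if restriction in ("all", "none"):
        return restriction == "all"
    m = re.fullmatch(r"at-least-(\d+)-bits", restriction)
    return bool(m) and bits >= int(m.group(1))  # unknown values fail closed

def check(line, policy=POLICY):  # (accepted?, fingerprint) for one public-key line
    ktype, bits, fp = key_info(line)
    family = "ecdsa" if ktype.startswith("ecdsa-") else ktype
    return allowed(policy[family], bits), fp

# Constructed sample keys: synthetic numbers in valid wire format, not real keys.
def _mpint(n): return n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
def _line(ktype, *fields):
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in (ktype.encode(),) + fields)
    return ktype + " " + base64.b64encode(blob).decode()
SAMPLES = {"rsa2048": _line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),
           "rsa4096": _line("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1)),
           "p256": _line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x01" * 64),
           "ed25519": _line("ssh-ed25519", b"\x02" * 32)}
```

Under the page's defaults, `check(SAMPLES["rsa2048"])` is rejected and `check(SAMPLES["rsa4096"])` accepted; the returned fingerprint is the value the notification template prints for the remembered key.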

Compatibility

  • linux/generic
  • linux/extended
  • windows/generic