# httpd
# =====
#
# Configures the builtin HTTP daemon.
[httpd]
# Addr is the TCP listening address (host:port).
addr = "localhost:4443"
# TLS enables HTTPS. The cert/key pair below is presumably only read
# when this is true — confirm.
tls = true
# Cert is the path to the TLS certificate file.
cert = "testdata/server.crt"
# Key is the path to the TLS key file.
key = "testdata/server.key"
# Secret for encrypting cookies and tokens.
# To generate, use: openssl rand -hex 16
# If not configured, the server will generate an ephemeral key,
# resulting in all http cookies and tokens being invalidated when
# the server starts.
# NOTE: the commented value below is a placeholder pattern, not a
# usable secret. Always replace it with freshly generated output and
# keep the real value out of version control.
#secret = "0123456789abcdef0123456789abcdef"
# AccessLog is the configuration for the HTTP access log.
[httpd.accesslog]
# File is the log file path.
file = "testdata/access.log"
# MaxSize is the maximum file size (in megabytes).
# Left commented here; the effective default is not documented in this file.
#maxsize = 128
# MaxDays is the maximum number of days the files are kept.
# Zero value means keep all logs.
maxdays = 0
# Keep is the maximum number of files to keep.
# Zero value means keep all logs.
# With both maxdays and keep at 0, nothing is ever pruned; watch disk usage.
keep = 0
# Compress enables log file compression.
compress = false
# Level is the default log level.
# How this relates to the global [log] level at the end of the file is
# not stated here — confirm.
#level = "info"
# sshd
# ====
#
# Configures the builtin SSH daemon.
[sshd]
# Addr is the TCP listening address (host:port).
addr = "localhost:4222"
# Keys lists the SSH host private key files (one per key type).
keys = [ "testdata/ssh_host_rsa_key", "testdata/ssh_host_ed25519_key"]
# Banner is presumably shown to clients before authentication and
# Motd after a successful login (as in OpenSSH) — confirm.
banner = "Welcome to the Gate SSH server"
# The motd text announces logging/recording; see [recorder] below.
motd = "Welcome to the Gate SSH shell.\n\nAll your activities are logged and your sessions may be recorded.\n\n\nType \"help\" for help."
# Prompt format. %u and %h presumably expand to user and host and
# %% yields a literal percent sign — confirm against the daemon docs.
prompt = "%u@%h%% "
# Authentication settings.
[sshd.auth]
# required presumably lists methods that must succeed, and threshold
# the number of methods needed overall — confirm. Both are commented
# out here, so the daemon's defaults apply.
#required = ["keyboard"]
#threshold = 1
# Maps each SSH authentication method to the [auth.*] provider table
# that backs it: "file" -> [auth.file], "system" -> [auth.system],
# "radius" -> [auth.radius].
[sshd.auth.method]
password = "file"
pubkey = "system"
keyboard = "radius"
# Recorder can record sessions to a file.
[recorder]
# Path is where recordings are written.
path = "testdata/recording"
# Compress enables compression of the recordings.
compress = true
# Auth provider
# =============
# An identity provider and an MFA provider need to be configured to pass auth.
#
# LDAP provider — commented-out sample. The DNs and filters below are
# sample data and must be replaced for a real directory.
#[auth.ldap]
#addr = "ldap:ldaps"
#bind = true
# NOTE(review): "insecure" presumably disables TLS certificate
# verification on the LDAP connection; keep it off outside test
# setups — confirm what it controls.
#insecure = true
#base_dn = "dc=activehotels,dc=com"
#user_dn = "ou=People,dc=activehotels,dc=com"
#user_filter = "(&(objectClass=posixAccount)(!(loginShell=/bin/false)))"
#user_id = "uid"
#user_name = "gecos"
#user_password = ""
#user_pubkey = "sshPublicKey"
# NOTE(review): group_dn uses dc=net while the other DNs use dc=com;
# likely a typo in the sample — confirm.
#group_dn = "ou=Group,dc=activehotels,dc=net"
#group_filter = "(objectClass=posixGroup)"
#group_name = "cn"
#group_member = "memberUid"
# Flat-file provider: user and group databases.
[auth.file]
users = "testdata/users"
groups = "testdata/groups"
# RADIUS provider.
[auth.radius]
server = "127.0.0.1"
# NOTE: "testing" is a sample shared secret for the local test setup
# only; use a long random value in any real deployment.
secret = "testing"
[auth.system]
# No configuration required here.
# YubiKey OTP provider.
[auth.yubikey]
# Prompt shown when asking the user for the token.
prompt = "Token: "
# Validation servers, tried as listed. These are plain http:// URLs;
# unless the protocol authenticates responses itself, an on-path
# attacker could alter the verdict — prefer https:// where supported.
servers = [
"http://10.196.70.219", # RADIUSRDB-102
"http://10.186.69.184", # RADIUSRDB-201
]
# credential provider
# ===================
# Agent provider: takes no settings here.
[credential.agent]
# Certificate provider: presumably issues SSH certificates signed with
# the key below — confirm.
[credential.certificate]
# Key is the signing (CA) private key. This is the same file listed in
# [sshd].keys; in a real deployment give the CA its own key so the host
# and CA roles stay separate.
key = "testdata/ssh_host_ed25519_key"
# NOTE(review): key points at an ed25519 key file while key_type is
# "rsa2048". Whether key_type describes the CA key or the keys of the
# issued certificates is not stated here — confirm the pair is consistent.
key_type = "rsa2048"
# identity provider
# =================
# Where user and group identities are looked up. The "file" type reads
# the same flat files used by [auth.file].
[identity]
type = "file"
users = "testdata/users"
groups = "testdata/groups"
# policies
# ========
# Several [[policy.ssh.user]] entries can match the same target user
# (e.g. "root" also matches "*"); which entry wins, or whether they
# are combined, is not specified in this file — confirm the matching
# semantics before relying on the deny rules below.
#
# matches ssh root target users:
[[policy.ssh.user]]
match = "root"
# use the "certificate" credential provider
credential = "certificate"
# permit groups and roles
permit_groups = ["admin", "staff", "wheel"]
permit_roles = ["admin"]
# match ssh test target users (glob pattern):
[[policy.ssh.user]]
match = "test*"
# reject groups
reject_groups = ["admin", "staff", "wheel"]
# matches all ssh target users:
[[policy.ssh.user]]
match = "*"
# use the "certificate" credential provider
credential = "certificate"
# match ssh localhost target hosts (IPv4 loopback range and IPv6 ::1):
# NOTE(review): host policies spell the rule as reject = { groups = [...] }
# while user policies use reject_groups; whether both forms are accepted
# by the consumer is not shown here — confirm.
[policy.ssh.host."127.0.0.0/8"]
reject = { groups = ["admin", "staff", "wheel"] }
[policy.ssh.host."::1"]
reject = { groups = ["admin", "staff", "wheel"] }
# match any tcp target host (0.0.0.0/0 covers every IPv4 address):
[policy.tcp.host."0.0.0.0/0"]
permit_protos = ["ssh"]
# mesh clustering
# ===============
# Commented out: clustering is disabled in this sample configuration.
#[mesh.network]
#peers = ["127.0.0.123"]
# Global log level, given by name. The numeric list below documents the
# ordering (higher is more verbose).
[log]
# Levels:
# 0 - panic
# 1 - fatal
# 2 - error
# 3 - warn
# 4 - info
# 5 - debug
# 6 - trace
# "trace" is the most verbose level and may write request detail to
# the log; lower it outside of development.
level = "trace"