NAME
silcd.conf - format of configuration file for silcd
CONFIGURATION FILE
Silcd reads its configuration from /etc/silc/silcd.conf (or the file
specified with -f). The file contains sections, subsections and key-
value pairs. Each section or subsection is bound with a starting { and
ending }. Keys and values are of the format ’KEY=VALUE;’. All
statements as well as sections must be terminated with a ’;’.
The only mandatory section in the configuration file is ServerInfo.
Other sections are optional but recommended. If the General section is
defined, it must be defined before the ConnectionParams section. In
turn, the ConnectionParams section must be defined before the Client,
ServerConnection and/or RouterConnection sections. The remaining
sections may appear in any order in the configuration file.
SECTION: General
General section contains global settings for the silcd.
dynamic_server
Dynamic router connections. If this is set for a normal SILC
server, the connection to the primary router is not created until
it is actually needed. Giving for example /WHOIS
foobar@silcnet.org would then create a connection to the primary
router to resolve the user foobar. On the other hand, giving
/WHOIS foobar would try to search for the user foobar locally,
without creating the connection. Note that giving /JOIN foobar
will also create the connection, as the current SILC Server
version supports only global channels (all JOINs require a
connection to the router, if one is configured).
prefer_passphrase_auth
If both public key and passphrase authentication are set for a
connection, public key authentication is by default preferred.
Setting this value to true causes silcd to prefer passphrase
authentication in these cases.
require_reverse_lookup
Set this value to true if all connecting hosts must have a fully
qualified domain name (FQDN). If set to true, a host without
FQDN is not allowed to connect to server.
connections_max
Maximum number of incoming connections to this server. Any
further connections are refused.
connections_max_per_host
Maximum number of incoming connections from any single host.
This setting can be overridden on a connection-specific basis
with ConnectionParams.
version_protocol
Defines the minimum required version of protocol to allow
connecting to server. A client or server using this version of
protocol or newer is allowed to connect, one using anything
older will be rejected. Leaving unset allows all versions to
connect. This can be overridden with ConnectionParams.
version_software
Defines the minimum required version of software to allow
connecting to server. A client or server that is of this version
or newer is allowed to connect, one using anything older will be
rejected. Leaving unset allows all versions to connect. This
can be overridden with ConnectionParams.
version_software_vendor
Defines the allowed software vendor string that is required to
connect. Usually this is either a build number or special
client tag. Using this requirement is not encouraged unless the
server is in very limited use. Leaving unset allows all
versions regardless of their vendor to connect. Can be
overridden with ConnectionParams.
key_exchange_rekey
Defines the interval, in seconds, how often the session key will
be regenerated. This setting only applies to the connection
initiator, as rekey is always performed by the initiating party.
Setting has effect only when the server acts as an initiator,
and can be overridden with ConnectionParams.
key_exchange_pfs
Boolean value to determine, whether key-exchange is performed
with Perfect Forward Secrecy (PFS) or without. If set to true,
the rekey process will be somewhat slower, but more secure since
the key is entirely regenerated. Can be overridden with
ConnectionParams.
key_exchange_timeout
Key exchange timeout in seconds. If the key exchange is not
completed within this time, the remote connection will be
closed.
conn_auth_timeout
Connection authentication timeout in seconds. If the connection
authentication is not completed within this time, the remote
connection will be closed.
channel_rekey_secs
Seconds, how often channel key will be regenerated. Note that
channel key is regenerated each time someone joins or leaves the
channel. This is the maximum time any channel can have the same
key.
detach_disabled
Boolean value controlling, whether clients are denied the use of
DETACH command. Default value is false (DETACH is allowed).
detach_timeout
Time in seconds how long detached sessions will be available. By
default, detached sessions do not expire and as such, are
persistent as long as the server is running. If DETACH command
is allowed, this value should be set as well.
qos
Boolean value controlling, whether Quality of Service settings
are enabled. Default setting is false. NOTE: If you enable QoS
in general section, it applies to every connection the server
has, including server connections. This setting can be
overridden with ConnectionParams and in case of server
connections, it SHOULD BE overridden (server connections should
not use QoS).
qos_rate_limit
Limits read operations per second to given amount. Do note that
one read operation may read several SILC packets, so this
setting does not automatically correspond to amount of messages
transmitted or accepted.
qos_bytes_limit
Limits incoming SILC data to the specified number of bytes per
second.
qos_limit_sec
This value defines the timeout, in seconds, for the delay of
received data in case it was left in a QoS queue.
qos_limit_usec
This value defines the timeout, in microseconds, for the delay
of received data in case it was left in a QoS queue.
SECTION: ServerInfo
ServerInfo contains values for bound interfaces and administrative
info.
hostname
Server’s name (FQDN).
ServerType
This is a descriptive text field, usually telling what the
server and its purpose are.
Location
Descriptive field of server’s geographic location.
Admin
Administrator’s full name.
AdminEmail
Administrator’s email address.
User
The name of the user account silcd will be running as. This must
be an existing user. Silcd needs to be executed as root; after
binding the port it will drop root privileges and use the
account given here.
Group
The name of the group silcd will be running as. This must be an
existing group. Silcd needs to be executed as root; after
binding the port it will drop root privileges and use the group
given here.
PublicKey
Full path to server’s public key file.
PrivateKey
Full path to server’s private key file.
MotdFile
Full path to MOTD (Message Of The Day) file, a text file that
will be displayed to each client upon connection.
PidFile
Full path to file where silcd will write its PID.
SUBSECTION: Primary
This is the primary listener info. Each server can have no more than
one Primary section.
ip
Specifies the address silcd is listening on.
port
Specifies the port silcd is listening on.
public_ip
Optional field. If your server is behind NAT this IP would be
the public IP address. The ’ip’ field would include the
internal IP address. With this option it is possible to run
silcd behind NAT device.
SUBSECTION: Secondary
This is a secondary listener info. A server may have any number of
Secondary listener settings. These are needed only if silcd needs to
listen on several interfaces. Secondary subsections take the same
fields as Primary.
SECTION: Logging
This section is used to set up various log files; their paths, maximum
sizes and individual logging options.
There are four defined logging channels. The log channels have an
importance value, and more important channels are always redirected to
the less important ones. Setting a valid logging file for Info will
ensure logging for all channels, whereas a setting for Errors would
only ensure logging for Errors and Fatals.
Timestamp
A boolean value that dictates whether log lines will have
timestamps prefixed. In general, this is a good idea. You might
want to disable this if you are running silcd under some special
logging daemon, such as daemontools.
QuickLogs
A boolean value that determines how often log files are updated.
Setting this to true makes silcd log in real-time. Setting this
to false makes silcd write to logs every FlushDelay seconds.
Real-time logging causes a bit more CPU and HDD usage but
reduces memory consumption.
FlushDelay
Time in seconds, how often logs are flushed to logfiles. This
setting has effect only if QuickLogs is disabled.
SUBSECTION: Info
SUBSECTION: Warnings
SUBSECTION: Errors
SUBSECTION: Fatals
Each of these subsections has the same attributes, File and Size.
Different levels of problems are logged to their respective channels
(Info, Warnings, Errors, Fatals), depending on their need of attention.
File
Full path to log file.
Size
Limit the size the log file is allowed to grow to. Any further
messages to this file cause the oldest lines to be removed in
order to keep the file size within given limit.
SECTION: ConnectionParams
This section defines connection parameters. Each connection may have
its own set of ConnectionParams but having one is in no way mandatory.
If no separate parameters have been assigned, the defaults and the ones
from General section will be used. A silcd configuration may have any
number of ConnectionParams sections.
name
This is a unique name that separates this particular
ConnectionParams section from all the others. It is also the
name by which other sections (through their Params field) refer
to this set of parameters. This field is mandatory.
connections_max
Limits how many concurrent connections are allowed. Any further
connections are simply refused. Note that this setting can not
override the figure given in General section.
connections_max_per_host
Maximum number of connections allowed from any single host. If
this parameter is set for a block controlling server
connections, it is highly suggested to use a value of one (1).
version_protocol
Exactly the same as in General section.
version_software
Exactly the same as in General section.
version_software_vendor
Exactly the same as in General section.
keepalive_secs
How often (seconds) to send HEARTBEAT packets to connected
clients.
reconnect_count
When connection is lost, how many times a reconnection is tried.
reconnect_interval
How often, in seconds, a reconnection is attempted.
reconnect_interval_max
Reconnection time is lengthened each time an unsuccessful
attempt occurs. This value defines the maximum interval to which
the delay may be prolonged.
reconnect_keep_trying
Boolean value controlling whether the server eventually gives up
trying to reconnect. If set to false, the server will give up
once reconnect_count is reached or when no connection is
established even at the maximum interval.
key_exchange_rekey
Exactly the same as in General section.
key_exchange_pfs
Exactly the same as in General section.
anonymous
This boolean setting has meaning only to client connections. If
set to true, client connections using this ConnectionParams
block will have their username and host scrambled. The client
will also have an anonymous mode set to it.
qos
Exactly the same as in General section. NOTE: For server
connections this should be set to false.
qos_rate_limit
Exactly the same as in General section.
qos_bytes_limit
Exactly the same as in General section.
qos_limit_sec
Exactly the same as in General section.
qos_limit_usec
Exactly the same as in General section.
SECTION: Client
This section defines how incoming client connections are handled. There
can be several Client sections, each with their own requirements. A
silcd admin could for example require that connections from certain IP-
address space must supply a connection password.
Host
An address or wildcarded set of addresses, either in numeric IP-
address fashion or as hostnames. For example "10.1.*" or
"*.mydomain.domain.org".
Passphrase
The required passphrase to allow client connection.
PublicKey
The path to a file containing the client’s public key. There can
be any number of PublicKey statements in one Client section.
Matching any of them will do.
Params
Name of client connection parameters.
SECTION: ServerConnection
This section defines a configured server connection. A regular SILC
server does not need one at all. If this block exists, it means that
the server is a SILC router. There must be one ServerConnection for
each SILC server that connects to this router.
Host
Either an FQDN or strict IP-address of the connecting server.
Passphrase
If server connection requires passphrase authentication, set it
here.
PublicKey
This is a path to connecting server’s public key. If server
connection requires public key authentication, set this value.
If both Passphrase and PublicKey are set, then either of them
will be accepted.
Params
Connection parameters.
Backup
A boolean value controlling whether this server acts as a
backup. Set to false for normal servers. If set to true, this
server is a backup router.
SECTION: RouterConnection
This section covers router connections. Stand-alone servers won’t have
this section, and regular servers should only have one.
Router servers need one RouterConnection for each other router they
have been configured to connect to. First configured section is the
primary route.
Port
If Initiator is set to true, this setting defines the remote
port to connect to. If Initiator is set to false, then this
defines the local (listening) port.
Passphrase
If connecting server requires a passphrase authentication, it is
set here.
PublicKey
If connecting to server requires public key authentication, the
path to server’s public key file is set here.
Params
Connection parameters.
Initiator
A boolean setting that defines whether this server is the
connecting party.
BackupHost
If the configured connection is a backup connection, set this to
the address of the main router that will be replaced. For normal
router connection leave this option out.
BackupPort
If the configured connection is a backup connection, set this to
the remote port which to connect to. For normal router
connection, leave this option out.
BackupLocal
A boolean value. If this setting is true, then the backup router
is in the same cell. If the backup router is in another cell,
set this to false. Needless to say, for normal router
connection, leave this option out.
SECTION: Admin
This section defines configured administration connections.
Host
Either FQDN or a strict IP-address to the origin of connection.
This field is optional.
User
Username that the connecting client announces. This field is
optional.
Nick
Nickname that the connecting client announces. This field is
optional.
Passphrase
Passphrase required to obtain server operator privileges.
PublicKey
Path to administrator’s public key file. If both Passphrase and
PublicKey are defined, either one can be used.
SECTION: Deny
This section defines denied incoming connections. They apply equally to
both client and server connections, so make sure you know what you add
here. Each Deny section covers one instance of denied connection(s).
There may be any number of Deny sections.
Host
Address or wildcarded addresses of denied connections. NOTE!
This field is not mandatory, but highly recommended. If you
don’t specify Host at all, or give it a value of "*", you have a
silcd that denies every single incoming connection.
Reason
A string giving the reason as to why the connecting party is not
allowed to connect. Unlike Host, this field IS mandatory.
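The following is an added example configuration that ties the sections above together; it is not the file shipped with silcd. Hostnames, addresses, paths and the passphrase are placeholders, and it follows the required ordering (General before ConnectionParams, ConnectionParams before Client) with QoS enabled only for the client parameter block, as the General and ConnectionParams sections advise.

```conf
# Added example silcd.conf (not the project's shipped file).
# All names, addresses, paths and the passphrase are placeholders.
General {
	require_reverse_lookup = false;
	connections_max = 1000;
	key_exchange_rekey = 3600;      # regenerate the session key hourly
	key_exchange_pfs = true;        # slower rekey, fully fresh key
	detach_timeout = 86400;         # detached sessions expire after a day
	qos = false;                    # enable QoS per ConnectionParams instead
};
ServerInfo {
	hostname = "silc.example.org";
	Admin = "Admin Name";
	AdminEmail = "admin@example.org";
	User = "silcd";                 # root privileges are dropped to this user
	Group = "silcd";
	PublicKey = "/etc/silc/silcd.pub";
	PrivateKey = "/etc/silc/silcd.prv";
	PidFile = "/var/run/silcd.pid";
	Primary { ip = "192.0.2.10"; port = 706; };
};
Logging {
	Timestamp = true;
	Info { File = "/var/log/silcd/info.log"; Size = 1048576; };
	Errors { File = "/var/log/silcd/errors.log"; Size = 1048576; };
};
ConnectionParams {
	name = "clients";               # referenced by Params below
	connections_max_per_host = 5;
	keepalive_secs = 300;
	qos = true;                     # rate-limit client reads only
	qos_rate_limit = 10;
	qos_bytes_limit = 2048;
};
Client {
	Host = "192.0.2.*";             # this range must supply a passphrase
	Passphrase = "PLACEHOLDER-CHANGE-ME";
	Params = "clients";
};
Deny {
	Host = "198.51.100.*";          # applies to clients and servers alike
	Reason = "Host range blocked by the administrator";
};
```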
FILES
silcd.conf
SEE ALSO
silcd(8)
AUTHOR
SILC is designed and written by Pekka Riikonen <priikone@iki.fi> and
the rest of the SILC Project.
The configuration file format and parser are by Giovanni Giacobbi
<giovanni@giacobbi.net>.
This manpage was written by Mika ’Bostik’ Boström <bostik@lut.fi>.
See CREDITS for the full list of contributors.