Reflection For Secure IT - Windows Client User Guide


User's Guide
Reflection for Secure IT
Windows Client
Version 7.2
Created on May 28, 2010

© 2010 Attachmate Corporation. All rights reserved.

No part of the documentation materials accompanying this Attachmate software product may be reproduced, transmitted, transcribed, or translated into any language, in any form by any means, without the written permission of Attachmate Corporation. The content of this document is protected under copyright law even if it is not distributed with software that includes an end user license agreement. The content of this document is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Attachmate Corporation. Attachmate Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this document.

Attachmate, the Attachmate logo, and Reflection are registered trademarks of Attachmate Corporation, in the USA. All other trademarks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners.

Attachmate Corporation
1500 Dexter Avenue North
Seattle, WA 98109
USA
1.206.217.7100
http://www.attachmate.com

Contents

Introduction ... 9

Installation ... 11
  System Requirements ... 11
  Install Reflection for Secure IT on a Workstation ... 12
  Selecting Features and Languages ... 14
  Upgrading from Previous Versions ... 14

Getting Started ... 15
  Start a New Terminal Session ... 15
  Display the Configuration Toolbar ... 16
  Transfer Files Using the FTP Client ... 16
  Understanding Secure Shell ... 18
  General Tab (Secure Shell Settings) ... 20

Configuration ... 23
  Settings Files ... 23
  Secure Shell Client Configuration Files ... 24

Encryption ... 25
  Data Encryption ... 25
  Federal Information Processing Standard (FIPS) ... 26
  Encryption Tab (Secure Shell Settings) ... 27

Authentication ... 31
  Server Authentication using Public Keys ... 31
  Server Authentication using Certificates ... 32
  Client Authentication Methods ... 34
  Connection Reuse in Secure Shell Sessions ... 35

Public Key Authentication ... 37
  Managing User Keys ... 38
  Configure Public Key Authentication ... 38
  Add Keys to Your User Keys List ... 38
  Upload Client Public Keys to the Server ... 40
  Change a User Key Passphrase ... 41
  Export a User Key ... 41
  User Keys Tab (Secure Shell Settings) ... 42
  User Key Generation Dialog Box ... 43
  Managing Host Keys ... 45
  Configure Host Key Checking ... 45
  Configure the Preferred Host Key Type ... 46
  The Known Hosts File ... 47
  Host Keys Tab (Secure Shell Settings) ... 47
  Host Key Authenticity Dialog Box ... 49

Certificate Authentication (PKI) ... 51
  PKI and Certificates ... 51
  Digital Certificate Stores ... 52
  Configure Client Authentication using Certificates ... 53
  Configure Server Authentication using Certificates ... 53
  Enabling and Disabling Use of the Windows Certificate Store ... 54
  Configuring Certificate Revocation Checking ... 55
  Distributing Intermediate Certificates using an LDAP Directory ... 56
  PKI Tab (Secure Shell Settings) ... 57
  Reflection Certificate Manager ... 58
  Open the Reflection Certificate Manager ... 58
  Personal Tab (Reflection Certificate Manager) ... 58
  Trusted Certification Authorities Tab (Reflection Certificate Manager) ... 59
  LDAP Tab (Reflection Certificate Manager) ... 61
  Configuring the LDAP Server for CRL Checking ... 63
  OCSP Tab (Reflection Certificate Manager) ... 64
  PKCS#11 Tab (Reflection Certificate Manager) ... 64
  PKCS#11 Provider Dialog Box ... 65

GSSAPI (Kerberos) Authentication for Secure Shell Sessions ... 67
  Use Reflection Kerberos for GSSAPI Authentication ... 67
  Kerberos Ticket Forwarding in Secure Shell Sessions ... 68
  Specifying the Service Principals for GSSAPI Secure Shell Sessions ... 68
  GSSAPI Tab (Secure Shell Settings) ... 69

Port Forwarding ... 71
  Local Port Forwarding ... 72
  Remote Port Forwarding ... 75
  Forward TCP communications ... 76
  Forward FTP communications ... 78
  Tunneling Tab (Secure Shell Settings) ... 80
  Local Port Forwarding Dialog Box ... 81
  Remote Port Forwarding Dialog Box ... 82
  Configure Multi-hop Secure Shell Sessions ... 83
  Multi-hop Tab (Secure Shell Settings) ... 84
  Configure Multi-hop Server Dialog Box ... 85

Host Variables and Commands ... 87
  Host Data Tab (Secure Shell Settings) ... 87

Proxy Servers ... 89
  Proxy tab (Secure Shell Settings) ... 89

Troubleshooting ... 91
  Troubleshooting Secure Shell Connections ... 91
  Use the Secure Shell Log File ... 93
  Troubleshooting Reflection for Secure IT Help ... 93

Customizing and Deploying Installations ... 95
  Administrative Installations ... 95
  Installing ... 95
  Planning Your Installation and Deployment ... 95
  Perform an Administrative Installation ... 96
  Install from the Command Line ... 98
  Installation Logging ... 99
  Customizing Your Installation ... 100
  Open the Attachmate Customization Tool ... 100
  Set up a shortcut to ACT ... 100
  Select a Customization Type ... 101
  Install Custom Settings with a Companion Installer ... 102
  Install FTP Client Settings ... 105
  Add a Companion Installer to your Installation ... 106

Secure Shell Command Line Utilities ... 107
  ssh Command Line Utility ... 108
  ssh2 Command Line Utility ... 113
  ssh-keygen Command Line Utility ... 114
  sftp Command Line Utility ... 117
  sftp2 Command Line Utility ... 122
  scp Command Line Utility ... 123
  scp2 Command Line Utility ... 127

Appendix ... 129
  Files used by the Secure Shell Client ... 130
  SSH Configuration Schemes ... 133
  Sample Configuration File ... 134
  Configuration File Keyword Reference - Secure Shell Settings ... 135
  Configuration File Keyword Reference - Terminal Emulation Settings ... 150
  DOD PKI Information ... 157

Glossary of Terms ... 163

Index ... 169

Introduction

Reflection for Secure IT Windows Client is a full-featured, easily customizable Windows-based Secure Shell client. It provides secure, encrypted communications between a trusted host and your Windows workstation over an unsecured network. All connections between your local computer and the remote host(s) are encrypted, protecting the data sent between these machines. Passwords are never sent over the network in a clear text format as they are when you use Telnet, FTP, rlogin, or rsh.

Reflection for Secure IT Windows Client supports:

- Secure connections to both protocol version 1 and protocol version 2 servers.
- Standard Secure Shell features including: TCP port forwarding (including X-11), data stream compression and encryption, authentication (password, keyboard interactive, public key, or Kerberos/GSSAPI), and logging.
- A user key generation tool that enables you to create RSA, RSA1, and DSA keys.
- Tools for uploading public keys to your Secure Shell server. Reflection automatically detects the server type, exports the correct key type, and installs it in the correct location on the server.
- Tools to view and manage trusted host keys.
- A Key Agent utility that enables you to manage multiple keys and certificates with a single passphrase, and forward authentication to additional servers.
- PKI support, including a certificate manager that enables you to manage certificates in a Reflection-specific certificate store. You can also configure Reflection to use certificates in the Windows store, or on smart cards or other PKCS #11-compliant hardware devices.
- Secure SFTP file transfer.
- Standalone DOS command-line utilities for ssh, ssh-keygen, sftp, and scp.

CHAPTER 1
Installation

In this Chapter
  System Requirements ... 11
  Install Reflection for Secure IT on a Workstation ... 12
  Selecting Features and Languages ... 14
  Upgrading from Previous Versions ... 14

Reflection for Secure IT is typically distributed electronically. If your installation requires a CD, you will need to request it when you place your order.

System Requirements

Reflection for Secure IT Windows Client supports the following operating systems, components, and virtualization products:

- Windows 7 (32-bit and 64-bit)
- Windows Vista (32-bit)
- Windows XP (32-bit)
- Windows Server 2008 R2 (64-bit)
- Windows Server 2008 R1 (64-bit)
- Windows Server 2003 SP2 (32-bit)
- Citrix XenApp/Presentation Services
- Windows Terminal Services
- VMWare

12  Reflection for Secure IT

Install Reflection for Secure IT on a Workstation

Note: You must log on with administrator privileges to install Reflection for Secure IT. If you do not have the necessary access rights, ask your system administrator to elevate your privileges.

To install on a workstation

1. Run the Attachmate Setup wizard.

   If you install from a download site: Click the download link, and then run the download program. Select a location for the installer files, and then click Next. This extracts the files to the specified location and starts the Attachmate Setup wizard.

   If you install from an administrative installation image: From the administrative installation point, double-click the setup.exe file.

2. From the Attachmate Setup wizard, click Continue, and then accept a license.

3. (Optional) To personalize the installation, click the User Information tab and enter the name, organization, and Volume Purchase Agreement (VPA) number (if you have a VPA).

   Note: VPA numbers are used by customer support to expedite service requests.

4. (Optional) To change the default installation folder, click the File Location tab and browse to the folder in which you want to install Reflection for Secure IT.

5. (Optional) To change the default user data directory, click the File Location tab and browse to the directory you want to use. (The user data directory must be a trusted location.)

6. (Optional) To select which features, components, or languages are installed, click the Feature Selection tab.

7. Click Install Now.

Note: Use the Advanced tab of the installer only if you want to create an Administrative installation. An Administrative installation doesn't install the product to your workstation. It copies files to an administrative installation point. This network location can be used by deployment tools to access and create packages that are deployed to workstations. End users can perform workstation installations by running setup.exe from this location.


Selecting Features and Languages

Use the Feature Selection tab to select how you want to install product features.

To select features, components, and languages to install

1. Click the Feature Selection tab.

2. For each item, select from the options below.

   Feature will be installed on local hard drive: Install an item.

   Feature will be installed when required: Advertise an item. For example, you can select a component from the Start menu, and it will install at that time.

   Feature will be unavailable: Leave an item uninstalled. You will still be able to install the item later using the Windows Add/Remove Programs control panel.

Upgrading from Previous Versions

Review this information before upgrading to version 7.2.

- You do not need to uninstall your previous version. When you install this version, the installer automatically detects and upgrades the older version. Your existing Secure Shell settings remain in effect, and existing settings files are still available.
- You cannot retain an earlier version of Reflection for Secure IT when you install this version. The installer automatically upgrades the older version, even if you select a different installation location. The earlier version is removed by the upgrade.
- After you install this version, removing it will not restore your prior version.

CHAPTER 2
Getting Started

In this Chapter
  Start a New Terminal Session ... 15
  Display the Configuration Toolbar ... 16
  Transfer Files Using the FTP Client ... 16
  Understanding Secure Shell ... 18
  General Tab (Secure Shell Settings) ... 19

Secure Shell is a protocol for securely logging onto a remote computer and executing commands. It provides a secure alternative to Telnet, FTP, rlogin, or rsh. Secure Shell connections require both server and user authentication, and all communications pass between hosts over an encrypted communication channel. You can also use Secure Shell connections to forward X11 sessions or specified TCP/IP ports through the secure tunnel.

Start a New Terminal Session

In most cases you can connect to your host and log on using your password without making any changes to the default settings.

To start a new terminal session using defaults

1. On the Windows Start menu, click Attachmate Reflection SSH Client.

2. On the Reflection for Secure IT toolbar, click the Connect/Disconnect button.

3. Enter your host and user name in the Connect to Host dialog box and click OK.

   Note: If this is the first time you're connecting to this host you will see a dialog box asking you to confirm the authenticity of the host. You can confirm the validity of the host key by contacting the system administrator for that host. Click Always to add this host to your known hosts list.

4. Enter your password for this host and click OK.

5. To save a settings file with this session configuration, click File > Save.

Display the Configuration Toolbar

The configuration toolbar gives you quick access to session settings.

To display the Configuration Toolbar

1. Open a Reflection for Secure IT session.

2. Click the Configure session settings toolbar button.

3. Save your session settings (File > Save) to see this toolbar each time you open this session.

Transfer Files Using the FTP Client

You can transfer files in the FTP Client with a simple drag and drop operation. You can drag individual files, multiple files, and entire folders.

To connect to a server and transfer files

1. On the Windows Start menu, click Attachmate Reflection FTP Client. The Connect to FTP Site dialog box opens automatically.

2. Click New.

3. Step through the wizard, entering your host and user name when prompted.

   Note: When you install FTP Client with Reflection for Secure IT, the wizard is configured to create SFTP connections by default. You can configure additional connection types using the Security Properties dialog box. Use the Security button in the Login Information dialog box.

4. On the last panel you are asked if you want to connect to the host. Yes is selected by default. Leave this selected and click Finish to exit the wizard and make the connection.

   Note: If you are making an SFTP connection to a server to which you have not yet connected, you may see a dialog box asking you to confirm the authenticity of the host. You can confirm the validity of the host key by contacting the system administrator for that host. Click Always to add this host to your known hosts list.

5. Browse to locate the files or folders you want to transfer and the destination location.

   To browse local folders, use the left pane.
   To browse server directories, use the right pane.

6. Select the files or folders you want to transfer and drag them from the source location to your desired destination.

To save this server to your list of sites

- Click File > Save to save the site configuration to your FTP Client settings file.

To connect to a saved site

1. Launch the FTP Client.

2. Click to select a site in the Connect to FTP Site dialog box.

3. Click Connect.

Note: For complete information about working with the FTP Client, refer to the FTP Client application help.

Understanding Secure Shell

This diagram outlines the basic steps involved in creating a Secure Shell channel and using it to transmit data securely.

1. Establish a secure connection.
   The client and server negotiate to establish a shared key and cipher to use for session encryption, and a hash to use for data integrity checking.

2. Authenticate the server.
   Server authentication enables the client to confirm the identity of the server. The server has only one chance to authenticate to the client during the authentication process. If this authentication fails, the connection fails.

3. Authenticate the client.
   Client authentication enables the server to confirm the identity of the client user. By default, the client is allowed multiple authentication attempts. The server and client negotiate to agree on one or more authentication methods.

4. Send data through the encrypted session.
   Once the encrypted session is established, all data exchanged between the Secure Shell server and client is encrypted. Users now have secure remote access to the server and can execute commands and transfer files securely through the secure channel.

5. Use port forwarding to secure communications between other clients and servers.

   Port forwarding, also known as tunneling, provides a way to redirect communications through the Secure Shell channel of an active session. When port forwarding is configured, all data sent to a specified port is redirected through the secure channel.

To configure Secure Shell settings from an SSH client session

1. On the Connection menu, click Connection Setup.

2. Under Connection options enter values for Host name and (optional) SSH config scheme. (If you leave SSH config scheme blank, Reflection saves any changes you make to an SSH configuration scheme (page 133) with the same name as the Host name.)

3. Click Security.

   Note: The Security button is not available until you have entered a host name.

To configure Secure Shell settings from the FTP Client

1. In the Connect to FTP Site dialog box, click to select a site.

2. Click Security.

3. From the Secure Shell tab, select Use Reflection Secure Shell. (When you install the FTP Client with Reflection for Secure IT, this is selected by default.)

4. (Optional) Specify an SSH config scheme. (If you leave SSH config scheme blank, your Secure Shell settings are saved to an SSH configuration scheme (page 133) with the same name as your host.)

5. Click Configure.

General Tab (Secure Shell Settings)

Getting there (page 19)

The options are:

Port number
  Specifies the port to connect to on the server. The default is 22, which is the standard port for Secure Shell connections.

Protocol
  Specifies which version of the Secure Shell protocol Reflection uses when it establishes a connection to the host. The most secure value for this setting is 2 only.

User Authentication
  Click in the box next to any authentication method (page 34) to clear or enable that method. You must select at least one authentication method. For protocol 2 connections, you can use the arrows to specify your order of preference. Reflection attempts each method in order, starting from the top.

Server Keep Alive
  When Server Keep Alive is selected, Reflection sends NOOP messages to the server through the secure tunnel at the specified interval. Use this setting to maintain the connection to the server. Use Interval to specify how frequently server alive messages are sent. If this setting is not enabled, the Secure Shell connection will not terminate if the server dies or the network connection is lost. This setting can also be used to keep connections that only forward TCP sessions from being timed out by the server, as the server may time out these connections because it detects no SSH traffic.

  The Secure Shell Server Keep Alive setting is not related to the TCP keep alive setting that can be set in the Windows registry to keep all TCP/IP connections from being timed out by a firewall. To change the TCP/IP keep alive behavior, you need to edit the Windows registry.

Enable compression
  When Enable compression is selected, the client requests compression of all data. Compression is desirable on modem lines and other slow connections, but will only slow down response rate on fast networks. The compression level setting is available for protocol version 1 only and has no effect on protocol version 2 connections.

Reuse existing connection if available
  By default, multiple sessions to the same host reuse (page 35) the original Secure Shell connection, and therefore don't require re-authentication. If you clear Reuse existing connection if available, Reflection establishes a new connection for each session, which means that each new connection repeats the authentication process.

Logging Level
  Determines how much information is written to the Secure Shell log file (page 92).

Notes

- The settings you configure in this dialog box are saved to the Secure Shell configuration file (page 23). You can also configure Secure Shell settings by editing this file manually in any text editor.
- Within the configuration file, these settings are saved for the currently specified SSH configuration scheme (page 133).

CHAPTER 3
Configuration

In this Chapter
  Settings Files ... 23
  Secure Shell Client Configuration Files ... 23

Reflection for Secure IT and the FTP Client use a number of files for storing settings.

Settings Files

Settings files configure application-specific settings. Reflection for Secure IT and the FTP Client use different settings files.

Application               Extension   Configures
Reflection for Secure IT  *.r3w       Host connection information, terminal emulation, display setup, key mapping, mouse configuration
FTP Client                *.rfw       Host connection information, directory display preferences, transfer settings

To save a settings file, use File > Save.

Note: For information about configuring these settings, use the Reflection for Secure IT and FTP Client application Help; this information is not covered in this user guide.

Secure Shell Client Configuration Files

The Secure Shell configuration file contains settings that are specific to the Secure Shell client connection. This user-specific file is created and updated automatically when you modify your settings using the Reflection Secure Shell Settings dialog box (page 19). Settings are saved automatically when you close this dialog box. The file name and location is:

  personal documents folder\Attachmate\Reflection\.ssh\config

Settings in this file are applied per host (or per SSH configuration scheme (page 133)) and affect both the Reflection for Secure IT client and the FTP Client. For example, when you configure non-default Secure Shell settings for a connection to Acme.com using Reflection for Secure IT (and you don't specify an SSH configuration scheme), the Secure Shell settings are saved in the configuration file in a section identified with the following line:

  Host Acme.com

If you also configure the FTP Client to connect to Acme.com (and you don't specify an SSH configuration scheme), the FTP Client uses the settings in the "Host Acme.com" section of the configuration file. (Settings are shared in the same way if you specify the same SSH configuration scheme in both applications.)

Note: When you close the Reflection Secure Shell Settings dialog box, values with default settings are not saved to the configuration file. If a default value has been manually added to the file, it is removed when you close the dialog box. This imposes design constraints if you use wildcard host stanzas in combination with stanzas that use specific host names. If you have manually configured a default value in a specific host stanza that is meant to override a value configured in a wildcard stanza, the default setting is removed when you open the Secure Shell settings dialog box to view settings for the host-specific SSH config scheme. You can successfully handle this situation by using the global configuration file, which is not updated when users open and close the Reflection Secure Shell Settings dialog box.

Global Configuration File

System administrators can also install a system-wide configuration file. The file name and location is:

  application data folder (page 167)\Attachmate\Reflection\ssh_config

Settings in this file affect client connections for all users of the computer.
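The stanza behaviour described in this section, worked through in code. This is an added example written for this page, not Reflection's own parser. It assumes OpenSSH-style resolution (the first matching stanza that sets a keyword wins; the guide does not state Reflection's precedence rules), assumes Port defaults to 22 as stated on the General tab and that FIPSMode defaults to "no", and uses a constructed sample file with constructed keyword values. The last function is a lint a practitioner would want: it reports hand-typed defaults in a specific-host stanza that will silently flip to the wildcard stanza's value once the dialog box strips them.

```python
# Added example: resolver and lint for the Host-stanza configuration file
# format described above. Illustration code for this page, not Reflection's
# parser. Assumptions (not stated on the page):
#   - a stanza starts with "Host <pattern>"; "*" and "?" are shell wildcards;
#   - the first matching stanza that sets a keyword wins (OpenSSH-style);
#   - DEFAULTS and SAMPLE are constructed (Port 22 is the default the guide
#     states; FIPSMode "no" is assumed).
import fnmatch
from typing import Dict, List, Tuple

Stanza = Tuple[str, Dict[str, str]]          # (Host pattern, {keyword: value})
DEFAULTS = {"port": "22", "fipsmode": "no"}  # assumed built-in defaults


def parse_config(text: str) -> List[Stanza]:
    """Split the file into Host stanzas; keyword names are case-insensitive."""
    stanzas: List[Stanza] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            stanzas.append((value, {}))
        elif stanzas:
            stanzas[-1][1].setdefault(key, value)  # first value in a stanza wins
        else:
            raise ValueError(f"keyword {key!r} appears before any Host line")
    return stanzas


def matches(pattern: str, host: str) -> bool:
    """A Host line may list several patterns; any match counts."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in pattern.split())


def resolve(stanzas: List[Stanza], host: str) -> Dict[str, str]:
    """Effective settings for one host, falling back to DEFAULTS."""
    effective: Dict[str, str] = {}
    for pattern, settings in stanzas:
        if matches(pattern, host):
            for k, v in settings.items():
                effective.setdefault(k, v)
    return {**DEFAULTS, **effective}


def close_settings_dialog(stanzas: List[Stanza], pattern: str) -> List[Stanza]:
    """Model of what the guide says closing the Settings dialog box does for one
    host/scheme: keywords sitting at their default value are dropped from that stanza."""
    return [
        (p, {k: v for k, v in s.items() if p != pattern or DEFAULTS.get(k) != v})
        for p, s in stanzas
    ]


def shadowed_defaults(stanzas: List[Stanza]) -> List[Tuple[str, str, str]]:
    """Lint: default-valued keywords in a specific-host stanza that a later
    wildcard stanza sets to a non-default value. Returns (host, keyword, value
    the host will silently pick up once the default is stripped)."""
    findings = []
    for i, (pattern, settings) in enumerate(stanzas):
        if any(ch in pattern for ch in "*?"):
            continue                               # only specific hosts are at risk
        for k, v in settings.items():
            if DEFAULTS.get(k) != v:
                continue                           # non-default values survive
            for later_pattern, later in stanzas[i + 1:]:
                if matches(later_pattern, pattern) and later.get(k, v) != v:
                    findings.append((pattern, k, later[k]))
                    break
    return findings


# Constructed sample user configuration file (not from the guide).
SAMPLE = """\
Host build.acme.com
    FIPSMode no        # typed in by hand to override the wildcard below
    Port 22

Host *.acme.com
    FIPSMode yes
    Port 2222
"""


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Effective settings for build.acme.com before and after the dialog box is closed."""
    before = parse_config(SAMPLE)
    after = close_settings_dialog(before, "build.acme.com")
    return resolve(before, "build.acme.com"), resolve(after, "build.acme.com")


if __name__ == "__main__":
    b, a = demo()
    print("before closing dialog:", b)
    print("after closing dialog: ", a)
    for host, key, val in shadowed_defaults(parse_config(SAMPLE)):
        print(f"warning: {host}: {key} will flip to {val!r} once the default is stripped")
```

Run as-is, the script shows build.acme.com at FIPSMode no / Port 22 before the dialog box is closed and at FIPSMode yes / Port 2222 afterwards, and the lint names both keywords. Keeping such overrides in the global configuration file, which the dialog box does not rewrite, is the workaround the guide gives.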

CHAPTER 4
Encryption

In this Chapter
  Data Encryption ... 25
  Federal Information Processing Standard (FIPS) ... 25
  Encryption Tab (Secure Shell Settings) ... 27

Data Encryption

Encryption protects the confidentiality of data in transit. This protection is accomplished by encrypting the data before it is sent using a secret key and cipher. The received data must be decrypted using the same key and cipher. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server.

Reflection for Secure IT Windows Client supports the following data encryption standards:

- DES (56-bit)
- Arcfour (40- or 128-bit)
- TripleDES (168-bit)
- Cast (128-bit)
- Blowfish (128-bit)
- AES (also known as Rijndael) (128-, 192-, or 256-bit)

Federal Information Processing Standard (FIPS)

When Reflection is configured to run in FIPS mode it enforces the United States government Federal Information Processing Standard (FIPS) 140-2. All available settings use security protocols and algorithms that meet this standard. Options that do not meet these standards are not available. You can configure individual sessions to run in FIPS mode or enforce FIPS mode for all Reflection sessions.

Configure specific Secure Shell sessions to run in FIPS mode

You can use the following procedure to configure specific Secure Shell sessions to run in FIPS mode.

Note: This procedure does not enforce FIPS standards for all Secure Shell sessions. This change is saved to your Secure Shell configuration file (page 23) and is applied to a specific SSH configuration scheme (page 133). (If you don't specify a scheme, the setting applies to all connections to the current host.) This change has no effect on subsequent Secure Shell sessions unless they are configured to use the same SSH configuration scheme (or host name).

To set FIPS mode for particular hosts or SSH configuration schemes

1. Open the Secure Shell Settings dialog box (page 19).

2. On the Encryption tab select Run in FIPS mode.

You can also configure this setting by editing the Secure Shell configuration file manually. The keyword for setting FIPS mode is FIPSMode.

Configure all Reflection sessions to run in FIPS mode

Administrators can use Reflection Group Policies to configure all Reflection sessions to run in FIPS mode.

To set FIPS mode for all sessions

1. Run the Group Policy editor using one of the following techniques:

   - Type the following at the command line: Gpedit.msc
   - In the Active Directory Users and Computers console, open the properties for an Organizational Unit, click the Group Policy tab, and edit or create a new policy object.

2. Install the Reflection template (ReflectionPolicy) if you have not already done so.

3. Under Local Computer Policy > User Configuration > Administrative Templates > Reflection Settings, disable the setting Allow non-FIPS mode.

Encryption Tab (Secure Shell Settings)

Getting there (page 19)

Use the Encryption tab of the Reflection Secure Shell Settings dialog box to specify what ciphers (page 163) the Secure Shell connection should use. Different options are available depending on which Secure Shell protocol is used for the connection.

The options are:

SSH protocol 2

Cipher List
  Use this list to specify the ciphers (page 163) you want to allow for protocol 2 connections to the current host. When more than one cipher is selected, the Secure Shell client attempts to use ciphers in the order you specify, starting from the top. To change the order, select a cipher from the list, then click the up or down arrow. The cipher used for a given session is the first item in this list that is also supported by the server.

HMAC List
  Specifies the HMAC (hashed message authentication code) methods you want to allow. This hash is used to verify the integrity of all data packets exchanged with the server. When more than one HMAC is selected, the Secure Shell client attempts to negotiate an HMAC with the server in the order you specify, starting from the top. To change the order, select an HMAC from the list, then click the up or down arrow.

Key Exchange Algorithms
  Specifies which key exchange algorithms the client supports, and the order of preference. The supported values are:

  - DH Group1 SHA1 - Specifies diffie-hellman-group1-sha1
  - DH Group Ex SHA1 - Specifies diffie-hellman-group-exchange-sha1
  - DH Group14 SHA1 - Specifies diffie-hellman-group14-sha1

  In some cases, you may need to change the order of the key exchange algorithms to put DH Group14 SHA1 ahead of the other two. This is required if you want to use the hmac-sha512 MAC, or if you see the following error during key exchange: "fatal: dh_gen_key: group too small: 1024 (2*need 1024)".

  Two additional key exchange algorithms (gss-group1-sha1-*) are supported, but do not appear in the list of available key exchange algorithms. These two algorithms are automatically proposed by the client when you enable GSSAPI/Kerberos from the General (page 19) tab (under User Authentication), and you also select Reflection Kerberos from the GSSAPI (page 69) tab.

Signature types
  Specifies the hash algorithm the client uses in the process of proving possession of the private key. This hash is used during public key user authentication. Use RSA to specify the hash used with RSA keys and DSA to specify the hash used with DSA keys.

SSH protocol 1

Cipher
  Use this setting to select the cipher you want used for protocol 1 connections to the current host. The default is Triple DES and this option is recommended.

Run in FIPS Mode
  When Run in FIPS mode is selected, Reflection enforces the United States government Federal Information Processing Standard (FIPS) 140-2 for this connection. Options on the Encryption tab that do not meet this standard are not available when Run in FIPS mode is selected.
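The negotiation rule stated in the Data Encryption section and repeated for the Cipher List and HMAC List above (first item in the client's ordered list that the server also supports), the effect of hiding non-FIPS options on that choice, and the key-exchange ordering caveat, played out in one added example. This is illustration code for this page, not Reflection's implementation. Assumptions: the SSH wire names used for the ciphers, the FIPS-approved subsets, the sample server offering, and the simplified size check (a 2*need >= group-bits rule with need taken as the MAC output length in bits, chosen so that it reproduces the quoted message for group1 with hmac-sha512) are all constructed for the demo.

```python
# Added example (not Reflection's code): client-preference negotiation,
# FIPS filtering, and the "group too small" key-exchange failure the guide
# says moving DH Group14 SHA1 to the top avoids. All lists, the FIPS subsets
# and the size check below are demo assumptions, not authoritative tables.
from typing import Dict, List, Optional, Set

# Client preference lists, top of the tab's list first (constructed order).
CLIENT_CIPHERS: List[str] = ["aes256-cbc", "aes128-cbc", "blowfish-cbc",
                             "3des-cbc", "cast128-cbc", "arcfour", "des-cbc"]
CLIENT_MACS: List[str] = ["hmac-sha512", "hmac-sha1", "hmac-md5"]
CLIENT_KEX: List[str] = ["diffie-hellman-group1-sha1",
                         "diffie-hellman-group-exchange-sha1",
                         "diffie-hellman-group14-sha1"]

# Assumed FIPS-approved subsets for the demo.
FIPS_CIPHERS: Set[str] = {"aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"}
FIPS_MACS: Set[str] = {"hmac-sha512", "hmac-sha1"}

# Fixed group sizes in bits; group exchange negotiates its size (None).
GROUP_BITS: Dict[str, Optional[int]] = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group-exchange-sha1": None,
}
MAC_BITS: Dict[str, int] = {"hmac-sha512": 512, "hmac-sha1": 160, "hmac-md5": 128}

# Constructed sample server offering (not from the guide): an older server
# without AES that still advertises every key exchange method.
SAMPLE_SERVER: Dict[str, List[str]] = {
    "ciphers": ["blowfish-cbc", "3des-cbc", "arcfour"],
    "macs": ["hmac-sha512", "hmac-md5"],
    "kex": list(CLIENT_KEX),
}


def negotiate(client_prefs: List[str], server_supported: List[str]) -> Optional[str]:
    """The rule the guide states: first client-preferred name the server offers."""
    for name in client_prefs:
        if name in server_supported:
            return name
    return None                      # no common algorithm: the session cannot be set up


def fips_filter(prefs: List[str], approved: Set[str]) -> List[str]:
    """Run in FIPS mode: non-approved options are not available; order is kept."""
    return [p for p in prefs if p in approved]


def kex_error(kex: str, mac: str) -> Optional[str]:
    """Simplified model of the quoted 'group too small' failure (demo assumption)."""
    bits, need = GROUP_BITS[kex], MAC_BITS[mac]
    if bits is not None and 2 * need >= bits:
        return f"fatal: dh_gen_key: group too small: {bits} (2*need {2 * need})"
    return None


def prefer_group14(kex_prefs: List[str]) -> List[str]:
    """The fix the guide recommends: put DH Group14 SHA1 ahead of the other two."""
    g14 = "diffie-hellman-group14-sha1"
    return [g14] + [k for k in kex_prefs if k != g14]


def negotiate_session(server: Dict[str, List[str]], fips: bool = False,
                      kex_prefs: Optional[List[str]] = None) -> Dict[str, Optional[str]]:
    """Outcome of one session's negotiation against a server offering."""
    ciphers, macs = CLIENT_CIPHERS, CLIENT_MACS
    if fips:
        ciphers = fips_filter(ciphers, FIPS_CIPHERS)
        macs = fips_filter(macs, FIPS_MACS)
    kex = negotiate(kex_prefs or CLIENT_KEX, server["kex"])
    mac = negotiate(macs, server["macs"])
    return {
        "cipher": negotiate(ciphers, server["ciphers"]),
        "mac": mac,
        "kex": kex,
        "error": kex_error(kex, mac) if kex and mac else None,
    }


if __name__ == "__main__":
    print("default order:", negotiate_session(SAMPLE_SERVER))
    print("FIPS mode:    ", negotiate_session(SAMPLE_SERVER, fips=True))
    print("group14 first:", negotiate_session(SAMPLE_SERVER,
                                              kex_prefs=prefer_group14(CLIENT_KEX)))
```

Against the sample server the default order lands on blowfish-cbc, hmac-sha512 and group1, and the group1/hmac-sha512 pairing reproduces the error string quoted above; FIPS mode moves the cipher to 3des-cbc because the non-approved entries are no longer in the list; promoting DH Group14 SHA1 clears the error without changing the cipher or MAC.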

Notes

- The settings you configure in this dialog box are saved to the Secure Shell configuration file (page 23). You can also configure Secure Shell settings by editing this file manually in any text editor.
- Within the configuration file, these settings are sa
