Reflection For Secure IT Client For Windows - Micro Focus


User's Guide
Reflection for Secure IT
Version 7.2

Copyrights and Notices

2016 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials accompanying this Attachmate software product may be reproduced, transmitted, transcribed, or translated into any language, in any form by any means, without the written permission of Attachmate Corporation. Attachmate, the Attachmate logo, and Reflection are registered trademarks of Attachmate Corporation in the USA. All other trademarks, trade names, or company names referenced in this product are used for identification only and are the property of their respective owners.

Contents

1 Introduction ........ 7

2 Installation ........ 9
  Install Your Attachmate Product on a Workstation ........ 9
  Features Selection Tab ........ 10
  Upgrading from Previous Versions ........ 10

3 Getting Started ........ 11
  Start a New Terminal Session ........ 11
  Display the Configuration Toolbar ........ 11
  Transfer Files Using the FTP Client ........ 12
  Understanding Secure Shell ........ 13

4 Configuration ........ 15
  Settings Files ........ 15
  Secure Shell Client Configuration Files ........ 15

5 Encryption ........ 17
  Supported Cryptographic Algorithms ........ 17
  Federal Information Processing Standard (FIPS) ........ 18

6 Authentication ........ 21
  Server Authentication using Public Keys ........ 21
  Server Authentication using Certificates ........ 22
  Client Authentication Methods ........ 23
  Connection Reuse in Secure Shell Sessions ........ 24

7 Public Key Authentication ........ 27
  Managing User Keys ........ 27
    Configure Public Key Authentication ........ 27
    Add Keys to Your User Keys List ........ 28
    Upload Client Public Keys to the Server ........ 29
    Change a User Key Passphrase ........ 29
    Export a User Key ........ 30
  Managing Host Keys ........ 30
    Configure Host Key Checking ........ 30
    Configure the Preferred Host Key Type ........ 31
    The Known Hosts File ........ 32
    Host Key Authenticity Dialog Box ........ 32

8 Certificate Authentication (PKI) ........ 33
  PKI and Certificates ........ 33
  Digital Certificate Stores ........ 34
  Configure Client Authentication using Certificates ........ 34
  Configure Server Authentication using Certificates ........ 35
  Enabling and Disabling Use of the Windows Certificate Store ........ 35
  Configuring Certificate Revocation Checking ........ 36
  Distributing Intermediate Certificates using an LDAP Directory ........ 37
  Reflection Certificate Manager ........ 37
    Open the Reflection Certificate Manager ........ 38
    Personal Tab (Reflection Certificate Manager) ........ 38
    Trusted Certification Authorities Tab (Reflection Certificate Manager) ........ 38
    LDAP Tab (Reflection Certificate Manager) ........ 40
    Configuring the LDAP Server for CRL Checking ........ 41
    OCSP Tab (Reflection Certificate Manager) ........ 41
    PKCS#11 Tab (Reflection Certificate Manager) ........ 42
    PKCS#11 Provider Dialog Box ........ 42

9 GSSAPI (Kerberos) Authentication for Secure Shell Sessions ........ 43
  Use Reflection Kerberos for GSSAPI Authentication ........ 43
  Kerberos Ticket Forwarding in Secure Shell Sessions ........ 43
  Specifying the Service Principals for GSSAPI Secure Shell Sessions ........ 44

10 Port Forwarding ........ 45
  Local Port Forwarding ........ 46
  Remote Port Forwarding ........ 48
  Forward TCP communications ........ 49
  Forward FTP communications ........ 50
  Configure Multi-hop Secure Shell Sessions ........ 51

11 Troubleshooting ........ 53
  Troubleshooting Secure Shell Connections ........ 53
  Use the Secure Shell Log File ........ 54
  Troubleshooting Reflection Help ........ 55

12 Customizing and Deploying Installations ........ 57
  Administrative Installations ........ 57
    Installing ........ 57
    Planning Your Installation and Deployment ........ 57
    Create an Administrative Installation Point ........ 58
    Install from the Command Line ........ 59
    Installation Logging ........ 60
  Customizing Your Installation ........ 60
    Open the Attachmate Customization Tool ........ 60
    Set up a shortcut to ACT ........ 61
    Creating and Editing Companion Installer Packages ........ 61
    Creating and Editing Transforms ........ 66
  Group Policy Support in Reflection ........ 69

13 Secure Shell Settings User Interface ........ 71
  Reflection Secure Shell Settings Dialog Box ........ 71
    General Tab (Secure Shell Settings) ........ 71
    Proxy Tab (Secure Shell Settings) ........ 72
    Encryption Tab (Secure Shell Settings) ........ 74
    Tunneling Tab (Secure Shell Settings) ........ 76
    User Keys Tab (Secure Shell Settings) ........ 78
    User Key Generation Dialog Box ........ 80
    Host Keys Tab (Secure Shell Settings) ........ 81
    GSSAPI Tab (Secure Shell Settings) ........ 82
    Multi-hop Tab (Secure Shell Settings) ........ 82
    PKI Tab (Secure Shell Settings) ........ 83
    Host Data Tab (Secure Shell Settings) ........ 84
  Getting to the Reflection Secure Shell Settings Dialog Box ........ 85

14 Secure Shell Command Line Utilities ........ 87
  ssh Command Line Utility ........ 87
  ssh2 Command Line Utility ........ 91
  sftp Command Line Utility ........ 91
  sftp2 Command Line Utility ........ 95
  scp Command Line Utility ........ 95
  scp2 Command Line Utility ........ 98
  ssh-keygen Command Line Utility ........ 98

15 Reference Topics ........ 101
  SSH Configuration Schemes ........ 101
  Sample Configuration File ........ 102
  Configuration File Keyword Reference - Secure Shell Settings ........ 102
  Configuration File Keyword Reference - Terminal Emulation Settings ........ 113
  DOD PKI Information ........ 119

Glossary of Terms ........ 125


1 Introduction

Reflection for Secure IT Client for Windows is a full-featured, easily customizable Windows-based Secure Shell client. It provides secure, encrypted communications between a trusted host and your Windows workstation over an unsecured network. All connections between your local computer and the remote host(s) are encrypted, protecting the data sent between these machines. Passwords are never sent over the network in clear text, as they are when you use Telnet, FTP, rlogin, or rsh.

Reflection for Secure IT Client for Windows supports:

- Secure connections to both protocol version 1 and protocol version 2 servers. (Protocol version 1 has known cryptographic weaknesses; use it only for hosts that cannot be upgraded to version 2.)
- Standard Secure Shell features including: TCP port forwarding (including X11), data stream compression and encryption, authentication (password, keyboard interactive, public key, or Kerberos/GSSAPI), and logging.
- A user key generation tool that enables you to create RSA, RSA1, and DSA keys.
- Tools for uploading public keys to your Secure Shell server. Reflection automatically detects the server type, exports the correct key type, and installs it in the correct location on the server.
- Tools to view and manage trusted host keys.
- A Key Agent utility that enables you to manage multiple keys and certificates with a single passphrase, and forward authentication to additional servers.
- PKI support, including a certificate manager that enables you to manage certificates in a Reflection-specific certificate store. You can also configure Reflection to use certificates in the Windows store, or on smart cards or other PKCS #11-compliant hardware devices.
- Secure SFTP file transfer.
- Standalone DOS command-line utilities for ssh, ssh-keygen, sftp, and scp.


2 Installation

For information about supported platforms and additional system requirements, see Technical Note 1944.

Reflection is typically distributed electronically. If your installation requires a CD, you will need to request it when you place your order.

In this Chapter
- "Install Your Attachmate Product on a Workstation" on page 9
- "Features Selection Tab" on page 10
- "Upgrading from Previous Versions" on page 10

Install Your Attachmate Product on a Workstation

NOTE: You must log on with administrator privileges to install Reflection. If you do not have the necessary access rights, ask your system administrator to elevate your privileges.

To install on a workstation

1 Run the Setup program.
   If you install from a download site: Click the download link, and then run the download program. Select a location for the installer files, and then click Next. This extracts the files to the specified location and starts the Setup program.
   If you install from an administrative installation image: From the administrative installation point, double-click the setup.exe file.
2 From the Setup program, click Continue, and then accept the license.
3 (Optional) To change the default installation folder, click the File Location tab and browse to the folder in which you want to install Reflection.
4 (Optional) To select which features, components, or languages are installed, click the Feature Selection tab.
5 Click Install Now.

NOTE: Use the Advanced tab of the installer only if you want to modify the installer log settings, or if you are an administrator configuring a deployment. An administrative installation does not actually install the product; instead, it creates an installation image that administrators can use to customize and deploy Reflection to end users.

Features Selection Tab

Use the Feature Selection tab to select which features you want to install. Click the icon to the left of the feature name and select from the options below.

- Feature will be installed on local hard drive: Installs the selected feature.
  NOTE: Some features listed under a selected feature may not be included when you select to install the higher-level feature. The features that are included are the recommended defaults. If you select the higher-level feature a second time, all sub-features will be included.
- Feature will be installed when required: Installs the feature when you first use it (for example, when you click the Start menu shortcut for this feature).
- Feature will be unavailable: Leaves the feature uninstalled.

Upgrading from Previous Versions

Review this information before upgrading to version 7.2.

- You do not need to uninstall your previous version. When you install this version, the installer automatically detects and upgrades the older version. Your existing Secure Shell settings remain in effect, and existing settings files are still available.
- You cannot retain an earlier version of Reflection for Secure IT when you install this version. The installer automatically upgrades the older version, even if you select a different installation location. The earlier version is removed by the upgrade.
- After you install this version, removing it will not restore your prior version.

3 Getting Started

Secure Shell is a protocol for securely logging on to a remote computer and executing commands. It provides a secure alternative to Telnet, FTP, rlogin, or rsh. Secure Shell connections require both server and user authentication, and all communications pass between hosts over an encrypted channel. You can also use Secure Shell connections to forward X11 sessions or specified TCP/IP ports through the secure tunnel.

In this Chapter
- "Start a New Terminal Session" on page 11
- "Display the Configuration Toolbar" on page 11
- "Transfer Files Using the FTP Client" on page 12
- "Understanding Secure Shell" on page 13

Start a New Terminal Session

In most cases you can connect to your host and log on using your password without making any changes to the default settings.

To start a new terminal session using defaults

1 On the Windows Start menu, click Attachmate Reflection SSH Client.
2 On the Reflection for Secure IT toolbar, click the Connect/Disconnect button.
3 Enter your host and user name in the Connect to Host dialog box and click OK.
   NOTE: If this is the first time you are connecting to this host, you will see a dialog box asking you to confirm the authenticity of the host. Before you accept it, confirm the host key fingerprint shown in the dialog box with the system administrator for that host; accepting an unverified key would let an attacker who is impersonating the host intercept your session. Click Always to add this host to your known hosts list.
4 Enter your password for this host and click OK.
5 To save a settings file with this session configuration, click File > Save.

Display the Configuration Toolbar

The configuration toolbar gives you quick access to session settings.

To display the Configuration Toolbar

1 Open a Reflection for Secure IT session.
2 Click the Configure session settings toolbar button.

3 Save your session settings (File > Save) to see this toolbar each time you open this session.

Transfer Files Using the FTP Client

You can transfer files in the FTP Client with a simple drag and drop operation. This client supports secure SFTP transfers as well as FTP transfers. You can drag individual files, multiple files, and entire folders.

To connect to a server and transfer files

1 On the Windows Start menu, click Attachmate Reflection FTP Client. The Connect to FTP Site dialog box opens automatically.
2 Click New.
3 Step through the wizard, entering your host and user name when prompted.
   NOTE: When you install the FTP Client with Reflection for Secure IT, the wizard is configured to create SFTP connections by default. You can configure additional connection types using the Security Properties dialog box; use the Security button in the Login Information dialog box. Plain FTP sends the password and file contents in clear text, so keep SFTP unless the server offers nothing else.
4 On the last panel you are asked if you want to connect to the host. Yes is selected by default. Leave this selected and click Finish to exit the wizard and make the connection.
   NOTE: If you are making an SFTP connection to a server to which you have not yet connected, you may see a dialog box asking you to confirm the authenticity of the host. Confirm the host key fingerprint with the system administrator for that host before you accept it. Click Always to add this host to your known hosts list.
5 Browse to locate the files or folders you want to transfer and the destination location. Local folders are shown in the left pane; server directories are shown in the right pane.
6 Select the files or folders you want to transfer and drag them from the source location to your desired destination.

To save this server to your list of sites

Click File > Save to save the site configuration to your FTP Client settings file.

To connect to a saved site

1 Launch the FTP Client.
2 Click to select a site in the Connect to FTP Site dialog box.
3 Click Connect.

NOTE: For complete information about working with the FTP Client, refer to the FTP Client application help.

Understanding Secure Shell

This diagram outlines the basic steps involved in creating a Secure Shell channel and using it to transmit data securely.

1 Establish a secure connection.
   The client and server negotiate to establish a shared key and cipher to use for session encryption, and a MAC (message authentication code) algorithm to use for data integrity checking.
2 Authenticate the server.
   Server authentication enables the client to confirm the identity of the server. The server has only one chance to authenticate to the client during the authentication process. If this authentication fails, the connection fails.
3 Authenticate the client.
   Client authentication enables the server to confirm the identity of the client user. By default, the client is allowed multiple authentication attempts. The server and client negotiate to agree on one or more authentication methods.
4 Send data through the encrypted session.
   Once the encrypted session is established, all data exchanged between the Secure Shell server and client is encrypted. Users now have secure remote access to the server and can execute commands and transfer files securely through the secure channel.
5 Use port forwarding to secure communications between other clients and servers.
   Port forwarding, also known as tunneling, provides a way to redirect communications through the Secure Shell channel of an active session. When port forwarding is configured, all data sent to a specified port is redirected through the secure channel.
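The server authentication in step 2 above, and the host authenticity prompts described under "Start a New Terminal Session" and "Transfer Files Using the FTP Client", come down to comparing a host key fingerprint with one obtained out of band. The following Python script is an added example, not part of this guide or of Reflection's own code. It builds a constructed ssh-rsa host key blob from a toy modulus (not a real key), writes it as an OpenSSH-style known_hosts line (the assumption here is that the known hosts file uses that line format), and computes the SHA256 and MD5 fingerprints in the forms administrators usually quote, so a key pasted from the known hosts file can be checked against the fingerprint the host's administrator gave you. The host name acme.example.com and the key values are assumptions.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative SSH 'mpint': minimal big-endian bytes, with a leading
    zero byte when the top bit is set so the value is not read as negative."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_host_key_blob(e: int, n: int) -> bytes:
    """Build an 'ssh-rsa' public key blob (RFC 4253 section 6.6):
    string "ssh-rsa", mpint e, mpint n. Fingerprints are hashes of this blob."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_known_hosts_line(line: str):
    """Parse one OpenSSH-style known_hosts line: '<host> <keytype> <base64 blob>'.
    Rejects a line whose blob does not start with the declared key type."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type field does not match the key blob")
    return host, keytype, blob


def fingerprints(blob: bytes) -> dict:
    """Return the key fingerprint in the two formats administrators usually quote:
    'SHA256:<unpadded base64>' and 'MD5:<colon-separated hex>'."""
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5_hex = hashlib.md5(blob).hexdigest()
    return {
        "SHA256": "SHA256:" + sha256_b64,
        "MD5": "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2)),
    }


def verify_host_key(line: str, expected_fingerprint: str) -> bool:
    """True only if the key on the known_hosts line matches a fingerprint obtained
    out of band (for example, from the host's administrator), in either format."""
    _, _, blob = parse_known_hosts_line(line)
    return expected_fingerprint in fingerprints(blob).values()


# Constructed sample (assumption): a toy modulus, NOT a real host key.
# In practice, paste the line for the host from your known hosts file instead.
SAMPLE_BLOB = build_rsa_host_key_blob(65537, 0xC0FFEEDEADBEEF123456789ABCDEF01)
SAMPLE_LINE = "acme.example.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    host, keytype, blob = parse_known_hosts_line(SAMPLE_LINE)
    for fmt, value in fingerprints(blob).items():
        print(f"{host} ({keytype}) {fmt} fingerprint: {value}")
```

Compare the printed value against what the administrator sent you, not against what the dialog box shows: the dialog box shows the key the server presented, which is exactly the thing you are trying to check.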


4 Configuration

Reflection for Secure IT and the FTP Client use a number of files for storing settings.

In this Chapter
- "Settings Files" on page 15
- "Secure Shell Client Configuration Files" on page 15

Settings Files

Settings files configure application-specific settings. Reflection for Secure IT and the FTP Client use different settings files.

- Reflection for Secure IT (*.r3w): Host connection information, terminal emulation, display setup, key mapping, mouse configuration
- FTP Client (*.rfw): Host connection information, directory display preferences, transfer settings

To save a settings file, use File > Save.

NOTE: For information about configuring these settings, use the Reflection for Secure IT and FTP Client application Help; this information is not covered in this user guide.

Secure Shell Client Configuration Files

The Secure Shell configuration file contains settings that are specific to the Secure Shell client connection. This user-specific file is created and updated automatically when you modify your settings using the "Reflection Secure Shell Settings Dialog Box" on page 71. Settings are saved automatically when you close this dialog box. The file name and location is:

My

Settings in this file are applied per host (or per SSH configuration scheme (page 101)) and affect both terminal sessions and FTP Client sessions. For example, when you configure non-default Secure Shell settings for a connection to Acme.com from a terminal session (and you don't specify an SSH configuration scheme), the Secure Shell settings are saved in the configuration file in a section identified with the following line:

Host Acme.com

If you also configure the FTP Client to connect to Acme.com (and you don't specify an SSH configuration scheme), the FTP Client uses the settings in the "Host Acme.com" section of the configuration file. (Settings are shared in the same way if you specify the same SSH configuration scheme in both applications.)

NOTE: When you close the Reflection Secure Shell Settings dialog box, values that are at their default settings are not saved to the configuration file. If a default value has been manually added to the file, it is removed when you close the dialog box. This imposes design constraints if you use wildcard host stanzas in combination with stanzas that use specific host names: if you have manually configured a default value in a specific host stanza to override a non-default value in a wildcard stanza, that setting is removed when you open the Secure Shell Settings dialog box to view settings for the host-specific SSH configuration scheme, and the wildcard value takes effect again. You can handle this situation by using the global configuration file, which is not updated when users open and close the Reflection Secure Shell Settings dialog box.

Global Configuration File

System administrators can also install a system-wide configuration file. The file name and location is:

%programdata%\attachmate\reflection\.ssh\ssh config

Settings in this file affect client connections for all users of the computer. Because it governs every user's connections, restrict write access to this file to administrators.

5 Encryption

In this Chapter
- "Supported Cryptographic Algorithms" on page 17
- "Federal Information Processing Standard (FIPS)" on page 18

Supported Cryptographic Algorithms

Data Encryption Standards

Encryption protects the confidentiality of data in transit. This protection is accomplished by encrypting the data before it is sent, using a secret key and cipher. The received data must be decrypted using the same key and cipher. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. You can use the Encryption (page 74) tab of the Reflection Secure Shell Settings dialog box to specify which ciphers the Secure Shell connection should use.

The following data encryption standards are supported:

- DES (56-bit) - Available with SSH protocol 1 only
- Arcfour, Arcfour128, and Arcfour256 (stream mode)
- TripleDES (168-bit) CBC mode
- Cast (128-bit)
- Blowfish (128-bit) CBC mode
- AES (also known as Rijndael) (128-, 192-, or 256-bit) CBC mode and CTR mode

Because the client's preference order decides the outcome, put AES CTR mode first and leave DES, Arcfour (RC4), Blowfish, and Cast off the list unless a legacy server requires them; otherwise a server that offers only those ciphers is accepted without any warning.

Data Integrity

Data integrity ensures that data is not altered in transit. Secure Shell connections use MACs (message authentication codes) to ensure data integrity. The client and server independently compute a MAC for each packet of transferred data. If the packet has changed in transit, the values differ and the packet is rejected. The MAC used for a given session is the MAC highest in the client's order of preference that is also supported by the server. Reflection supports the following MAC standards:

- hmac-sha1
- hmac-md5
- hmac-sha1-96
- hmac-md5-96
- hmac-ripemd-160
- hmac-sha256
- hmac-sha2-256
- hmac-sha512
- hmac-sha2-512

Prefer hmac-sha2-256 or hmac-sha2-512. The MD5 and RIPEMD-160 MACs are not FIPS-approved, and the -96 variants truncate the tag to 96 bits; keep them for legacy servers only.

Digital Signatures

Digital signatures are used for public key authentication (including certificate authentication). The authenticating party uses the digital signature to confirm that the party being authenticated holds the correct private key. The Secure Shell client uses a digital signature to authenticate the host. The Secure Shell server uses a digital signature to authenticate the client when public key authentication is configured. Reflection supports the following digital signature algorithms:

- x509v3-rsa2048-sha256
- x509v3-sign-rsa
- x509v3-sign-dss
- ssh-rsa-sha2-256@attachmate.com
- ssh-rsa
- ssh-dss

The two algorithms with sha256 in their names sign with SHA-256; ssh-rsa, x509v3-sign-rsa, ssh-dss, and x509v3-sign-dss sign with SHA-1, and the DSS variants use DSA keys. Prefer the SHA-256 algorithms wherever the server supports them.

Federal Information Processing Standard (FIPS)

When Reflection is configured to run in FIPS mode, it enforces the United States government Federal Information Processing Standard (FIPS) 140-2. All available settings use security protocols and algorithms that meet this standard. Options that do not meet these standards are not available. You can configure individual sessions to run in FIPS mode or enforce FIPS mode for all Reflection sessions.

Configure specific Secure Shell sessions to run in FIPS mode

You can use the following procedure to configure specific Secure Shell sessions to run in FIPS mode.

NOTE: This procedure does not enforce FIPS standards for all Secure Shell sessions. This change is saved to your Secure Shell configuration file (page 15) and is applied to a specific SSH configuration scheme (page 101). (If you don't specify a scheme, the setting applies to all connections to the current host.) This change has no effect on subsequent Secure Shell sessions unless they are configured to use the same SSH configuration scheme (or host name).

To set FIPS mode for particular hosts or SSH configuration schemes

1 Open the Secure Shell Settings dialog box (page 85).
2 On the Encryption tab, select Run in FIPS mode.

You can also configure this setting manually by editing the Secure Shell configura
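The negotiation rule stated under "Supported Cryptographic Algorithms" (the cipher and MAC highest in the client's preference order that the server also supports) and the effect of FIPS mode described above are easy to reason about in code. The following Python module is an added example, not part of this guide or of Reflection's implementation. It uses the standard SSH wire names for the algorithms listed in this chapter, a client preference order chosen for this example, and a FIPS-approved set that is an assumption modelled on FIPS 140-2 (AES and Triple DES; untruncated HMAC with SHA-1 or SHA-2); the real lists are whatever is configured on the Encryption tab. The two server offers are constructed. It shows that a legacy server offering only RC4, Blowfish and HMAC-MD5 is accepted silently while those algorithms remain in the client list, and that the same server is refused in FIPS mode.

```python
from typing import Iterable, List, Optional, Tuple

# Standard SSH wire names (RFC 4253 / IANA registry) for the algorithms listed in
# this chapter. The ORDER is this example's preference, strongest first; the real
# order is whatever is configured on the Encryption tab.
CLIENT_CIPHERS = [
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
    "aes256-cbc", "aes192-cbc", "aes128-cbc",
    "3des-cbc", "blowfish-cbc", "cast128-cbc",
    "arcfour256", "arcfour128", "arcfour",
]
CLIENT_MACS = [
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha256", "hmac-sha512",
    "hmac-sha1", "hmac-sha1-96", "hmac-ripemd160",
    "hmac-md5", "hmac-md5-96",
]

# Assumption for this example: the subset a FIPS 140-2 build would keep
# (AES and Triple DES; HMAC with SHA-1 or SHA-2, untruncated).
FIPS_APPROVED_CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr",
                         "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"}
FIPS_APPROVED_MACS = {"hmac-sha2-256", "hmac-sha2-512", "hmac-sha256",
                      "hmac-sha512", "hmac-sha1"}


def negotiate(client_prefs: List[str], server_supported: Iterable[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen algorithm is the first one in the client's
    preference list that the server also supports; None if there is no match."""
    server_set = set(server_supported)
    for alg in client_prefs:
        if alg in server_set:
            return alg
    return None


def fips_filter(prefs: List[str], approved: set) -> List[str]:
    """Drop non-approved algorithms while keeping the client's preference order,
    which is what 'Run in FIPS mode' does to the available options."""
    return [alg for alg in prefs if alg in approved]


def choose_session_algorithms(server_ciphers: Iterable[str], server_macs: Iterable[str],
                              fips_mode: bool = False) -> Tuple[str, str]:
    """Pick the (cipher, MAC) pair for a session, or raise if the two sides share none.
    In FIPS mode the client lists are filtered first, so a weak-only server fails to
    connect instead of being accepted with a weak cipher."""
    ciphers = fips_filter(CLIENT_CIPHERS, FIPS_APPROVED_CIPHERS) if fips_mode else CLIENT_CIPHERS
    macs = fips_filter(CLIENT_MACS, FIPS_APPROVED_MACS) if fips_mode else CLIENT_MACS
    cipher = negotiate(ciphers, server_ciphers)
    mac = negotiate(macs, server_macs)
    if cipher is None or mac is None:
        raise ValueError("no cipher/MAC acceptable to both client and server; connection fails")
    return cipher, mac


# Constructed server offers for the demonstration (assumptions, not real hosts).
MODERN_SERVER = (["aes128-ctr", "aes256-ctr", "arcfour"], ["hmac-sha2-256", "hmac-md5"])
LEGACY_SERVER = (["arcfour", "blowfish-cbc"], ["hmac-md5"])

if __name__ == "__main__":
    print("modern server:", choose_session_algorithms(*MODERN_SERVER))
    print("legacy server, default lists:", choose_session_algorithms(*LEGACY_SERVER))
    try:
        choose_session_algorithms(*LEGACY_SERVER, fips_mode=True)
    except ValueError as err:
        print("legacy server, FIPS mode:", err)
```

The point of the second and third runs is the one to carry back to the Encryption tab: removing an algorithm from the client list is the only way to guarantee it is never used, because the server's offer, not the client's top preference, decides what a downgraded connection ends up with.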
