Technical Notes

Best Practices for Configuring Reflection OpenSSH
Technical Note 1727
Last Reviewed 09-May-2005
Applies To
Reflection for HP version 12.x
Reflection for UNIX and OpenVMS version 12.x
Reflection Suite for X version 12.x
Reflection X version 12.x
Reflection FTP Client version 12.x
Summary

This document provides information about the best practices to use when configuring secure, encrypted communications between a trusted host and an end user's PC, using Reflection products with Reflection OpenSSH. This note provides a matrix that suggests how to configure Reflection to establish host connections with minimum, medium, or high security, and provides a list of additional security considerations for your review.

Note the following:

• Reflection 12.x calls the SSH connection OpenSSH. Beginning in Reflection 13.0, the SSH connection is called Secure Shell. For more information, see Technical Note 1857.
• Creating a secure network environment is a complex task involving many custom elements designed to fit your individual network environment and security needs. Neither the security matrix nor the additional security configuration suggestions made in this note should be considered to include all necessary security options for your environment. This information is designed only to provide Reflection customers with a framework on which to start building individual security environments.

For Reflection security updates, see Technical Note 1708.

Overview of Reflection OpenSSH

Reflection OpenSSH provides the following functionality:

• The ability to establish secure connections to both SSH1 and SSH2 protocol servers using Reflection X, Reflection for UNIX and OpenVMS, Reflection for ReGIS Graphics, Reflection for HP, and Reflection FTP Client applications.
• Support for standard SSH features such as port forwarding (including X11), data stream compression and encryption, authentication using a password, public key or Kerberos ticket, and logging.
• The ability to create RSA1 (SSH1 only), RSA, and DSA user keys with lengths between 512 and 32768 bits. (This feature is available both as an MS-DOS utility and through the client user interface.)
• Support for secure file transfer, both within the Reflection FTP Client using SFTP and with standalone SCP and SFTP MS-DOS utilities.

Determining How to Configure Reflection OpenSSH for Secure Connections

The security matrix presented below lists Reflection OpenSSH parameters and recommends how each parameter should be configured to provide minimum, medium, or high security for your PC-to-host connection.

Note the following:

• The minimum, medium, and high classifications used in this matrix do not represent clearly defined industry terms; rather, they are subjective classifications. The intent of creating such categories is to provide a starting place for administrators who are researching PC-to-host security options.
• The matrix contains a subset of available OpenSSH security parameters, which apply to common network configurations. Further options are available, and may be necessary in your specific network environment.

• The recommendation for some settings is "do not use." These are settings that have no impact or a negative impact on the security of your host to PC connection. These settings often apply only to SSH1.

Security Matrix

OpenSSH Parameter	Minimum Security	Medium Security	High Security	Dialog Box*
ChallengeResponseAu thentication	yes (default)	no	no
Cipher	do not use (this parameter applies only to SSH1)	do not use (this parameter applies only to SSH1)	do not use (this parameter applies only to SSH1)	X
Ciphers	aes128-cbc, 3des-cbc, blowfish-cbc, aes192-cbc, aes256-cbc	aes128-cbc, blowfish-cbc, aes192-cbc, aes256-cbc	blowfish-cbc, aes256-cbc	X
ClearAllForwardings	yes	yes	yes
CompressionLevel	no	no	no	X
DynamicForward	do not use	do not use	do not use
FallBackToRsh	do not use	do not use	do not use
GssapiAuthentication	no (default)	yes	yes	X
KbdInteractiveAuth entication	yes (default)	no	no
KerberosAuthentic ation	do not use (this parameter applies only to SSH1)	do not use (this parameter applies only to SSH1)	do not use (this parameter applies only to SSH1)	X
KerberosTgtPassing	do not use (this parameter applies only to SSH1)	do not use (this parameter applies only to SSH1)	do not use (this parameter applies only to SSH1)	X
PasswordAuthenti cation	yes (default)	no	no	X
PreferredAuthenti cations	include all methods except: none	include all methods except: password, none	include only: gssapi
Protocol	2	2	2	X
PubkeyAuthentication	yes (default)	yes (default)	no	X
RhostsAuthentication	no	no	no
RhostsRSAAuthen tication	no	no	no
RSAAuthentication	no	no	no	X
StrictHostKeyCheck ing	no (default)	no (default)	yes
UseRsh	no	no	no

* In the Dialog Box column, an "X" denotes that the parameter can be configured from either the Reflection interface or by editing the "My Documents\Reflection\.ssh\config" file. Parameters that are not marked with an "X" can be configured only from the config file. For further details, see the following sections.

Configuring Reflection OpenSSH Security Parameters

Reflection OpenSSH security parameters can be configured by manually editing the "My Documents/Reflection/.ssh/config" file, or through the Reflection interface. When selecting which configuration method best suits your needs, consider the following:

• Both methods save Reflection OpenSSH settings to the same file, "My Documents\Reflection\.ssh\config."
• Not all Reflection OpenSSH parameters are available through the Reflection interface.
• Parameters configured through the Reflection interface apply only to a single host connection, not to all host connections.
• Manually editing the config file allows you to configure parameters that apply to single host connections or multiple host connections (using wildcards).
• Alternately, if you already have a config file on your host that is properly configured for security in your environment, you can utilize that file by copying it to each PC.

Using the Config File

To set the config file for basic minimum, medium, or high security, copy and paste the appropriate section below into your "My Documents\Reflection\.ssh\config" file.

Note the following:

• The config file is broken into host-specific sections, each containing parameters that apply to the specified host or group of hosts. For example:

• You can specify security parameters for connections to individual hosts or use the wildcard characters, "*" or "?", to specify a group of hosts.

• If multiple "Host" sections apply to the host a user is connecting to (as with Host Greenglass in the example above), the first applicable Host section in the file is used. Therefore, if using wildcards to specify a group of hosts, it is helpful to place individual host entries at the beginning of the file, and wildcard entries at the end of the file.
• If a parameter you are adding already exists for the host you are configuring, change the value of the existing parameter, rather than adding a second entry for the same parameter. If multiple entries exist for the same parameter, only the first entry is used.
• Blank lines and lines starting with the pound character, #, are comments.
• More details regarding configuring the OpenSSH config file can be found on the openssh.org web site (http://www.openssh.org) or, more directly, from the openbsd.org web site at http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config.

Minimum

Medium

High

Using the Reflection Interface

Some OpenSSH security settings can be configured through the Reflection interface. Settings configured from the Reflection interface are saved per connection, and apply only to single host connections.

Note: To configure global OpenSSH settings for connections, use the config file. (See, the Using the Config File section above.).

To configure OpenSSH security settings through the Reflection interface, follow the steps below:

1. Start the Reflection product.
2. Using the procedures for your Reflection product, open the OpenSSH Client Settings dialog box (see Figure 1).

1. Click Connection > Connection Setup.
2. Under Connect using, select Network and OpenSSH.
3. Click Security and proceed with step 3.

1. In the Reflection X Manager, expand the Client Templates and Client Startup trees, and then select your host type.
2. Change the connection Method to OPENSSH and enter your Host name and User name.
3. Click Advanced and proceed with step 3.

1. In the Connect to FTP Site dialog box, select a host to connect to and click Properties.
2. Click Security > OpenSSH.
3. Select Use Reflection OpenSSH, and then click Configure. Proceed with step 3.
3. The table below shows each of the OpenSSH parameters that can be configured through the Reflection interface, and matches each parameter to the equivalent configuration in the Reflection interface. Use this table, combined with the security matrix above, to configure Reflection to meet your security needs.

OpenSSH Parameter	Configured Using…
Cipher	Click Cipher Setup, and view SSH protocol 1. Note: Cipher settings apply only to SSH1. Only SSH2 is recommended.
Ciphers	Click Cipher Setup. Under SSH protocol 2, remove any SSH protocol 2 ciphers you do not wish to use and place the remaining protocols in order of preference.
CompressionLevel	Under Compression, select or clear Enable compression. Note: The compression level slider control applies only to SSH protocol 1.
GssapiAuthentication	Under Authentication, select or clear Kerberos key exchange.
PasswordAuthentication	Under Authentication, select or clear Password.
Protocol	On the Protocol drop-down menu, select a protocol. Note: SSH2 is recommended for all options on the security matrix.
PubkeyAuthentication	Click Generate User Key. Select RSA or DSA key type. Note the following: If PubkeyAuthentication is enabled, you must also copy the public key from "My Documents\Reflection\.ssh\id_rsa.pub" or "My Documents\Reflection\.ssh\id_dsa.pub" to the host. For details, see the Reflection online help. Under Authentication, select or clear User key.
RSAAuthentication	Click Generate User Key. Select RSA1 key type. Note the following: If RSAAuthentication is enabled, you must also copy the public key from "My Documents\Reflection\.ssh\identity.pub" to the host. For details, see the Reflection online help. RSAAuthentication applies only to SSH1. All security options suggest using SSH2 only.

Deploying Custom OpenSSH Settings

As the system administrator, you can create a customized Reflection installer that includes the OpenSSH configuration settings needed by your users. The installer method provides machine-wide OpenSSH default settings to your users.

Note the following:

• The administrator's workstation must have the Reflection Administrator's Toolkit installed.
• Reflection Customization Manager cannot be used to install per-user OpenSSH settings.

1. Launch the Reflection product you are using for your secure connections and configure your OpenSSH settings as described in Configuring Reflection OpenSSH Security Parameters.

2. Create the following copies of your OpenSSH files. (These are the file names used for configuring machine-wide settings.)

• Create a copy of known_hosts called ssh_known_hosts.
• Create a copy of config called ssh_config.

3. Launch the Reflection Customization Manager (click Start > Programs > WRQ Reflection > Administrative Tools > Customization Manager) and create an administrative installation (or use an existing one).
4. Click Customize, open the installation, and then click Add Files. Add the OpenSSH files to the installation as follows. You must install the files to the location described here:
   1. Click Add, and then Browse to locate the ssh_known_hosts you created in step 2.
   2. Select the "Install file to end user machine without shortcut" option.
   3. Under Install file to, select Shared Application Data, and enter Reflection in the second field to create a subfolder named "Reflection." Click OK.
5. Close the open dialog boxes to return to the Customization Manager, make other customization if you choose, and then create a shortcut for deploying your custom installation.

Users can now install Reflection using your customized installation. The OpenSSH settings will be available to all users of the PC running any Reflection client configured to use OpenSSH.

Additional Configuration Points to Consider

Review these points to help determine how strictly you want to control user configuration functionality.

• The ssh_config and ssh_known_hosts files in the Shared Application Data folder should have restricted write access to prevent unauthorized changes to the configuration settings or keys. (These files are typically located in Documents and Settings\All Users\Application Data\Reflection\ssh)
• The configuration and key information from these files will be read first, and if a valid host match is found, the Reflection OpenSSH client will not check the user's config or known_keys files; however, this does not preclude a user from manually creating these files in their My Documents\Reflection\.ssh folder. You may want to restrict access to the .ssh folder as well.
• If you want to ensure that users do not connect to any unauthorized hosts, set the StrictHostKeyChecking parameter in the ssh_config file to "yes" at the top of the file.

Additional Suggestions

Beyond configuring Reflection OpenSSH, there are many other things administrators can do to help secure a PC-to-host connection. The following is a list of some further steps to consider when designing your security environment.

Note: This list is non-inclusive. Many other security steps may be necessary in your network environment; however, the suggestions on this list should be considered when establishing your security policies.

• Keep all servers up to date with the current releases, patches, and updates.
• Do not allow users to log on to systems as root.
• Prevent remote users from making their initial logon as root by editing the sshd_config file and setting PermitRootLogin to no. Once successfully logged on as a normal user, users with permissions can then use "su" or "su -" (depending on configuration) to log on as root. For details on the su command, refer to the host's MAN pages.
• Adopt strong password policies.
• Determine if you will use SSH StrictHostKeyChecking.
• Take precautions to secure your PCs and hosts.
• Implement host and user keys greater than 1024K in length.
• Configure Reflection X to be restrictive enough to meet your corporate security policy. For details about security settings available in Reflection X, see Technical Note 1677.

SSH Resources

For general information about SSH1 and SSH2, as well as information about SSH servers and clients, see the OpenSSH web page, http://www.openssh.com.

Related Technical Notes

1677	Reflection X Security Settings
1708	Security Updates and Reflection
1857	Best Practices for Configuring Reflection Secure Shell