Best Practices for Configuring Reflection Secure Shell (SSH)

  • 7021930
  • 09-May-2005
  • 01-Apr-2018

Environment

Reflection 2014
Reflection Pro 2014
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection X 2014
EXTRA! X-treme version 9.2 or higher
INFOConnect Enterprise Edition version 8.1 SP2 or higher
Reflection for UNIX and OpenVMS 2011
Reflection Standard Suite 2011
Reflection X 2011
Reflection Suite for X 2011
Reflection for Secure IT Windows Client version 7.x
Reflection for HP with NS/VT version 14.x
Reflection for UNIX and OpenVMS version 14.x
Reflection X version 14.x
Reflection Suite for X version 14.x
Reflection for the Multi-Host Enterprise Standard Edition version 14.x
Reflection for the Multi-Host Enterprise Professional Edition version 14.x
Reflection FTP Client version 14.x

Situation

This document provides information about the best practices to use when configuring secure, encrypted communications between a trusted host and an end user's PC, using Reflection products with Reflection Secure Shell (SSH). This note provides a matrix that suggests how to configure Reflection to establish SSH connections with minimum, medium, or high security, and provides a list of additional security considerations for your review.

Resolution

Note the following:

  • Creating a secure network environment is a complex task involving many custom elements designed to fit your individual network environment and security needs. Neither the security matrix nor the additional security configuration suggestions made in this note should be considered to include all necessary security options for your environment. This information is designed to provide Reflection customers with a framework on which to start building individual security environments.
  • The Secure Shell configuration described in this note applies to all Reflection terminal sessions, Reflection FTP Client sessions, and Reflection X 14.x sessions. Reflection X Advantage Secure Shell settings are saved to the Reflection X Advantage database, not to the config file described in this note; and the user interface for making changes is different. Refer to the Reflection X Advantage product help for details.

For security update information, select your product from https://support.microfocus.com/security/.

Overview of Reflection Secure Shell

Reflection Secure Shell provides the following functionality:

  • The ability to establish secure connections to both SSH1 and SSH2 protocol servers using EXTRA! X-treme, INFOConnect, Reflection 2014, Reflection 2011, Reflection X, Reflection for UNIX and OpenVMS, Reflection for ReGIS Graphics, Reflection for HP, and Reflection FTP Client applications (see the Applies To section of this technical note).
  • Support for standard SSH features such as port forwarding (including X11), data stream compression and encryption, authentication using a password, public key or Kerberos ticket, and logging.
  • The ability to create RSA1 (SSH1 only), RSA, and DSA user keys with lengths between 512 and 8192 bits. (This feature is available both as an MS-DOS utility and through the client user interface.)
  • Support for secure file transfer, both within the Reflection FTP Client using SFTP and with standalone SCP and SFTP Windows command line utilities.

Determining How to Configure Reflection SSH for Secure Connections

The security matrix presented below lists Reflection Secure Shell parameters and recommends how each parameter should be configured to provide minimum, medium, or high security for your PC-to-host connection.

Note the following:

  • The minimum, medium, and high classifications used in this matrix do not represent clearly defined industry terms; rather, they are subjective classifications. The intent of creating such categories is to provide a starting place for administrators who are researching PC-to-host security options.
  • The matrix contains a subset of available Secure Shell security parameters, which apply to common network configurations. Additional options are available, and may be necessary in your specific network environment.

A complete listing of SSH configuration parameters, definitions of these settings (including those shown and not shown in the following table), and each settings' default configuration can be found in each product's Help documentation available from https://support.microfocus.com/manuals/.

  • The recommendation for some settings is "do not use." These are settings that have no impact or a negative impact on the security of your host to PC connection. These settings often apply only to SSH1, which has been deprecated.

Security Matrix

Secure Shell Parameter
Minimum Security
Medium Security
High Security
Dialog Box [*a]
ChallengeResponseAuthentication
no
(this parameter applies only to SSH1)

no
(this parameter applies only to SSH1)

no
(this parameter applies only to SSH1)

 
Cipher
do not use
(this parameter applies only to SSH1)

do not use
(this parameter applies only to SSH1)

do not use
(this parameter applies only to SSH1)

X
Ciphers [*b]
aes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc, aes192-cbc, aes256-cbc
aes128-ctr, aes128-cbc, aes192-ctr, aes192-cbc, aes256-ctr, aes256-cbc, 3des-cbc, blowfish-cbc
aes256-ctr, aes192-ctr, aes128-ctr
X
ClearAllForwardings
yes
yes
yes
 
CompressionLevel
no (default)
no (default)
no (default)
X
ConnectionReuse
yes (default for GUI applications)
no
no
X
DynamicForward
do not use
do not use
do not use
 
FIPSMode
no (default)
yes
yes
X
GatewayPorts
no (default)
no
no
 
GssapiAuthentication [*d]
no (default)
yes
yes
X
GssapiDelegateCredentials [*c]
no (default)
yes
no
X
GssapiUseSSPI [*e]
no (default)
yes
yes
X
HostKeyAlgorithms [*c]
x509v3-rsa2048-sha256, x509v3-sign-rsa, x509v3-sign-dss, ssh-rsa-sha2-256@attachmate.com, ssh-rsa,ssh-dss
(default)

x509v3-rsa2048-sha256, x509v3-sign-rsa, x509v3-sign-dss, ssh-rsa-sha2-256@attachmate.com
x509v3-rsa2048-sha256, x509v3-sign-rsa, x509v3-sign-dss, ssh-rsa-sha2-256@attachmate.com
 
KbdInteractiveAuthentication
yes (default)
no
no
X
KerberosAuthentication
do not use
(this parameter applies only to SSH1)

do not use
(this parameter applies only to SSH1)

do not use
(this parameter applies only to SSH1)

X
KerberosTgtPassing
do not use
(this parameter applies only to SSH1)

do not use
(this parameter applies only to SSH1)

do not use
(this parameter applies only to SSH1)

X
KexAlgorithms [*c]
diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256 (default)
diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, gss-group1-sha1-*
diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, gss-group1-sha1-*
 
Macs [*c]
hmac-sha256, hmac-sha2-256, hmac-sha1, hmac-md5, hmac-ripemd160, hmac-sha1-96, hmac-md5-96, hmac-sha512, hmac-sha2-512 (default)
hmac-sha256, hmac-sha2-256, hmac-sha1, hmac-sha512, hmac-sha2-512

hmac-sha256, hmac-sha2-256, hmac-sha512, hmac-sha2-512

 
PasswordAuthentication
yes (default)
no
no
X
PreferredAuthentications
include all methods except: none
include all methods except:
password, none

include only: publickey, gssapi-with-mic
X
Protocol
2
2
2
X
PubkeyAuthentication
yes (default)
yes (default)
yes (default)
X
RSAAuthentication
no
(this parameter applies only to SSH1)

no
(this parameter applies only to SSH1)

No
(this parameter applies only to SSH1)

X
StrictHostKeyCheck
ing

ask (default)
ask (default)
yes
X

[*a] In the Dialog Box column, an "X" denotes that the parameter can be configured from either the Reflection interface or by editing the "My Documents\Attachmate\Reflection\.ssh\config" file. Parameters that are not marked with an "X" can be configured only from the config file. For more details, see the following sections.

[*b] The AES _ctr mode encryption algorithms are available in Reflection version 14.1, Reflection 2011, Reflection 2014, and EXTRA! 9.2 or higher.

[*c] The hmac_sha2 Macs, sha256 host key digital signature and sha256 key exchange algorithms are available in Reflection 14.1 SP3, EXTRA 9.3, Reflection 2011 R3 or higher, and Reflection 2014.

[*d] GSSAPI authentication requires that a Kerberos Key Distribution Center be set up and configured.

[*e] GssapiUseSSPI authentication requires that a Microsoft Windows Domain be set up and all systems be joined to the domain.

Configuring Reflection Secure Shell Parameters

Reflection Secure Shell security parameters can be configured by manually editing the "My Documents/Attachmate/Reflection/.ssh/config" file, or through the Reflection interface. When selecting which configuration method best suits your needs, consider the following:

  • Both methods save Reflection Secure Shell settings to the same file, "My Documents\Attachmate\Reflection\.ssh\config."
  • Not all Reflection Secure Shell parameters are available through the Reflection interface.
  • Parameters configured through the Reflection interface apply only to a single host connection, not to all host connections, unless you use an SSH config scheme. (See the Reflection Secure Shell help topic, Config Schemes.)
  • Manually editing the config file allows you to configure parameters that apply to single host connections or multiple host connections (using wildcards).
  • Alternately, if you already have a config file on your host that is properly configured for security in your environment, you can use that file by copying it to each PC.

Using the Config File

To set the config file for basic minimum, medium, or high security, copy and paste the appropriate section below into your "My Documents\Attachmate\Reflection\.ssh\config" file.

Note the following:

  • The config file has host-specific sections, each containing parameters that apply to the specified host or group of hosts. For example:
      Host Bluebell
         Protocol 1
         PasswordAuthentication yes
      Host Redrose
         Protocol 2
         CompressionLevel 6

  • You can specify security parameters for connections to individual hosts or use the wildcard characters, "*" or "?", to specify a group of hosts.

For example, in the sample below the Protocol and PasswordAuthentication parameters would apply to host Bluebell.flowers.com, and the CompressionLevel and LogLevel parameters would apply to all hosts in the domain, *.mycompany.

      Host Bluebell.flowers.com
         Protocol 1
         PasswordAuthentication yes
         Host Greenglass.mycompany.com
         Protocol 2
           LogLevel QUIET
      Host *.mycompany
         CompressionLevel 6
         LogLevel INFO 

  • A Reflection connection will use the first occurrence of any matching Host string (including wildcard characters). Any subsequent matches will be ignored.

If multiple "Host" sections apply to the host a user is connecting to (as with Host Greenglass in the example above), the first parameter in the first applicable Host section in the file is used. Therefore, if using wildcards to specify a group of hosts, it is helpful to place more specific host entries at the beginning of the file, and wildcard entries at the end of the file – unless you want the setting to override that specific keyword for all matching hosts.

  • If a parameter you are adding already exists for the host you are configuring, change the value of the existing parameter, rather than adding a second entry for the same parameter. If multiple entries exist for the same parameter, only the first entry is used.
  • Blank lines and lines starting with the pound character, #, are comments and are not read by the client.
  • More details about configuring the Secure Shell config file can be found in each product's Help documentation available from https://support.microfocus.com/manuals/.

Minimum

Note that only keywords containing non-default settings are included:

Ciphers aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256
ClearAllForwardings yes
Protocol 2
RSAAuthentication no

Medium

Note that only keywords containing non-default settings are included:

ChallengeResponseAuthentication no
Ciphers aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc,blowfish-cbc
ClearAllForwardings yes
KbdInteractiveAuthentication no
Macs hmac-sha256,hmac-sha2-256,hmac-sha1,hmac-sha512,hmac-sha2-512
Protocol 2
PasswordAuthentication no
PreferredAuthentications external-keyx,gssapi,publickey
RSAAuthentication no
GssapiAuthentication yes

High

Note that only keywords containing non-default settings are included:

ChallengeResponseAuthentication no
ClearAllForwardings yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Macs hmac-sha256,hmac-sha2-256,hmac-sha512,hmac-sha2-512
KbdInteractiveAuthentication no
PasswordAuthentication no
PreferredAuthentications gssapi
PubkeyAuthentication no
RSAAuthentication no
StrictHostKeyChecking yes
GssapiAuthentication yes

Using the Reflection Interface

Some Secure Shell settings can be configured through the Reflection interface. Settings configured from the Reflection interface are saved per connection and apply only to single host connections.

Note: To configure global Secure Shell settings for connections, use the config file (see Using the Config File), or create an SSH config scheme from within the user interface.

To configure Secure Shell settings using the Reflection interface, follow the steps below:

  1. Start the Reflection product.
  2. Using the procedures below for your Reflection product, open the Reflection Secure Shell Settings dialog box.
View Full Size
Figure 1 - Reflection Secure Shell Settings Dialog Box, Encryption Tab
Figure 1 - Reflection Secure Shell Settings Dialog Box, Encryption Tab

For Reflection 2011 and Reflection 2014:

    1. Create a VT terminal session.
    2. In the VT Document Settings dialog box:

- Select Secure Shell

- Enter a host name

- Select Configure additional settings

- Click OK

    1. In the Settings for VT dialog box, click Set Up Connection Security.
    2. Proceed with step 3.

For Reflection for UNIX and OpenVMS and Reflection for HP with NS/VT:

    1. Click Connection > Connection Setup.
    2. Under Connect using, select Network and Secure Shell.
    3. Enter a host name and click Security. Proceed with step 3.

For Reflection X:

    1. In the Reflection X Manager, expand the Client Templates and Client Startup trees, and then select your host type.
    2. Change the connection Method to Secure Shell and enter your Host name and User name.
    3. Click Advanced and proceed with step 3.

For Reflection FTP Client:

    1. In the Connect to FTP Site dialog box, select a host to connect to and click Properties.
    2. Click Security, and then click the Secure Shell tab.
    3. Select the Use Reflection Secure Shell check box, and then click Configure. Proceed with step 3.
  1. The table below shows each of the Secure Shell parameters that can be configured through the Reflection interface, and matches each parameter to the equivalent configuration in the Reflection interface. Use this table, combined with the Security Matrix, to configure Reflection to meet your security needs.
    Secure Shell Parameter
    Configured Using…
    Cipher
    Encryption tab. View SSH protocol 1.
    Note: Cipher settings apply only to SSH1, which has been deprecated. Using SSH2 is highly recommended.
    Ciphers
    Encryption tab. Under SSH protocol 2, remove any SSH protocol 2 ciphers you do not wish to use and order the remaining protocols by preference.
    CompressionLevel
    General tab. Select or clear Enable compression.
    Note: The compression level slider control applies only to SSH protocol 1.
    GssapiAuthentication
    General tab. Under User Authentication, select or clear GSSAPI/Kerberos.
    PasswordAuthentication
    General tab. Under User Authentication, select or clear Password.
    Protocol
    General tab. On the Protocol drop-down list, select a protocol.
    PubkeyAuthentication
    User Keys tab. Click the Generate Key button. Select your options (for example, RSA or DSA for Key Type) and click Create.
    General tab. Under User Authentication, select or clear
    Public Key.
    Note the following:
    If PubkeyAuthentication is enabled, you must also copy the public key from "My Documents\Attachmate\Reflection\.ssh\id_rsa.pub" or "My Documents\Attachmate\Reflection\.ssh\id_dsa.pub" to the host. For details, see the Reflection online help.

    RSAAuthentication
    User Keys tab. Click the Generate Key button. From the drop-down Key Type list, select RSA1. Select other options and click Create.
    Note the following:
    If RSAAuthentication is enabled, you must also copy the public key from "My Documents\Attachmate\Reflection\.ssh\identity.pub" to the host. For details, see the Reflection online help.
    RSAAuthentication applies only to SSH1, which has been deprecated. Using SSH2 is highly recommended.

Deploying Custom Secure Shell Settings

System administrators can simplify user setup by deploying system-wide (global) Secure Shell settings to client computers.

  1. Launch the product you are using for your secure connections and configure your Secure Shell settings as described in Configuring Reflection Secure Shell Parameters.

When you close the Reflection Secure Shell Settings dialog box, non-default configuration information is saved automatically to <My Documents>\Attachmate\Reflection\.ssh\config.

When you make connections, known host information is saved to <My Documents>\Attachmate\Reflection\.ssh\known_hosts.

  1. Create the following copies of your Secure Shell files. These are the file names used for configuring system-wide/global settings.
    • Create a copy of config called ssh_config.
    • Create a copy of known_hosts called ssh_known_hosts.
  1. Deploy ssh_config and ssh_known_hosts to Reflection application data folder.

The procedure depends on which product you are using.

In Reflection 14.x

Go to Help > Help Topics and see “Deploying custom Secure Shell settings in Reflection 14.0.x.â€

For general deployment information, see the System Administrator Guide at https://docs.attachmate.com/reflection/14.1/r14_1sag.pdf.

In Reflection for Secure IT 7.x

Go to Help > Help Topics and see the topic “Deploying Secure Shell Settings in Reflection for Secure IT 7.0.xâ€.

For general deployment information, see the User Guide at https://support.microfocus.com/manuals/rsit_win_client.html.

In Reflection 2014

Click Help > Contents > Secure Connections > Secure Shell Configurations Files, and see “Deploy Secure Shell Settings with a Companion Installer.â€

For general deployment information, see “Installation and Deployment Guide†at https://docs.attachmate.com/reflection/2014/r1/deploy/deploymentguide.pdf.

In Reflection 2011

Click Help > Contents > Secure Connections > Secure Shell Configurations Files, and see “Deploy Secure Shell Settings with a Companion Installer.â€

For general deployment information, see “Installation and Deployment Guide†at https://docs.attachmate.com/reflection/2011/r3/deploy/deploymentguide.pdf.

The Deployment Guide for Reflection X 2011 and Reflection Suite for X 2011 is available at https://support.microfocus.com/manuals/rx_rsx_2011.html.

In EXTRA! X-treme

See “Customizing the EXTRA! X-treme Installation" in Help: https://docs.attachmate.com/extra/x-treme/9.2/help/en/index.htm.

In INFOConnect Enterprise Edition

See “Appendix C: Attachmate Customization Tool Reference†in the Product Guide at https://docs.attachmate.com/infoconnect/ented/9.1sp1/pdf/product_guide_infoconnect.pdf.

Additional Configuration Points to Consider

Review these points to help determine how strictly you want to control user configuration functionality.

  • The ssh_config and ssh_known_hosts files in the Shared Application Data folder should have restricted write access to prevent unauthorized changes to the configuration settings or keys. (These files are typically located in Documents and Settings\All Users\Application Data\Attachmate\Reflection\ssh)
  • The configuration and key information from these files will be read first, and if a valid host match is found, the Reflection Secure Shell client will not check the user's config or known_hosts files; however, this does not preclude a user from manually creating these files in their My Documents\Attachmate\Reflection\.ssh folder. You may want to restrict access to the .ssh folder as well.
  • If you want to ensure that users do not connect to any unauthorized hosts, set the StrictHostKeyChecking parameter in the ssh_config file to "yes" at the top of the file.

Additional Suggestions

Beyond configuring Reflection Secure Shell, there are many other things administrators can do to help secure a PC-to-host connection. The following is a list of additional steps to consider when designing your security environment.

Note: This list is non-inclusive. Many other security steps may be necessary in your network environment; however, the suggestions on this list should be considered when establishing your security policies.

  • Keep all servers up to date with the current releases, patches, and updates.
  • Do not allow users to log on to systems as root.
  • Prevent remote users from making their initial logon as root by editing the sshd_config file and setting PermitRootLogin to no. Once successfully logged on as a normal user, users with permissions can then use “sudoâ€, "su" or "su -" (depending on configuration) to log on as root. For details on the su and sudo commands, refer to the host's MAN pages.
  • Adopt strong password policies.
  • Determine if you will use SSH StrictHostKeyChecking.
  • Take precautions to secure your PCs and hosts.
  • Implement host and user keys greater than 2048 bits in length.
  • Configure Reflection X to be restrictive enough to meet your corporate security policy. For details about security settings available in Reflection X, see KB 7021774.

SSH Resources

For general information about SSH1 and SSH2, as well as information about SSH servers and clients, see the OpenSSH web page, http://www.openssh.com.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1857.