
Technical Notes

Best Practices for Configuring Reflection Secure Shell
Technical Note 1857
Last Reviewed 31-May-2006
Applies To
Reflection for HP with NS/VT version 13.0 through 14.x
Reflection for UNIX and OpenVMS version 13.0 through 14.x
Reflection Suite for X version 13.0 through 14.x
Reflection X version 13.0 through 14.x
Reflection FTP Client version 13.0 through 14.x
Reflection for Secure IT Windows Client version 6.0 or higher
Summary

This document provides information about the best practices to use when configuring secure, encrypted communications between a trusted host and an end user's PC, using Reflection products with Reflection Secure Shell. This note provides a matrix that suggests how to configure Reflection to establish SSH connections with minimum, medium, or high security, and provides a list of additional security considerations for your review.

Note the following:

  • Beginning in Reflection 13.0, the SSH connection is called Secure Shell. Earlier Reflection versions called the SSH connection OpenSSH.
  • Creating a secure network environment is a complex task involving many custom elements designed to fit your individual network environment and security needs. Neither the security matrix nor the additional security configuration suggestions made in this note should be considered to include all necessary security options for your environment. This information is designed to provide Reflection customers with a framework on which to start building individual security environments.
  • Beginning in Reflection 14.0, Attachmate was added to the path of many configuration and settings files, for example, My Documents\Attachmate\Reflection\.ssh\config. In version 13.x, Attachmate was not in the path. This note uses version 14.0 path information.

For Reflection security updates, see Technical Note 1708.

Overview of Reflection Secure Shell

Reflection Secure Shell provides the following functionality:

  • The ability to establish secure connections to both SSH1 and SSH2 protocol servers using Reflection X, Reflection for UNIX and OpenVMS, Reflection for ReGIS Graphics, Reflection for HP, and Reflection FTP Client applications.
  • Support for standard SSH features such as port forwarding (including X11), data stream compression and encryption, authentication using a password, public key or Kerberos ticket, and logging.
  • The ability to create RSA1 (SSH1 only), RSA, and DSA user keys with lengths between 512 and 32768 bits. (This feature is available both as an MS-DOS utility and through the client user interface.)
  • Support for secure file transfer, both within the Reflection FTP Client using SFTP and with standalone SCP and SFTP MS-DOS utilities.

Determining How to Configure Reflection SSH for Secure Connections

The security matrix presented below lists Reflection Secure Shell parameters and recommends how each parameter should be configured to provide minimum, medium, or high security for your PC-to-host connection.

Note the following:

  • The minimum, medium, and high classifications used in this matrix do not represent clearly defined industry terms; rather, they are subjective classifications. The intent of creating such categories is to provide a starting place for administrators who are researching PC-to-host security options.
  • The matrix contains a subset of available Secure Shell security parameters, which apply to common network configurations. Additional options are available, and may be necessary in your specific network environment.
  • The recommendation for some settings is "do not use." These are settings that have no impact or a negative impact on the security of your host-to-PC connection. These settings often apply only to SSH1, which has been deprecated.

A complete listing of SSH configuration parameters, definitions of these settings (including those shown and not shown in the following table), and each setting's default configuration can be found on the openssh.org web site (http://www.openssh.org) or, more directly, from the openbsd.org web site at http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config.

Security Matrix

Secure Shell Parameter           | Minimum Security                     | Medium Security                      | High Security              | Dialog Box*
---------------------------------+--------------------------------------+--------------------------------------+----------------------------+------------
ChallengeResponseAuthentication  | yes (default)                        | no                                   | no                         |
Cipher                           | do not use (SSH1 only)               | do not use (SSH1 only)               | do not use (SSH1 only)     | X
Ciphers                          | aes128-cbc, 3des-cbc, blowfish-cbc,  | aes128-cbc, blowfish-cbc,            | blowfish-cbc, aes256-cbc   | X
                                 | aes192-cbc, aes256-cbc               | aes192-cbc, aes256-cbc               |                            |
ClearAllForwardings              | yes                                  | yes                                  | yes                        |
CompressionLevel                 | no                                   | no                                   | no                         | X
DynamicForward                   | do not use                           | do not use                           | do not use                 |
FallBackToRsh                    | do not use                           | do not use                           | do not use                 |
GssapiAuthentication             | no (default)                         | yes                                  | yes                        | X
KbdInteractiveAuthentication     | yes (default)                        | no                                   | no                         | X
KerberosAuthentication           | do not use (SSH1 only)               | do not use (SSH1 only)               | do not use (SSH1 only)     | X
KerberosTgtPassing               | do not use (SSH1 only)               | do not use (SSH1 only)               | do not use (SSH1 only)     | X
PasswordAuthentication           | yes (default)                        | no                                   | no                         | X
PreferredAuthentications         | include all methods except: none     | include all methods except:          | include only: gssapi       |
                                 |                                      | password, none                       |                            |
Protocol                         | 2                                    | 2                                    | 2                          | X
PubkeyAuthentication             | yes (default)                        | yes (default)                        | no                         | X
RhostsAuthentication             | no                                   | no                                   | no                         |
RhostsRSAAuthentication          | no                                   | no                                   | no                         |
RSAAuthentication                | no                                   | no                                   | no                         | X
StrictHostKeyChecking            | no (default)                         | no (default)                         | yes                        | X
UseRsh                           | no                                   | no                                   | no                         |

"(SSH1 only)" indicates that the parameter applies only to SSH1.

* In the Dialog Box column, an "X" denotes that the parameter can be configured from either the Reflection interface or by editing the "My Documents\Attachmate\Reflection\.ssh\config" file. Parameters that are not marked with an "X" can be configured only from the config file. For more details, see the following sections.

Configuring Reflection Secure Shell Parameters

Reflection Secure Shell security parameters can be configured by manually editing the "My Documents\Attachmate\Reflection\.ssh\config" file, or through the Reflection interface. When selecting which configuration method best suits your needs, consider the following:

  • Both methods save Reflection Secure Shell settings to the same file, "My Documents\Attachmate\Reflection\.ssh\config."
  • Not all Reflection Secure Shell parameters are available through the Reflection interface.
  • Parameters configured through the Reflection interface apply only to a single host connection, not to all host connections, unless you use an SSH config scheme. (See the Reflection Secure Shell help topic, Config Schemes.)
  • Manually editing the config file allows you to configure parameters that apply to single host connections or multiple host connections (using wildcards).
  • Alternately, if you already have a config file on your host that is properly configured for security in your environment, you can use that file by copying it to each PC.

Using the Config File

To set the config file for basic minimum, medium, or high security, copy and paste the appropriate section below into your "My Documents\Attachmate\Reflection\.ssh\config" file.

Note the following:

  • The config file has host-specific sections, each containing parameters that apply to the specified host or group of hosts. For example:
      Host Bluebell
         Protocol 1
         PasswordAuthentication yes
      Host Redrose
         Protocol 2
         CompressionLevel 6

  • You can specify security parameters for connections to individual hosts or use the wildcard characters, "*" or "?", to specify a group of hosts.

For example, in the sample below the Protocol and PasswordAuthentication parameters would apply to host Bluebell.flowers.com, and the CompressionLevel and LogLevel parameters would apply to all hosts in the domain, *.mycompany.

      Host Bluebell.flowers.com
         Protocol 1
         PasswordAuthentication yes
      Host Greenglass.mycompany.com
         Protocol 2
      Host *.mycompany
         CompressionLevel 6
         LogLevel INFO

  • If multiple "Host" sections apply to the host a user is connecting to (as with Host Greenglass in the example above), the first applicable Host section in the file is used. Therefore, if using wildcards to specify a group of hosts, it is helpful to place individual host entries at the beginning of the file, and wildcard entries at the end of the file.
  • If a parameter you are adding already exists for the host you are configuring, change the value of the existing parameter, rather than adding a second entry for the same parameter. If multiple entries exist for the same parameter, only the first entry is used.
  • Blank lines and lines starting with the pound character, #, are comments and are not read by the client.
  • More details about configuring the Secure Shell config file can be found on the openssh.org web site (http://www.openssh.org) or, more directly, from the openbsd.org web site at http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config.

Minimum

ClearAllForwardings yes
PreferredAuthentications external-keyx,gssapi,publickey,keyboard-interactive,password
RSAAuthentication no
RhostsAuthentication no
RhostsRSAAuthentication no

Medium

ChallengeResponseAuthentication no
ClearAllForwardings yes
KbdInteractiveAuthentication no
PreferredAuthentications external-keyx,gssapi,publickey
RSAAuthentication no
RhostsAuthentication no
RhostsRSAAuthentication no
GssapiAuthentication yes

High

ChallengeResponseAuthentication no
ClearAllForwardings yes
KbdInteractiveAuthentication no
PreferredAuthentications gssapi
RhostsAuthentication no
PubkeyAuthentication no
RSAAuthentication no
RhostsRSAAuthentication no
StrictHostKeyChecking yes
GssapiAuthentication yes
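As an added example (not part of the original note), the Python below applies the config file rules described above to a constructed sample file: Host blocks match with "*" and "?" wildcards, the first entry of a parameter wins, and blank or "#" lines are ignored; it then audits the effective settings for one host against the High profile listed above, reporting every parameter that is unset (so the client default applies) or set to another value. The sample's wildcard block is written as *.mycompany.com, since a Host pattern is matched against the host name exactly as the user types it and *.mycompany would not match Greenglass.mycompany.com. Case-insensitive matching, the HIGH_SECURITY table and the function names are this example's own assumptions, not part of Reflection.

```python
from fnmatch import fnmatchcase

# Constructed sample config (not the note's own file).  The wildcard block is
# written as *.mycompany.com: patterns are matched against the host name as the
# user typed it, so '*.mycompany' would not match Greenglass.mycompany.com.
SAMPLE_CONFIG = """\
# settings before the first Host line apply to every host
StrictHostKeyChecking yes
Host Bluebell.flowers.com
   Protocol 1
   PasswordAuthentication yes
Host Greenglass.mycompany.com
   Protocol 2
   Protocol 1
Host *.mycompany.com
   CompressionLevel 6
   LogLevel INFO
"""

HIGH_SECURITY = {  # the note's High profile, used as the audit baseline (assumed table)
    "ChallengeResponseAuthentication": "no", "ClearAllForwardings": "yes",
    "KbdInteractiveAuthentication": "no", "PreferredAuthentications": "gssapi",
    "RhostsAuthentication": "no", "PubkeyAuthentication": "no", "RSAAuthentication": "no",
    "RhostsRSAAuthentication": "no", "StrictHostKeyChecking": "yes",
    "GssapiAuthentication": "yes", "Protocol": "2"}

def parse_blocks(text):
    """Return [(host_patterns, [(key, value), ...]), ...] in file order."""
    blocks = [(["*"], [])]                    # pseudo-block for pre-Host settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are not read
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks

def effective_settings(text, hostname):
    """First value seen for each parameter across every matching Host block
    (keys lower-cased; matching is case-insensitive and '!pattern' is not handled)."""
    effective = {}
    for patterns, settings in parse_blocks(text):
        if any(fnmatchcase(hostname.lower(), p.lower()) for p in patterns):
            for key, value in settings:
                effective.setdefault(key.lower(), value)   # first entry wins
    return effective

def audit(effective, baseline=HIGH_SECURITY):
    """Parameters deviating from the baseline -> actual value, or None when the
    parameter is unset and the client default applies (e.g. PubkeyAuthentication)."""
    return {k: effective.get(k.lower()) for k, want in baseline.items()
            if effective.get(k.lower(), "").lower() != want.lower()}
```

Running audit(effective_settings(SAMPLE_CONFIG, "Greenglass.mycompany.com")) reports the nine High-profile parameters the sample never sets, while Protocol and StrictHostKeyChecking pass.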

Using the Reflection Interface

Some Secure Shell settings can be configured through the Reflection interface. Settings configured from the Reflection interface are saved per connection and apply only to single host connections.

Note: To configure global Secure Shell settings for connections, use the config file (see Using the Config File above), or create an SSH config scheme from within the user interface.

To configure Secure Shell settings using the Reflection interface, follow the steps below:

  1. Start the Reflection product.
  2. Using the procedures for your Reflection product, open the Reflection Secure Shell Settings dialog box.

For Reflection for UNIX and OpenVMS and Reflection for HP with NS/VT:

    1. Click Connection > Connection Setup.
    2. Under Connect using, select Network and Secure Shell.
    3. Enter a host name and click Security. Proceed with step 3.

For Reflection X:

    1. In the Reflection X Manager, expand the Client Templates and Client Startup trees, and then select your host type.
    2. Change the connection Method to Secure Shell and enter your Host name and User name.
    3. Click Advanced and proceed with step 3.

For Reflection FTP Client:

    1. In the Connect to FTP Site dialog box, select a host to connect to and click Properties.
    2. Click Security, and then click the Secure Shell tab.
    3. Select the Use Reflection Secure Shell check box, and then click Configure. Proceed with step 3.
  3. The table below shows each of the Secure Shell parameters that can be configured through the Reflection interface, and matches each parameter to the equivalent configuration in the Reflection interface. Use this table, combined with the Security Matrix above, to configure Reflection to meet your security needs.

     Secure Shell Parameter / Configured Using…

     Cipher
        Encryption tab. View SSH protocol 1.
        Note: Cipher settings apply only to SSH1, which has been deprecated. Using SSH2 is highly recommended.

     Ciphers
        Encryption tab. Under SSH protocol 2, remove any SSH protocol 2 ciphers you do not wish to use and order the remaining ciphers by preference.

     CompressionLevel
        General tab. Select or clear Enable compression.
        Note: The compression level slider control applies only to SSH protocol 1.

     GssapiAuthentication
        General tab. Under User Authentication, select or clear GSSAPI/Kerberos.

     PasswordAuthentication
        General tab. Under User Authentication, select or clear Password.

     Protocol
        General tab. On the Protocol drop-down list, select a protocol.

     PubkeyAuthentication
        User Keys tab. Click the Generate Key button. Select your options (for example, RSA or DSA for Key Type) and click Create.
        General tab. Under User Authentication, select or clear Public Key.
        Note: If PubkeyAuthentication is enabled, you must also copy the public key from "My Documents\Attachmate\Reflection\.ssh\id_rsa.pub" or "My Documents\Attachmate\Reflection\.ssh\id_dsa.pub" to the host. For details, see the Reflection online help.

     RSAAuthentication
        User Keys tab. Click the Generate Key button. From the drop-down Key Type list, select RSA1. Select other options and click Create.
        Note the following:
        • If RSAAuthentication is enabled, you must also copy the public key from "My Documents\Attachmate\Reflection\.ssh\identity.pub" to the host. For details, see the Reflection online help.
        • RSAAuthentication applies only to SSH1, which has been deprecated. Using SSH2 is highly recommended.

Deploying Custom Secure Shell Settings

As the system administrator, you can create a customized Reflection installer that includes the Secure Shell configuration settings needed by your users. The installer method provides machine-wide Secure Shell default settings to your users.

Note the following:

  • The administrator's workstation must have the Reflection Administrator's Toolkit installed.
  • Reflection Customization Manager cannot be used to install per-user Secure Shell settings.

  1. Launch the Reflection product you are using for your secure connections and configure your Secure Shell settings as described in Configuring Reflection Secure Shell Parameters.

     When you close the Reflection Secure Shell Settings dialog box, non-default configuration information is saved automatically to <My Documents>\Attachmate\Reflection\.ssh\config. When you make connections, known host information is saved to <My Documents>\Attachmate\Reflection\.ssh\known_hosts.

     Note: If you already have a valid set of ssh_config and ssh_known_hosts files on your hosts, you can transfer them to the administrator's PC (using FTP ASCII mode) and deploy them with the Reflection Customization Manager.

  2. Create the following copies of your SSH files. (These are the file names used for configuring machine-wide settings.)
    • Create a copy of known_hosts called ssh_known_hosts.
    • Create a copy of config called ssh_config.
  3. Launch the Reflection Customization Manager (click Start > Programs > Attachmate (or WRQ) Reflection > Administrative Tools > Customization Manager) and create an administrative installation (or use an existing one).
  4. Click Customize, open the installation, and then click Add Files. Add the Secure Shell files to the installation as follows. You must install the files to the location described here:
    1. Click Add, and then Browse to locate the ssh_known_hosts you created in step 2.
    2. Select the "Install file to end user machine without shortcut" option.
    3. Under Install file to, select Shared Application Data, and enter Reflection in the second field to create a subfolder named "Reflection." Click OK.
  5. Close the open dialog boxes to return to the Customization Manager, make any other customizations you choose, and then create a shortcut for deploying your custom installation.

Users can now install Reflection using your customized installation. The Secure Shell settings will be available to all users of the PC running any Reflection client configured to use SSH.

Additional Configuration Points to Consider

Review these points to help determine how strictly you want to control user configuration functionality.

  • The ssh_config and ssh_known_hosts files in the Shared Application Data folder should have restricted write access to prevent unauthorized changes to the configuration settings or keys. (These files are typically located in Documents and Settings\All Users\Application Data\Attachmate\Reflection\ssh.)
  • The configuration and key information from these files is read first, and if a valid host match is found, the Reflection Secure Shell client will not check the user's config or known_hosts files; however, this does not prevent a user from manually creating these files in their My Documents\Attachmate\Reflection\.ssh folder. You may want to restrict access to the .ssh folder as well.
  • If you want to ensure that users do not connect to any unauthorized hosts, set the StrictHostKeyChecking parameter in the ssh_config file to "yes" at the top of the file.

Additional Suggestions

Beyond configuring Reflection Secure Shell, there are many other things administrators can do to help secure a PC-to-host connection. The following is a list of additional steps to consider when designing your security environment.

Note: This list is non-inclusive. Many other security steps may be necessary in your network environment; however, the suggestions on this list should be considered when establishing your security policies.

  • Keep all servers up to date with the current releases, patches, and updates.
  • Do not allow users to log on to systems as root.
  • Prevent remote users from making their initial logon as root by editing the sshd_config file and setting PermitRootLogin to no. Once successfully logged on as a normal user, users with permissions can then use "su" or "su -" (depending on configuration) to log on as root. For details on the su command, refer to the host's man pages.
  • Adopt strong password policies.
  • Determine if you will use SSH StrictHostKeyChecking.
  • Take precautions to secure your PCs and hosts.
  • Implement host and user keys greater than 1024K in length.
  • Configure Reflection X to be restrictive enough to meet your corporate security policy. For details about security settings available in Reflection X, see Technical Note 1677.

SSH Resources

For general information about SSH1 and SSH2, as well as information about SSH servers and clients, see the OpenSSH web page, http://www.openssh.com.

Related Technical Notes
1677 Reflection X Security Settings
1708 Security Updates and Reflection
1727 Best Practices for Configuring Reflection OpenSSH
