Environment
Reflection Pro 2014
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection X 2014
EXTRA! X-treme version 9.2 or higher
INFOConnect Enterprise Edition version 8.1 SP2 or higher
Reflection for UNIX and OpenVMS 2011
Reflection Standard Suite 2011
Reflection X 2011
Reflection Suite for X 2011
Reflection for Secure IT Windows Client version 7.x
Reflection for HP with NS/VT version 14.x
Reflection for UNIX and OpenVMS version 14.x
Reflection X version 14.x
Reflection Suite for X version 14.x
Reflection for the Multi-Host Enterprise Standard Edition version 14.x
Reflection for the Multi-Host Enterprise Professional Edition version 14.x
Reflection FTP Client version 14.x
Situation
This document provides information about the best practices to use when configuring secure, encrypted communications between a trusted host and an end user's PC, using Reflection products with Reflection Secure Shell (SSH). This note provides a matrix that suggests how to configure Reflection to establish SSH connections with minimum, medium, or high security, and provides a list of additional security considerations for your review.
Resolution
Note the following:
- Creating a secure network environment is a complex task involving many custom elements designed to fit your individual network environment and security needs. Neither the security matrix nor the additional security configuration suggestions made in this note should be considered to include all necessary security options for your environment. This information is designed to provide Reflection customers with a framework on which to start building individual security environments.
- The Secure Shell configuration described in this note applies to all Reflection terminal sessions, Reflection FTP Client sessions, and Reflection X 14.x sessions. Reflection X Advantage Secure Shell settings are saved to the Reflection X Advantage database, not to the config file described in this note, and the user interface for making changes is different. Refer to the Reflection X Advantage product help for details.
For security update information, select your product from https://support.microfocus.com/security/.
Overview of Reflection Secure Shell
Reflection Secure Shell provides the following functionality:
- The ability to establish secure connections to both SSH1 and SSH2 protocol servers using EXTRA! X-treme, INFOConnect, Reflection 2014, Reflection 2011, Reflection X, Reflection for UNIX and OpenVMS, Reflection for ReGIS Graphics, Reflection for HP, and Reflection FTP Client applications (see the Applies To section of this technical note).
- Support for standard SSH features such as port forwarding (including X11), data stream compression and encryption, authentication using a password, public key or Kerberos ticket, and logging.
- The ability to create RSA1 (SSH1 only), RSA, and DSA user keys with lengths between 512 and 8192 bits. (This feature is available both as an MS-DOS utility and through the client user interface.)
- Support for secure file transfer, both within the Reflection FTP Client using SFTP and with standalone SCP and SFTP Windows command line utilities.
Determining How to Configure Reflection SSH for Secure Connections
The security matrix presented below lists Reflection Secure Shell parameters and recommends how each parameter should be configured to provide minimum, medium, or high security for your PC-to-host connection.
Note the following:
- The minimum, medium, and high classifications used in this matrix do not represent clearly defined industry terms; rather, they are subjective classifications. The intent of creating such categories is to provide a starting place for administrators who are researching PC-to-host security options.
- The matrix contains a subset of available Secure Shell security parameters, which apply to common network configurations. Additional options are available, and may be necessary in your specific network environment.
A complete listing of SSH configuration parameters, definitions of these settings (including those shown and not shown in the following table), and each setting's default configuration can be found in each product's Help documentation available from https://support.microfocus.com/manuals/.
- The recommendation for some settings is "do not use." These are settings that have no impact or a negative impact on the security of your host to PC connection. These settings often apply only to SSH1, which has been deprecated.
Security Matrix
Secure Shell Parameter | Minimum Security | Medium Security | High Security | Dialog Box [*a]
ChallengeResponseAuthentication | no (this parameter applies only to SSH1) | no (this parameter applies only to SSH1) | no (this parameter applies only to SSH1) |
Cipher | do not use (this parameter applies only to SSH1) | do not use (this parameter applies only to SSH1) | do not use (this parameter applies only to SSH1) | X
Ciphers [*b] | aes128-ctr, aes128-cbc, 3des-cbc, blowfish-cbc, aes192-cbc, aes256-cbc | aes128-ctr, aes128-cbc, aes192-ctr, aes192-cbc, aes256-ctr, aes256-cbc, 3des-cbc, blowfish-cbc | aes256-ctr, aes192-ctr, aes128-ctr | X
ClearAllForwardings | yes | yes | yes |
CompressionLevel | no (default) | no (default) | no (default) | X
ConnectionReuse | yes (default for GUI applications) | no | no | X
DynamicForward | do not use | do not use | do not use |
FIPSMode | no (default) | yes | yes | X
GatewayPorts | no (default) | no | no |
GssapiAuthentication [*d] | no (default) | yes | yes | X
GssapiDelegateCredentials [*c] | no (default) | yes | no | X
GssapiUseSSPI [*e] | no (default) | yes | yes | X
HostKeyAlgorithms [*c] | x509v3-rsa2048-sha256, x509v3-sign-rsa, x509v3-sign-dss, ssh-rsa-sha2-256@attachmate.com, ssh-rsa, ssh-dss (default) | x509v3-rsa2048-sha256, x509v3-sign-rsa, x509v3-sign-dss, ssh-rsa-sha2-256@attachmate.com | x509v3-rsa2048-sha256, x509v3-sign-rsa, x509v3-sign-dss, ssh-rsa-sha2-256@attachmate.com |
KbdInteractiveAuthentication | yes (default) | no | no | X
KerberosAuthentication | do not use (this parameter applies only to SSH1) | do not use (this parameter applies only to SSH1) | do not use (this parameter applies only to SSH1) | X
KerberosTgtPassing | do not use (this parameter applies only to SSH1) | do not use (this parameter applies only to SSH1) | do not use (this parameter applies only to SSH1) | X
KexAlgorithms [*c] | diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256 (default) | diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, gss-group1-sha1-* | diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, gss-group1-sha1-* |
Macs [*c] | hmac-sha256, hmac-sha2-256, hmac-sha1, hmac-md5, hmac-ripemd160, hmac-sha1-96, hmac-md5-96, hmac-sha512, hmac-sha2-512 (default) | hmac-sha256, hmac-sha2-256, hmac-sha1, hmac-sha512, hmac-sha2-512 | hmac-sha256, hmac-sha2-256, hmac-sha512, hmac-sha2-512 |
PasswordAuthentication | yes (default) | no | no | X
PreferredAuthentications | include all methods except: none | include all methods except: password, none | include only: publickey, gssapi-with-mic | X
Protocol | 2 | 2 | 2 | X
PubkeyAuthentication | yes (default) | yes (default) | yes (default) | X
RSAAuthentication | no (this parameter applies only to SSH1) | no (this parameter applies only to SSH1) | no (this parameter applies only to SSH1) | X
StrictHostKeyChecking | ask (default) | ask (default) | yes | X
[*a] In the Dialog Box column, an "X" denotes that the parameter can be configured from either the Reflection interface or by editing the "My Documents\Attachmate\Reflection\.ssh\config" file. Parameters that are not marked with an "X" can be configured only from the config file. For more details, see the following sections.
[*b] The AES -ctr mode encryption algorithms are available in Reflection version 14.1, Reflection 2011, Reflection 2014, and EXTRA! 9.2 or higher.
[*c] The hmac-sha2 Macs, sha256 host key digital signature and sha256 key exchange algorithms are available in Reflection 14.1 SP3, EXTRA! 9.3, Reflection 2011 R3 or higher, and Reflection 2014.
[*d] GSSAPI authentication requires that a Kerberos Key Distribution Center be set up and configured.
[*e] GssapiUseSSPI authentication requires that a Microsoft Windows Domain be set up and all systems be joined to the domain.
Configuring Reflection Secure Shell Parameters
Reflection Secure Shell security parameters can be configured by manually editing the "My Documents\Attachmate\Reflection\.ssh\config" file, or through the Reflection interface. When selecting which configuration method best suits your needs, consider the following:
- Both methods save Reflection Secure Shell settings to the same file, "My Documents\Attachmate\Reflection\.ssh\config."
- Not all Reflection Secure Shell parameters are available through the Reflection interface.
- Parameters configured through the Reflection interface apply only to a single host connection, not to all host connections, unless you use an SSH config scheme. (See the Reflection Secure Shell help topic, Config Schemes.)
- Manually editing the config file allows you to configure parameters that apply to single host connections or multiple host connections (using wildcards).
- Alternatively, if you already have a config file on your host that is properly configured for security in your environment, you can use that file by copying it to each PC.
Using the Config File
To set the config file for basic minimum, medium, or high security, copy and paste the appropriate section below into your "My Documents\Attachmate\Reflection\.ssh\config" file.
Note the following:
- The config file has host-specific sections, each containing parameters that apply to the specified host or group of hosts. For example:
    Host Bluebell
        Protocol 1
        PasswordAuthentication yes
    Host Redrose
        Protocol 2
        CompressionLevel 6
- You can specify security parameters for connections to individual hosts or use the wildcard characters, "*" or "?", to specify a group of hosts.
For example, in the sample below the Protocol and PasswordAuthentication parameters would apply to host Bluebell.flowers.com, and the CompressionLevel and LogLevel parameters would apply to all hosts in the domain, *.mycompany.
    Host Bluebell.flowers.com
        Protocol 1
        PasswordAuthentication yes
    Host Greenglass.mycompany.com
        Protocol 2
        LogLevel QUIET
    Host *.mycompany
        CompressionLevel 6
        LogLevel INFO
- A Reflection connection will use the first occurrence of any matching Host string (including wildcard characters). Any subsequent matches will be ignored.
If multiple "Host" sections apply to the host a user is connecting to (as with Host Greenglass in the example above), the first occurrence of a parameter in the first applicable Host section in the file is used. Therefore, when using wildcards to specify a group of hosts, place the more specific host entries at the beginning of the file and the wildcard entries at the end, unless you want the wildcard setting to override that specific keyword for all matching hosts.
- If a parameter you are adding already exists for the host you are configuring, change the value of the existing parameter, rather than adding a second entry for the same parameter. If multiple entries exist for the same parameter, only the first entry is used.
- Blank lines and lines starting with the pound character, #, are comments and are not read by the client.
- More details about configuring the Secure Shell config file can be found in each product's Help documentation available from https://support.microfocus.com/manuals/.
Minimum
Note that only keywords containing non-default settings are included:
Ciphers aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256
ClearAllForwardings yes
Protocol 2
RSAAuthentication no
Medium
Note that only keywords containing non-default settings are included:
ChallengeResponseAuthentication no
Ciphers aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,3des-cbc,blowfish-cbc
ClearAllForwardings yes
KbdInteractiveAuthentication no
Macs hmac-sha256,hmac-sha2-256,hmac-sha1,hmac-sha512,hmac-sha2-512
Protocol 2
PasswordAuthentication no
PreferredAuthentications external-keyx,gssapi,publickey
RSAAuthentication no
GssapiAuthentication yes
High
Note that only keywords containing non-default settings are included:
ChallengeResponseAuthentication no
ClearAllForwardings yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Macs hmac-sha256,hmac-sha2-256,hmac-sha512,hmac-sha2-512
KbdInteractiveAuthentication no
PasswordAuthentication no
PreferredAuthentications gssapi
PubkeyAuthentication no
RSAAuthentication no
StrictHostKeyChecking yes
GssapiAuthentication yes
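The config file rules described under Using the Config File (host-specific sections, "*" and "?" wildcards, first occurrence of a keyword wins, "#" and blank lines ignored) and the High section above, worked through as an added example that is not part of this note or of the Reflection product: a small Python resolver that computes the effective settings for a host name and lists the keywords that deviate from the High profile. The sample config content, its host names, and the use of fnmatch for wildcard matching are assumptions made for the example.

```python
# Added example (not Attachmate/Micro Focus code): resolve the effective Reflection
# Secure Shell settings for a host name and audit them against the High profile.
from fnmatch import fnmatchcase
SAMPLE_CONFIG = """\
# Constructed sample config (invented host names): specific hosts first, wildcards last
Host Bluebell.flowers.com
    Protocol 2
    PasswordAuthentication yes

Host Greenglass.mycompany.com
    Protocol 2
    LogLevel QUIET
Host *.mycompany.com
    CompressionLevel 6
    LogLevel INFO
    StrictHostKeyChecking yes
    PreferredAuthentications gssapi
"""
# Keyword values copied from the High section of this note.
HIGH_PROFILE = {
    "ChallengeResponseAuthentication": "no",
    "ClearAllForwardings": "yes",
    "Ciphers": "aes128-ctr,aes192-ctr,aes256-ctr",
    "Macs": "hmac-sha256,hmac-sha2-256,hmac-sha512,hmac-sha2-512",
    "KbdInteractiveAuthentication": "no",
    "PasswordAuthentication": "no",
    "PreferredAuthentications": "gssapi",
    "PubkeyAuthentication": "no",
    "RSAAuthentication": "no",
    "StrictHostKeyChecking": "yes",
    "GssapiAuthentication": "yes",
    "Protocol": "2",
}

def parse_sections(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and '#' lines are comments, not read
        keyword, value = (line.split(None, 1) + [""])[:2]
        if keyword.lower() == "host":
            sections.append((value.split(), []))  # start a host-specific section
        elif sections:
            sections[-1][1].append((keyword.lower(), value.strip()))
    return sections

def resolve(text, hostname):
    """Effective settings (lowercase keywords): first occurrence of each wins."""
    effective = {}
    for patterns, params in parse_sections(text):
        if any(fnmatchcase(hostname, p) for p in patterns):  # '*' / '?' wildcards
            for keyword, value in params:
                effective.setdefault(keyword, value)  # later entries are ignored
    return effective

def audit_high(effective):
    """Keywords whose effective value is missing or differs from the High profile."""
    return {k: effective.get(k.lower()) for k, v in HIGH_PROFILE.items()
            if effective.get(k.lower()) != v}

if __name__ == "__main__":
    eff = resolve(SAMPLE_CONFIG, "Greenglass.mycompany.com")
    print(eff, "\ndeviates from High:", sorted(audit_high(eff)))
```

For Greenglass the wildcard section supplies CompressionLevel but not LogLevel, because the host's own section already set LogLevel first.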
Using the Reflection Interface
Some Secure Shell settings can be configured through the Reflection interface. Settings configured from the Reflection interface are saved per connection and apply only to single host connections.
Note: To configure global Secure Shell settings for connections, use the config file (see Using the Config File), or create an SSH config scheme from within the user interface.
To configure Secure Shell settings using the Reflection interface, follow the steps below:
1. Start the Reflection product.
2. Using the procedures below for your Reflection product, open the Reflection Secure Shell Settings dialog box.
   - Create a VT terminal session.
   - In the VT Document Settings dialog box:
     - Select Secure Shell
     - Enter a host name
     - Select Configure additional settings
     - Click OK
   - In the Settings for VT dialog box, click Set Up Connection Security.
   - Proceed with step 3.
   For Reflection for UNIX and OpenVMS and Reflection for HP with NS/VT:
   - Click Connection > Connection Setup.
   - Under Connect using, select Network and Secure Shell.
   - Enter a host name and click Security. Proceed with step 3.
   For Reflection X:
   - In the Reflection X Manager, expand the Client Templates and Client Startup trees, and then select your host type.
   - Change the connection Method to Secure Shell and enter your Host name and User name.
   - Click Advanced and proceed with step 3.
   For Reflection FTP Client:
   - In the Connect to FTP Site dialog box, select a host to connect to and click Properties.
   - Click Security, and then click the Secure Shell tab.
   - Select the Use Reflection Secure Shell check box, and then click Configure. Proceed with step 3.
3. The table below shows each of the Secure Shell parameters that can be configured through the Reflection interface, and matches each parameter to the equivalent configuration in the Reflection interface. Use this table, combined with the Security Matrix, to configure Reflection to meet your security needs.
Secure Shell Parameter | Configured Using…
Cipher | Encryption tab. View SSH protocol 1. Note: Cipher settings apply only to SSH1, which has been deprecated. Using SSH2 is highly recommended.
Ciphers | Encryption tab. Under SSH protocol 2, remove any SSH protocol 2 ciphers you do not wish to use and order the remaining ciphers by preference.
CompressionLevel | General tab. Select or clear Enable compression. Note: The compression level slider control applies only to SSH protocol 1.
GssapiAuthentication | General tab. Under User Authentication, select or clear GSSAPI/Kerberos.
PasswordAuthentication | General tab. Under User Authentication, select or clear Password.
Protocol | General tab. On the Protocol drop-down list, select a protocol.
PubkeyAuthentication | User Keys tab. Click the Generate Key button. Select your options (for example, RSA or DSA for Key Type) and click Create. General tab. Under User Authentication, select or clear Public Key. Note: If PubkeyAuthentication is enabled, you must also copy the public key from "My Documents\Attachmate\Reflection\.ssh\id_rsa.pub" or "My Documents\Attachmate\Reflection\.ssh\id_dsa.pub" to the host. For details, see the Reflection online help.
RSAAuthentication | User Keys tab. Click the Generate Key button. From the drop-down Key Type list, select RSA1. Select other options and click Create. Note: If RSAAuthentication is enabled, you must also copy the public key from "My Documents\Attachmate\Reflection\.ssh\identity.pub" to the host. For details, see the Reflection online help. RSAAuthentication applies only to SSH1, which has been deprecated. Using SSH2 is highly recommended.
Deploying Custom Secure Shell Settings
System administrators can simplify user setup by deploying system-wide (global) Secure Shell settings to client computers.
- Launch the product you are using for your secure connections and configure your Secure Shell settings as described in Configuring Reflection Secure Shell Parameters.
When you close the Reflection Secure Shell Settings dialog box, non-default configuration information is saved automatically to <My Documents>\Attachmate\Reflection\.ssh\config.
When you make connections, known host information is saved to <My Documents>\Attachmate\Reflection\.ssh\known_hosts.
- Create the following copies of your Secure Shell files. These are the file names used for configuring system-wide/global settings.
- Create a copy of config called ssh_config.
- Create a copy of known_hosts called ssh_known_hosts.
- Deploy ssh_config and ssh_known_hosts to the Reflection application data folder.
The procedure depends on which product you are using.
In Reflection 14.x
Go to Help > Help Topics and see "Deploying custom Secure Shell settings in Reflection 14.0.x."
For general deployment information, see the System Administrator Guide at https://docs.attachmate.com/reflection/14.1/r14_1sag.pdf.
In Reflection for Secure IT 7.x
Go to Help > Help Topics and see the topic "Deploying Secure Shell Settings in Reflection for Secure IT 7.0.x".
For general deployment information, see the User Guide at https://support.microfocus.com/manuals/rsit_win_client.html.
In Reflection 2014
Click Help > Contents > Secure Connections > Secure Shell Configurations Files, and see "Deploy Secure Shell Settings with a Companion Installer."
For general deployment information, see "Installation and Deployment Guide" at https://docs.attachmate.com/reflection/2014/r1/deploy/deploymentguide.pdf.
In Reflection 2011
Click Help > Contents > Secure Connections > Secure Shell Configurations Files, and see "Deploy Secure Shell Settings with a Companion Installer."
For general deployment information, see "Installation and Deployment Guide" at https://docs.attachmate.com/reflection/2011/r3/deploy/deploymentguide.pdf.
The Deployment Guide for Reflection X 2011 and Reflection Suite for X 2011 is available at https://support.microfocus.com/manuals/rx_rsx_2011.html.
In EXTRA! X-treme
See "Customizing the EXTRA! X-treme Installation" in Help: https://docs.attachmate.com/extra/x-treme/9.2/help/en/index.htm.
In INFOConnect Enterprise Edition
See "Appendix C: Attachmate Customization Tool Reference" in the Product Guide at https://docs.attachmate.com/infoconnect/ented/9.1sp1/pdf/product_guide_infoconnect.pdf.
Additional Configuration Points to Consider
Review these points to help determine how strictly you want to control user configuration functionality.
- The ssh_config and ssh_known_hosts files in the Shared Application Data folder should have restricted write access to prevent unauthorized changes to the configuration settings or keys. (These files are typically located in Documents and Settings\All Users\Application Data\Attachmate\Reflection\ssh)
- The configuration and key information from these files will be read first, and if a valid host match is found, the Reflection Secure Shell client will not check the user's config or known_hosts files; however, this does not preclude a user from manually creating these files in their My Documents\Attachmate\Reflection\.ssh folder. You may want to restrict access to the .ssh folder as well.
- If you want to ensure that users do not connect to any unauthorized hosts, set the StrictHostKeyChecking parameter in the ssh_config file to "yes" at the top of the file.
Additional Suggestions
Beyond configuring Reflection Secure Shell, there are many other things administrators can do to help secure a PC-to-host connection. The following is a list of additional steps to consider when designing your security environment.
Note: This list is non-inclusive. Many other security steps may be necessary in your network environment; however, the suggestions on this list should be considered when establishing your security policies.
- Keep all servers up to date with the current releases, patches, and updates.
- Do not allow users to log on to systems as root.
- Prevent remote users from making their initial logon as root by editing the sshd_config file and setting PermitRootLogin to no. Once successfully logged on as a normal user, users with permissions can then use "sudo", "su" or "su -" (depending on configuration) to log on as root. For details on the su and sudo commands, refer to the host's man pages.
- Adopt strong password policies.
- Determine if you will use SSH StrictHostKeyChecking.
- Take precautions to secure your PCs and hosts.
- Implement host and user keys greater than 2048 bits in length.
- Configure Reflection X to be restrictive enough to meet your corporate security policy. For details about security settings available in Reflection X, see KB 7021774.
SSH Resources
For general information about SSH1 and SSH2, as well as information about SSH servers and clients, see the OpenSSH web page, http://www.openssh.com.