Reflection for Secure IT Windows Server Settings

  • 7022014
  • 01-Feb-2008
  • 02-Mar-2018

Environment

Reflection for Secure IT Windows Server version 8.0 or higher

Situation

Beginning in version 7.0, Reflection for Secure IT Windows Server settings are saved in XML format. This technical note provides an example of a server settings file, rsshd_config.xml.

Resolution

Rsshd_config.xml Server Settings File

Beginning in version 7.0, server settings are saved to the rsshd_config.xml file. You should use only the Reflection SSH Server console to change server settings. (In earlier versions it was possible, and sometimes necessary, to edit the sshd2_config file in order to enable specific server settings.) In version 7.x, all keywords supported by the server can be edited in the Reflection SSH Server console.

Note: It is useful to save copies of rsshd_config.xml for backup, to configure other servers, and to quickly compare the settings of one server with another. It is possible to view the rsshd_config.xml file in a browser or an editor of your choice; however, editing the file outside of the Reflection SSH Server console is not recommended.

File Location

The rsshd_config.xml file location depends on the operating system.

Windows Server 2008 or 2012:

ProgramData\Attachmate\RSecureServer\rsshd_config.xml

Windows Server 2003:

Documents and Settings\All Users\Application Data\Attachmate\RSecureServer\rsshd_config.xml

Because all of the keywords are created and edited by the Reflection SSH Server console, allowed values are best viewed in that application.

Sample rsshd_config.xml

The following sample rsshd_config.xml file shows some of the keywords that may be listed in a server configuration file. It is not an exhaustive list because not all keywords are initially visible in the .xml file; keywords whose default values have not been modified may not appear in the .xml file.

Use the Reflection SSH Server console to edit your rsshd_config.xml file.

<SshServerSettings version="8.0">
  <UISettings>
    <ShowToolbar>true</ShowToolbar>
  </UISettings>
  <Identity>
    <HostKeyFile>C:\ProgramData\Attachmate\RSecureServer\hostkey</HostKeyFile>
    <HostCertificateFile />
    <HostCertificatePrivateKeyFile />
    <ProtocolVersionString />
    <UseComputerCertificate>false</UseComputerCertificate>
    <ComputerCertificateName />
    <ComputerCertificateHash />
  </Identity>
  <General>
    <MaximumConnection>60</MaximumConnection>
    <MaximumConnectionsPerUser>50</MaximumConnectionsPerUser>
    <IdleTimeOut>0</IdleTimeOut>
    <BannerMessageFile />
  </General>
  <Network>
    <Bindings>
      <Binding>
        <ListenAddress>::</ListenAddress>
        <Port>22</Port>
        <RequireDNSLookup>false</RequireDNSLookup>
        <TCPKeepAlive>true</TCPKeepAlive>
        <TCPKeepAliveTimeout>60</TCPKeepAliveTimeout>
      </Binding>
      <Binding>
        <ListenAddress>0.0.0.0</ListenAddress>
        <Port>22</Port>
        <RequireDNSLookup>false</RequireDNSLookup>
        <TCPKeepAlive>true</TCPKeepAlive>
        <TCPKeepAliveTimeout>60</TCPKeepAliveTimeout>
      </Binding>
    </Bindings>
  </Network>
  <EventLogging>
    <LogToEventLog>true</LogToEventLog>
    <EventLoggingLevel>2</EventLoggingLevel>
    <EventLogEvents />
  </EventLogging>
  <DebugLogging>
    <LogToFile>false</LogToFile>
    <FileLoggingLevel>3</FileLoggingLevel>
    <LogFileEvents />
    <LogFileFormat>0</LogFileFormat>
    <LogFileDirectory>C:\ProgramData\Attachmate\RSecureServer\Logs</LogFileDirectory>
    <LogFileRollOverBySize>true</LogFileRollOverBySize>
    <LogFileMaximumSize>4</LogFileMaximumSize>
    <LogFileRollOverByTime>false</LogFileRollOverByTime>
    <RollOverBaseTime>0</RollOverBaseTime>
    <RollOverRepeatTime>24</RollOverRepeatTime>
    <LogFileInUnicode>false</LogFileInUnicode>
    <UnicodeCodePage>65001</UnicodeCodePage>
    <LogFileWrapColumn>0</LogFileWrapColumn>
    <LogFileTimeStampsInUTC>true</LogFileTimeStampsInUTC>
  </DebugLogging>
  <Auditing>
    <AuditLogDirectory>C:\ProgramData\Attachmate\RSecureServer\Logs</AuditLogDirectory>
    <FileTransfer>
      <AuditFileTransfers>false</AuditFileTransfers>
      <IncludeFileHash>true</IncludeFileHash>
    </FileTransfer>
  </Auditing>
  <Encryption>
    <KeyExchange>
      <Diffie_Hellman_Group1_SHA1>true</Diffie_Hellman_Group1_SHA1>
      <Diffie_Hellman_Group14_SHA1>true</Diffie_Hellman_Group14_SHA1>
      <Diffie_Hellman_Gex_SHA1>true</Diffie_Hellman_Gex_SHA1>
      <Diffie_Hellman_Gex_SHA256>true</Diffie_Hellman_Gex_SHA256>
      <Gss_Group1_SHA1_Kerberos>true</Gss_Group1_SHA1_Kerberos>
      <Gss_Gex_SHA1_Kerberos>true</Gss_Gex_SHA1_Kerberos>
      <RekeyIntervalSeconds>3600</RekeyIntervalSeconds>
    </KeyExchange>
    <Ciphers>
      <aes128-cbc>4</aes128-cbc>
      <aes192-cbc>5</aes192-cbc>
      <aes256-cbc>6</aes256-cbc>
      <des3-cbc>7</des3-cbc>
      <blowfish-cbc>8</blowfish-cbc>
      <cast128-cbc>9</cast128-cbc>
      <arcfour>12</arcfour>
      <NoEncryption>0</NoEncryption>
      <aes128-ctr>1</aes128-ctr>
      <aes192-ctr>2</aes192-ctr>
      <aes256-ctr>3</aes256-ctr>
      <arcfour128>11</arcfour128>
      <arcfour256>10</arcfour256>
    </Ciphers>
    <MACs>
      <hmac-sha1>2</hmac-sha1>
      <hmac-md5>3</hmac-md5>
      <hmac-sha1-96>4</hmac-sha1-96>
      <hmac-md5-96>5</hmac-md5-96>
      <hmac-ripemd160>6</hmac-ripemd160>
      <NoProtection>0</NoProtection>
      <hmac-sha256>1</hmac-sha256>
      <hmac-sha512>7</hmac-sha512>
    </MACs>
    <Compression>
      <zlib>true</zlib>
      <none>true</none>
    </Compression>
    <FipsMode>false</FipsMode>
  </Encryption>
  <Authentication>
    <GraceLoginTimeout>120</GraceLoginTimeout>
    <IPBlockingWindowsDuration>300</IPBlockingWindowsDuration>
    <IPBlockingThreshold>20</IPBlockingThreshold>
    <IPBlockingLockoutTime>3600</IPBlockingLockoutTime>
    <AuthImmediateDisconnect>false</AuthImmediateDisconnect>
    <AuthFailureErrorMessages>false</AuthFailureErrorMessages>
    <KeyboardInteractiveSendTitle>true</KeyboardInteractiveSendTitle>
    <RecordPasswordForCaching>false</RecordPasswordForCaching>
    <UsePasswordCache>false</UsePasswordCache>
    <Password>
      <PasswordAuthentication>2</PasswordAuthentication>
      <MaximumPasswordAttempts>3</MaximumPasswordAttempts>
      <PasswordAttemptDelay>2</PasswordAttemptDelay>
      <PermitEmptyPassword>false</PermitEmptyPassword>
      <PermitPasswordChange>true</PermitPasswordChange>
      <AllowKeyboardInteractiveAuthentication>2</AllowKeyboardInteractiveAuthentication>
      <KeyboardInteractiveChecked>true</KeyboardInteractiveChecked>
    </Password>
    <RSASecurID>
      <RSASecurIDAuthentication>1</RSASecurIDAuthentication>
      <MaximumRSASecurIDAttempts>3</MaximumRSASecurIDAttempts>
      <RSASecurIDAttemptDelay>2</RSASecurIDAttemptDelay>
      <RSASecurIDAgentPath>C:\Program Files\Common Files\RSA Shared\Auth API</RSASecurIDAgentPath>
    </RSASecurID>
    <Radius>
      <UseRadius>false</UseRadius>
      <AllowLocalPwdAuth>false</AllowLocalPwdAuth>
      <RadiusServers />
    </Radius>
    <PublicKeys>
      <AllowPublicKeyAuthentication>2</AllowPublicKeyAuthentication>
      <UserKeyDirectory>%D\.ssh2</UserKeyDirectory>
      <AuthorizationFile>authorization</AuthorizationFile>
      <PublicKeyMinSize>512</PublicKeyMinSize>
      <PublicKeyMaxSize>8192</PublicKeyMaxSize>
      <MaxPublicKeyAttempts>100</MaxPublicKeyAttempts>
      <Certificates>
        <PKIServers>
          <PKIServerEntry>
            <PKIServerBindAddress>localhost</PKIServerBindAddress>
            <PKIServerBindPort>18081</PKIServerBindPort>
            <PKIServerPublicKeyFile>C:\ProgramData\Attachmate\ReflectionPKI\config\pki_key.pub</PKIServerPublicKeyFile>
            <PKIServerEnabled>true</PKIServerEnabled>
          </PKIServerEntry>
        </PKIServers>
      </Certificates>
    </PublicKeys>
    <GSSAPI>
      <AllowGSSAPIAuthentication>1</AllowGSSAPIAuthentication>
    </GSSAPI>
  </Authentication>
  <Permission>
    <DenyAllLogins>false</DenyAllLogins>
    <PermitTerminalShell>true</PermitTerminalShell>
    <TerminalShell>"%SystemRoot%\System32\cmd.exe"</TerminalShell>
    <TerminalDefaultDirectory>%D</TerminalDefaultDirectory>
    <EnableResume>true</EnableResume>
    <PermitExecutionRequest>true</PermitExecutionRequest>
    <ExecutionRequestPrefix />
    <PermitNonInteractiveLogon>true</PermitNonInteractiveLogon>
    <PermitSCP>true</PermitSCP>
    <UseScpAccessibleDirectories>false</UseScpAccessibleDirectories>
    <PermitSFTP>true</PermitSFTP>
    <PermitC2SPortForwarding>true</PermitC2SPortForwarding>
    <PermitS2CPortForwarding>true</PermitS2CPortForwarding>
  </Permission>
  <SFTPDirectories>
    <AllowAll>true</AllowAll>
    <AccessibleDirectories>
      <AccessibleDirectory>
        <Allow>true</Allow>
        <VirtualDirectory>Home</VirtualDirectory>
        <Type>Local</Type>
        <PhysicalDirectory>%D</PhysicalDirectory>
        <DirectoryPermissions>
          <Browse>true</Browse>
          <Download>true</Download>
          <Upload>true</Upload>
          <Delete>true</Delete>
          <Rename>true</Rename>
        </DirectoryPermissions>
        <CredentialId />
      </AccessibleDirectory>
    </AccessibleDirectories>
    <HomeDirectory>/Home</HomeDirectory>
    <MountWhenUsed>true</MountWhenUsed>
  </SFTPDirectories>
  <MappedDrives />
  <ExternalUsers>
    <Allow>false</Allow>
    <RestrictPermissions>true</RestrictPermissions>
    <ConfigManagerHost>localhost</ConfigManagerHost>
    <ConfigManagerPort>9190</ConfigManagerPort>
    <CredentialId>-1</CredentialId>
  </ExternalUsers>
  <ClientHostAccessControl />
  <GroupAccessControl />
  <UserAccessControl />
  <ClientHostConfiguration />
  <GroupConfiguration>
    <DrivesAndDirsInheritedFromAllGroups>false</DrivesAndDirsInheritedFromAllGroups>
  </GroupConfiguration>
  <UserConfiguration />
</SshServerSettings>
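The note above suggests keeping copies of rsshd_config.xml to compare one server against another, and the sample file shows which keyword paths a reviewer will find. The following Python script is an added example, not a tool shipped with Reflection for Secure IT and not code from this technical note: it reads a settings file without modifying it (in keeping with the advice to edit only through the console), flattens it into keyword paths, reports differences between two copies, and lists a few settings a security reviewer would want to look at. The element names and paths are taken from the sample file; the review rules (which boolean values to flag, which cipher and MAC names count as legacy) are this example's own choices. The note does not document what the numeric values under Ciphers and MACs mean, so the script reports those values verbatim rather than interpreting them. The embedded sample documents are constructed, abbreviated fragments of the file shown above.

```python
"""Read-only review and comparison of rsshd_config.xml settings files (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abbreviated fragment of the rsshd_config.xml shown in the note.
SAMPLE_A = """<SshServerSettings version="8.0">
  <Network><Bindings>
    <Binding><ListenAddress>::</ListenAddress><Port>22</Port></Binding>
    <Binding><ListenAddress>0.0.0.0</ListenAddress><Port>22</Port></Binding>
  </Bindings></Network>
  <Encryption>
    <KeyExchange>
      <Diffie_Hellman_Group1_SHA1>true</Diffie_Hellman_Group1_SHA1>
      <Diffie_Hellman_Gex_SHA256>true</Diffie_Hellman_Gex_SHA256>
    </KeyExchange>
    <Ciphers>
      <aes256-ctr>3</aes256-ctr>
      <arcfour>12</arcfour>
      <NoEncryption>0</NoEncryption>
    </Ciphers>
    <MACs>
      <hmac-sha256>1</hmac-sha256>
      <hmac-md5>3</hmac-md5>
    </MACs>
    <FipsMode>false</FipsMode>
  </Encryption>
  <Authentication><Password>
    <PermitEmptyPassword>false</PermitEmptyPassword>
  </Password></Authentication>
</SshServerSettings>"""

# Constructed second copy, as if exported from another server: FIPS mode on, arcfour entry absent.
SAMPLE_B = SAMPLE_A.replace("<FipsMode>false", "<FipsMode>true").replace("<arcfour>12</arcfour>\n", "")

# Boolean keywords with a clear review reading. Rule set is this example's assumption.
BOOLEAN_CHECKS: Dict[str, Tuple[str, str]] = {
    "SshServerSettings/Encryption/KeyExchange/Diffie_Hellman_Group1_SHA1":
        ("false", "diffie-hellman-group1-sha1 uses a 1024-bit group and SHA-1"),
    "SshServerSettings/Encryption/FipsMode":
        ("true", "FIPS mode is disabled"),
    "SshServerSettings/Authentication/Password/PermitEmptyPassword":
        ("false", "empty passwords are permitted"),
}

# Cipher/MAC element names worth a second look when present. Their numeric values are
# not explained by the note, so they are reported as-is, not judged enabled or disabled.
LEGACY_ALGOS = {"arcfour", "arcfour128", "arcfour256", "des3-cbc", "blowfish-cbc",
                "cast128-cbc", "NoEncryption", "hmac-md5", "hmac-md5-96",
                "hmac-sha1-96", "NoProtection"}


def flatten(xml_text: str) -> Dict[str, str]:
    """Map every leaf element to its slash-separated path; repeated siblings get [n]."""
    root = ET.fromstring(xml_text)
    out: Dict[str, str] = {}

    def walk(el: ET.Element, path: str) -> None:
        children = list(el)
        if not children:
            out[path] = (el.text or "").strip()   # empty elements such as <RadiusServers /> become ""
            return
        counts: Dict[str, int] = {}
        for child in children:
            counts[child.tag] = counts.get(child.tag, 0) + 1
        seen: Dict[str, int] = {}
        for child in children:
            tag = child.tag
            if counts[tag] > 1:                  # e.g. the two <Binding> entries under <Bindings>
                seen[tag] = seen.get(tag, 0) + 1
                tag = f"{tag}[{seen[tag]}]"
            walk(child, f"{path}/{tag}")

    walk(root, root.tag)
    return out


def audit(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the rules above; empty list means nothing flagged."""
    findings: List[str] = []
    for path, (expected, why) in BOOLEAN_CHECKS.items():
        actual = settings.get(path)
        if actual is not None and actual.lower() != expected:
            findings.append(f"{path}={actual}: {why}")
    for path, value in settings.items():
        name = path.rsplit("/", 1)[-1]
        if name in LEGACY_ALGOS and ("/Ciphers/" in path or "/MACs/" in path):
            findings.append(f"{path}={value}: legacy algorithm listed; confirm its state in the console")
    return findings


def diff_settings(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (path, value_in_a, value_in_b) for every keyword that differs between two files."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


if __name__ == "__main__":
    # With real files: flatten(open(r"C:\ProgramData\Attachmate\RSecureServer\rsshd_config.xml").read())
    a, b = flatten(SAMPLE_A), flatten(SAMPLE_B)
    for line in audit(a):
        print("REVIEW", line)
    for path, va, vb in diff_settings(a, b):
        print("DIFF", path, repr(va), "->", repr(vb))
```

On a real export, read the file with `open(...)` as the comment in the block shows; keyword paths match the element nesting in the sample above, so additional rules can be added to `BOOLEAN_CHECKS` by path without touching the parser.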

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2289.