Environment
Situation
Resolution
Overview
A settings file is a record of your Reflection settings preferences saved in a file; it includes such information as host name, host window size, and many other settings. A config file is a record of your Secure Shell settings preferences saved in a file. Users can create settings files to use when they launch a Reflection session, and they can create a config file to use before they connect to the host.
As an administrator, you can create a site-default Reflection settings files as well as a system-wide config file to deploy to your users. The following sections describe two types of settings files, config files, and known hosts files in Reflection for Secure IT. The last section of this document explains the order of precedence for user-specific and system-wide Secure Shell settings.
Note: This technical note does not include information about the settings update file or the settings layout file. For information about these settings files, see the Reflection help.
File Locations and Upgrading
Some file locations changed from version 6.0 to version 6.1 through 7.1 SP1. If you have Reflection for Secure IT version 6.0 installed and you upgrade to 6.1 by installing over version 6.0, your paths will retain the 6.0 location.
If you remove version 6.0 before you install 6.1 or higher, the path locations will default to the 6.1 through 7.1 SP1 location. Note: If version 6.0 is removed before 6.1 through 7.1 SP1 is installed, the new installation will not find the previous settings in the config or known_hosts files. To use the previous settings, copy the config and known_hosts files to the new location (C:\Documents and Settings\Username\My Documents\Attachmate\Reflection).
Complete Settings Files
Complete settings files are used to save changes to your Reflection application settings. Setting files can be created by individual users and by administrators.
User-defined Complete Settings Files (<file name>.r3w)
When Reflection launches, it opens with application defaults and an "Untitled" title bar on the terminal window. An individual user can change settings and then save the changes by clicking File > Save As, entering a file name (such as mysettings.r3w), and clicking Save. The settings file is saved to the default location for the product version.
Version 6.1 or higher default location:
C:\Documents and Settings\My Documents\<username>\Attachmate\Reflection
Version 6.0 default location:
C:\Documents and Settings\My Documents\<username>\Reflection
The settings can be reset to factory defaults by clicking Setup > Defaults. Users are prompted to confirm the reset.
You can launch Reflection by double-clicking the <file name>.r3w file or by clicking a shortcut that you create.
Creating a Shortcut
To launch Reflection with mysettings.r3w, create a shortcut as follows:
- Click File > Save As, and click the Shortcut button to open the Shortcut dialog box.
- Select the "Create a shortcut when saving settings files" check box, and select the "Place the shortcut" option of your choice.
Administrator-defined Complete Settings Files (site.r3w)
Beginning in Reflection for Secure IT version 6.1, a site default settings file, site.r3w, is available for administrators to silently give users a set of site default settings that are different from factory default settings.
An administrator can manually create the site.r3w file and deploy it with a deployment package to the location, C:\Program Files\Attachmate\Rsecure (or to C:\Program Files\WRQ\RSecure in version 6.0). Reflection will search for and launch with the site.r3w file if it is in this location. (The Profiler utility cannot be used to create this file.)
Note: Deploying a site.r3w settings file will not change existing user-created settings files. However, any new user-created settings files will include the site default settings.
How Site Default Settings Work
When Reflection launches, the title bar is "Untitled" (unless changed in the site default settings file), and it appears to users to be an untitled session with factory defaults; though in reality, the session is using site default settings.
If Reflection is launched with a custom settings file, such as mysettings.r3w, and the user clicks Setup > Defaults and chooses to go back to defaults, then the session will be set back to site defaults (per site.r3w), not to factory defaults.
If a user launches Reflection with a site.r3w file present and then changes and saves settings, the user will be prompted to save the settings file in the default user location: C:\Documents and Settings\My Documents\username\Attachmate\Reflection (or C:\Documents and Settings\My Documents\username\Reflection inversion 6.0).
Migration Note: Site.r3w is similar to F-Secure client's default.ssh file.
Attachmate recommends that administrators use site.r3w to deploy default settings to users. Note: Not all settings can be deployed using the site.r3w file; be sure to test your settings file before you deploy to your users.
Viewing Your Settings
To view your settings, click Setup > View Settings. You can choose to view All settings, Settings changed from site default, or Settings changed from factory default.
Secure Shell Settings Files
Secure Shell settings files enable you to save security settings in a config file. Users can create their own config file, and administrators can create a system-wide configuration file, ssh_config.
User-specific Configuration File (config)
Reflection Secure Shell settings are stored in a file named config. A config file is created when a user changes a setting to a non-default value in the Reflection Secure Shell Settings dialog box and clicks OK. (To open Secure Shell Settings, click Connection > Connection Setup, enter a host name, and click the Security button.)
Default Location
By default, Reflection looks in the following default locations for a config file. You can specify a non-default config file location by using use the –F option on the command line.
Version 6.1 or higher Config Default location:
C:\Documents and Settings\<username>\My Documents\Attachmate\Reflection\.ssh
Version 6.0 Config Default location:
C:\Documents and Settings\<username>\My Documents\Reflection\.ssh
SSH Config Schemes
A config file is comprised of one or more SSH config schemes; SSH config scheme names are identified using the Host keyword. The sample config file below contains two SSH config schemes: MyHost.Demo.Com and GeneralSSH.
The settings under MyHost.Demo.Com identify a set of Secure Shell settings using an actual host name. These settings will be used for all connections that specify MyHost.Demo.Com as the SSH config scheme, and also for connections to that host when no SSH config scheme is specified.
Because GeneralSSH does not identify an actual host address, these settings will be used only if you specify this SSH config scheme when you configure your Reflection session.
Note: If you use this sample config file to make a connection to a new host (not MyHost.Demo.com) and you do not specify the GeneralSSH scheme, Reflection will connect using the default Secure Shell settings.
Sample Config File
Host MyHost.Demo.Com
Protocol 2
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
RSAAuthentication no
IdentityFile "C:\Documents and Settings\username\My Documents\Attachmate\Reflection\.ssh\mykey"
LogLevel VERBOSE
#EndHost
Host GeneralSSH
StrictHostKeyChecking yes
ServerAlive yes
#EndHost
System-wide Configuration File (ssh_config)
Ssh_config is a system-wide configuration file that administrators can use to configure security settings for all users. The ssh_config file can be deployed to C:\Documents and Settings\All Users\Application Data\Attachmate\Reflection.
A user cannot overwrite the ssh_config file that is in the All Users location.
When a user loads secure shell settings from the ssh_config file using an ssh config scheme name and changes the secure shell settings through the Secure Shell Settings dialog box, the changed settings are written to a file called config in the user's profile.
The scheme names that are included in the ssh_config file will appear in the SSH config scheme drop down list in the Connection dialog box. On the command line the -H option can be used to find a scheme name with the ssh or ssh2 command.
Known Hosts Files
Reflection for Secure IT maintains a list of known hosts in the known hosts file. There are two possible locations for this file, one for the current user (known_hosts) and one for all users of the pc (ssh_known hosts).
User's list (known_hosts)
The default known hosts file, called known_hosts, is located in the \Reflection\.ssh folder. Reflection automatically updates this file when you update the Trusted Host Keys list in the Host Keys tab of the Secure Shell settings dialog box.
This file is also updated when you connect to a previously unknown host and answer "Always" in response to the Host Key Authenticity prompt.
System-wide list (ssh_known_hosts)
Ssh_known_hosts is a system-wide list of known host keys. The advantage of using an ssh_known_hosts file is that users are not prompted to accept the identity of the hosts listed in the ssh_known_hosts file when making a connection to that host.
System administrators can add a system-wide ssh_known_hosts file to the Reflection application data folder (for example, C:\Documents and Settings\All Users\Application Data\Attachmate\Reflection). In this location the known hosts file provides a list of hosts for all users of the PC. Keys in this list can be viewed—but not edited—in the Global Host Keys list (located in the Host Keys tab of the Secure Shell Settings dialog box).
Administrators can also use the Reflection Customization Manager (available with the Reflection Administrator's Toolkit) to add such a file to a Reflection installation. As a result, the end-user machines can be correctly configured for Secure Shell the first time the users launch Reflection.
Deploying Reflection Secure Shell Settings
To deploy custom Secure Shell settings, follow the procedure in Reflection help. Click Help > Help Topics > Reflection Secure Shell Topics > Configuring Secure Shell > Deploying Secure Shell settings.
Reflection for Secure IT can be customized and deployed from an Administrative Installation. Use the Reflection Customization Manager to configure your customizations. Files can be added to the customized package and installed in All User locations and under Program Files. You can deploy ssh_config, site.r3w, and ssh_known_hosts in this way. For information on 7.x, see the Reflection for Secure IT 7.x User Guide.
Ssh_config and ssh_known_hosts can be deployed to C:\Documents and Settings\All Users\Application Data\Attachmate\Reflection and be read as system-wide settings. Attachmate recommends that you, as an administrator, use the Secure Shell Settings dialog box to create a config file and then change the name to ssh_config and add it to the package.
Order of Precedence for Reflection Secure Shell Settings
Secure Shell settings can be configured in several locations, so it is important to know which setting takes precedence. The following list defines the order of precedence for Secure Shell settings, with command line options taking precedence over all other settings:
2. Config (user-specific settings)
3. Ssh_config (system-wide settings)
Within a config or ssh_config file, the settings read first are the ones used.
Example of Precedence
In the following example, a user runs SSH from the command line using -o to set authentication to password and –H to find the ssh config scheme, Host1.
Command Line:
C:\Documents and Settings\<username>>ssh
-oPreferredAuthentications=password -oPasswordAuthentication=yes -H
testing username@Host1
The user's machine has two Secure Shell configuration files: config and ssh_config, as follows.
Config File (user-specific Secure Shell settings)
Location: C:\Documents and Settings\<username>\My Documents\Attachmate\Reflection\.ssh
Contents:
Host Host1
Port 22
Protocol 2
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication no
PreferredAuthentications publickey,password,keyboard-interactive,gssapi-with-mic,external-keyx,gssapi
IdentityFile "C:\Documents and Settings\username\My Documents\Attachmate\Reflection\.ssh\key-sk123-ge"
LogLevel DEBUG3
#EndHost
Host Host1
Port 22
Protocol 1
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication no
PreferredAuthentications publickey,password,keyboard-interactive,gssapi-with-mic,external-keyx,gssapi
IdentityFile "C:\Documents and Settings\username\My Documents\Attachmate\Reflection\.ssh\key-sk123"
LogLevel DEBUG2
Ssh_config File (system-wide Secure Shell settings)
Location: C:\Documents and Settings\All Users\Application Data\Attachmate\Reflection
Contents:
Host Host1
Protocol 2
Port 2222
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication no
PreferredAuthentications publickey,password,keyboard-interactive,gssapi-with-mic,external-keyx,gssapi
IdentityFile "C:\Documents and Settings\username\My Documents\Attachmate\Reflection\.ssh\key-sk123-ge"
Loglevel DEBUG1
DisplayRows 132
InverseVideo yes
#EndHost
Final result
The settings set on the command line takes precedence over the same settings in the user-specific config file, and the settings in config take precedence over the same settings in the system-wide ssh_config file. Based on the order of precedence, below is a list of the settings that will be used:
Authentication: passwordPort 22
LogLevel: DEBUG3
DisplayRows 132
InverseVideo yes