Connection / SSH2


The SSH2 category of the Session Options dialog allows you to configure your SSH2 [The second version of the SSH protocol which provides a way to encrypt network traffic between a client and a server, with a slightly different set of security features (including SFTP) than the SSH1 protocol provides.] connection. The SSH2 category only appears when you have selected SSH2, SFTP, or SCP as your Protocol.

SSH2 Overview

SSH2 provides secure communication over a nonsecure channel by encrypting the data channel with the cipher algorithm selected for the session by the user. The selected cipher must also be supported by the destination SSH2 server; if it is not, an error is reported during the connection attempt. The cipher encrypts all network traffic between the local machine and the SSH2 server, thus providing data privacy [The concept that data should only be viewed or accessed by those with authorization to do so. Data privacy is achieved using a cipher to encrypt data.] .

If you have installed SecureCRT® 5.0 or newer on the same machine as SecureFX 3.0 or newer, you can also set up port forwarding [The concept of connecting a logical port on a local machine to a port on a remote machine over a secure (encrypted) channel. All requests for services sent to the local port are then forwarded across the secure channel to the corresponding port on the remote machine.] . Port forwarding is another feature based on SSH security. See "Port Forwarding with SSH" in the SecureCRT Help system to learn more about encrypting connections for other applications (such as IMAP) that are not secure by default.

SSH2 connection settings include hostname, port, username, and authentication [The process of verifying that an individual truly is who he or she claims to be. Supplying a password is a very common method of authentication.] .

Hostname

The hostname or IP address [Every site that is reachable on the Internet must have a valid IP, or Internet Protocol, address. An IP address should be entered as four numbers separated by period (.) characters (for example: 198.105.232.1).] of the remote machine that provides the SSH2 service.

Port

The port number of the SSH2 service on the remote machine. For SSH2, the default port is 22.

Firewall

If your connection involves a firewall, select your firewall from the list of firewalls that have been configured in the Global Options/Firewall dialog.

Note: You can also select an SSH2 session to be used as a firewall. When a session is specified as a firewall, the firewall session will be connected first.

Username

The username used to log on to the remote machine.

Credentials

The set of credentials used to log on to the remote machine. Press the Manage Saved Credentials button to add or edit saved credentials.

Authentication group

SecureFX supports several authentication methods for connecting to SSH2 servers, and will attempt to connect using them in the order that you specify.

Password authentication transmits the user's password to the server to authenticate the connection. The transmitted password is protected from network eavesdropping, due to the cipher encryption [The process of converting a data transmission into a secret format that cannot easily be read by unauthorized individuals. See also: decryption.] of the data channel.

Note: If the remote machine supports both the SSH2 protocol and changing passwords at the protocol level, the password for an SSH2 session can be changed from the Password Properties dialog by clicking the Change Password button. To open that dialog, select Password in the Authentication group and click the Properties button.

PublicKey authentication uses a public/private key pair to authenticate the connection. During the authentication process, the client offers a public key and the server indicates whether that key is acceptable for the account. Once a public key has been accepted, the client uses the corresponding private key to sign a message that includes the session identifier, a value unique to this connection, together with the username and the requested service. This signature is sent to the server for verification. If verification succeeds, the client is given permission to connect to the server; because the session identifier is part of the signed data, a captured signature cannot be replayed on a different connection. The security of the mechanism requires that no one but the owner have access to the private key, so the private key should be kept in a file readable only by its owner and, where possible, protected with a passphrase. The private key is stored locally in an identity file [Identity files are two files containing the public-private key pair used to connect to an SSH server using RSA or DSA authentication. The Identity.pub file contains only the public key and is uploaded to the SSH server. The corresponding Identity file contains both public and private keys. Though "identity" is usually the name given to identity files, other file names can be used.] . Also, prior to using public-key authentication, the public key must be made available to the SSH2 server.
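The signature step described above, as an added example that is not part of the SecureFX help or of SecureFX's own code. It builds the exact byte string an SSH2 client signs for a publickey SSH_MSG_USERAUTH_REQUEST (RFC 4252, section 7) and checks it the way a server does. Ed25519 is used only because it is in the Go standard library; the session identifiers, username and key are constructed for illustration, and a real session identifier is the exchange hash from the first key exchange.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes bytes as an SSH "string": uint32 big-endian length, then the bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readString decodes one SSH "string" and returns the remaining bytes.
func readString(b []byte) (s, rest []byte, ok bool) {
	if len(b) < 4 {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(len(b)-4) < uint64(n) {
		return nil, nil, false
	}
	return b[4 : 4+n], b[4+n:], true
}

// ed25519Blob is the public key blob as stored on the server: string "ssh-ed25519", string key.
func ed25519Blob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

const msgUserauthRequest = 50 // SSH_MSG_USERAUTH_REQUEST

// userauthSignedData is the byte string that is signed (RFC 4252 section 7): the session
// identifier followed by the fields of the USERAUTH_REQUEST packet. Binding the session
// identifier is what stops a captured signature from being replayed on another connection.
func userauthSignedData(sessionID []byte, user, service string, pubBlob []byte) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(msgUserauthRequest)
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte(service)))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature follows
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pubBlob))
	return buf.Bytes()
}

// ClientSign is the client side: sign with the identity file's private key and return the
// wire-format signature (string algorithm name, string signature bytes).
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	data := userauthSignedData(sessionID, user, "ssh-connection", ed25519Blob(pub))
	sig := ed25519.Sign(priv, data)
	return append(sshString([]byte("ssh-ed25519")), sshString(sig)...)
}

// ServerVerify is the server side: rebuild the signed data from its own session identifier
// and the request fields, then verify against the key that is authorized for the account.
func ServerVerify(authorized ed25519.PublicKey, sessionID []byte, user string, wireSig []byte) bool {
	alg, rest, ok := readString(wireSig)
	if !ok || string(alg) != "ssh-ed25519" {
		return false
	}
	sig, rest, ok := readString(rest)
	if !ok || len(rest) != 0 || len(sig) != ed25519.SignatureSize {
		return false
	}
	data := userauthSignedData(sessionID, user, "ssh-connection", ed25519Blob(authorized))
	return ed25519.Verify(authorized, data, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sessionA := []byte("constructed-session-id-A") // constructed; real value is the exchange hash H
	sessionB := []byte("constructed-session-id-B")
	sig := ClientSign(priv, sessionA, "alice")
	fmt.Println("same session, same user:", ServerVerify(pub, sessionA, "alice", sig))
	fmt.Println("replayed on another session:", ServerVerify(pub, sessionB, "alice", sig))
	fmt.Println("same session, other user:", ServerVerify(pub, sessionA, "bob", sig))
}
```

The server never receives the private key; it only needs the public key blob it already holds, which is why the public key has to be installed on the server before this method can succeed.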

Keyboard Interactive authentication allows you to use the keyboard to respond to challenges put forth by the server.

GSSAPI (Generic Security Services Application Program Interface) is a generic API for performing client/server authentication. GSSAPI allows SecureFX to authenticate with a server without knowing anything about the specific authentication mechanism in use.  For more information about using GSSAPI, see the GSSAPI Properties dialog.

Key exchange group

Key exchange is part of establishing trust between a client and a Secure Shell server. SecureFX supports several algorithms for doing key exchange and will attempt to use them in the order that you specify.

Diffie-Hellman key exchange algorithms are common cryptographic protocols which are supported by Secure Shell servers.

GSSAPI key exchange algorithms can be used to connect to SSH2 servers that support GSSAPI. When a GSSAPI key exchange algorithm is specified and the server supports it, further authentication is not needed if you already have GSSAPI credentials (e.g., by logging onto a Windows machine that is part of an Active Directory domain).  

If a GSSAPI key exchange algorithm is specified and is not supported by the server, there could be a delay during connection because the server is waiting to time out. To prevent this delay, uncheck the GSSAPI key exchange algorithms.

Minimum group exchange prime size

Specifies the smallest prime, in bits, that the client will accept when a Diffie-Hellman group exchange algorithm is used. With group exchange, the server chooses the prime; this setting causes a connection to be refused rather than proceed with a group smaller than the minimum. Primes of 1024 bits or less are considered weak, so a minimum of 2048 bits is the safer choice where the servers you connect to support it.
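The checks that this setting and the Diffie-Hellman key exchange paragraph above describe, as an added example that is not part of the SecureFX help or of SecureFX's own code: a client-side validation of the group a server proposes in Diffie-Hellman group exchange (RFC 4419), followed by the exchange itself. The prime size check is the one the minimum group exchange prime size setting controls; the safe-prime and generator checks are what a careful client also applies. The group p = 23, g = 5 is a constructed toy group so the example runs instantly; real groups are thousands of bits.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// GexRequest carries the client's SSH_MSG_KEX_DH_GEX_REQUEST: acceptable prime sizes in bits.
type GexRequest struct{ Min, Preferred, Max int }

// GexGroup carries the server's SSH_MSG_KEX_DH_GEX_GROUP reply.
type GexGroup struct{ P, G *big.Int }

// ValidateGroup applies the checks a client should make before using a server-chosen group:
// the prime must be within the requested size range (Min is the "Minimum group exchange
// prime size"), p must be a safe prime (p = 2q + 1 with q prime) so that no small subgroup
// beyond order 2 exists, and g must lie in [2, p-2].
func ValidateGroup(req GexRequest, grp GexGroup) error {
	bits := grp.P.BitLen()
	if bits < req.Min || bits > req.Max {
		return fmt.Errorf("prime is %d bits, outside requested range [%d, %d]", bits, req.Min, req.Max)
	}
	if !grp.P.ProbablyPrime(32) {
		return errors.New("p is not prime")
	}
	q := new(big.Int).Rsh(new(big.Int).Sub(grp.P, big.NewInt(1)), 1) // q = (p-1)/2
	if !q.ProbablyPrime(32) {
		return errors.New("p is not a safe prime")
	}
	pMinus2 := new(big.Int).Sub(grp.P, big.NewInt(2))
	if grp.G.Cmp(big.NewInt(2)) < 0 || grp.G.Cmp(pMinus2) > 0 {
		return errors.New("g is outside [2, p-2]")
	}
	return nil
}

// DHPublic computes g^x mod p, the value each side sends.
func DHPublic(grp GexGroup, x *big.Int) *big.Int {
	return new(big.Int).Exp(grp.G, x, grp.P)
}

// ValidatePeerPublic rejects the degenerate values 0, 1 and p-1, which would force the
// shared secret to a value the peer can predict without knowing any exponent.
func ValidatePeerPublic(grp GexGroup, e *big.Int) error {
	pMinus2 := new(big.Int).Sub(grp.P, big.NewInt(2))
	if e.Cmp(big.NewInt(2)) < 0 || e.Cmp(pMinus2) > 0 {
		return errors.New("peer public value is outside [2, p-2]")
	}
	return nil
}

// SharedSecret validates the peer's value and then computes peer^x mod p.
func SharedSecret(grp GexGroup, x, peer *big.Int) (*big.Int, error) {
	if err := ValidatePeerPublic(grp, peer); err != nil {
		return nil, err
	}
	return new(big.Int).Exp(peer, x, grp.P), nil
}

func main() {
	// Constructed toy group for illustration only: p = 23 = 2*11 + 1, g = 5.
	toy := GexGroup{P: big.NewInt(23), G: big.NewInt(5)}
	fmt.Println("2048-bit minimum:", ValidateGroup(GexRequest{2048, 2048, 8192}, toy))
	fmt.Println("toy minimum:", ValidateGroup(GexRequest{5, 5, 8}, toy))

	// Both sides pick a private exponent (constructed here; real ones are random and large).
	x, y := big.NewInt(6), big.NewInt(15)
	e, f := DHPublic(toy, x), DHPublic(toy, y)
	kClient, _ := SharedSecret(toy, x, f)
	kServer, _ := SharedSecret(toy, y, e)
	fmt.Println("shared secret agrees:", kClient.Cmp(kServer) == 0, kClient)
}
```

With the 2048-bit minimum the toy group is refused before any exponentiation happens, which is the behaviour the setting buys you against a server that offers an undersized group.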

 

Related Topics

  1. Session Options/Connection
  2. Session Options/Connection/SSH2/Advanced