ssh2_config
The system-wide configuration file of the command-line client, ssh2_config, can be found in the installation directory (by default C:\Program Files\SSH Communications Security\SSH Secure Shell).
Copy the ssh2_config file to the directory %ALLUSERSPROFILE%\Application Data\SSH, from where the program reads it.
To make personal settings, copy the file to the %USERPROFILE%\Application Data\SSH directory.
FIPS Mode
To use the FIPS-certified cryptographic library with the command-line clients, edit the ssh2_config file and add the following option as the first item in the file (after the comments):
FIPSmode yes
GSSAPI Configuration
Both the client and the server use a similar configuration data format.
The name of the GSSAPI method is gssapi. It can be specified with the AllowedAuthentications keyword in the ssh2_config and sshd2_config configuration files.
There are two additional GSSAPI-related keywords: GSSAPI.AllowedMethods and GSSAPI.DelegateToken.
GSSAPI.AllowedMethods specifies the actual mechanisms that are to be used through GSSAPI. Windows implements both the Kerberos5 and NTLM mechanisms. The default value is Kerberos,NTLM.
GSSAPI.DelegateToken is a boolean variable (with possible values yes and no), which specifies whether the client requests delegating the GSSAPI authentication over several connections. The default value is no.
The following is a sample GSSAPI configuration from the ssh2_config configuration file:
AllowedAuthentications "gssapi,password"
GSSAPI.AllowedMethods "ntlm,kerberos"
GSSAPI.DelegateToken yes
GSSAPI is an option in the Connect to Remote Host dialog and in the
Authentication page. The configuration is stored separately for each
profile.
Strict Modes
The StrictModes option can be used to make the client check the permissions and ownership of the credentials used during public-key authentication. Specifically, this checks the user's configuration directory (by default %USERPROFILE%\Application Data\SSH) and private keys. The files and directories must be accessible only by the user, the Administrators group, and the SYSTEM account. The owner must be the user or the Administrators group.
To enable strict modes, add the following line in the ssh2_config file:
StrictModes yes
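Before enabling StrictModes, the ownership and access rule described above can be checked by hand. The following PowerShell audit is an added example, not part of the product or of this documentation; the function name Test-SshStrictAcl is hypothetical, PowerShell 3.0 or later is assumed, and the check approximates the rule as stated on this page (how the client itself treats inherited or Deny entries is not documented here).

```powershell
# Added example: audit the ACL rule that StrictModes is described as enforcing.
# Test-SshStrictAcl is a hypothetical helper name, not a product command.
function Test-SshStrictAcl {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $admins  = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators
    $system  = 'S-1-5-18'       # well-known SID: NT AUTHORITY\SYSTEM

    $acl      = Get-Acl -LiteralPath $Path
    $owner    = $acl.GetOwner($sidType).Value
    $problems = @()

    # The owner must be the user or the Administrators group.
    if ($owner -notin @($me, $admins)) {
        $problems += "owner $owner is neither the user nor Administrators"
    }

    # Any Allow entry (explicit or inherited) for another principal fails the check.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($sid -notin @($me, $admins, $system)) {
            $problems += "$sid is granted $($rule.FileSystemRights)"
        }
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Default user configuration directory as documented on this page.
$dir = Join-Path $env:USERPROFILE 'Application Data\SSH'
if (Test-Path -LiteralPath $dir) {
    # Check the directory itself and every file under it (private keys included).
    @(Get-Item -LiteralPath $dir -Force) + @(Get-ChildItem -LiteralPath $dir -Recurse -Force) |
        ForEach-Object { Test-SshStrictAcl -Path $_.FullName } |
        Where-Object { -not $_.Ok } |
        Format-List Path, Problems
}
```

No output means every checked item is owned by the user or Administrators and grants access only to the user, Administrators, and SYSTEM.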
User Configuration Directory
The UserConfigDirectory option can be used to specify where user-specific configuration data is found for the command-line clients. It is equivalent to the -k command-line option of ssh2.exe, scp2.exe, and sftp2.exe.
The value is given as a pattern string which is expanded by ssh2. %D is "%USERPROFILE%/Application Data/SSH" and %U is the user's login name. The default is %D.
To use an alternate location, specify it in the system-wide ssh2_config file, for example by adding the following line:
UserConfigDirectory "c:/alternate_directory/%U/"
Note that any configuration set in ssh2_config affects only the command-line clients, and this setting is configurable in ssh2_config only. The GUI client always uses the "%USERPROFILE%\Application Data\SSH" directory.
Disabling SSH1 Emulation
To disable SSH1 emulation with the command-line client, add the following line to your %USERPROFILE%\Application Data\SSH\ssh2_config file:
Ssh1InternalEmulation no