SSH Tectia

Defining General Settings

On the General page, you can select the cryptographic library to be used and define the SSH Tectia tray icon settings.

General settings

Figure 4.1. General settings

Configuration File

Shows the location of the user-specific Broker configuration file. The default location is "%APPDATA%\SSH\ssh-broker-config.xml".

Each time the configuration file is saved, a backup of the old configuration is stored in "%APPDATA%\SSH\ssh-broker-config-backup.xml".

Cryptographic Library

SSH Tectia Client can be operated in FIPS mode, using a version of the cryptographic library that has been validated according to the Federal Information Processing Standard (FIPS) 140-2. In this mode, the cryptographic operations are performed according to the rules of the FIPS 140-2 standard.

Select whether to use the Standard or the FIPS 140-2 certified version of the cryptographic library.

[Note]Note

Setting the FIPS mode does not prevent using algorithms from crypto plugins. For example, CryptiCore can be used even when the main crypto library is set in the FIPS mode. To enforce that only FIPS-compliant algorithms are used, disable the non-FIPS algorithms in the configuration, both in the default settings (see Defining Ciphers and Defining MACs under Defining Default Connection Settings) and in every connection profile that defines its own cipher or MAC list (see the profile-specific Defining Ciphers and Defining MACs).

Connection Broker

Select whether to hide the SSH Tectia tray icon from the Windows task bar, and whether to show the Exit and Configuration options in the shortcut menu.

Defining Default Connection Settings

The Default Connection page allows you to edit the default settings for authentication (Defining Authentication), ciphers (Defining Ciphers), MACs (Defining MACs), server connections (Defining Server Connections), and tunneling (Defining Default Tunneling Settings).

Newly created connection profiles will inherit the default settings defined here. The values can be customized on the profile-specific tabbed pages and they override the default settings. See Defining Authentication, Defining Ciphers, Defining MACs, and Defining Server Connections.

Defining Authentication

On the Authentication tab, you can define the default user authentication methods.

Authentication methods for SSH Tectia Client

Figure 4.2. Authentication methods for SSH Tectia Client

Select the Use factory defaults check box to use the factory default authentication methods, or clear the check box to define a custom list of authentication methods.

In SSH Tectia Client 6.0, the factory default authentication methods are, in order:

  • Public-key

  • Password

  • Keyboard-interactive

  • GSSAPI

To add a new authentication method to the list, click Add and select the method from the drop-down menu.

To remove an authentication method, select the method from the list and click Delete.

Use the arrow buttons to organize the preferred order of the authentication methods. The first method that is allowed by the Secure Shell server is used. Note that in some cases, the server may require several authentication methods to be passed before allowing login.

Possible methods for user authentication are:

  • Password: Users are requested to enter a password for authentication.

  • Public-key: Users are requested to use public-key authentication. See also Defining User Authentication.

  • Keyboard-interactive: Keyboard-interactive is designed to allow the Secure Shell client to support several different types of authentication methods, including RSA SecurID and PAM. For more information on keyboard-interactive, see User Authentication with Keyboard-Interactive.

  • GSSAPI: GSSAPI (Generic Security Service Application Programming Interface) is a common security service interface that allows different security mechanisms to be used via one interface. For more information on GSSAPI, see User Authentication with GSSAPI.

Defining Ciphers

On the Ciphers tab, you can define the encryption algorithms used.

Defining a cipher list

Figure 4.3. Defining a cipher list

Select the Use factory defaults check box to use the factory default algorithms, or define a cipher list using the arrow buttons. The ciphers are tried in the order they are specified.

The factory default ciphers are, in order:

  • CryptiCore

  • AES-128-CBC

  • AES-192-CBC

  • AES-256-CBC

  • AES-128-CTR

  • AES-192-CTR

  • AES-256-CTR

  • 3DES

  • SEED

The ciphers that can operate in the FIPS mode are 3DES and the CBC-mode AES-128, AES-192, and AES-256. The counter-mode AES ciphers, CryptiCore, and SEED are not available in FIPS mode. Note that selecting the FIPS library does not remove these ciphers from the list (see the note under Defining General Settings); if you require FIPS mode, also delete them from the list here and in any profile-specific cipher list.

Defining MACs

On the MACs tab, you can configure the message integrity algorithms used.

Defining a MAC list

Figure 4.4. Defining a MAC list

Select the Use factory defaults check box to use the factory default algorithms, or define a MAC list using the arrow buttons. The MACs are tried in the order they are specified.

The factory default MACs are, in order:

  • CryptiCore

  • HMAC-MD5

  • HMAC-SHA1

Of these, only HMAC-SHA1 can operate in the FIPS mode. CryptiCore and HMAC-MD5 cannot, and selecting the FIPS library does not remove them from the list (see the note under Defining General Settings); if you require FIPS mode, also delete them from the list here and in any profile-specific MAC list.
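The note under Defining General Settings and the FIPS remarks in Defining Ciphers and Defining MACs all make the same point: choosing the FIPS library does not by itself remove non-FIPS ciphers and MACs from the lists. The following script, added here as an example and not part of SSH Tectia or its documentation, audits a Broker configuration for that inconsistency and produces a pruned copy. The XML element and attribute names it reads (crypto-lib mode, ciphers/cipher name, macs/mac name) and the sample configuration are assumptions constructed for the example; the FIPS-capable algorithm sets are the ones stated on this page.

```python
# Added example (not SSH Tectia product code): audit a Broker configuration for
# algorithms that the FIPS-mode library cannot use. The element and attribute
# names (<crypto-lib mode>, <ciphers><cipher name>, <macs><mac name>) and the
# sample XML below are assumptions constructed for this example.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the factory-default cipher and MAC lists from this page,
# with the crypto library switched to FIPS mode.
SAMPLE_CONFIG = """<secsh-broker version="1.0">
  <general>
    <crypto-lib mode="fips"/>
  </general>
  <default-settings>
    <ciphers>
      <cipher name="CryptiCore"/>
      <cipher name="AES-128-CBC"/>
      <cipher name="AES-192-CBC"/>
      <cipher name="AES-256-CBC"/>
      <cipher name="AES-128-CTR"/>
      <cipher name="AES-192-CTR"/>
      <cipher name="AES-256-CTR"/>
      <cipher name="3DES"/>
      <cipher name="SEED"/>
    </ciphers>
    <macs>
      <mac name="CryptiCore"/>
      <mac name="HMAC-MD5"/>
      <mac name="HMAC-SHA1"/>
    </macs>
  </default-settings>
</secsh-broker>
"""


def normalize(name):
    """Collapse display and wire spellings: 'AES-128-CBC' and 'aes128-cbc' both give 'aes128cbc'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


# FIPS-capable algorithms as stated on this page (display names plus common wire
# spellings, normalized so either form matches).
FIPS_CIPHERS = {normalize(n) for n in ("3DES", "3des-cbc", "AES-128-CBC", "AES-192-CBC", "AES-256-CBC")}
FIPS_MACS = {normalize(n) for n in ("HMAC-SHA1",)}


def crypto_mode(root):
    node = root.find("./general/crypto-lib")
    return (node.get("mode", "standard") if node is not None else "standard").lower()


def algorithm_names(root, section, tag):
    return [e.get("name", "") for e in root.findall(f"./default-settings/{section}/{tag}")]


def audit(xml_text):
    """Report which configured algorithms are unusable in FIPS mode."""
    root = ET.fromstring(xml_text)
    mode = crypto_mode(root)
    non_fips_ciphers = [c for c in algorithm_names(root, "ciphers", "cipher") if normalize(c) not in FIPS_CIPHERS]
    non_fips_macs = [m for m in algorithm_names(root, "macs", "mac") if normalize(m) not in FIPS_MACS]
    return {
        "mode": mode,
        "non_fips_ciphers": non_fips_ciphers,
        "non_fips_macs": non_fips_macs,
        # A standard-mode config is always consistent; a FIPS-mode one must list only FIPS algorithms.
        "consistent": mode != "fips" or not (non_fips_ciphers or non_fips_macs),
    }


def prune_to_fips(xml_text):
    """Return the configuration with every non-FIPS cipher and MAC removed, order preserved."""
    root = ET.fromstring(xml_text)
    for section, tag, allowed in (("ciphers", "cipher", FIPS_CIPHERS), ("macs", "mac", FIPS_MACS)):
        parent = root.find(f"./default-settings/{section}")
        if parent is None:
            continue
        for elem in list(parent.findall(tag)):
            if normalize(elem.get("name", "")) not in allowed:
                parent.remove(elem)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("mode:", report["mode"], "consistent:", report["consistent"])
    print("non-FIPS ciphers:", report["non_fips_ciphers"])
    print("non-FIPS MACs:", report["non_fips_macs"])
    print(prune_to_fips(SAMPLE_CONFIG))
```

Run against the sample, the audit flags CryptiCore, the three AES-CTR ciphers and SEED, plus the CryptiCore and HMAC-MD5 MACs; the pruned copy keeps only the CBC AES ciphers, 3DES and HMAC-SHA1, in their original order. To use it on a real file, read "%APPDATA%\SSH\ssh-broker-config.xml" instead of SAMPLE_CONFIG and adjust the element names if your configuration differs from the assumed ones.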

Defining Server Connections

On the Server tab, you can define advanced server connection settings.

Defining server connection settings

Figure 4.5. Defining server connection settings

Use factory defaults

Select the check box to use the default values for the server connection settings.

Transport distribution

Define the number of transport channels used by the Secure Shell connection. Using more than one transport may increase the throughput over low bandwidth connections. Currently, a value of 1 to 8 transports is supported. The default is 2 transport channels.

Idle timeout

Specify how long a connection may stay idle (after all its channels are closed) before the Connection Broker closes it automatically. The default is 5 seconds. A longer time keeps the authenticated connection to the server open even after a session (for example, the SSH Tectia terminal GUI) is closed, so that a new session to the same server can be started without re-authentication. Weigh this convenience against the fact that, during that time, the connection remains usable without re-authentication by anyone who can use the Broker as you. Setting the time to 0 (zero) terminates the connection immediately when the last channel to the server is closed.

TCP Connection Timeout

Specify how long (in seconds) a TCP connection attempt to a Secure Shell server is allowed to take; after that time the attempt is abandoned if the remote server is down or unreachable. Setting the value to 0 (zero) disables this SSH Tectia setting, and the system default TCP timeout is used. By default, the system timeout is used.

Keepalive interval

Specify an interval (in seconds) for sending keepalive messages to a Secure Shell server. The default is 0, meaning that no keepalive messages are sent.

Exclusive connection

Select this check box if you always want a new connection opened instead of reusing a currently open connection.

Show server banner

Select this check box if you want to have the server banner message file (if it exists) visible to users before login.

Show authentication success message

Clear this check box if you do not want the AuthenticationSuccessMsg messages to be output and logged. By default, the messages are enabled.

SFTP compatibility mode

Select a suitable mode for transferring files with SFTP. This setting affects the behaviour of the get/mget/sget and put/mput/sput commands and the recursion level used by the sftpg3 client. The following options are available:

  • tectia (the default) - sftpg3 transfers files recursively from the current directory and all its subdirectories.

  • ftp - the get/put commands are executed as sget/sput meaning that they transfer a single file, and no subdirectories are copied.

  • openssh - copies only regular files and symbolic links from the specified directory, and no subdirectories are copied. Otherwise the semantics of the get command are unchanged.

The mode set here can be overridden with the environment variable SSH_SFTP_CMD_GETPUT_MODE.

The recursion depth can also be overridden by using the sftpg3 client's commands get/put/mget/mput with command-line option --max-depth="LEVEL". For more information, see sftpg3(1).

Defining Default Tunneling Settings

On the Tunneling tab, you can define the default settings for X11 connections and agent forwarding (tunneling). The defaults are applied to new connection profiles and to those connection profiles that do not have their own tunneling settings defined.

Defining default tunneling settings

Figure 4.6. Defining default tunneling settings

Select the Use factory defaults check box to apply the factory defaults for X11 and agent forwarding. According to the factory defaults, both forwarding methods are disabled (off).

Select the Tunnel X11 connections check box to allow X11 forwarding on the client side. Enable it only for servers you trust: a forwarded X11 connection gives programs running on the server access to your local display.

Select the Allow Agent Forwarding check box to allow agent forwarding on the client side. Enable it only for servers you trust: while a connection with agent forwarding is open, anyone with sufficient privileges on that server can use the forwarded agent to authenticate with your keys.

Defining Proxy Rules

On the Proxy Rules page, you can define proxy rules to be used for connections.

Defining proxy rules

Figure 4.7. Defining proxy rules

To add a new proxy rule:

  1. Click Add. The Proxy Rule dialog box opens.

  2. Select the Type of the rule. The type can be Direct (no proxy), Socks4, Socks5, or Http.

    Defining proxy settings

    Figure 4.8. Defining proxy settings

    For other types than direct, enter the proxy Server address and Port.

    Select also whether the proxy rule applies to Any connection or only to connections to the specified Network. In the Network field, you can enter one or more conditions delimited by commas (,). The conditions can specify IP addresses or DNS names.

    The IP address/port conditions have an address pattern and an optional port range (ip_pattern[:port_range]).

    The ip_pattern may have one of the following forms:

    • a single IP address x.x.x.x

    • an IP address range of the form x.x.x.x-y.y.y.y

    • an IP sub-network mask of the form x.x.x.x/y

    The DNS name conditions consist of a host name pattern, which may contain the wildcard characters "*" (any sequence of characters) and "?" (any single character), and an optional port range (name_pattern[:port_range]).

    Click OK.

To edit a proxy rule, select a rule from the list and click Edit.

To delete a proxy rule, select a rule from the list and click Delete.

The rules are read from the top down, and the first rule whose conditions match the connection is applied. Use the arrow buttons to change the order of the rules.

To use these general proxy rules with a connection profile, you must select to do so in the profile settings. See Defining Proxy Settings.
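To make the Network condition syntax and the top-down rule evaluation concrete, the following script, added here as an example and not part of SSH Tectia, evaluates a rule list against a target host and port. The condition grammar (ip_pattern[:port_range] with single addresses, x-y ranges and x/y networks; name_pattern[:port_range] with "*" and "?") follows this page; the dict-based rule representation, the sample rule set, the treatment of an absent port range as "any port", and the restriction to IPv4 addresses and DNS names are this example's own assumptions.

```python
# Added example (not SSH Tectia product code): evaluate proxy rules top-down
# using the Network condition syntax described on this page. The rule
# representation (dicts) and the sample rule set are this example's own
# assumptions; only IPv4 addresses and DNS names are handled.
import ipaddress
import re


def parse_port_range(text):
    """'22' -> (22, 22); '22-2222' -> (22, 2222); absent -> any port (assumption)."""
    if not text:
        return (1, 65535)
    lo, _, hi = text.partition("-")
    return (int(lo), int(hi or lo))


def split_condition(cond):
    """Split 'pattern[:port_range]' on the last colon (IPv4 and host names only)."""
    pattern, sep, ports = cond.rpartition(":")
    return (pattern, ports) if sep else (cond, "")


def ip_matches(pattern, host):
    """ip_pattern forms from the page: x.x.x.x, x.x.x.x-y.y.y.y, or x.x.x.x/y."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False  # host is a DNS name; an IP pattern cannot match it
    if "/" in pattern:
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    if "-" in pattern:
        lo, hi = (ipaddress.IPv4Address(p) for p in pattern.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.IPv4Address(pattern)


def name_matches(pattern, host):
    """name_pattern with '*' (any run of characters) and '?' (one character), case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def condition_matches(cond, host, port):
    pattern, ports = split_condition(cond.strip())
    lo, hi = parse_port_range(ports)
    if not lo <= port <= hi:
        return False
    if re.fullmatch(r"[0-9./-]+", pattern):
        return ip_matches(pattern, host)
    return name_matches(pattern, host)


def select_proxy(rules, host, port):
    """First rule whose Network matches wins; a rule without Network applies to Any connection."""
    for rule in rules:
        network = rule.get("network")
        if network is None or any(condition_matches(c, host, port) for c in network.split(",")):
            return rule
    return None  # no rule matched


# Constructed sample rule set, in the order it would appear in the Proxy Rules list.
RULES = [
    {"type": "direct", "network": "10.0.0.0/8, 192.168.1.1-192.168.1.254, *.corp.example:22"},
    {"type": "socks5", "server": "socks.corp.example", "port": 1080, "network": "*.partner.example:22-2222"},
    {"type": "http", "server": "proxy.corp.example", "port": 8080},  # Any connection
]


if __name__ == "__main__":
    for host, port in (("10.20.30.40", 22), ("git.corp.example", 443),
                       ("sftp.partner.example", 2222), ("192.168.1.255", 22)):
        rule = select_proxy(RULES, host, port)
        print(f"{host}:{port} -> {rule['type'] if rule else 'no rule'}")
```

Two details worth checking when you write real rules: an IP pattern never matches a host given by DNS name (the Broker would have to resolve it first, which this example does not do), and a name pattern with a port range such as *.corp.example:22 does not cover the same hosts on other ports, so those connections fall through to the next rule, here the catch-all HTTP proxy.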

Defining Logging Settings

On the Logging page, you can customize the information that is logged in the event log.

Logging settings

Figure 4.9. Logging settings

Each event has an associated Action and Type. They have reasonable default values, which are used if no explicit logging settings are made.

The action can be either log or discard.

The event type can be one of the following:

  • Informational

  • Warning

  • Error

  • Security success

  • Security failure

To change whether the event is logged or not, select an event from the list and click Log/Discard. You can select multiple events by holding down the SHIFT or CTRL key while clicking.

To customize the event action and type, select an event from the list and click Edit. You can select multiple events by holding down the SHIFT or CTRL key while clicking. The Edit Audit dialog box opens. Select the Action (log or discard) and the Type (informational, warning, error, security-success or security-failure) for the event and click OK.