SSH

General

The General page contains the general server settings, for example, the maximum number of connections and processes, settings for load control, FIPS mode, and banner message.

Figure 4.4. Tectia Server Configuration - General page


Maximum number of connections / Total number of connections / Maximum number of processes

Tectia Server uses a distributed architecture where the master server process launches several servant processes that handle the actual client connections. The number of simultaneous client connections the server can accept is therefore the Maximum number of connections (per servant) multiplied by the Maximum number of processes. This product is not the same thing as the Total number of connections setting below, which controls servant lifetime.

Limiting the maximum number of connections is useful in systems where system overload may be caused by a high load in the server program when opening new connections.

Maximum number of connections defines the maximum number of client connections allowed per servant. The default (and recommended) value is 256.

Total number of connections defines the maximum number of connections that a servant will handle before the server should start a new servant in its place. The allowed value range is 1-4,000,000,000. If no value is given (default), the servant-lifetime functionality will be disabled and the servants are never retired. This corresponds to the servant-lifetime element in the server configuration file (see servant-lifetime).

Maximum number of processes defines the maximum number of servant processes the master server will launch. The value range is 1 to 2048. The default (and recommended) value is 40.

The maximum number of connections a server can handle depends on system resources, including the maximum number of open file descriptors, the maximum number of processes available to a single user, the maximum number of available PIDs, and the amount of memory available.

Load Control / Discard limit / White list size

Load Control defines settings for keeping Tectia Server working when the load is high, that is, the number of current connections is near the maximum allowed number of connections. High load might be caused by a connection flood denial-of-service attack that tries to make the server unavailable to its intended users by using so much of its resources that normal service is disrupted. Load control is enabled by default. To disable load control, clear the Enable check box.

[Note]Note

If Maximum number of connections is set to 1, load control will be disabled.

Load control is implemented by keeping a "white list" of the IP addresses of connections that have had a successful authentication. When Tectia Server starts, the white list is empty. When the server's load is high, connections from IP addresses that are not on the white list (that is, connections that have not recently had a successful authentication) are discarded.

When the number of a servant's concurrent connections is not higher than the value of Discard limit, the servant accepts connections from any IP address. When the number of a servant's concurrent connections exceeds the Discard limit, only connections from IP addresses that are on the server's white list are accepted. If existing servants cannot accept any more connections, but the Maximum number of processes (that is, the maximum number of servant processes the master server will launch) limit has not been reached, the server launches a new servant process which will accept new connections.

The allowed value range for Discard limit is 1 to Maximum number of connections - 1. The default value is 90 percent of the value of Maximum number of connections.

White list size specifies the number of IP addresses on the server's white list. The allowed value range is 1 to 10000. The default value is 1000.
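The following simulation, added here as an illustration and not part of Tectia Server or its documentation, walks through the load-control rules above: a per-servant connection cap, a Discard limit below which any address is accepted, a bounded white list of addresses that have authenticated, and a master that launches a new servant only when no existing servant will take the connection. Class and method names are assumptions, as is the oldest-first eviction of a full white list (the page states only the list's size). The constructed scenario shows why an address that authenticated before a connection flood still gets in while unseen addresses are discarded.

```python
"""Load-control walkthrough for the Tectia Server settings described above.

Added simulation, not Tectia code: it models one master with servant
processes, a per-servant connection cap (Maximum number of connections),
a Discard limit, and a bounded white list of IPs that have authenticated.
Class and method names are assumptions; the oldest-first eviction of the
white list is an assumption too (the page only states the list's size).
"""
from collections import OrderedDict


class WhiteList:
    """Bounded set of client IPs that recently authenticated successfully."""

    def __init__(self, size):
        if not 1 <= size <= 10000:
            raise ValueError("White list size must be 1..10000")
        self.size = size
        self._ips = OrderedDict()

    def add(self, ip):
        self._ips.pop(ip, None)  # re-insert so the IP counts as most recent
        self._ips[ip] = True
        while len(self._ips) > self.size:
            self._ips.popitem(last=False)  # assumed policy: drop the oldest entry

    def __contains__(self, ip):
        return ip in self._ips

    def __len__(self):
        return len(self._ips)


class LoadControlledServer:
    """Master server that hands incoming connections to servant processes."""

    def __init__(self, max_connections=256, max_processes=40,
                 discard_limit=None, white_list_size=1000, load_control=True):
        if not 1 <= max_processes <= 2048:
            raise ValueError("Maximum number of processes must be 1..2048")
        if max_connections < 1:
            raise ValueError("Maximum number of connections must be >= 1")
        # Per the page: with Maximum number of connections = 1 load control is off.
        self.load_control = load_control and max_connections > 1
        if discard_limit is None:
            discard_limit = max_connections * 90 // 100  # default: 90 % of the cap
        if self.load_control and not 1 <= discard_limit <= max_connections - 1:
            raise ValueError("Discard limit must be 1..(max_connections - 1)")
        self.max_connections = max_connections
        self.max_processes = max_processes
        self.discard_limit = discard_limit
        self.white_list = WhiteList(white_list_size)
        self.servants = [0]  # active connection count per servant; one at start

    def capacity(self):
        """Upper bound on simultaneous client connections across all servants."""
        return self.max_connections * self.max_processes

    def _servant_accepts(self, active, ip):
        if active >= self.max_connections:
            return False  # this servant is full regardless of load control
        if not self.load_control or active <= self.discard_limit:
            return True  # at or below the Discard limit: any address is accepted
        return ip in self.white_list  # above it: only recently authenticated IPs

    def connect(self, ip):
        """Offer a new connection from `ip`; returns (outcome, servant_index)."""
        for i, active in enumerate(self.servants):
            if self._servant_accepts(active, ip):
                self.servants[i] += 1
                return "accepted", i
        if len(self.servants) < self.max_processes:
            self.servants.append(1)  # no servant would take it: launch a new one
            return "accepted", len(self.servants) - 1
        return "discarded", None

    def authenticated(self, ip):
        """Record a successful authentication so `ip` survives future high load."""
        self.white_list.add(ip)

    def disconnect(self, servant_index):
        self.servants[servant_index] -= 1


def demo_flood():
    """Constructed scenario: one servant with small limits, then a connection flood."""
    srv = LoadControlledServer(max_connections=10, max_processes=1,
                               discard_limit=8, white_list_size=4)
    # A legitimate host connects and authenticates while the load is still low.
    srv.connect("10.0.0.5")
    srv.authenticated("10.0.0.5")
    # Unseen addresses are accepted only while the servant is at or below the Discard limit.
    flood = [srv.connect(f"198.51.100.{n}")[0] for n in range(1, 9)]
    return {
        "flood_accepted": flood.count("accepted"),        # 8: active stayed <= 8 each time
        "flood_extra": srv.connect("198.51.100.99")[0],   # now above the limit: discarded
        "known_host": srv.connect("10.0.0.5")[0],         # white-listed: still accepted
        "known_host_full": srv.connect("10.0.0.5")[0],    # servant at its cap: discarded
        "active": srv.servants[0],
    }


if __name__ == "__main__":
    print(demo_flood())
```

With the defaults (256 connections, 40 processes) the Discard limit works out to 230 per servant, so a flood from addresses that have never authenticated can hold at most 230 of each servant's 256 slots; the remaining slots stay reserved for hosts already on the white list. Raising White list size only matters when more distinct addresses than that authenticate between floods.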

Cryptographic library

Tectia products can be operated in FIPS mode, using a version of the cryptographic library that has been certified according to the Federal Information Processing Standard (FIPS) 140-2.

The full OpenSSL cryptographic library is distributed with Tectia Server. However, only the algorithms provided by the fipscanister object module in the library are used by Tectia Server. The OpenSSL FIPS-certified cryptographic library is used to provide the classes of functions listed in the following tables.

The functions from the OpenSSL library version 1.0.2a used on Linux, Windows, Solaris and HP-UX Itanium (IA-64) are listed in Table 4.1. On these platforms, the fipscanister object module version 2.0.9 is used.

The functions from the OpenSSL library version 0.9.8 used on HP-UX PA-RISC and IBM AIX are listed in Table 4.2. On these platforms, the fipscanister object module version 1.2 is used.

Table 4.1. APIs used from the OpenSSL cryptographic library version 1.0.2a
(used on Linux, Windows, Solaris and HP-UX Itanium)

API              Description                                                          Functions from OpenSSL
Random numbers   AES/CTR DRBG based on NIST SP800-90A is used from the OpenSSL library  RAND_get_rand_method()
AES ciphers      Variants: ecb, cbc, cfb, ofb, ctr                                    EVP_aes*
3DES ciphers     Variants: ecb, cbc, cfb, ofb                                         EVP_des_ede3_*
Math library     Bignum math library used by OpenSSL                                  BN_*
Diffie-Hellman                                                                        DH_*, ECDH_*
Hash functions   Variants: sha1, sha-224, sha-256, sha-384, sha-512                   EVP_sha*
Public key       Variants: rsa, dsa, ecdsa                                            RSA_*, DSA_*, ECDSA_*

Table 4.2. APIs used from the OpenSSL cryptographic library version 0.9.8
(used on HP-UX PA-RISC and IBM AIX)

API              Description                                                                  Functions from OpenSSL
Random numbers   FIPS-approved AES PRNG based on ANSI X9.31 is used from the OpenSSL library  FIPS_rand_*
AES ciphers      Variants: ecb, cbc, cfb, ofb, ctr                                            AES_*
DES ciphers      Variants: ecb, cbc, cfb, ofb                                                 DES_*
3DES ciphers     Variants: ecb, cbc, cfb, ofb                                                 DES_*
Math library     Bignum math library used by OpenSSL                                          BN_*
Diffie-Hellman                                                                                DH_*
Hash functions   Variants: sha1, sha-224, sha-256, sha-384, sha-512                           SHA1_*, SHA256_*, SHA512_*
Public key       Variants: rsa and dsa                                                        RSA_*, DSA_*

No certificate functions are used from the OpenSSL library. Tectia provides its own certificate libraries.

Select the Operate in FIPS Mode check box to use the FIPS-certified version of the SSH cryptographic library. Clear the check box to use the standard (default) SSH cryptographic library.

[Note]Note

Tectia Server has to be restarted after changing the FIPS-mode setting. When Tectia Server and Connection Broker start in FIPS mode, the OpenSSL FIPS crypto library runs its health check before use, which causes a noticeable delay in process startup on slow machines.

Banner message file

To define a banner message file, click the Browse button on the right-hand side of the text field. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly into the text field.

The message file is sent to the client before authentication. Note, however, that the client is not obliged to show this message. Because anyone who can reach the port receives the banner without authenticating, keep software versions and other system details out of it.

Login grace time

Specify the time after which the server disconnects a client that has not successfully logged in. If the value is set to 0, there is no time limit, and sessions that never authenticate keep occupying connection slots indefinitely; keep a finite value on servers exposed to untrusted networks. The default is 600 seconds.

User configuration directory

Specify the path to the directory from which Tectia Server reads user-specific authorized public keys, if they are not stored in the default location. With this setting the administrator can control options that are usually controlled by the user. If no setting is given, the default setting is used.

The default setting is %D/.ssh2, which expands to %USERPROFILE%\.ssh2 (usually "C:\Documents and Settings\<username>\.ssh2").

Enter the path as a pattern string which will be expanded by Tectia Server. The following pattern strings can be used:

  • %D or %homedir% is the user's home directory

  • %U or %username% is the user's login name

    For Windows domain users:

    • %U is expanded to domain.username

    • %username% is expanded to domain\username

    For local server machine users:

    • %U is expanded to username

    • %username% is expanded to username (without the domain prefix)

  • %username-without-domain% is the user's login name without the domain part.

[Note]Note

The User configuration directory setting will be read only if the Authentication view does NOT have anything set in the following settings under Public-Key Authentication:

  • Authorization file

  • Authorized-keys directory

  • OpenSSH authorized-keys file

For reference, see Parameters
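The pattern-string rules above differ between domain and local accounts in a way that matters when the administrator points the directory at a central key store. The script below, added here as an illustration and not Tectia code, applies the page's expansion rules to both kinds of account; the function name, argument names and the sample paths are assumptions. The comparison it makes shows that for a domain user %username% inserts a backslash into the path, so a pattern like C:\ssh-keys\%username% yields a per-domain subdirectory, whereas %U keeps the whole account name in a single path component.

```python
"""Expansion of the User configuration directory pattern strings listed above.

Added illustration, not Tectia code: it applies the page's rules for %D,
%homedir%, %U, %username% and %username-without-domain% to a domain account
and to a local account. The function name and argument names are assumptions.
"""
import re

_TOKENS = re.compile(r"%D|%U|%homedir%|%username%|%username-without-domain%")


def expand_user_config_dir(pattern, homedir, username, domain=None):
    """Expand a User configuration directory pattern for one account.

    domain=None models a local server-machine user; a string models a
    Windows domain user, for which %U and %username% expand differently.
    """
    def replace(match):
        token = match.group(0)
        if token in ("%D", "%homedir%"):
            return homedir
        if token == "%username-without-domain%" or domain is None:
            return username  # local users never get a domain prefix
        if token == "%U":
            return f"{domain}.{username}"  # dot-joined: stays one path component
        return f"{domain}\\{username}"  # %username%: backslash-joined
    return _TOKENS.sub(replace, pattern)


def per_user_key_dirs(base, homedir, username, domain=None):
    """Constructed comparison: the same admin-controlled base with %U vs %username%.

    With a domain account, %username% puts a backslash into the path, so the
    keys are looked up in a per-domain subdirectory rather than under a
    per-user name.
    """
    return {
        "U": expand_user_config_dir(base + r"\%U", homedir, username, domain),
        "username": expand_user_config_dir(base + r"\%username%", homedir, username, domain),
    }


if __name__ == "__main__":
    # Default pattern for a local account (sample home directory is constructed).
    print(expand_user_config_dir("%D/.ssh2", r"C:\Users\alice", "alice"))
    # Admin-controlled key store for a domain account.
    print(per_user_key_dirs(r"C:\ssh-keys", r"C:\Users\alice", "alice", domain="CORP"))
```

When the goal is a directory tree the administrator owns and users cannot write to, %U (or %username-without-domain% in a single-domain environment) produces one predictable directory per account; with %username% the domain part becomes a directory level, which must exist and be permissioned correctly for key lookup to succeed.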

Windows logon type

Specify which Windows logon type Tectia Server uses when it logs a user on to the local host. Select a suitable value from the drop-down list: Batch, Interactive, Network, or Network-Cleartext. The default value is Interactive. Note that this setting only affects password-based authentication methods.

For example, to enable accounts that do not have the access right to log on locally, select Network.

For information on the attribute values, refer to Microsoft documentation on Windows logon types.

Resolve client hostname

Define whether Tectia Server should try to resolve the client host name from the client IP address during connection setup. By default, yes is selected and DNS lookups are used to resolve the client host name at connection time.

If you select no, client host name resolution is not attempted and the IP address is used as the returned client host name. This is useful when you know that the DNS cannot be reached and the query would only add delay to logging in. Note also that the resolved name comes from a reverse DNS lookup, which is controlled by whoever administers the client's address range; treat it as informational in logs rather than as proof of the client's identity.

[Note]Note

This attribute does not affect the resolution of TCP tunnel endpoints and Tectia Server will try to resolve the client host name when creating a TCP tunnel.

Windows terminal mode

Define the mode of operation of a terminal session on the server side. The available values are Console and Stream.

If set to Console (default), the server reads the screen buffer in a loop and detects modifications based on current cursor location. If set to Stream, the server reads the stdout and stderr of cmd.exe as a stream of data, while providing basic facilities for command-line editing.

Network address family

Define the address family Tectia Server will use for incoming connections.

If set to inet (default), the server will accept only IPv4 incoming connections. If set to inet6, the server will accept only IPv6 incoming connections. If set to Any, the server will accept both IPv4 and IPv6 incoming connections, will resolve addresses of both families, and opens both IPv4 and IPv6 listeners for remote port forwarding.

User started processes

Select the Terminate on session close check box to have all processes started by the user on the SSH terminal session terminated when the user logs off from the session. By default this is not enabled.

User Account Control

If Allow elevation is selected, users logging in with password authentication may retain any administrative privileges associated with their accounts. Leave it cleared unless those users need an elevated session on this host.