Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document>>
    Installing SSH Tectia Client >>
    Getting Started >>
    Configuring SSH Tectia Client >>
        Defining Profile Settings >>
        Defining Global Settings >>
        Editing the Configuration Files >>
        Using Command-Line Options
        Customizing the User Interface>>
    Connecting to a Remote Host Computer>>
    Transferring Files>>
    Tunneling Applications>>
    GUI Reference>>
    Troubleshooting >>
    Command-Line Tools >>


The system-wide configuration file of the command-line client, ssh2_config, can be found in the installation directory (by default C:\Program Files\SSH Communications Security\SSH Secure Shell). Copy the ssh2_config file to directory %ALLUSERSPROFILE%\Application Data\SSH, from where the program reads it.

To make your personal settings to the file, you should copy it to the %USERPROFILE%\Application Data\SSH directory.


To use the FIPS-certified cryptographic library with the command-line clients, edit the ssh2_config file and add the following option as the first item in the file (after the comments):

FIPSmode                 yes

GSSAPI Configuration

Both the client and the server use similar configuration data format.

The name of the GSSAPI method is gssapi. It can be specified with the AllowedAuthentications keyword in ssh2_config and sshd2_config configuration files.

There are two additional GSSAPI-related keywords: GSSAPI.AllowedMethods and GSSAPI.DelegateToken.

GSSAPI.AllowedMethods specifies the actual mechanisms that are to be used through GSSAPI. Windows implements both the Kerberos5 and NTLM mechanisms. The default value is Kerberos,NTLM.

GSSAPI.DelegateToken is a boolean variable (with possible value of yes and no), which specifies whether the client requests delegating the GSSAPI authentication over several connections. The default value is no.

The following is a sample GSSAPI configuration from the ssh2_config configuration file:

AllowedAuthentications   "gssapi,password"
GSSAPI.AllowedMethods    "ntlm,kerberos"
GSSAPI.DelegateToken     yes

GSSAPI is an option in the Connect to Remote Host dialog and in the Authentication page. The configuration is stored separately for each profile.

Strict Modes

The StrictModes option can be used to make the client check the permissions and ownership of the credentials used during public-key authentication. Specifically, this checks the user's configuration directory (by default %USERPROFILE%\Application Data\SSH) and private keys. The files and directories must be accessible only by the user, the Administrators group, and the SYSTEM account. The owner must be the user or the Administrators group.

To enable strict modes, add the following line in the ssh2_config file:

StrictModes              yes

User Configuration Directory

The UserConfigDirectory option can be used to specify where user-specific configuration data is found for the command-line clients. It is equal to the -k command-line option of ssh2.exe, scp2.exe, and sftp2.exe.

The value is given as a pattern string which is expanded by ssh2. %D is "%USERPROFILE%/Application Data/SSH" and %U is the user's login name. The default is %D.

To use an alternate location, specify it in the system-wide ssh2_config file, for example by adding the following line:

UserConfigDirectory      "c:/alternate_directory/%U/"

Note that any configuration set in ssh2_config affects only the command-line clients and this setting is configurable in ssh2_config only. The GUI client uses always the "%USERPROFILE%\Application Data\SSH" directory.

Disabling SSH1 Emulation

To disable SSH1 emulation with the command-line client, add the following line to your %USERPROFILE%\Application Data\SSH\ssh2_config file:

Ssh1InternalEmulation    no

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more