SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
ssh-broker-g3 — SSH Connection Broker - Generation 3
ssh-broker-g3 (ssh-broker-g3.exe on Windows) is a component of SSH Tectia Client and SSH Tectia ConnectSecure. It handles all cryptographic operations and authentication-related tasks for the SSH Tectia client programs sshg3, scpg3, sftpg3, and ssh-client-g3.exe (on Windows only).
ssh-broker-g3 uses the Secure Shell version 2 protocol to communicate with a Secure Shell server.
You can start the Connection Broker manually by using the ssh-broker-g3 command. This starts ssh-broker-g3 in the background and all following uses of sshg3, sftpg3, or scpg3 will connect via this instance of the Connection Broker instead of starting a new Broker session.
If a command-line client (sshg3, sftpg3, or scpg3) is started when the Connection Broker is not running in the background, the client starts the Broker in run-on-demand mode. In this mode, ssh-broker-g3 will exit after the last client has disconnected.
If there is an ssh-broker-g3 process running in the run-on-demand mode, and the Connection Broker is started from the command line, the new ssh-broker-g3 process sends a message to the old ssh-broker-g3 process to change from the run-on-demand mode to the background mode, keeping the Broker running after the clients disconnect.
The Connection Broker operates automatically as an authentication agent, storing
user's public keys and forwarding the authentication over Secure Shell
connections. Key pairs can be created with
On Solaris and AIX, the Connection Broker can also serve OpenSSH clients as an authentication agent.
The public key pairs used for user authentication are by default stored in
%APPDATA%\SSH\UserKeys on Windows).
See the section called “Files” for more information.
The Connection Broker automatically maintains and checks a database containing the
public host keys used for authenticating Secure Shell servers. When logging
in to a server host for the first time, the host's public key is stored in
%APPDATA%\SSH\HostKeys on Windows).
See the section called “Files” for more information.
The most important options of ssh-broker-g3 are the following:
Reads the Connection Broker configuration file from
FILE instead of the default location.
Sets the debug level string to
Dumps debug messages to
Make the currently running Connection Broker exit. This will terminate all connections.
Re-reads the configuration file
ssh-broker-config.xml) and takes it into use.
On Windows, starts the Connection Broker but does not start the GUI.
This option is used internally when a command-line client is started when the Connection Broker is not running.
On Windows, starts the SSH Tectia Configuration GUI if it is not already running.
Displays program version and exits.
Displays a short summary of command-line options and exits.
On Windows, the help is only shown when running
"ssh-broker-cli.exe -h" directly from the "
C:\Program Files\SSH Communications Security\SSH Tectia\SSH
Tectia AUX\Support Binaries" directory. Normally,
ssh-broker-cli.exe is never run by the user, but it is
automatically called by ssh-broker-g3.exe.
ssh-broker-g3 uses the following files:
This is the user-specific configuration file used by ssh-broker-g3 (and sshg3, scpg3, and sftpg3). The format of this file is described in ssh-broker-config(5). This file does not usually contain any sensitive information, but the recommended permissions are read/write for the user, and not accessible for others.
On Windows, the user-specific configuration file is
This file is used for seeding the random number generator. It contains sensitive data and its permissions should be read/write for the user and not accessible for others. This file is created the first time the program is run and it is updated automatically. You should never need to read or modify this file.
On Windows, the random seed file is located in
This file contains information on public keys and certificates used for user authentication when contacting remote hosts.
With SSH Tectia Client G3, using the
identification file is not
necessary if all user keys are stored in the default directory and you allow
all of them to be used for public-key and/or certificate authentication. If
identification file does not exist, the Connection Broker attempts to
use each key found in the
$HOME/.ssh2 directory. If the
identification file exists, the keys listed in it are
The identification file contains a list of private key filenames each
preceded by the keyword
CertKey). An example file is shown below:
This directs the Connection Broker to use
when attempting login using public-key authentication.
The files are by default assumed to be in the
$HOME/.ssh2 directory, but also a path to the key file can be
given. The path can be absolute or relative to the
directory. If there is more than one
IdKey, they are tried
in the order that they appear in the identification file.
On Windows, the identification file is located in
%APPDATA%\SSH\identification. Key paths
in the file can be absolute or relative to the
%APPDATA%\SSH directory. The default user
key directory is
and the default user certificate directory is
This is the user-specific default directory for storing the public
keys of server hosts. You are prompted to accept new or changed keys
automatically when you connect to a server, unless you have set
yes in the
ssh-broker-config.xml file. You should verify the key
fingerprint before accepting new or changed keys.
When the host key is received during the first connection to a remote host (or when the host key has changed) and you choose to save the key, its filename is stored by default in hashed format. The hashed host key format is a security feature to make address harvesting on the hosts difficult.
The storage format can be controlled with the
filename-format attribute of the
element in the
ssh-broker-config.xml configuration file. The
attribute value must be
If you are adding the keys manually, the keys should be named with
key_<port>_<host>.pub pattern, where
<port> is the port the Secure Shell server
is running on and
<host> is the hostname
you use when connecting to the server (for example,
If both hashed and plain-text format keys exist, the hashed format takes precedence.
Note that the identification is different based on the host and port
the client is connecting to. For example, the short hostname
alpha is considered different from the fully
qualified domain name
alpha.example.com. Also a
connection with an IP, for example
considered a different host, as is a connection to the same host but
different port, for example
On Windows, the user-specific host key files are located in
For more information on host keys, see Server Authentication with Public Keys.
This is the initialization file for hashed host key names.
On Windows, the salt file is located in
This is the configuration file used by ssh-broker-g3 (and sshg3, scpg3, and sftpg3) that contains the factory default settings. It is not recommended to edit the file, but you can use it to view the default settings. The format of this file is described in ssh-broker-config(5).
On Windows, the default configuration file is
located in "
C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\ssh-broker-ng\ssh-broker-config-default.xml".
This is the global (system-wide) configuration file used by ssh-broker-g3 (and sshg3, scpg3, and sftpg3). The format of this file is described in ssh-broker-config(5).
On Windows, the global configuration file is
If a host key is not found in the user-specific
$HOME/.ssh2/hostkeys directory, this is the next location to be
checked for all users. Host key files are not automatically put here but
they have to be updated manually by the system administrator
root) or by using SSH Tectia Manager.
If the administrator obtains the host keys by connecting to each host,
the keys will be by default in the hashed format. In this case, also the
$HOME/.ssh2/hostkeys/salt file has to be copied
On Windows, the system-wide host key files are by default located in:
C:\Documents and Settings\All Users\Application Data\SSH\HostKeys" on pre-Vista Windows.
C:\ProgramData\SSH\HostKeys" on Windows Vista.
This is the initialization file for hashed host key names. The file has to be copied here manually by the same administrator that obtains the host keys.
On Windows, the salt file for all users is by default located in:
C:\Documents and Settings\All Users\Application Data\SSH\HostKeys\salt" on pre-Vista Windows.
C:\ProgramData\SSH\HostKeys\salt" on Windows Vista.
This is the default system-wide file used by OpenSSH clients for storing the public key data of known server hosts. It is supported also by SSH Tectia ConnectSecure.
If a host key is not found in the user-specific
$HOME/.ssh/known_hosts file, this is the next
location to be checked for all users.
ssh_known_hosts file is never automatically updated
by SSH Tectia Client or ConnectSecure, since they store new host keys always in the SSH Tectia user-specific
This is the default user-specific file used by OpenSSH clients for
storing the public key data of known server hosts. The
known_hosts file is supported also by
SSH Tectia ConnectSecure.
known_hosts file contains a hashed or plain-text
format entry of each known host key and the port used on the server, in case
it is non-standard (other than 22). For more information on the format of
known_hosts file, see the OpenSSH
sshd(8) man page.
known_hosts file is never automatically updated
by SSH Tectia Client or ConnectSecure, since they store new host keys always in the SSH Tectia
$HOME/.ssh2/authorized_keys(on the server host)
This directory is the default location used by SSH Tectia Server for the user public keys that are authorized for login.
On SSH Tectia Server on Windows, the default directory for user public keys is
$HOME/.ssh2/authorization(on the server host)
This is the default file used by earlier versions of SSH Tectia Server (sshd2) that lists the user public keys that are authorized for login. The file can be optionally be used with SSH Tectia Server G3 (ssh-server-g3) as well.
On SSH Tectia Server on Windows, the authorization file is by default located in
For information on the format of this file, see the ssh-server-g3(8) man page.
$HOME/.ssh/authorized_keys(on the server host)
This is the default file used by OpenSSH server (sshd) that contains the user public keys that are authorized for login.
For information on the format of this file, see the OpenSSH sshd(8) man page.