Secure Shell and AnzioWin

What is Secure Shell?

Secure Shell, also known as SSH, is a common protocol for encryption of data coming across a wire during a remote access session. This is commonly used for SSH server access, which is similar to an encrypted telnet session, utilizing a secure server access and different network ports on the host.

What we support

With the release of AnzioWin 12.5, we began supporting Secure Shell for remote secure access to SSH servers running on remote hosts. This includes support for SSH1 (version 1), SSH2 (version 2 and 3) and OpenSSH. We also support a number of encryption methods, available to these versions of SSH.

Using AnzioWin's SSH

There are a number of SSHD (SSH server) implementations available to various UNIX/Linux and Windows Server systems. These follow the standard protocol for one of the versions of SSH and should work with AnzioWin.

The communications setup dialog allows you to select SSH as the default communications method. This dialog appears when you run a new connection through AnzioWin (the first time or from the Start : Programs : Anzio : AnzioWin (new connection) menu item. You can also get to this when AnzioWin is running by going to the Communicate : Setup menu item.

From here, you select SSH and enter the host name or host IP address you wish to access., very similar to how a simple telnet session would work.

Configuring SSH

There are several options that you have to set your client up for with SSH, to match what the host system expects. Right out of the box, AnzioWin should work fine with a basic server installation. However, your system administrator may have changed the default settings for SSH at the server and you need to match these setting here. You can do so by pressing the "Setup" button under SSH in the Communications Setup dialog.

Note: Use ssh2 for OpenSSH if you have problems.

Authentication

There are two standard types of authentication for SSH, password and PKI (use of public & private keys). SSH also supports various other devices such as smart cards, biometric devices and more, but these really do not apply here. Of course the host server could be set up for multiple authentication methods, requiring more than just one.

Password Authentication

Instead of logging in on the live screen (as you would with a telnet session), you are prompted for login and password through a dialog box.

Once you have entered a valid login, you are attached to the host, and from then on, the session appears just as a regular telnet session would, with the exception that you have been authenticated to the server and your data is now encrypted.

PKI Authentication

A separate program, AnzKeygen.exe, can be used to generate public/private key pairs for use with SSH. This program ships with AnzioWin but not Anzio Lite, however it is available in our download area at our web site.

A program must generate a private key, based on random, very large prime numbers. The private key is stored in a file, which is placed on the client machine (in this case, on the PC). The program will then generate a public key based on the private key; the public key goes on the host machine (the server). At the time of establishing a connection, the client uses the private key to prove (authenticate) who it is. The server can verify this using the public key, without ever knowing the private key.

The private key file may require a passphrase (a long password), which the user must enter. This proves that both the user and the PC are legitimate. A private key file that does NOT require a passphrase means anyone using that PC will have access. Note that Anzio will not automatically supply a private key's passphrase, although it can be made to supply the password for simple password-only authentication.

It is important to note that the internal format of the private key is NOT standardized. You can not assume that the private key created by one key generation program will work with a different SSH client program.

For the format of a public key, there is a standard proposed but not yet adopted.

Anzio is able to use a private key file that is created by AnzKeygen.exe, or one created by PuTTY.
To create a key pair, run the AnzKeygen.exe program. Fill in the blanks as follows:

a) Under "Type of Key", chose "SSH1" to create a key for version 1 of the SSH protocol, or chose an RSA or DSA SSH2 key.

b) The "Number of bits" field (default 1024) indicates the security level of the key. More bits is more secure, but takes longer to work with.

c) If you want the private key file to be passphrase-protected, enter a passphrase in that field, and again in the confirmation field.

d) You may enter a comment to embed in the key file.

e) Click the "Generate" button. It may take a few minutes for the program to generate a key.

f) The program will display a box containing the public key in semi-readable form. If you are running OpenSSH on your server, you will need to insert this data into a file on the server. To make this easy, you can click on "Copy to Clipboard", which will cause the program to store the public key data in the Windows clipboard as one long string. Later, you could paste it into an editor running on the server. Click "OK".

g) The program will present a dialog titled "Save public key as". If you wish to create a public key file, enter a file name and click "Save". This is useful for SSH daemons that require a separate key file. Otherwise, click "Cancel".

h) The program will present a dialog titled "Save private key file as". Tell it the name and location of the private key file to be created, and click "Save". This completes the key generation process.

To tell Anzio to use a private key, go to Communicate:Setup. Click the "Setup" button next to "SSH". Under "Private key file", enter the full path name of the private key file.

To tell your SSH daemon to allow use of one or more public keys, you will need to follow instructions provided with your particular sshd. For more information, try doing

man sshd

at the Unix or Linux shell prompt.

Automated Login in SSH

When connecting via SSH, many people want to automate the login, using the username and password defined in Communicate:Login Wizard. This is possible beginning in version 15.

Because this subverts to a degree the security purposes of SSH, we have separated the control of this feature. Go to Edit:Advanced Options:Security, and click "Allow saved password in SSH".

Note that this applies to password-type authentication only. If you are using a private key that has a passphrase, you will still have to enter that passphrase manually. It is an option, however, to create an SSH key without a passphrase.

Notes on various SSH installs

We recommend that you always verify what defaults are set in your SSHd configuration file. Different systems ship with different defaults which can a) open up security holes or b) shut out all access from password-based authentication programs such as AnzioWin and Anzio Lite. Never depend on the defaults installed when the O/S is installed.

SuSe Linux

By default, SuSe ships with OpenSSH already installed. However it does also ship with its configuration to not allow password authentication. If you do not have a public/private key pair set up, Anzio may fail to authenticate correctly. A simple line change to the sshd config file will fix this problem. Give us a call.

Red Hat Linux

Various versions of Red Hat ship with various versions of SSH and may not be configured by default. Similar to SuSe Linux, there may also be issues with the default configuration file, so always check the configuration first.

SCO UNIX and other UNIX systems

Later version of SCO UNIX ship with OpenSSH, whereas earlier versions do not ship with anything. This is similar to other UNIX systems, such as AIX, HP-UX, etc.

You can always download the latest version in source form from the Internet and compile and install. Also be sure to configure your SSHd configuration file the way you would like. Do not depend on the defaults.

SSH FTP

Beginning with AnzioWin version 15, we now ship both a graphical user interface (GUI), as well as macro and script command forms for SFTP (Secure Shell FTP). Check out the AnzioWin manual on using FTP and SFTP for more information.

SSH back-channel Printing

Beginning with AnzioWin version 15, limited support for back-channel printing is available. This works in the background over the current SSH session to do local printing to the client's attached printer. If you are interested in this, give us a call and we can discuss the various options available and the setup necessary to make this work.

Additional information can be found in our SSH printing with AnzioWin document.

SSH port forwarding

At present AnzioWin does not support SSH port-forwarding. However we are looking for companies with needs in this area as we have this under development. Please contact us with your needs and we will discuss what can be done.