Global Options/SSH2

SecureCRT


The SSH2 category of the Global Options dialog allows you to configure your SSH2 public-key and Agent settings.

SSH2: the second version of the SSH protocol, which provides a way to encrypt network traffic between a client and a server, with a slightly different set of security features than the SSH1 protocol provides.

Public Key

 

Use identity or certificate file

Selecting this option instructs SecureCRT to use the identity file or PKCS #12 file stored on the local system as your method of authentication. For more information on configuring your system to use identity files, see Public-Key Authentication for SSH2.

Identity files: two files containing the public-private key pair used to connect to an SSH server using RSA or DSA authentication. The Identity file contains the public and private key pair and is used by SecureCRT. The Identity.pub file contains only the public key, which is usually appended to the authorized_keys file.

PKCS #12 file: a file that contains your X.509 certificate and its associated private key.

Authentication: the process of verifying that an individual truly is who he or she claims to be. Supplying a password is a very common method of authentication. The most secure method of authentication supported in SecureCRT is public-key authentication. See also: identity file, public-private key pair.

SecureCRT also supports accessing X.509 certificates through PKCS #11 (an API defining a generic interface to cryptographic tokens). The locator prefix (e.g., “pkcs11::”) and suffix (e.g., “::standard”) specify which public-key algorithm to use. To use this feature, enter a string similar to one of the following examples, but pointing to your PKCS #11 .dll file, in the text box:

pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll

pkcs11::prov=c:\windows\system32\pkcs11.dll::cert

The above examples use the x509v3-sign-rsa algorithm.

pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll::standard

The above example uses the x509v3-sign-rsa-sha1 algorithm.

pkcs11key::prov=c:\windows\system32\pkcs11.dll

The above example uses the ssh-rsa algorithm, which can be used to send the certificate as a raw key.
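When reviewing deployed settings, it helps to resolve each locator string to the algorithm it selects. The following is an added example, not SecureCRT code: it parses the locator shape shown above and maps only the prefix/suffix combinations this page documents. The function name and the two path checks (absolute path, .dll extension) are assumptions of this example, not SecureCRT behavior.

```python
from pathlib import PureWindowsPath

# (prefix, suffix) -> algorithm, taken only from the examples on this page.
DOCUMENTED = {
    ("pkcs11", None): "x509v3-sign-rsa",
    ("pkcs11", "cert"): "x509v3-sign-rsa",
    ("pkcs11", "standard"): "x509v3-sign-rsa-sha1",
    ("pkcs11key", None): "ssh-rsa",
}


def parse_locator(locator):
    """Return prefix, provider path, suffix, algorithm and review warnings."""
    prefix, sep, rest = locator.strip().partition("::")
    if not sep or not rest.startswith("prov="):
        raise ValueError("expected <prefix>::prov=<dll path>[::<suffix>]")
    # A drive letter contains a single ':', so only '::' separates fields.
    provider, sep, suffix = rest[len("prov="):].partition("::")
    if not provider or (sep and not suffix):
        raise ValueError("empty provider path or suffix")
    suffix = suffix or None
    algorithm = DOCUMENTED.get((prefix, suffix))
    warnings = []
    if algorithm is None:
        warnings.append("prefix/suffix combination is not documented")
    # Assumed review checks (not SecureCRT behavior): the provider should be
    # named by a full path to a .dll so it is clear which library is loaded.
    path = PureWindowsPath(provider)
    if not path.is_absolute():
        warnings.append("provider path is not absolute")
    if path.suffix.lower() != ".dll":
        warnings.append("provider is not a .dll file")
    return {"prefix": prefix, "provider": provider, "suffix": suffix,
            "algorithm": algorithm, "warnings": warnings}


if __name__ == "__main__":
    # Constructed inputs: three of the page's examples and one relative path.
    samples = [
        r"pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll",
        r"pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll::standard",
        r"pkcs11key::prov=c:\windows\system32\pkcs11.dll",
        r"pkcs11::prov=opensc-pkcs11.dll::cert",
    ]
    for s in samples:
        r = parse_locator(s)
        print(r["algorithm"], r["provider"], r["warnings"])
```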

Fingerprint

This entry box will be filled in automatically when an identity file is entered above.

Create Identity File

Press this button to start the Generate Key wizard and create identity files which contain your public/private key pair.

Note: SecureCRT supports both DSA and RSA key types.

Change Passphrase

Press this button to change the passphrase for your global SSH2 identity file.

Passphrase: a password used to protect a private key from unauthorized use. It is recommended that a passphrase be assigned to all private keys to prevent unauthorized use, especially in environments where multiple individuals have access to the machine on which the private key files are stored. When using public-key authentication, a private key with an assigned passphrase will not be available if the correct passphrase is not supplied during the authentication process.

Note: Passphrases for specific session identity files can be changed using that session's Public Key Properties dialog, which is opened by pressing the Properties button on the Connection/SSH2 category of the Session Options dialog.

Session: a set of options that are assigned to a connection to a remote machine. These settings and options are saved under a session name and allow the user to have different preferences for different hosts.

Use personal store certificate (CAPI)

Selecting this option instructs SecureCRT to use X.509 certificates from your Microsoft CAPI personal store as your method of authentication. For more information on X.509 certificates, see Using X.509 Certificates.

Advanced group

Add keys to agent

Check this option to enable the SSH2 Agent. Agents are programs that work in the background gathering information or performing small processing tasks. In SecureCRT, the implemented agent temporarily holds private keys for use with public-key authentication to multiple remote hosts. For more information on agents, see Using the Agent.

Enable OpenSSH agent forwarding

Check this option to use the agent to connect to a remote machine through another remote machine (see Using the Agent). This option can be overridden on a per-session basis from the Session Options/Connection/SSH2/Advanced category.

Enable deprecated GSSAPI

Check this option to have SecureCRT first attempt to connect using GSSAPI with MIC and then, if that is not successful, try regular GSSAPI. If this box is not checked, SecureCRT will only try to connect using GSSAPI with MIC.

Note: When using Kerberos host and user authentication via GSSAPI, the connection could be vulnerable to a man-in-the-middle attack. Using GSSAPI with MIC eliminates this risk. Although the GSSAPI method has been deprecated, GSSAPI with MIC is not yet widely supported. SecureCRT allows you to attempt to connect using GSSAPI with MIC if it is available on the server.

Cache session password

When this option is set, passwords will be cached while SecureCRT, SecureFX®, or the Activator is running so that when re-connecting to that session or connecting in one of the other applications, the password does not have to be re-entered.