Security Settings

Encryption Algorithm

Encryption is negotiated to be the same in both directions, although the Secure Shell protocol allows incoming and outgoing streams to have different encryption types. The algorithm used to select a cipher is the first algorithm that is common to both the client and server, as determined by the order of the client’s list. If you have a preference, you can modify the list.

By default, all algorithms are enabled. You can enable or disable them by selecting Specify List on the drop-down list. Use the arrow buttons to alter the order in which the algorithms are negotiated. Click the Reset All button to return to the default settings.

MAC Algorithm

Message Authentication Code (MAC) algorithms are integrity checksums used to ensure that the contents of a packet have not been altered during transmission. The Secure Shell protocol allows incoming and outgoing streams to have different MAC types. The algorithm used to select a MAC is the first algorithm that is common to both the client and server, as determined by the order of the client. If you have a preference, you can modify the list.

By default, all MAC algorithms are enabled. You can enable or disable them by selecting Specify List on the drop-down list. Use the arrow buttons to alter the order in which the algorithms are negotiated. Click the Reset All button to return to the default settings.

Authentication

Select the type of authentication you want to use to identify yourself to the remote host. Use the arrow buttons to alter the order in which the authentication methods are attempted. Click the Reset All button to return to the default settings.

The authentication methods you enabled are tried once in the order you specify. The tunnel is established with the first method that succeeds. If all authentication methods fail, the tunnel disconnects.

Use Entered Password—This method uses your password to log into the remote host. When you select this method, the Password box appears in which you can specify the password.

Use Selected User Key—This method requires you to generate a public/private key pair with Hummingbird Certificate and Key Manager. When you select this method, the Browse button appears. Click it to access the Select User Key dialog box which lets you create a key or select a previously generated key.

Allow Agent Forwarding—This option is available only if the Use Selected User Key authentication type is selected and you have selected a key. It lets remote hosts send authentication requests to Connectivity Secure Shell. For example, if you connect to a host, and then create a Secure Shell connection to a second host, the second host can send an authentication request to Connectivity Secure Shell through the original host. When the client receives a remote authentication request from the Secure Shell server, it returns all of the public keys in the user key store. The server selects a key and returns an authentication request to the client. When public key authentication is used, the client attempts to open all keys in the user key store. If each has a different passphrase, you will receive multiple prompts for keys. If you use the same passphrase for all keys, you will be prompted only once.

Keyboard Interactive—This option provides a generic keyboard method for use with supported authentication tools such as Smart Cards.

Kerberos—This method requires you to configure Kerberos settings. These settings are displayed when you select the method. To alter the settings, click the Kerberos Settings icon to open the Kerberos Settings dialog box. Select one of the following options:

GSSAPI Service Name—The name of the service principal defined on the target host. This is the default principal as specified in the standards document. Ask your system administrator if your host configuration specifies a different service principal name.

Note:

Host is commonly used for shells, while ftp is commonly used for file transfer. If you select ftp, and there is no service principal for ftp on that machine, you will not connect to the host.

Kerberos Client—You can select Hummingbird Connectivity Kerberos or MIT Kerberos if installed.

Use HMS2MIT—Imports Kerberos tickets (for Kerberos client authentication) from the Microsoft ticket store to the Kerberos ticket store.

Delegate Credentials—Exports the ticket-granting ticket (acquired at login, or via kinit or your Kerberos client) to the host. Once you are logged onto the host, you can check for the krbtgt@Realm@Realm, which is the ticket-granting ticket, in your Kerberos cache. (On a Unix host, issue the klist command.)