The Kermit 95 SSH Client

ў Беларускім   Auf Deutsch

Sun Dec 8 11:01:22 2002
Most recent update: Wed Aug 31 15:05:01 2011 FTP links converted to HTTP: Mon Aug 2 16:17:54 2021

Kermit 95 2.0 (and later) for Windows includes Secure Shell (SSH) v1 and v2 clients, an FTP client (which can make secure or regular connections), and an HTTP client (ditto), in addition to the many connection methods and clients it had already.

This document does not apply to C-Kermit for Unix, which uses the external SSH client as its transport in making SSH connections, as described HERE.

CONTENTS

  1. K95 SSH OVERVIEW
  2. TYPICAL SSH SESSION
  3. SSH AUTHENTICATION OPTIONS
     3.1. Host Authentication
     3.2. User Authentication
  4. KNOWN BUGS
  5. THINGS TO WATCH OUT FOR
  6. NOT IMPLEMENTED YET
  7. NEW COMMANDS FOR SSH
     7.1. The SSH Command
     7.2. The SET SSH Command

[ Kermit Home ] [ Kermit 95 ] [ Comparison with Other SSH Clients ]

1. K95 SSH OVERVIEW

[ Top ] [ Contents ] [ Next ]

SSH was added to Kermit 95 because increasingly many sites refuse Telnet (clear-text or secure) and require SSH for virtual terminal connections. As of version 1.1.21, the Windows (not OS/2) version of Kermit 95 includes SSH v1 and v2 clients:

• K95's SSH connections are based on OpenSSH 3.0.2p1, which first had to be converted to Windows developer tools and then was heavily customized to (a) allow connections in series; (b) incorporate secure authentication methods; (c) interface with the rest of K95 (settings, etc)
• K95 can make SSH connections to any host that has sshd for SSH 1.3, 1.5, or 2.0. OpenSSH does not support SSH versions 1.2 or earlier.
• Unless you force a specific SSH version when connecting (SSH OPEN blah /VERSION:1), K95 negotiates the version automatically. The negotiated version is shown in the Terminal-screen status line, e.g. "SSH-2.0".
• As with all Kermit's other features, the SSH client is configurable by the user in every conceivable way (so anybody who doesn't like its defaults or behavior can change them) and it includes built-in key creation and management tools so no external "helper applications" are required.
• The K95 implementation of SSH has been tested in connections to Solaris, HP-UX 8.00 and above, Linux, OpenBSD, FreeBSD, and VMS ...

The OS/2 version of Kermit 95 does not include an SSH client because the OpenSSH libraries are not available for OS/2.

Kermit's SSH connections are configured and controlled by the (new) SSH and SET SSH commands. These are described by HELP SSH and HELP SET SSH (the HELP text is reproduced below).

2. TYPICAL SSH SESSION

[ Top ] [ Contents ] [ Next ] [ Previous ]

At the K-95> prompt, simply type "ssh somehost", where somehost is the IP host name or address of the host you want to connect to or, if your user ID on the destination host is different from your local user ID, "ssh somehost /user:remoteuserid". You might get some messages or questions about the hostname the first time you make a connection, for example:

  [C:\K95] K-95> ssh xyzcorp.com
  The authenticity of host 'xyzcorp.com' can't be established.
  DSA key fingerprint is 85:f9:8b:cd:23:12:01:d9:cf:7a:12:cf:b5:5d:ab:60.
  Are you sure you want to continue connecting (yes/no)?

but that's normal for any SSH client. Unless you have reason to believe the host is an imposter, say "yes" (more about this in the next section). Now K95 asks you for your password, you type it into the box, K95 sends it over the encrypted connection, and off you go.

From this point, an SSH session is like any other K95 terminal session. You can escape back to the prompt with Alt-X, return to the terminal screen with C or Alt-X, transfer files, whatever you want. When you log out from the host, K95 should pop back to its command screen automatically, but that depends on the SSH server.

A single instance of K95 presently can not manage multiple terminal sessions, SSH, Telnet, modem, or otherwise, but of course you can run multiple instances of K95. You can, however, have an FTP session and/or an HTTP session at the same time as a terminal session in a single K95 instance.

3. SSH Authentication Options

[ Top ] [ Contents ] [ Next ] [ Previous ]

SECTION CONTENTS

  3.1. Host Authentication
  3.2. User Authentication

SSH provides security (or the illusion of it) by encrypting the session. SSH can work in the absence of authentication, but it also offers several options for authentication, none of them particularly secure except for Kerberos 5 GSSAPI and SRP.

3.1. Host Authentication

There are two sides to authentication:

1. Is the host what it claims to be?
2. Is the user who s/he claims to be?

In its simplest form, SSH lets the user make encrypted connections without setting up any kind of keys or other special authentication procedures or files, and all the host administrator has to do is install the ssh server and generate host keys. No alteration of the host login system is required. This is why SSH is so popular compared to authentication methods that are more secure and manageable: it's easy to get started. However, this kind of SSH connection does not authenticate the host to the client and it authenticates the client to the host only through the password file, just like an ordinary insecure login. The only difference is that the session (including the password) is encrypted, which makes hackers do a little extra work to decode their sniffer logs and get your password. The assumption is that hackers won't bother to do this since unencrypted passwords are easier to steal (like cars without steering-wheel locks), but of course this is wishful thinking.

The most important command to know about before you try to make an SSH connection is SET SSH STRICT-HOST-KEY-CHECK. The values are ON, OFF, and ASK.

• ON means K95 won't make an SSH connection to a host whose public key is not in its known-hosts file.
• OFF means K95 will connect to any SSH host.
• ASK means K95 will ask you if it's OK to connect to a host whose key is not in its known-hosts file. This is the default.

There are two known-hosts files for each protocol version. A user file is stored in the \v(appdata)ssh directory and is automatically updated based upon the connections you make. The system-wide known-host file is (optionally) stored in the \v(common)ssh directory for the operating system and is never updated by Kermit 95. It is there to be maintained by the system administrator.

Your global known-hosts files are kept in a directory common to all users:

  SSH v1:  \v(common)ssh\known_hosts
  SSH v2:  \v(common)ssh\known_hosts2

and your user-specific (and K95-specific) known-hosts files are:

  SSH v1:  \v(appdata)ssh\known_hosts
  SSH v2:  \v(appdata)ssh\known_hosts2

(\v(appdata) is Kermit's User Application Data Directory variable. The user's application data directory is located in a system dependent manner. Windows 95/98/98SE/ME/NT store the application data with the user's profile. Windows 2000/XP/Vista/etc store the application data in the Documents and Settings directory. Tell K95 to "show var appdata" to see its definition.) Thus, on Windows XP these files are in the SSH subdirectory of your Windows APPDATA directory, e.g.:

  SSH v1:  c:\Documents and Settings\username\Application Data\Kermit 95\ssh\known_hosts
  SSH v2:  c:\Documents and Settings\username\Application Data\Kermit 95\ssh\known_hosts2

On Windows 98 with multi-user support, this would be:

  SSH v1:  c:\WINDOWS\Profiles\username\Application Data\Kermit 95\ssh\known_hosts
  SSH v2:  c:\WINDOWS\Profiles\username\Application Data\Kermit 95\ssh\known_hosts2

On Windows 98 without multi-user support, this would be:

  SSH v1:  c:\WINDOWS\Application Data\Kermit 95\ssh\known_hosts
  SSH v2:  c:\WINDOWS\Application Data\Kermit 95\ssh\known_hosts2

(\v(common) is Kermit's Common Data Directory variable. The common data directory is located in a system dependent manner. Windows 95/98/98SE/ME/NT store the common application data in the WINDOWS directory. Windows 2000/XP stores the application data in the Documents and Settings\All Users directory. Tell K95 to "show var common" to see its definition.)

Each file contains a series of (long) "lines", one per host, each line containing the hostname and aliases and then the key in Base 64; this is the host's public key. Adding a host key means appending such a line to the appropriate file.

SSH STRICT-HOST-KEY-CHECK ON gives you some assurance that the host you have connected to is the one you meant to connect to. But it also means your first connection to a particular host is likely to be refused. It's the classic chicken-and-egg situation. You're supposed to get host keys from a trusted source such as a disk or CDROM from your host administrators, but if you didn't, how do you get a key when it's on the very host you can't connect to because you don't have its key? The possibilities include:

• You can make some other kind of trusted connection to it (e.g. with Kerberos 5 Telnet) and download the key, or:
• You can tell K95 to:

    SET SSH STRICT-HOST-KEY-CHECK OFF (or ASK)
  

  and then make an SSH connection to the host, authenticate with your password, and then the host key is automatically retrieved and added to your known-hosts file, and then future connections to that host can be made with SSH STRICT-HOST-KEY-CHECK ON. But of course since you have bypassed the host authentication process to obtain the key, future authentication using this key is worthless and you might as well not have have bothered.

You might wonder if keeping host keys is a good idea. The advantage is the protection they offer against man-in-the-middle attacks and DNS spoofing (but not compromised hosts). The disadvantage is that anybody who can access your host keys (legitimately or not) knows which hosts you access, which in itself might be information you'd rather not reveal, but also tells hackers which hosts to attack in your name. As noted, Kermit 95 (like all other SSH clients) appends new host keys to your user host-key file(s). You can delete these files if you wish; you can even do it automatically in your K95 ON_EXIT macro definition.

3.2. User Authentication

Independent of how the host is authenticated to K95, is the method by which K95 authenticates you to the host:

• Password
• Public/Private Key Pair

The default method of client authentication (that is, the method that is used unless you have configured K95 to use any of the other methods described below) is by prompting you locally for a password and then sending it (encrypted) to the server. This method requires you to type your password every time you log in (unlike, say, Kerberos 5, which gives you a "single network login").

If you must use SSH to contact a particular host, we recommend simple password authentication. If this is OK with you, skip the rest of this section; otherwise keep reading.

You can also use public/private key pairs, whose purpose is to allow you to log in to the host without typing your password. THIS IS DANGEROUS because your keys are stored on your Windows disk, where they can be stolen (especially easy on Windows 9x/ME PCs that are attached to the network, yet lack any form of file-system security). If your key files are encrypted, they can be decrypted offline. (The longer the passphrase for key-file encryption, the longer it takes to perform dictionary attacks against it; a 40-character character passphrase should be considered a minimum but most people don't use such a long passphrase, so most key files are ripe for plucking.)

To use public/private key pairs you must have each host's public key in your PC's \v(APPDATA)\ssh\known_hosts (SSH v1) and/or \v(APPDATA)\ssh\known_hosts2 files (SSH v2), and you must also upload your own public key to each host and put it in the appropriate place, such as ~/.ssh/authorized_keys (SSH v1) and/or ~/.ssh/authorized_keys2 (SSH v2) when OpenSSH is the daemon. When all the right files and keys are in the right places in the appropriate formats, you can log in without a password. In order to determine the correct type of key to use you must know the configuration of the SSH daemon. If you are not the host administrator, contact the appropriate administrator for assistance. (A common error is to leave the permissions on the ~/.ssh/ directory and the files it contains world or group accessible. SSH daemons refuse to use identity files that are accessible to anyone other than the account owner.

Here's an example. I have a guest ID on a Linux machine at a remote site. If I make an SSH connection to it (logging in with a password), K95's status line shows me the SSH server's level is 2.0. If I want to be able to connect without typing a password, then (1) my end is already done, since K95 added the host's public key to my known_hosts2 file the first time I made an SSH connection to it; but (2) I must add my PC's public key to my:

  ~/.ssh/authorized_keys2

file on the host. In this case there happened to be no such file. So all I had to do was upload my public key to the host as ~/.ssh/authorized_keys2. But which public key? I have three of them (see the SSH KEY CREATE command description below):

  SSH V1 RSA key:  identity.pub
  SSH V2 DSA key:  id_dsa.pub
  SSH V2 RSA key:  id_rsa.pub

Well, since the server uses SSH v2, I can ignore the identity.pub file, which is only for SSH v1. So I began by uploading my id_dsa.pub file to my ~/.ssh directory, renaming it to authorized_keys2, logging out, and making a new ssh connection to the same host. It let me in without password, so I guessed right the first time. Maybe the id_rsa.pub key would have worked too, who knows -- it probably depends on the server.

But now, of course, anybody who can obtain a copy of the id_dsa private key file from my Windows disk can log in to that host as me, without a password. And it's easy for them to locate the host because it's listed in my known_hosts2 file, along with all the other hosts I connect to with SSH v2. So what have I accomplished? I have pretty much left the keys to all my houses in the street, each key neatly labeled with the address of the house it unlocks.

So having satisfied myself that the key-exchange mechanism works as designed (by the SSH designers, not us), I deleted the authorized_keys2 file from the host and I deleted all the private keys from my Windows disk. Unlike Kerberos identities or X.509 certificates, compromised private keys can't be revoked or even tracked down. And unlike encrypted password authentication, which must be captured in its brief moment of transit, your key files are always available to hackers, and for that matter, to a potentially infinite number of them at once.

Note, by the way, that some SSH hosts do not support public/private key pair authentication at all, so every combination you try will fail. There's no way to know this without the host administrator telling you, or by exhausting all the combinations.

Since public/private key-pair authentication is unsafe, K95 also supports two secure authentication methods for SSH v2 that do do not require public/private key pairs:

• GSSAPI (Generic Security Services Application Programming Interface), which hooks into the Kerberos 5 authentication system.
• SRP (Secure Remote Password), Stanford University

Of course, secure authentication for SSH clients requires modified SSH servers, which are available. GSSAPI does not require host keys at all since Kerberos authentication is mutual.

The complete list of K95's SSH v2 authentication methods is:

external-keyx

Use the authentication performed as a side-effect of an key exchange algorithm such as GSSAPI.

gssapi

Kerberos 5 identity (requires Kerberos 5 to be installed at the host site and an SSH server that can authenticate your K5 identity).

hostbased

Like Rlogin (.rhosts file, not secure)

keyboard-interactive

Kermit prompts you locally for authentication info such as host password (or anything else the host might require).

password

Kermit prompts you locally for a single host password.

publickey

Public/private key-pair exchange (supported but not recommended, and not supported by Columbia's SSH servers).

srp-gex-sha1

Secure Remote Password (SRP, secure; requires an SSH server on the host that performs SRP authentication).

4. KNOWN BUGS

[ Top ] [ Contents ] [ Next ] [ Previous ]

• You will almost always get a series of scary warnings if you try to make an SSH connection to a host pool; that is, to an IP hostname that stands for more than one server, which is chosen dynamically and invisibly for each incoming connection by a load balancer or somesuch. This is because the name of the SSH server host is not the same as the name that you gave to the SSH command. If you are confident that you have reached the real place you want to reach, you can ignore the warnings. Otherwise you'll have to SSH to a specific hostname, not the generic pool name.
• The result of "ssh hostname /command:{any command ...}" might be truncated.
• "show ssh" doesn't pause at the end of each screen, and it only shows your SET SSH (or default) values, not the current or negotiated ones.
• Sometimes when you log out from a host and K95 returns to its command screen, it prints the "Connection Closed" message and the prompt in the wrong order:

    [C:\K95\] K-95> Connection to blah closed.
  

5. THINGS TO WATCH OUT FOR

[ Top ] [ Contents ] [ Next ] [ Previous ]

• K95 tries to negotiate SSH v2 by default so if you try to connect to an SSH V1 server, it might take a long time. In such cases, use "ssh host /version:1" to get an immediate connection.
• Performance. Obviously performance varies with your PC's memory capacity, CPU speed, and load, but the OS itself is also a factor. Since the SSH code runs in a separate thread, the differing thread scheduling capabilities of Win9x/ME versus NT/2000/XP are significant; all else being equal, expect better performance in Windows NT/2000/XP. When comparing Kermit's performance with other SSH clients, bear in mind that Kermit is likely to negotiate a stronger and therefore more CPU-intensive encryption method than other clients, and that Kermit does more in its terminal window: emulation of many terminal types, character-set conversion, URL highlighting, preservation of attributes for each cell, true blinking, file-transfer initiation detection (autoup/download), host-initiated printing, etc. The effects are not noticeable on modern PCs, but might be on older, slower ones.
• Stairsteps. SSH servers on some Unix systems (usually old ones but reportedly also some new ones too) do not translate LF to CRLF, so lines come out on your screen in stairstep fashion. You can usually fix this by giving an "stty sane" command at the Unix host prompt, or by telling Kermit to "set terminal newline on". Other SSH clients behave exactly the same way with the same hosts. Reportedly newer OpenSSH servers (3.3 or later) resolve this problem.
• Some SSH servers do not break the connection when you log out. If you log out but Kermit stays in its terminal screen, use Alt-u to disconnect. (The same thing happens with other SSH clients.)
• SSH compression is enabled by default. It improves performance on fast machines, but might slow things down when the CPU is the bottleneck, especially on fast LAN connections. Compression is important, however, for modem connections (e.g. PPP) because the encrypted data stream can't be compressed by the modem. Use SET SSH COMPRESSION OFF to disable it.

6. NOT IMPLEMENTED YET

[ Top ] [ Contents ] [ Next ] [ Previous ]

• Kerberos autoget/destroy TGTs.
• Telnet through SSH port forwarding.
• Remote SSH agent proxies.
• Incoming SSH.
• Integration of HTTP, RDNS, DNS SRV, etc.
• SHOW SSH shows only settings, not details about current connection.

7. NEW COMMANDS FOR SSH

[ Top ] [ Contents ] [ Previous ]

SECTION CONTENTS

  7.1. The SSH Command
  7.2. The SET SSH Command

The remainder of this document lists K95's new SSH-related commands. You can also find most of this information with K95's HELP commmand (HELP SSH, HELP SET SSH, etc). Notation:

BOLD

A keyword, to be typed literally. Keywords can be abbreviated to any length that does not clash with any other keyword that can appear in the same place.

Italics

A parameter, for which you would substitute an actual value.

{ thing1, thing2, ... }

A comma-separated list inside italicized braces indicates a choice: pick one of the items.

[ anything ]

Anything within italicized square brackets is optional.

Some of these commands have counterparts in the SSH Settings dialog in the new Dialer.

7.1. The SSH Command

An ssh-agent.exe program is supplied in K95's program directory. If you run it, it acts as an SSH agent program for other applications on your PC, such as Kermit 95.

Syntax: SSH { ADD, AGENT, CLEAR, KEY, [ OPEN ], V2 } operands...

Performs the SSH-related action specified by the keyword.

Let's look at the most important and most commonly used SSH command first:

SSH [ OPEN ] host [ port ] [ /COMMAND:command /USER:username /PASSWORD:passwd /VERSION:{1,2} /SUBSYSTEM:name /X11-FORWARDING:{ON,OFF} ]

This command establishes a new connection using SSH version 1 or version 2 protocol. The connection is made to the specified host on the SSH port (you can override the port by including a port name or number after the host name). Once the connection is established the authentication negotiations begin. If the authentication is accepted, the local and remote port forwarding lists (if any) are used to establish the desired connection(s) and if X11 Forwarding is active, this results in a remote port forwarding between the X11 clients on the remote host and X11 Server on the local machine. If a /COMMAND is provided, the command is executed on the remote host in place of your default shell.

Approximate Synonym:   SET HOST /NETWORK:SSH. This is exactly like SSH OPEN, except it does not enter the Terminal screen (unless you include the /CONNECT switch). This allows SSH connections to be made in scripts, in which interactions with the host are to be automated. To see how to set up an SSH-based Kermit file-transfer and -management service (similar to SFTP but with greater flexibility, functionality, friendliness, and scriptability), CLICK HERE.

If your username on the host is not the same as K95's \v(userid) value, you must include the /USER: switch to specify the username on the host. You can find out K95's \(userid) value by typing SHOW VAR USERID at the K95 prompt. You can set this variable globally with the SET LOGIN USERID command, in which case it is used for all future network logins until you EXIT from K95. The /USER: switch, on the other hand, applies only to the command with which it is given, and leaves the global USERID setting alone.

Here are the rest of the SSH commands in alphabetical order:

SSH ADD LOCAL-PORT-FORWARD local-port host port

Adds a port forwarding triplet to the local port forwarding list. The triplet specifies a local port to be forwarded and the hostname / ip-address and port number to which the port should be forwarded from the remote host. Port forwarding is activated at connection establishment and continues until the connection is terminated.

SSH ADD REMOTE-PORT-FORWARD remote-port host port

Adds a port forwarding triplet to the remote port forwarding list. The triplet specifies a remote port to be forwarded and the hostname/ip-address and port number to which the port should be forwarded from the local machine. Port forwarding is activated at connection establishment and continues until the connection is terminated.

SSH AGENT ADD [ identity-file ]

Adds the contents of the identity-file (if any) to the SSH AGENT private key cache. If no identity-file is specified, all files specified with SET SSH IDENTITY-FILE are added to the cache.

SSH AGENT DELETE [ identity-file ]

Deletes the contents of the identity-file (if any) from the SSH AGENT private key cache. If no identity-file is specified, all files specified with SET SSH IDENTITY-FILE are deleted from the cache.

SSH AGENT LIST [ /FINGERPRINT ]

Lists the contents of the SSH AGENT private key cache. If /FINGERPRINT is specified, the fingerprint of the private keys are displayed instead of the keys.

SSH CLEAR LOCAL-PORT-FORWARD

Clears the local port forwarding list.

SSH CLEAR REMOTE-PORT-FORWARD

Clears the remote port forwarding list.

SSH KEY Commands:

The SSH KEY commands create and manage public and private key pairs (identities). There are three forms of SSH keys. Each key is stored in its own file:

Key Type	Private Key File	Public Key File
v1 RSA keys	\v(appdata)ssh/identity	\v(appdata)ssh/identity.pub
v2 RSA keys	\v(appdata)ssh/id_rsa	\v(appdata)ssh/id_rsa.pub
v2 DSA keys	\v(appdata)ssh/id_dsa	\v(appdata)ssh/id_dsa.pub

Keys are stored using the OpenSSH keyfile format. The private key files can be (optionally) protected by specifying a passphrase. A passphrase is a longer version of a password. English text provides no more than 2 bits of key data per character. 56-bit keys can be broken by a brute force attack in approximately 24 hours. When used, private key files should therefore be protected by a passphrase of at least 40 characters (about 80 bits).

SSH KEY CHANGE-PASSPHRASE [ /NEW-PASSPHRASE:passphrase OLD-PASSPHRASE:passphrase ] filename

This re-encrypts the specified private key file with a new passphrase. The old passphrase is required. If the passphrases (and filename) are not provided Kermit prompts your for them.

SSH KEY CREATE [ /BITS:bits /PASSPHRASE:passphrase /TYPE:{V1-RSA,V2-DSA,V2-RSA} /V1-RSA-COMMENT:comment ] filename

This command creates a new private/public key pair. The defaults are: BITS:1024 and TYPE:V2-RSA. The filename is the name of the private key file. The public key is created with the same name with .pub appended to it. If a filename is not specified Kermit prompts you for it. V1 RSA key files may have an optional comment, which is ignored for other key types.

SSH KEY DISPLAY [ /FORMAT:{FINGERPRINT,IETF,OPENSSH,SSH.COM} ] filename

This command displays the contents of a public or private key file. The default format is OPENSSH.

SSH KEY V1 SET-COMMENT filename comment

This command replaces the comment associated with a V1 RSA key file.

SSH V2 REKEY

Requests that an existing SSH V2 connection generate new session keys.

7.2. The SET SSH Command

SET SSH AGENT-FORWARDING { ON, OFF }

If an authentication agent is in use, setting this value to ON results in the connection to the agent being forwarded to the remote computer. The default is OFF.

SET SSH CHECK-HOST-IP { ON, OFF }

Specifies whether the remote host's ip-address should be checked against the matching host key in the known_hosts file. This can be used to determine if the host key changed as a result of DNS spoofing. The default is ON.

SET SSH COMPRESSION { ON, OFF }

Specifies whether compression will be used. The default is ON.

SET SSH DYNAMIC-FORWARDING { ON, OFF }

Specifies whether Kermit is to act as a SOCKS4 service on port 1080 when connected to a remote host via SSH. When Kermit acts as a SOCKS4 service, it accepts connection requests and forwards the connections through the remote host. The default is OFF.

SET SSH GATEWAY-PORTS { ON, OFF }

Specifies whether Kermit should act as a gateway for forwarded connections received from the remote host. The default is OFF.

SET SSH GSSAPI DELEGATE-CREDENTIALS { ON, OFF }

Specifies whether Kermit should delegate GSSAPI credentials to the remote host after authentication. Delegating credentials allows the credentials to be used from the remote host. The default is OFF.

SET SSH IDENTITY-FILE filename [ filename [ ... ] ]

Specifies one or more files from which the user's authorization identities (private keys) are to be read when using public key authorization. These are files used in addition to the default files:

  V1 RSA:  \v(appdata)ssh/identity
  V2 RSA:  \v(appdata)ssh/id_rsa
  V2 DSA:  \v(appdata)ssh/id_dsa

SET SSH KERBEROS4 TGT-PASSING { ON, OFF }

Specifies whether Kermit should forward Kerberos 4 TGTs to the host. The default is OFF.

SET SSH KERBEROS5 TGT-PASSING { ON, OFF }

Specifies whether Kermit should forward Kerberos 5 TGTs to to the host. The default is OFF.

SET SSH PRIVILEGED-PORT { ON, OFF }

Specifies whether a privileged port (less than 1024) should be used when connecting to the host. Privileged ports are not required except when using SSH V1 with Rhosts or RhostsRSA authorization. The default is OFF.

SET SSH QUIET { ON, OFF }

Specifies whether all messages generated in conjunction with SSH protocols should be suppressed. The default is OFF.

SET SSH STRICT-HOST-KEY-CHECK { ASK, ON, OFF }

Specifies how Kermit should behave if the host key check fails. When strict host key checking is OFF, the new host key is added to the protocol-version-specific user-known-hosts-file. When strict host key checking is ON, the new host key is refused and the connection is dropped. When set to ASK, Kermit prompt you to say whether the new host key should be accepted. The default is ASK. Strict host key checking protects you against Trojan horse attacks. It depends on you to maintain the contents of the known-hosts-file with current host keys.

SET SSH USE-OPENSSH-CONFIG { ON, OFF }

Specifies whether Kermit should parse an OpenSSH configuration file after applying Kermit's SET SSH commands. The configuration file would be located at \v(appdata)ssh/ssh_config. The default is OFF.

SET SSH V1 CIPHER { 3DES, BLOWFISH, DES }

Specifies which cipher should be used to protect SSH version 1 connections. The default is 3DES.

SET SSH V1 GLOBAL-KNOWN-HOSTS-FILE filename

Specifies the location of the system-wide known-hosts file. The default location depends on the operating system:

Operating System	File
Windows 95/98/98SE/ME	%windir%\ssh_known_hosts
Windows NT/2000/XP/Vista/7/etc	\v(common)ssh\ssh_known_hosts

SET SSH V1 USER-KNOWN-HOSTS-FILE filename

Specifies the location of the user-known-hosts-file. The default location is:

  \v(appdata)ssh/known_hosts

SET SSH V2 AUTHENTICATION { EXTERNAL-KEYX, GSSAPI, HOSTBASED, KEYBOARD-INTERACTIVE, PASSWORD, PUBKEY, SRP-GEX-SHA1 } [ ... ]

Specifies an ordered list of SSH version 2 authentication methods to be used when connecting to the remote host. The default list is:

  external-keyx gssapi hostbased publickey srp-gex-sha1
  keyboard-interactive password none

SET SSH V2 CIPHERS { 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC, ARCFOUR, BLOWFISH-CBC, CAST128-CBC, RIJNDAEL128-CBC, RIJNDAEL192-CBC, RIJNDAEL256-CBC }

Specifies an ordered list of SSH version ciphers to be used to encrypt the established connection. "Rijndael" is an alias for "aes". The default list is:

  aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour aes192-cbc aes256-cbc

SET SSH V2 GLOBAL-KNOWN-HOSTS-FILE filename

Specifies the location of the system-wide known-hosts file. The default location depends on the operating system:

  Windows 95/98/98SE/ME: %windir%\ssh_known_hostss
  Windows NT/2000/XP:    \v(common)ssh\ssh_known_hosts2

SET SSH V2 HOSTKEY-ALGORITHMS { SSH-DSA, SSH-RSA }

Specifies an ordered list of hostkey algorithms to be used to verify the identity of the host. The default list is:

  ssh-rsa ssh-dsa

SET SSH V2 MACS { HMAC-MD5 HMAC-MD5-96 HMAC-RIPEMD160 HMAC-SHA1 HMAC-SHA1-96 }

Specifies an ordered list of Message Authentication Code algorithms to be used for integrity protection of the established connection. The default list is:

  hmac-md5 hmac-sha1 hmac-ripemd160 hmac-sha1-96 hmac-md5-96

SET SSH V2 USER-KNOWN-HOSTS-FILE filename

Specifies the location of the user-known-hosts file. The default location is:

  \v(appdata)ssh/known_hosts2

SET SSH VERBOSE level

Specifies how many messages should be generated by the OpenSSH engine. The level can range from 0 to 7. The default value is 2.

SET SSH VERSION { 1, 2, AUTOMATIC }

Specifies which SSH version should be negotiated. The default is AUTOMATIC which means use version 2 if supported; otherwise to fall back to version 1.

SET SSH X11-FORWARDING { ON, OFF }

Specifies whether X Windows System Data is to be forwarded across the established SSH connection. The default is OFF. When ON, the DISPLAY value is either set using the SET TELNET ENV DISPLAY command or read from the DISPLAY environment variable.

SET SSH XAUTH-LOCATION filename

Specifies the location of the xauth executable (if provided with the X11 Server software.)

[ ў Беларускім ] [ Top ] [ Contents ] [ K95 Home ] [ Kermit Home ]

---

K95 SSH Client / The Kermit Project / Columbia University / kermit@columbia.edu / 8 Dec 2002 / 25 Aug 2010