Pragma Fortress SSH Server Frequently Asked Questions

  1. Pragma Fortress SSH Server
  2. FAQ

This is a collection of answers to frequently asked questions about Pragma SSH Server for Windows. Please check here before sending email or calling Pragma Systems in regards to problems with the SSH Server product.

Also check our forums pages for common questions and answers, https://forums.pragmasys.com.

Many issues can be resolved by viewing the Event Logs, where we record all errors and informational events. In Version 7, Build 9, Revision 1815 and later, all events are recorded under Windows Applications and Services -> Pragma SSH Server. In earlier versions, events are recorded in the Application log.

Thank you,

Pragma Systems, Inc.

https://forums.pragmasys.com
 

A. Limitations of the Pragma SSH Server evaluation
B. How Pragma SSH Server works and interacts with Windows
C. Hardware needed
D. Installation Problems with Pragma SSH Server

 

List of Pragma SSH Server Support Questions by Topic

1. Certificate Authentication 2. Keyboard and Mouse 3. Logging In 4. Windows Association 5. Command Line Operations 6. Display 7. InetD Service 8. Running other applications from SSH Server 9. Printing 10. Other Issues

 

A. Limitations of the Pragma SSH Server evaluation

The free evaluation copy of Pragma SSH Server will timeout 14 days from when it is installed. The greeting message and copyright messages cannot be changed or removed. Other than that, there is no difference.

back

B. How Pragma SSH Server works and interacts with Windows

Pragma SSH Server is a standard UNIX secure shell ported to Windows. Secure Shell (SSH) is a de-facto industry standard for remote access of systems over a secure connection using strong cryptography. A serious problem with current popular tools like telnet and FTP is that they transfer password and data in clear text on the net thus compromising security. As a result, most secure UNIX and LINUX systems are managed over ssh sessions which encrypts password and all data exchanges. With Pragma SSH Server, Windows systems can now be managed over secure ssh sessions just like high end UNIX or LINUX systems are. Use of Pragma SSH Server virtually eliminates the risk of remote management as all session data are encrypted using strong ciphers with keys exchanged dynamically using RSA public key algorithms.

SSH does not support graphical programs that open separate windows, it will run any program that will run in your Windows console window. It runs as a Windows service and allows access to those machines from any ssh client and protects the system by using the internal security mechanisms.

With Pragma SSH Server, you receive our fully functional InetD product. InetD is another program we brought over from the UNIX world. It allows us to run programs only when they are really needed. InetD runs as a service and watches TCP/IP ports for which it has been configured. Using InetD allows us to use less memory and processor time while awaiting a TCP/IP connection. When a ssh client attempts a connection to your system, it uses a TCP/IP Port. InetD is configured to watch this port and start the server application at that time. At that point, the user is questioned for his/her login information. The login information consists of a User ID, Password and optional Domain. Pragma SSH Server then takes this information and asks the system if this user is okay or not. If the user fails the authentication, he/she is notified and is given a configurable number of retries before being disconnected. If the user passes authentication, the user is logged onto the system just as if they were sitting at the computer.

back

C. Hardware needed

Pragma SSH Server will run on any system able to run Windows. Therefore, all you need is the minimum requirements set by Microsoft. As for how many users can ssh to a machine at the same time and performance not be degraded, we say that you need about 5MB per user above the minimum needed for Windows.

Here's a guideline to follow for connecting 200 ssh sessions:

2 GHz processor
1 GB RAM

NOTE: The above recommendation is for ssh sessions running cmd.exe only. If the session will run additional programs, then the resources should be increased accordingly for each session. Additional resources will be needed as the number of sessions increase, or for sessions that will be running additional processes.

back

D. Installation Problems with Pragma SSH Server
  • The installation must be run as with elevated privileges in Vista and higher.
  • Known programs that might interfere with the installation of Pragma SSH Server:
    Microsoft Exchange Server
    Microsoft SQL server
    Virus Detection software
    Backup software
  • If installation failure occurs due to the InetD Service failing to start, check the Event Log for an InetD error describing the failure. In Version 7, Build 9, Revision 1815 and later, all events are recorded under Windows Applications and Services -> Pragma SSH Server. In earlier versions, events are recorded in the Application log.

back

Answers to support questions:

Where do I store keys for user authentication?

The location for authentication files is configured by the Local Server Configuration program. Under the Authentication -> Public Key Options, an administrator can set a designated location for the authentication files. The file will be named authorized_keys2 in the configured directory. The directory will need to be unique for each user. For example, the environment variable %USERNAME% or %APPDATA% can be used to make each directory unique. A single directory cannot be used for all users, since the server looks for the authorized_keys2 file for all users.

back

How do I specify a x.509 certificate as an authentication key?

To pass a x.509 certificate, a special ssh option has been added to our command line client. Use the following syntax:

       ssh -oCertHash=b86258bba6a65878329ac3a142e60e51a895f273 user@somehost

or for sftp

       sftp -oCertHash=b86258bba6a65878329ac3a142e60e51a895f273 user@somehost

There should be no space between the -o option specifier and the option name "CertHash"

back

How do I pass a identity certificate to the command line sftp client?

To pass a certificate for authentication via sftp, you need to pass it to the ssh client as an option. Use the following syntax:

       sftp -oIdentityFile=key_name username@host

There should be no space between the -o option specifier and the option name "identityfile"

back

Using Pragma clients: FortressCL; FortressFX; and command line clients; with certificate authentication fails when connecting to Cisco routers.

Check that the public keys are loaded to the username in Cisco router/switch. Issue "show run | b ip ssh pu" to see the public keys loaded for various user accounts. Cisco allows 2 keys to be loaded for each user account. "config t" followed by "ip ssh pubkey-chain" command is used in Cisco to load a public key for login.

back

I cannot get a certificate to store using the auto-store features.

The auto-store features can fail for multiple reasons:

  • Keyboard-interactive authentication method is not enabled for the client.
    The client must enter a password for authentication the first time they connect with a new key for auto-storage. The server prompts for the password using the keyboard-interactive authentication method. If this is not enabled, the client will fail to authenticate.
  • The server needs to be reboot.
    If the key appears to be saved in the correct location, but the client is still prompted for password, then the server needs to be reboot for our authentication library to work properly.
  • The LocalSystem account does not have write access to either the file location or the registry.
    The keys are stored using the LocalSystem account, so if SYSTEM has been removed from either the registry or the key location directory, we will be unable to write the key.
  • The configured key directory is not unique to each user.
    The configured key directory on the Public Key Options page of the Local Server Configuration program must be unique to each user. The keys are stored using the same filename, authorized_keys2, so the directory must be unique. This can be done using an environment variable that is unique for each user, such as %USERNAME% or %USERPROFILE% or %APPDATA%.

back

How do I use certificates with FileZilla?
  • Create dsa/rsa keys using sshkeygen
    • sshkeygen -t dsa for DSA keys
    • sshkeygen -t rsa for RSA keys
    public/private key-pairs will be saved with names given in the directory specified, or current directory for blank. No passphrase needed
  • Open Filezilla, the go to Edit->Settings page. Then click on “SFTP" tab. Click on the button at the bottom “Add keyfile"
  • Point to the private key file created above. Say yes if conversion is asked. Will have to give it a new name. A .ppk file will be created
  • Go back to Filezilla site manager, create a site, set logon type to interactive, put in the user name, blank out password. Then click to connect
  • Say ok to add host if needed
  • Password will be prompted for so that the key can be autoloaded and cached
  • Answer ‘Y’ to autoload
  • Connection should be established
  • Connect to the host using Pragma Session Manager – you should see the sftp connection, including authentication method
  • Locate the unique configured directory under the Public Key Options page of the Local Server Configuration page. You will see authorized_keys2 file created in this folder
  • You can append additional keys manually to this file if you like
  • For other users, you can follow similar procedure, or manually create an authorized_keys2 to file in that user’s configured directory under the Public Key Options page of the Local Server Configuration page. Then you need to manually put the key in this file. Autoload avoids this manual step.

back

I am using an application that requires me to use the Alt key on the keyboard, how is this done?
  • You can use our Console ssh Client which allows you to use the Alt key just as you normally would, by mapping the ALT key to the same value as the server. See the ssh.txt file for help on mapping the ALT key for the client. The default value is CTRL-A.
  • You can re-mapped the Alt key to any key desired for each user, using the Local SSH Server Configuration program. The default value is CTRL-A.

back

Pressing Control-G doesn't do anything?

Pragma SSH Server has the ability to grant or deny users to press Control-G to make the server beep. If Control-G is not working, check the Users -> Keyboard page of the Local Server Configuration program to make sure the option is on.

back

Pressing Control-C doesn't do anything?

Pragma SSH Server has the ability to grant or deny users to press Control-C to break out of the current application. If Control-C is not working, check the Users -> Keyboard page of the Local Server Configuration program to make sure the option is on.

back

Does Pragma SSH Server support function keys?

Yes, if you use our Console ssh Client, all of the keyboard keys work. However, if you use another client, make sure that it supports VT420 or allows you to define what it sends for the keyboard.

back

Is it possible to get mouse support in a ssh session?
How can I get mouse access over a ssh session?

For mouse support, both the client and the server need to be in "WindowsTerm" mode. To do this, follow these instructions:

To set the client side, you need to set your term environment variable to WindowsTerm in your local machine first and then run our ssh client.

You can change the environment variable for all sessions by modifying the variable for from Control Panel.

  • Go to the User Environment settings. This is in different areas, base on the operating system. Check your documentation for location.
  • Choose or Add "Term"
  • Change value to WindowsTerm;
  • Click on "Set" & "Apply";

Or you can set the variable from a just for a single session, by typing "term=WindowsTerm" at the command prompt before starting the ssh session in the same command prompt session.

back

User has account on system but is unable to login.
Only the Administrator is allowed to login.

The most common cause of a user being rejected is that they do not the necessary permissions to access the server or run the configured user shell and/or startup program. All users must have "Log on Locally" access permissions to be granted access via ssh.

back

It seems to take long time to login.

The most common cause of delayed access, is authentication by a trusted domain. Pragma SSH Server authenticates in the following order: local, current domain, trusted domains. If the user is a member of a trusted domain, entering the domain at the domain prompt will speed up authentication.

Overall network lag can be the cause as well. Test an authentication of the same user outside of ssh, such as mapping or drive or some group membership configuration for the operating system. If this is slow as well, then see a network administrator.

back

How do I execute a batch file when a user logs on?

You can assign a logon batch file for users using one of the following methods. Select only one choice. Errors could occur if the batch file is assigned in multiple locations.

  • Setup the batch file using Windows User Management program.
  • Enter your batch file in the Startup Program edit box under the Console Settings or Stream Settings tab, depending on the console mode. The location of this box depends on the version of SSH Server. Check your index for these box locations.

back

I get logged off as soon as I log on.

This is normally caused by a failure to run the command shell. Check the Event Log for an error launching the user shell program. If there is none, then check security access to all necessary items to run the user shell, including directories and mapped drives.

back

How do I get rid of the Character Map prompt?

Beginning with Version 6.0, the Character Map prompt is only displayed when an unknown terminal type is used, or if the server administrator requests it. If you need to assign a character map enter the value in the Default Character Map exactly as it appears in the prompt. For example, enter [vtxxx] for our default option.

back

How do I set a users home directory?

Pragma SSH Server supports the user settings in Windows, including home directory and logon script. You may also set up a home directory for each user for ssh only, by setting the Home Directory on the Users General Setting tab.  

back

How do I set a users home directory on a network drive?

Before a network drive can be accessed it must be either mapped or referenced by a UNC name. If using a mapped drive, on the User -> Logon page of the Local Server Configuration program, please make sure that the option to Mapped Network Drives is on and not being performed in the background.

back

What versions of Windows are supported?

All servers are full compatible with Windows 2022/2019/2016/2012/ R2/2012 servers and Windows 11/10/8/7

All clients can also run on Windows XP and Vista.

Our Certifications

Pragma crypto libraries obtained US NIST FIPs certification for Windows 10, Windows Server 2016 and Windows server 2012R2.

Pragma products are fully compatible and tested for use in in Windows Server 2019 and are used in thousands of customer sites worldwide.

back

Does Pragma SSH Server use the Windows User Database or have it's own?

Pragma SSH Server uses the Windows User Database and API for user authentication.

back

Could you tell me the limitations, if any, to run Pragma SSH Server on Windows?

Limitations are those imposed on the User's access rights and what you can do in a console window. Also, you are limited by the file system to only having one set of drive letters for the entire system. This causes an error when 2 users try to map the same drive letter.

back

Pragma SSH Server doesn't seem to have the same path as Windows.

This can occur if the ssh user does not have the path configured under the OS. The path is a setting of the system and the users path. If a different user is logged on to the desktop, the path may be different than the path a different user would get under in the ssh session.

back

Can I run Pragma SSH Server on a Windows Workstation OS instead of a Server OS?

Yes, we are not limited to running on a Windows Server operating system. Any version of Windows will work.

back

Does Pragma SSH Server run on virtual servers?

Pragma SSH Server has been tested on all Windows operating systems running on multiple virtual server applications. The connections behave just as they would if installed on a stand alone system.

back

Can I add/edit users from a command line ?

Yes, you can accomplish this by using the Windows NET.EXE command line application. The NET command has many important functions that can be helpful at the command line. Many useful utilities are also shipped with the Pragma SSH Server product. Microsoft Resource Kits and Server Support Kits contain many other useful command line tools.

back

Can I see users that are logged on from command line?

Yes, we ship a command line version of the Pragma Session Manager, called TELMC.EXE.

back

I need to be able to change my password from command line.

Included with the server is a utility, password.exe, that will enable you to change your password from the command line.

back

I wish to be able to scroll my screen back using a buffer and view my previous commands.

Advanced Console mode allows a user to run console commands and have a scroll back history. This is a only available from Pragma Systems. Stream Mode is still available for any application that handles all emulation for the client, or a session that does not require any console features.

back

Why don't I get a color display?
Why don't I get any colors?

The most common cause of no color display is that the client does not support color. Included with the server are multiple clients, GUI and command line that support color. A second possibility is that the server is running in monochrome or has the checkbox on for "Slow network connections", which will turn on monochrome support. Check the Console Settings page of the Local SSH Server Configuration program.

back

My terminal only supports 24 lines, this causes the last line to not display correctly.

Because DOS programs support a minimum of 25 lines, we have re-mapped the last 25th line to the 24th line. This enables the last line to be seen, which in most cases is very important. We do not recommend using a client that does not support at least 25 lines.

back

How do I get reverse video?

For versions earlier than 5.0, use the Console Settings tab, turn on the User Monochrome option and set the Default Background color to any value other than Black. Version 5.0 includes a check box to use Reverse Video.

back

How can I use InetD to enable my console application to be TCP/IP network enabled?

This is a very simple task. All you must do is use our socket instead of STDIN and STDOUT. So, you can use the following code snippet to get the socket handle and allow your program to read and write to the socket just as if it were in a regular console.

char *pSock;
int hOutput = 0, hInput = 0;

if ( (pSock = getenv("PRAGMASYS_INETD_SOCK")) != NULL )
{
/* code for in ssh session */
hOutput = hInput = atoi( pSock );
// From here you can use Windows NT ReadFile and WriteFile
// for input and output
}
else
{
/* code for not in ssh session */
}

For version 7.0 and later, the following registry string value entry must also be added:

          HKEY_LOCAL_MACHINE\SOFTWARE\PragmaSystems\sshd\Users\ for each configured user\CustomAppSupport, with a value of "yes".

back

How do I START and STOP the InetD Service?
  • From the InetD Configuration tab.
  • From the Windows "Services" Program
  • From a command prompt with elevated privileges, using the NET command

back

I have some programs that run okay in a local DOS Window, however when I run them in a ssh session, the window is not updating.

Some programs that are compiled for Windows and run in a console window use the Win32 Console API functions that switch the active screen buffer being used. Not only does Pragma SSH Server have no way of knowing that these functions are being used and that the screen buffer has been changed, but because of process boundaries set by Windows, the SSH Server process has no access to these screen buffers. These applications will work in Advanced Console or with the wrap.exe program.

back

Known applications that need our Wrapper technology because of the above issue:

VI from the Windows NT Resource Kit
PMON from the Windows NT Resource Kit
VIM - a popular enhanced version of VI
Computer Associates Interactive SQL command processor, Open Ingres

back

Where can I get Emacs for Windows that works in a ssh session?

You can download a 64-bit version of Emacs from Sourceforge at https://sourceforge.net/projects/emacsbinw64.

back

Using IBM's DB2 product with Pragma SSH Server.

Two environment variables need to be set for the DB2 Command Line processor to work within a ssh session, DB2RQTIME and DB2CLP.

DB2RQTIME: This is a timeout variable used by DB2, it represents milli-seconds so it will be very large.

DB2CLP: This is an internal value set per session, it is unique to each session. See you DB2 help for more information on setting this variable.

We recommend that you use a shell initializer on the server to set these values at the start of you ssh session.

back

How do I make Pragma SSH Server stop any child process when a ssh session ends?

Use the "Monitor Child Process" feature to make sure all child processes are removed when a session ends. If there is a known exit that will exit the process from any spot in the program, then configure the exit sequence under the Graceful Termination page of the Local SSH Server Configuration program.

back

Users are unable to print.

In order for printing to work, users that wish to print must have Change access to the SpoolDir.  

Take a look at the documentation on Printing Monitoring. It has a step-by-step setup and troubleshooting tips.

back

I can only get a small number of sessions connected, then I start getting errors.

Resources may limit the number of sessions. If a large number of sessions are active, and users begin to experience process issues or are unable to logon, increase the InetD Desktop Count. If that does not allow more sessions then check the Win32 system setup. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows registry value. There is a substring value of SharedSection. For best results this value should be SharedSection=1024,3072,512. After changing the value, reboot the system.

If the problem persist change the SharedSection value to 1024,3072,1024, then reboot. This setting is system dependent, so some systems have better results with 512, while some perform better with 1024.

Windows has a system limitation of 48 MB of memory for non-interactive services, such as ssh sessions.  This limit will be reached if InetD cannot create all of the requested desktops or the SharedSection value is set too high.

back

I am getting a getpeername failure in the Event Log.

My session immediately exits without error.

Another application with a Layered Service Provider might be conflicting with the Pragma Server. Uninstall the other application and re-boot.

Other applications known to cause a conflict:

McAfee VirusScan 7.0
Diamond Port Monitor

back

I have server processes left on the machine after the client exits?

Server and user shell processes left after a client exits are called orphan sessions. These sessions are left because the client does not notify the server that they have exited. There are 2 features included that can be used to clean up orphan sessions.

The first is the Server to Client Heartbeat under the User -> Handheld page of the Local Server Configuration program. This will send a signal to the client after the configured period of time, and then disconnect the session, if it does not receive a response from the client.

The other is the Idle Session Timeout under the User General Settings page of the Local Server Configuration program. This will shut the session down after a fixed period of inactivity. This value will shut down the session whether the connection is good, so it should be configured high enough not to interfere with an expected idle period.

back 

Navigation

Social Media