Modify an SSHd advanced configuration


Configure additional SSH parameters that allow you to fine tune the connection. These settings are global and apply to all sessions. All of the parameter settings are optional. The connection will operate with default settings if you do not modify them. Typically, these parameters do not need to be modified.

There are two methods for applying SSH vendor patches required by SSH client applications: you can configure patches manually, or you can set the system to apply known patches automatically. The system first checks for manually configured patches. If none are found, it checks the internal patch database for known fixes. If you have manually repaired client connection problems for your SSH vendor, you may want to turn off the auto-patch capability for that vendor to prevent the system from applying patches. Consult your SSH client documentation to determine if you require patches.

Access mode

enable

Syntax

switchServices sshd advanced

Arguments

Field Name Description
sshdPort integer Optional: The port the system uses for SSH sessions.

Valid values are from 1 to 65535; the default setting is "22".
maximumAuthenticationTime integer Optional: The maximum number of seconds allowed for the user authentication phase to complete. If the timer expires, the system cancels the request. A value of 0 disables the timeout timer.

Valid values are from 0 to 180; the default setting is "30".
globalEventInterval integer Optional: The number of seconds allowed between similar SSH global events. This allows you to limit the frequency with which the system reports similar events to avoid flooding the network.

Valid values are from 0 to 600; the default setting is "10".
handleErrors enumeration Optional: Sets the sshd applications to attempt handling system errors whenever possible.

The default setting is "enabled".

Valid values: enabled, disabled
executionMonitorMode enumeration Optional: The system monitors its own internal processes.

The default setting is "active".

Valid values:
  • active : Auto-detection of internal loops is enabled.
  • passive : Auto-detection of internal loops is disabled.
clientKeepAliveInterval integer Optional: The number of seconds between 'keep alive' messages sent to the client. If the client does not respond after three keep alives, the system destroys the session.

Keep alive messages are not universally supported across client applications. Because of this, the system instead sends a channel request to an invalid service. This works just like a keep alive, because an error response indicates an active client. If the client application does not handle error responses properly, disable this feature by setting the clientKeepAliveInterval to 0.

Valid values are from 0 to 3600; the default setting is "0".
patchVendorIds enumeration Optional: The names of the SSH vendors that should have known patches applied. If a vendor has known problem clients, the system automatically applies patches for known issues.

The default setting is "sshcomFsecureVandyke".

Valid values:
  • none : Disables the auto-patch feature.
  • sshcommunications : Applies SSH Communication patches.
  • fsecure : Applies FSecure patches.
  • sshCommFsecure : Applies SSH Communication and FSecure patches.
  • vandyke : Applies VanDyke patches.
  • sshcommVandyke : Applies SSH Communication and VanDyke patches.
  • fsecureVandyke : Applies FSecure and VanDyke patches.
  • sshcomFsecureVandyke : Applies SSH Communication, FSecure, and VanDyke patches.
testPatchVersion text Optional: The version string of the client requiring the patch. Enter the exact string of the client's version. To determine the version information, either see the event log or use a sniffer for line monitoring. This setting works in conjunction with the testPatchValue to identify vendor patches.
testPatchValue text Optional: The number representing the bit values of patches used to repair client connection applications. To add multiple patches, enter the sum of the patch IDs you want to apply. Supported patch identifiers and values are as follows:

Name (SSH Patch Identifier), Bit Value
SigBlob-fix (SSH_BUG_SIGBLOB), 1
HMAC-fix (SSH_BUG_HMAC), 4
OldSessionId (SSH_OLD_SESSIONID), 16
DebugMsg-fix (SSH_BUG_DEBUG), 64
DeriveKey-fix (SSH_BUG_DERIVEKEY), 262144
SecureFX-NoUserAuth (SSH_VDFX_NOUSERAUTH), 2097152

To determine which patch bit values to set, read the Sun Secure Application Switch debug events and the client events. The information may point to which bit values will resolve well-known problems.
cliInheritsSshLoginCredentials enumeration Optional: Allows automatic CLI login if password authentication was used.

The default setting is "disabled".

Valid values:
  • enabled : Attempt to use username/password for CLI login (if supplied).
  • disabled : Do not attempt to automatically log in to the CLI.
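
The following added example (not part of the original reference and not vendor code) checks a set of proposed values against the integer ranges in the table above and splits a testPatchValue sum back into the patch identifiers it enables, rejecting any bit the table does not list. The function names and the dictionary layout of the settings are assumptions made for illustration.

```python
# Added example (not vendor code). Ranges and bit values are from this page's table.
INT_RANGES = {
    "sshdPort": (1, 65535),
    "maximumAuthenticationTime": (0, 180),
    "globalEventInterval": (0, 600),
    "clientKeepAliveInterval": (0, 3600),
}
PATCH_BITS = {
    1: "SSH_BUG_SIGBLOB",
    4: "SSH_BUG_HMAC",
    16: "SSH_OLD_SESSIONID",
    64: "SSH_BUG_DEBUG",
    262144: "SSH_BUG_DERIVEKEY",
    2097152: "SSH_VDFX_NOUSERAUTH",
}

def decode_patch_value(value):
    """Split a testPatchValue sum into its documented patch identifiers."""
    if not isinstance(value, int) or isinstance(value, bool) or value < 0:
        raise ValueError(f"testPatchValue must be a non-negative integer: {value!r}")
    names = [name for bit, name in sorted(PATCH_BITS.items()) if value & bit]
    unknown = value & ~sum(PATCH_BITS)  # bits are distinct, so the sum is the full mask
    if unknown:
        raise ValueError(f"testPatchValue sets undocumented bits: {unknown}")
    return names

def check_settings(settings):
    """Return a list of problems in a dict of proposed settings (hypothetical shape)."""
    problems = []
    for name, value in settings.items():
        if name in INT_RANGES:
            low, high = INT_RANGES[name]
            if not isinstance(value, int) or not low <= value <= high:
                problems.append(f"{name}={value!r} is outside {low}..{high}")
        elif name == "testPatchValue":
            try:
                decode_patch_value(value)
            except ValueError as err:
                problems.append(str(err))
    return problems

if __name__ == "__main__":
    # Constructed sample input, not taken from a real switch.
    proposed = {"sshdPort": 2222, "maximumAuthenticationTime": 240, "testPatchValue": 262149}
    print(decode_patch_value(proposed["testPatchValue"]))
    for problem in check_settings(proposed):
        print("problem:", problem)
```

Decoding the value before applying it shows exactly which client workarounds a given sum turns on, which is useful when reviewing a change that touches testPatchValue.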