PowerShell Server 2016
PowerShell Server 2016
Questions / Feedback?

SSH Reverse Tunnels

Configuration options for the SSH Reverse Tunnel functionality included in PowerShell Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16\SSHReverseTunnels. This location will hold a registry key for each SSH Reverse Tunnel that is created. The registry key for each tunnel can be configured with the following options:

TunnelEnabledDWORDCan be used to enable or disable the SSH Reverse Tunnel.

0 - Disabled.

1 - Enabled. (default)

TunnelForwardingHostStringIndicates the host that the tunneled traffic will be forwarded.
TunnelForwardingPortDWORDIndicates the port on which the tunneled traffic will be forwarded.
TunnelListeningAddressStringIndicates the interface on the remote SSH server where the tunnel will be listening.
TunnelListeningPortDWORDIndicates the port on which the remote SSH server should listen for traffic.
TunnelNameStringA friendly name for the SSH Reverse Tunnel.
SSHReverseTunnelServerHostStringThe SSH server that PowerShell Server will connect to in order to establish the SSH Reverse Tunnel.
SSHReverseTunnelServerPortDWORDThe port on which communication with the SSH server will take place. By default, port 22 will be used.
SSHReverseTunnelUserStringThe username PowerShell Server will use to authenticate to the SSH server.
SSHReverseTunnelPasswordStringThe password PowerShell Server will use to authenticate to SSH server during Password authentication.
SSHReverseTunnelCompressionAlgorithmsStringA comma-separated list containing all allowable compression algorithms. During the SSH handshake, this list will be used to negotiate the compression algorithm to be used between the client and server. This list is used for both directions: client to server and server to client. When negotiating algorithms, each side sends a list of all algorithms it supports or allows. The algorithm chosen for each direction is the first algorithm to appear in the sender's list that the receiver supports, so it is important to list multiple algorithms in preferential order. If no algorithm can be agreed upon, the component will raise an error and the connection will be aborted.

At least one supported algorithm must appear in this list. The following compression algorithms are supported by the component:

  • zlib
  • zlib@openssh.com
  • none

The default value is: "none,zlib".
SSHReverseTunnelEncryptionAlgorithmsStringSpecifies the allowed SSH Encryption Algorithms in a comma-delimited list. During the SSH handshake, this list will be used to negotiate the encryption algorithm to be used between the client and server. This list is used for both directions: client to server and server to client. When negotiating algorithms, each side sends a list of all algorithms it supports or allows. The algorithm chosen for each direction is the first algorithm to appear in the sender's list that the receiver supports, so it is important to list multiple algorithms in preferential order. If no algorithm can be agreed upon, the component will raise an error and the connection will be aborted. Valid values are:

aes256-ctr256-bit AES encryption in CTR mode
aes256-cbc256-bit AES encryption in CBC mode
aes192-ctr192-bit AES encryption in CTR mode
aes192-cbc192-bit AES encryption in CBC mode
aes128-ctr128-bit AES encryption in CTR mode
aes128-cbc128-bit AES encryption in CBC mode
3des-ctr192-bit (3-key) triple DES encryption in CTR mode
3des-cbc192-bit (3-key) triple DES encryption in CBC mode
cast128-cbcCAST-128 encryption
blowfish-cbcBlowfish encryption
arcfourARC4 encryption
arcfour128128-bit ARC4 encryption
arcfour256256-bit ARC4 encryption
aes256-gcm@openssh.com256-bit AES encryption in GCM mode.
aes128-gcm@openssh.com128-bit AES encryption in GCM mode.

The default is:

aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,arcfour256,arcfour128,arcfour,cast128-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com
SSHReverseTunnelCertStoreTypeDWORDSpecifies the type of certificate store where the public key can be found for Public Key Authentication. Can be one of the following values:

0 - User store

1 - Machine Store

2 - PFX File

4 - PEM File

SSHReverseTunnelCertStorePasswordStringThe password for the specified certificate store.
SSHReverseTunnelCertStoreStringThe certificate store where the public key can be found for Public Key Authentication.

If SSHReverseTunnelCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk.

Possible values when SSHReverseTunnelCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

SSHReverseTunnelCertSubjectStringThe subject of the certificate used during Public Key Authentication. Example: "CN=NEWTON".
SSHReverseTunnelAutoReconnectDWORDWhether PowerShell Server will attempt to re-establish the SSH Reverse Tunnel in the event that it is disconnected. Possible values are:

ValueDescription
0Off
1 (default)The connection will be retried the number of times defined by SSHReverseTunnelAutoRetryCount.

SSHReverseTunnelAutoRetryCountDWORDThe number of times PowerShell Server will attempt to reestablish the SSH Reverse Tunnel in the event that it is disconnected. This value is only used when SSHReverseTunnelAutoReconnect is set to 1.
SSHReverseTunnelAutoRetryIntervalDWORDThe number of seconds PowerShell Server will wait between attempts to reestablish the SSH Reverse Tunnel.

This value is only used when SSHReverseTunnelAutoReconnect is set to 1.
The default value is 5.

TunnelFirewallTypeDWORDThe type of firewall for the SSL Tunnel to connect through. Applicable values include the following:

0 - No firewall (default setting)

1 - Connect through a tunneling proxy.

2 - Connect through a SOCKS4 proxy.

3 - Connect through a SOCKS5 proxy.

TunnelFirewallHostStringThe name of IP address of the firewall that the SSH Tunnel will connect through.
TunnelFirewallPortDWORDThe TCP port for the TunnelFirewallHost.
TunnelFirewallUserStringA user name if authentication is to be used when connecting through a firewall.
TunnelFirewallPasswordStringPassword to be used if authentication is to be used when connecting through a firewall.

 
 
Copyright (c) 2017 /n software inc. - All rights reserved.
PowerShell Server 2016 - Version 16.0 [Build 6240]