SSHAuth Configuration
The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.SSHAuth Configuration Settings
SSHCompressionAlgorithms: A comma-separated list containing all allowable compression algorithms.During the SSH handshake, this list will be used to negotiate the compression
algorithm to be used between the client and server.
This list is used for both directions: client to server and server to client.
When negotiating algorithms, each side sends a list of all algorithms it
supports or allows. The algorithm chosen for each direction is the first
algorithm to appear in the sender's list that the receiver supports, so it is
important to list multiple algorithms in preferential order. If no algorithm
can be agreed upon, the component will raise an error and the connection
will be aborted.
At least one supported algorithm must appear in this list. The following compression algorithms are supported by the component:
|
SSHClient Configuration Settings
ClientSSHVersionString: The SSH version string used by the component.This configuration setting specifies the SSH version string used by the component. The default value is "SSH-2.0-IP*Works! SSH Client v9.0". | |
SignedSSHCert: The CA signed client public key used when authenticating.When authenticating via public key authentication this setting may be set to the CA signed client's public key.
This is useful when the server has been configured to trust client keys signed by a particular CA. For instance:
component.Config("SignedSSHCert=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB..."); | |
SSHAcceptServerCAKey: The CA public key that signed the server's host key.If the server's host key was signed by a CA, this setting may be used to specify the CA's public key. If specified
the component will trust any server's host key that was signed by the CA. For instance:
component.Config("SSHAcceptServerCAKey=ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB..."); | |
SSHAcceptAnyServerHostKey: If set the component will accept any key presented by the server.The default value is "false". Set this to "true" to accept any key presented by the server. | |
SSHAcceptServerHostKeyFingerPrint: The fingerprint of the server key to accept.This may be set to a comma-delimited collection of 16-byte MD5 fingerprints that should be accepted as the host's key. You may supply it by HEX
encoding the values in the form "0a:1b:2c:3d". Example:
SSHClient.Config("SSHAcceptServerHostKeyFingerprint=0a:1b:2c:3d");If the server's fingerprint matches one of the values supplied, the component will accept the host key. | |
SSHKeyExchangeAlgorithms: Specifies the supported key exchange algorithms.This may be used to specify the list of supported Key Exchange algorithms used during SSH negotiation. The value should contain
a comma separated list of algorithms. Supported algorithms are:
| |
SSHMacAlgorithms: Specifies the supported Mac algorithms. This may be used to specify an alternate list of supported Mac algorithms used during SSH negotiation. This also specifies the order in which the Mac algorithms are preferred.
The value should contain a comma separated list of algorithms. Supported algorithms are:
| |
SSHKeyRenegotiate: Causes the component to renegotiate the SSH keys.Once this property is set the component will renegotiate the SSH keys with the remote host.
Example: SSHClient.Config("SSHKeyRenegotiate") | |
KeyRenegotiationThreshold: Sets the threshold for the SSH Key Renegotiation.This property allows you to specify the threshold, in the number of bytes, for the SSH Key Renegotiation.
The default value for this property is set to 1 GB.
Example (for setting the threshold to 500 MB): SSHComponent.Config("KeyRenegotiationThreshold=524288000") | |
KerberosRealm: The fully qualified domain name of the Kerberos Realm to use for GSSAPI authentication.This property may be set to the fully qualified (DNS) name of the kerberos realm (or Windows Active Directory domain name) to use during GSSAPI authentication. This can be used to force authentication with a given realm if the client and server machines are not part of the same domain. | |
KerberosDelegation: If true, asks for credentials with delegation enabled during authentication.The default value is "true". If set to "false", the client will not ask for credentials delegation support during authentication. Note that even if the client asks for delegation, the server/KDC might not grant it and authentication will still succeed. | |
KerberosSPN: The Kerberos Service Principal Name of the SSH host.This property can be set to specify the Service Principal Name (SPN) associated with the SSH service on the remote host. This will usually be in the form "host/fqdn.of.sshhost[@REALM]". If not specified, the component will assume the SPN is based on the value of the SSHHost property and the kerberos realm used for authentication. | |
LogSSHPackets: If true, detailed SSH packet logging is performed.This setting can be enabled to assist in debugging. When set to True the component will fire the SSHStatus event with detailed information about the SSH level packets. The default value is False. | |
MaxPacketSize: The maximum packet size of the channel, in bytes.This setting specifies the maximum size of an individual data packet, in bytes, that can be sent to the sender. | |
MaxWindowSize: The maximum window size allowed for the channel, in bytes.This setting specifies how many bytes of channel data can be sent to the sender of this message without adjusting the window. Note that this value may be changed during the connection, but the window size can only be increased, not decreased. | |
PreferredDHGroupBits: The size (in bits) of the preferred modulus (p) to request from the server.This may be when using the diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 key exchange algorithms to control the preferred size, in bits, of the modulus (p) prime number to request from the server. Acceptable values are between 1024 and 8192. |
IPPort Configuration Settings
ConnectionTimeout: Sets a separate timeout value for establishing a connection.When set, this configuration setting allows you to specify a different timeout value for establishing a connection. Otherwise, the component will use Timeout for establishing a connection and transmitting/receiving data. | |||||||||
FirewallAutoDetect: Tells the component whether or not to automatically detect and use firewall system settings, if available.This is the same as FirewallAutoDetect. This setting is provided for use by components that do not directly expose Firewall properties. | |||||||||
FirewallHost: Name or IP address of firewall (optional).If a FirewallHost is given, requested connections will be authenticated through the specified firewall
when connecting.
If the FirewallHost setting is set to a Domain Name, a DNS request is initiated. Upon successful termination of the request, the FirewallHost setting is set to the corresponding address. If the search is not successful, an error is returned. NOTE: This is the same as FirewallHost. This setting is provided for use by components that do not directly expose Firewall properties. | |||||||||
FirewallPassword: Password to be used if authentication is to be used when connecting through the firewall.If FirewallHost is specified, the FirewallUser and FirewallPassword settings
are used to connect and authenticate to the given firewall. If the authentication fails, the component raises an exception.
NOTE: This is the same as FirewallPassword. This setting is provided for use by components that do not directly expose Firewall properties. | |||||||||
FirewallPort: The TCP port for the FirewallHost;.Note that the FirewallPort is set automatically when FirewallType is set to a valid value.
NOTE: This is the same as FirewallPort. This setting is provided for use by components that do not directly expose Firewall properties. | |||||||||
FirewallType: Determines the type of firewall to connect through.The appropriate values are as follows:
NOTE: This is the same as FirewallType. This setting is provided for use by components that do not directly expose Firewall properties. | |||||||||
FirewallUser: A user name if authentication is to be used connecting through a firewall.If the FirewallHost is specified, the FirewallUser and FirewallPassword
settings are used to connect and authenticate to the Firewall. If the authentication fails, the component raises an exception.
NOTE: This is the same as FirewallUser. This setting is provided for use by components that do not directly expose Firewall properties. | |||||||||
KeepAliveTime: The inactivity time in milliseconds before a TCP keep-alive packet is sent.When set, TCPKeepAlive will automatically be set to true.
By default the operating system will determine the
time a connection is idle before a TCP keep-alive packet is sent. This system default if this value is not specified here is 2 hours. In many
cases a shorter interval is more useful. Set this value to the desired interval in milliseconds.
Note: This value is not applicable in Java. | |||||||||
KeepAliveInterval: The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received.When set, TCPKeepAlive will automatically be set to true.
A TCP keep-alive packet will be sent after a period of inactivity as
defined by KeepAliveTime. If no acknowledgement is received from the remote host the keep-alive packet
will be re-sent. This setting specifies the interval at which the successive keep-alive packets are sent in milliseconds.
This system default if this value is not specified here is 1 second.
Note: This value is not applicable in Java or MAC. | |||||||||
Linger: When set to True, connections are terminated gracefully.This property controls how a connection is closed. The default is True.
In the case that Linger is True (default), there are two scenarios for determining how long the connection will linger. The first, if LingerTime is 0 (default), the system will attempt to send pending data for a connection until the default IP protocol timeout expires. In the second scenario, LingerTime is a positive value, the system will attempt to send pending data until the specified LingerTime is reached. If this attempt fails, then the system will reset the connection. The default behavior (which is also the default mode for stream sockets) might result in a long delay in closing the connection. Although the component returns control immediately, the system could hold system resources until all pending data is sent (even after your application closes). Setting this property to False forces an immediate disconnection. If you know that the other side has received all the data you sent (by a client acknowledgment, for example), setting this property to False might be the appropriate course of action. | |||||||||
LingerTime: Time in seconds to have the connection linger. LingerTime is the time, in seconds, to leave the socket connection linger. This value is 0 by default, which means it will use the default IP protocol timeout. | |||||||||
LocalHost: The name of the local host through which connections are initiated or accepted.
The LocalHost setting contains the name of the local host
as obtained by the gethostname() system call, or if the
user has assigned an IP address, the value of that address.
In multi-homed hosts (machines with more than one IP interface) setting LocalHost to the value of an interface will make the component initiate connections (or accept in the case of server components) only through that interface. If the component is connected, the LocalHost setting shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multi-homed hosts (machines with more than one IP interface). | |||||||||
LocalPort: The TCP port in the local host where the component binds.
This must be set before a connection is
attempted. It instructs the component to bind to a specific
port (or communication endpoint) in the local machine.
Setting this to 0 (default) enables the system to choose a port at random. The chosen port will be shown by LocalPort after the connection is established. LocalPort cannot be changed once a connection is made. Any attempt to set this when a connection is active will generate an error. This; setting is useful when trying to connect to services that require a trusted port in the client side. An example is the remote shell (rsh) service in UNIX systems. | |||||||||
MaxLineLength: The maximum amount of data to accumulate when no EOL is found.MaxLineLength is the size of an internal buffer, which holds received data while waiting for an EOL
string.
If an EOL string is found in the input stream before MaxLineLength bytes are received, the DataIn event is fired with the EOL parameter set to True, and the buffer is reset. If no EOL is found, and MaxLineLength bytes are accumulated in the buffer, the DataIn event is fired with the EOL parameter set to False, and the buffer is reset. The minimum value for MaxLineLength is 256 bytes. The default value is 2048 bytes. The maximum value is 65536 bytes. | |||||||||
MaxTransferRate: The transfer rate limit in bytes per second.This setting can be used to throttle outbound TCP traffic. Set this to the number of bytes to be sent per second. By default this is not set and there is no limit. | |||||||||
RecordLength: The length of received data records.If set to a positive value, this setting defines the length of data records to be received. The component will accumulate data
until RecordLength is reached and only then fire the DataIn event with data of length RecordLength.
This allows data to be received as records of known length. This value can be changed at any time, including within the DataIn event.
The default value is 0, meaning this setting is not used. | |||||||||
TCPKeepAlive: Determines whether or not the keep alive socket option is enabled.If set to true, the socket's keep-alive option is enabled and keep-alive packets will be sent periodically
to maintain the connection. Set KeepAliveTime and KeepAliveInterval to
configure the timing of the keep-alive packets.
Note: This value is not applicable in Java. | |||||||||
UseIPv6: Whether to use IPv6.When set to 0 (default), the component will use IPv4 exclusively.
When set to 1, the component will use IPv6 exclusively. To instruct the component to prefer IPv6 addresses, but use IPv4 if IPv6 is not supported on the system, this setting should be set to 2. The default value is 0.
Possible values are:
| |||||||||
TcpNoDelay: Whether or not to delay when sending packets.
When true, the socket will send all data that is ready to send at once. When
false, the socket will send smaller buffered packets of data at small intervals.
This is known as the Nagle algorithm.
By default, this config is set to false. |
SSL Configuration Settings
ReuseSSLSession: Determines if the SSL session is reused.
If set to true, the component will reuse the context if and only if the following criteria are met:
| |||||||||||||||||||||||||
SSLCipherStrength: The minimum cipher strength used for bulk encryption.
This minimum cipher strength largely dependent on the security modules installed
on the system. If the cipher strength specified is not supported,
an error will be returned when connections are initiated.
Please note that this setting contains the minimum cipher strength requested from the security library. The actual cipher strength used for the connection is shown by the SSLStatus event. Use this setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities in your application. When the provider is OpenSSL, SSLCipherStrength is currently not supported. This functionality is instead made available through the OpenSSLCipherList config setting. | |||||||||||||||||||||||||
SSLEnabledProtocols: Used to enable/disable the supported security protocols.Used to enable/disable the supported security protocols.
Not all supported protocols are enabled by default (the value of this setting is 4032). If you want more granular control over the enabled protocols, you can set this property to the binary 'OR' of one or more of the following values:
When the provider is OpenSSL, SSLCipherStrength is currently not supported. This functionality is instead made available through the OpenSSLCipherList config setting. TLS 1.1 and TLS1.2 support are only available starting with Windows 7. | |||||||||||||||||||||||||
SSLProvider: The name of the security provider to use.
Change this setting to use security providers other than the system default.
Use this setting with caution. Disabling SSL security or pointing to the wrong provider could potentially cause serious security vulnerabilities in your application. The special value "*" (default) picks the default SSL provider defined in the system. Note: On Windows systems, the default SSL Provider is "Microsoft Unified Security Protocol Provider" and cannot be changed. | |||||||||||||||||||||||||
SSLSecurityFlags: Flags that control certificate verification.The following flags are defined (specified in hexadecimal
notation). They can be or-ed together to exclude multiple
conditions:
This functionality is currently not available when the provider is OpenSSL. | |||||||||||||||||||||||||
OpenSSLCADir: The path to a directory containing CA certificates.This functionality is available only when the provider is OpenSSL.
The path set by this property should point to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). OpenSSL recommends to use the c_rehash utility to create the necessary links. Please refer to the OpenSSL man page SSL_CTX_load_verify_locations(3) for details. | |||||||||||||||||||||||||
OpenSSLCAFile: Name of the file containing the list of CA's trusted by your application.
This functionality is available only when the provider is OpenSSL.
The file set by this property should contain a list of CA certificates in PEM format. The file can contain several CA certificates identified by -----BEGIN CERTIFICATE----- ... (CA certificate in base64 encoding) ... -----END CERTIFICATE----- sequences. Before, between, and after the certificates text is allowed which can be used e.g. for descriptions of the certificates. Please refer to the OpenSSL man page SSL_CTX_load_verify_locations(3) for details. | |||||||||||||||||||||||||
OpenSSLCipherList: A string that controls the ciphers to be used by SSL.
This functionality is available only when the provider is OpenSSL. The format of this string is described in the OpenSSL man page ciphers(1) section "CIPHER LIST FORMAT". Please refer to it for details. The default string "DEFAULT" is determined at compile time and is normally equivalent to "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH". | |||||||||||||||||||||||||
OpenSSLPrngSeedData: The data to seed the pseudo random number generator (PRNG).
This functionality is available only when the provider is OpenSSL.
By default OpenSSL uses the device file "/dev/urandom" to seed the PRNG and setting OpenSSLPrngSeedData is not required. If set, the string specified is used to seed the PRNG. |
Socket Configuration Settings
AbsoluteTimeout: Determines whether timeouts are inactivity timeouts or absolute timeouts.If AbsoluteTimeout is set to True, any method which does not complete within Timeout seconds
will be aborted. By default, AbsoluteTimeout is False, and the timeout is an inactivity timeout.
Note: This option is not valid for UDP ports. | |
FirewallData: Used to send extra data to the firewall.When the firewall is a tunneling proxy, use this property to send custom (additional) headers to the firewall (e.g. headers for custom authentication schemes). | |
InBufferSize: The size in bytes of the incoming queue of the socket.
This is the size of an internal queue in the TCP/IP stack.
You can increase or decrease its size depending on the amount
of data that you will be receiving. Increasing the value of the
InBufferSize setting can provide significant improvements in
performance in some cases.
Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the component is activated the InBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small. | |
OutBufferSize: The size in bytes of the outgoing queue of the socket.This is the size of an internal queue in the TCP/IP stack.
You can increase or decrease its size depending on the amount
of data that you will be sending. Increasing the value of the
OutBufferSize setting can provide significant improvements in
performance in some cases.
Some TCP/IP implementations do not support variable buffer sizes. If that is the case, when the component is activated the OutBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small. |
Base Configuration Settings
CodePage: The system code page used for Unicode to Multibyte translations.
The default code page is the Active Code Page (0).
The following is a list of valid code page identifiers:
|