Registry Keys

Configuration options for SFTP Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\SFTPServer\20. This registry key holds settings that are available for SFTP Server globally. Additional registry keys are available to store authorized keys or user-specific configuration.

The tree structure of these registry keys is described below:

The following values can be configured within the root HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\SFTPServer\20 registry key:

Each entry below gives the value name, its registry data type (DWORD or String), and a description.

AdminServiceEnabled (DWORD)
Whether the administrative service for management is enabled. The default value is 0 (false).

AdminServicePort (DWORD)
Port to be used for administrative service connection. The default value is 8122.

AdminServiceUser (String)
Username for administrative service connection. The default value is randomly generated during setup.

AdminServicePassword (String)
Password for administrative service connection. The default value is randomly generated during setup.

AllowedClients (String)
This setting defines a comma-separated list of host names or IPv4 addresses that may access the server. When a client connects, the client's address is checked against the list defined here. If there is no match, the client will be disconnected.

The wildcard character "*" is supported. The default value is "*" and all connections are accepted.
AuthMaxAttempts (DWORD)
Specifies the maximum number of connection retries allowed from a client with invalid login credentials. By default this value is set to 3.

DataEncryptionPassword (String)
The DPAPI-encrypted data encryption password (base64 encoded).

DataEncryptionSalt (String)
The hex-encoded 16-byte data encryption salt. This value is created automatically and should not be modified.

DeleteLogDays (DWORD)
The number of days after which old log files will be deleted. This is only applicable when RotateLogDays is set to a positive value.

EnableCompression (DWORD)
Can be used to enable use of the zlib compression algorithm on SSH connections.

  • 0 - Off: No compression will be used (Default).
  • 1 - On: Zlib compression will be enabled, if requested by the SSH client.

EnableSessionManagement (DWORD)
Can be used to enable session management.

  • 0 - Off
  • 1 - On (default)

FirewallType (DWORD)
The type of firewall for the SSH Tunnel to connect through. Applicable values include the following:

  • 0 - No firewall (default setting)
  • 1 - Connect through a tunneling proxy.
  • 2 - Connect through a SOCKS4 proxy.
  • 3 - Connect through a SOCKS5 proxy.

FirewallHost (String)
The name or IP address of the firewall that the SSH Tunnel will connect through.

FirewallPort (DWORD)
The TCP port for the FirewallHost.

FirewallUser (String)
A user name if authentication is to be used when connecting through a firewall.

FirewallPassword (String)
Password to be used if authentication is to be used when connecting through a firewall.

IdleSessionTimeout (DWORD)
The number of minutes after which an idle connection should be terminated.

InBufferSize (DWORD)
The size in bytes of the incoming queue of the socket. This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be receiving. Increasing the value of the InBufferSize setting can provide significant improvements in performance in some cases. The default size is 0x10000 (65536).

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, the InBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

InBufferSize is shared among incoming connections. When this value is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

KerberosSPN (String)
The Service Principal Name for the Kerberos Domain Controller. If the Service Principal Name cannot be automatically determined, it should be set here. This will usually be in the form "host/fqdn.of.sshhost[@REALM]" where REALM is the fully qualified (DNS) name of the Kerberos realm (or Windows Active Directory domain name).

LocalHost (String)
The local IP address of the interface to which the server will bind. By default the server will listen on the default interface for the system.

LogSSHPackets (DWORD)
Specifies whether or not raw SSH packets are included in the log.

  • 0 - Off (default)
  • 1 - On

LogToFile (String)
The full path to the log file.

MatchSSHPublicKeyToUsername (DWORD)
Windows users only. Controls whether public keys in the file specified by the SSHPublicKeyFileName setting are tied to a specific user name. Possible values are:

  • 0 - Off: Public keys are not tied to a specific username (Default).
  • 1 - On: Public keys are tied to a specific username.

This setting can be used to validate that the correct public key was used to grant access to a particular user. If this setting is enabled the server will check the comment of the public key to verify it matches the username provided during authentication. This check is not case sensitive.

To specify a username to be associated with a specific key, include the username in place of the comments in the public key. For instance:

Unmodified public key: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Public key modified to be associated with a specific username: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= DOMAIN\Username

MaxConnections (DWORD)
Specifies the maximum number of connections that are allowed. By default the number of allowed connections is determined by the license that is installed. This setting may be specified to further restrict the number of connections. The server will restrict the number of connections to whichever is the lesser value between this setting and the number of allowed connections for the license.

MaxNumRowsInLog (DWORD)
Controls how many lines will be shown in the Status window in the Service tab of the SFTP Server User Interface. If this value is exceeded, the oldest lines will be removed as new lines are added. The default value is 1000.

OutBufferSize (DWORD)
The size in bytes of the outgoing queue of the socket. This is the size of an internal queue in the TCP/IP stack. You can increase or decrease its size depending on the amount of data that you will be sending. Increasing the value of the OutBufferSize setting can provide significant improvements in performance in some cases. The default size is 0x10000 (65536).

Some TCP/IP implementations do not support variable buffer sizes. If that is the case, the OutBufferSize reverts to its defined size. The same happens if you attempt to make it too large or too small.

OutBufferSize is shared among incoming connections. When this value is set, the corresponding value is set for incoming connections as they are accepted. Existing connections are not modified.

PreserveFileTime (DWORD)
Determines if filetime preservation is supported. If a client requests filetime preservation (typically by setting a "-p" parameter) this setting controls whether or not it is respected.

  • 0 - Off: Filetime preservation options are ignored.
  • 1 - On: Filetime preservation is supported (Default).

PromptForRegPermissions (DWORD)
When the server is running under an account that does not have write permissions to the registry location where these settings are stored, the user will be prompted to change the permissions. If this value is set to 0 the user will not be prompted again. Possible values are:

  • 0 - Off: The user will not be prompted to modify registry permissions.
  • 1 - On: The user is prompted to modify registry permissions when needed (Default).

PSTraceLevel (DWORD)
Controls the trace level of the logging from the application. Possible values are:

  • 0 - Off: Nothing is logged.
  • 1 - Error: Only errors are logged.
  • 2 - Warning: Errors and warnings are logged.
  • 3 - Info: Errors, warnings and informational messages are logged (default value).
  • 4 - Verbose: All messages, including those useful for debugging and troubleshooting are logged.

RotateLogDays (DWORD)
The number of days after which the log file will be rotated. Old log files will be renamed to the format "logname-yyyy-MM-dd". When set to a positive value DeleteLogDays is applicable.

RunAsAService (DWORD)
Indicates if the server needs to be executed as a Windows service (1) or in-process inside the SFTP User Interface (0).

SFTPHomeDirMap (String)
Windows users only. A map defining user-specific SFTP home directories. This setting allows for a user to be assigned a specific default directory. The value should be a semicolon-separated list of username and home directory pairs in the format:

DOMAIN\user1=C:\user1;DOMAIN\user2=C:\user2

The user value must include the domain or machine name as appropriate (DOMAIN\user1 or MACHINE\user1). If the directory specified does not exist the user will be placed into the default SFTPRootDir.

Note: If mappings are present in this setting and a user without a mapping tries to authenticate to the server, access will be denied.

SFTPRootDir (String)
The absolute path of the root directory for SFTP users. By default the "windir" environment variable will be used to determine the root directory (typically "C:\").

The special value "$user" may be included in the path; it will be resolved to the username of the authenticated user (without domain or machine information). When "$user" is included in the path and the resulting directory does not exist, it will be created automatically.
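The following Python is an added example, not code from /n software or the SFTP Server product, that models the SFTPHomeDirMap and SFTPRootDir rules above: it parses the semicolon-separated map, denies a user who has no mapping when any mapping exists, falls back to the root directory when a mapped directory is missing, and resolves "$user". The CORP accounts and paths are constructed for the example, and the directory-existence check is passed in as a callable so the logic runs without a filesystem.

```python
def parse_home_dir_map(value):
    """Parse 'DOMAIN\\user1=C:\\user1;DOMAIN\\user2=C:\\user2' into a dict keyed by
    the lower-cased qualified account name (case-insensitive matching of
    Windows account names is an assumption of this example)."""
    mapping = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        user, sep, path = entry.partition("=")
        # The documentation requires DOMAIN\user or MACHINE\user on the left.
        if not sep or "\\" not in user or not path.strip():
            raise ValueError(f"malformed SFTPHomeDirMap entry: {entry!r}")
        mapping[user.strip().lower()] = path.strip()
    return mapping


def resolve_home_dir(qualified_user, home_dir_map, root_dir, dir_exists):
    """Return the directory an authenticated DOMAIN\\user lands in, or None when
    the documented rule denies access (mappings exist but none for this user).
    dir_exists is a callable so the logic runs without touching a filesystem."""
    mapping = parse_home_dir_map(home_dir_map)
    if mapping:
        mapped = mapping.get(qualified_user.lower())
        if mapped is None:
            return None  # mappings are present but not for this user: denied
        if dir_exists(mapped):
            return mapped
        # Mapped directory is missing: documented fallback is SFTPRootDir.
    # "$user" resolves to the bare username without domain or machine name;
    # the server creates that directory if it does not exist.
    bare_user = qualified_user.rsplit("\\", 1)[-1]
    return root_dir.replace("$user", bare_user)


# Constructed example values (not from the documentation).
EXAMPLE_MAP = "CORP\\alice=D:\\sftp\\alice;CORP\\bob=D:\\sftp\\bob"
EXISTING_DIRS = {"D:\\sftp\\alice", "C:\\"}
```
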

ShowHiddenFiles (DWORD)
Whether hidden files and folders are displayed during directory listings. The default is false.

SSHCertSubject (String)
Subject of the SSH certificate used by the server. Example: "CN=NEWTON".

SSHStoreType (DWORD)
Indicates where to find the SSH certificate. Can be one of the following values:

  • 0 - User store
  • 1 - Machine Store
  • 2 - PFX File
  • 4 - PEM File

SSHStore (String)
If SSHStoreType is either 0 or 1, the SSHStore value defines the specific store where the certificate can be found. Possible values include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

SSHStorePassword (String)
The password for the specified certificate store.

SSHEncryptionAlgorithms (String)
Specifies a name-list of the allowed SSH encryption algorithms. This list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred. To disable an encryption algorithm, remove it from this list. Note: The algorithm which is actually selected during key exchange is the first algorithm to appear in the client's list that the server supports.

Valid values are:

  • aes256-ctr - 256-bit AES encryption in CTR mode
  • aes256-cbc - 256-bit AES encryption in CBC mode
  • aes192-ctr - 192-bit AES encryption in CTR mode
  • aes192-cbc - 192-bit AES encryption in CBC mode
  • aes128-ctr - 128-bit AES encryption in CTR mode
  • aes128-cbc - 128-bit AES encryption in CBC mode
  • 3des-ctr - 192-bit (3-key) triple DES encryption in CTR mode
  • 3des-cbc - 192-bit (3-key) triple DES encryption in CBC mode
  • cast128-cbc - CAST-128 encryption
  • blowfish-cbc - Blowfish encryption
  • arcfour - ARC4 encryption
  • arcfour128 - 128-bit ARC4 encryption
  • arcfour256 - 256-bit ARC4 encryption
  • aes256-gcm@openssh.com - 256-bit AES encryption in GCM mode
  • aes128-gcm@openssh.com - 128-bit AES encryption in GCM mode
  • chacha20-poly1305@openssh.com - ChaCha20 with Poly1305-AES encryption

The default is:

aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,arcfour256,arcfour128,arcfour,cast128-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com

SSHKeyExchangeAlgorithms (String)
Specifies the Key Exchange algorithms presented during the SSH handshake. Algorithms not on this list will be disabled on the server. The list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred.

Valid values are:

  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

The default is:

curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp384,ecdh-sha2-nistp521

SSHKeyRenegotiationThreshold (DWORD)
This property allows the threshold to be specified, in the number of bytes, for the SSH Key Renegotiation. The default value for this property is set to 1 GB (1073741824).

For example, to set the threshold to 500 MB use the value 524288000.

SSHMacAlgorithms (String)
Specifies the SSH MAC algorithms presented during the SSH handshake. Algorithms not on this list will be disabled on the server. The list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred.

Valid values are:

  • hmac-sha1
  • hmac-md5
  • hmac-sha1-96
  • hmac-md5-96
  • hmac-sha2-256
  • hmac-sha2-256-96
  • hmac-sha2-512
  • hmac-sha2-512-96
  • hmac-ripemd160
  • hmac-ripemd160-96
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com

The default is:

hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

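The three name-list settings SSHEncryptionAlgorithms, SSHKeyExchangeAlgorithms and SSHMacAlgorithms share one comma-delimited format, and the note under SSHEncryptionAlgorithms explains why the server's own ordering does not decide what is negotiated. The following Python is an added example, not code from /n software or the SFTP Server product: it checks a configured name-list against the valid values listed above, flags legacy algorithms under a policy that is this example's own assumption, and applies the documented negotiation rule. HARDENED_CIPHERS is likewise this example's choice, not a documented default.

```python
# Valid values exactly as listed in the registry documentation for each setting.
VALID = {
    "SSHEncryptionAlgorithms": {
        "aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc", "aes128-ctr",
        "aes128-cbc", "3des-ctr", "3des-cbc", "cast128-cbc", "blowfish-cbc",
        "arcfour", "arcfour128", "arcfour256", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com"},
    "SSHKeyExchangeAlgorithms": {
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
        "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group-exchange-sha1", "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "SSHMacAlgorithms": {
        "hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96", "hmac-sha2-256",
        "hmac-sha2-256-96", "hmac-sha2-512", "hmac-sha2-512-96",
        "hmac-ripemd160", "hmac-ripemd160-96",
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
}

# Audit policy assumed by this example (not a list from the documentation):
# flag RC4, 64-bit block ciphers, CBC modes, MD5/SHA-1/RIPEMD MACs, truncated
# (-96) MACs and the 1024-bit group1 DH exchange as legacy.
WEAK = {a for names in VALID.values() for a in names
        if a.startswith("arcfour") or a.endswith("-cbc") or "3des" in a
        or "md5" in a or "sha1" in a or "ripemd" in a or a.endswith("-96")}

def parse_name_list(value):
    """Split a registry name-list, keeping the configured preference order."""
    return [a.strip() for a in value.split(",") if a.strip()]

def audit(setting, value):
    """Return (unrecognised, legacy) entries of a configured name-list."""
    names = parse_name_list(value)
    unknown = [a for a in names if a not in VALID[setting]]
    legacy = [a for a in names if a in WEAK]
    return unknown, legacy

def negotiate(server_list, client_list):
    """Documented rule: the first entry of the CLIENT's list that the server
    still lists is chosen, so only removing entries server-side disables them."""
    enabled = set(parse_name_list(server_list))
    return next((a for a in parse_name_list(client_list) if a in enabled), None)

# The documented default for SSHEncryptionAlgorithms, and a trimmed list that
# keeps only AEAD and CTR ciphers (the trimmed list is this example's choice).
DEFAULT_CIPHERS = ("aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,"
                   "aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,arcfour256,"
                   "arcfour128,arcfour,cast128-cbc,aes256-gcm@openssh.com,"
                   "aes128-gcm@openssh.com,chacha20-poly1305@openssh.com")
HARDENED_CIPHERS = ("chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
                    "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr")
```

With the documented default, a client that offers arcfour first still gets arcfour; with the trimmed list the same client is negotiated down to aes256-ctr, which is the practical effect of "to disable an encryption algorithm, remove it from this list".
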
SSHPort (DWORD)
The TCP port on which the server will listen for connections.

SSHPublicKeyEnabled (DWORD)
Windows users only. Controls if file based public key authentication is enabled or not. When enabled, the server will grant access to users based on the public keys in the file specified by the SSHPublicKeyFileName setting.

  • 0 - Off: File based public key authentication is disabled. (default)
  • 1 - On: File based public key authentication will be allowed.

SSHPublicKeyFileName (String)
Windows users only. Specifies the location on disk of the file containing authorized public keys. The server will grant access to users that authenticate with a private key associated with one of the public keys in this file.

The authorized keys file should contain a list of public keys in SSH public key format separated by newlines. Empty lines and lines starting with a # are ignored as comments. Additionally, you can control the IP addresses from which the key may be used by using the "from" keyword in the authorized keys file.

Example:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAqs5hvGvJ3CM2Ink93x...tW3yw== rsa-key-20191008
ssh-rsa AAAAB3NzaC1kc3MAAAEBAK5qBqJnjNH7KH0bJR61vc+JuX...wOE8A== rsa-key-20200515

Only accept connections using the specified public key from 192.168.1.12:

from="192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.1.30 - 192.168.1.39:

from="192.168.1.3?" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.1.100 - 192.168.1.199:

from="192.168.1.1??" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.0.12 - 192.168.255.12 (must end in .12):

from="192.168.*.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.1.0 - 192.168.1.255 EXCEPT 192.168.1.12:

from="192.168.1.*,!192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

As demonstrated above, the special characters "?", "!", and "*" may be used to specify an IP address pattern that is to be matched.

The value data in this registry setting may contain the %USERNAME% macro, which the server will substitute with the name of the user when they attempt to authenticate. This allows you to load an authorized keys file stored separately for each user.

Only IPv4 addresses are currently supported. Hostname matching and IPv6 address matching are currently not supported.
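As an added example that is not part of the SFTP Server product or this documentation, the following Python parses an authorized keys file in the format described above, applies the from= patterns with the "?", "*" and "!" characters as the examples show (IPv4 only, matching the current limitation), and performs the comment-to-username comparison that MatchSSHPublicKeyToUsername enables. The sample file, the CORP domain and the key placeholders are constructed for the example; a negated pattern is treated as overriding any positive match, which is an assumption consistent with the "EXCEPT" example above.

```python
import re
from collections import namedtuple

AuthorizedKey = namedtuple("AuthorizedKey", "key_type key_data comment from_patterns")

# Constructed sample file; the key data are placeholders, not real keys. Windows
# account names stand in the comment field for the MatchSSHPublicKeyToUsername check.
SAMPLE_AUTHORIZED_KEYS = """# constructed example file
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER1= rsa-key-20191008

from="192.168.1.3?" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2= CORP\\alice
from="192.168.1.*,!192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3= CORP\\bob
"""

def _pattern_to_regex(pattern):
    """'?' matches exactly one character, '*' any run; everything else is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")

def address_permitted(patterns, client_ip):
    """Permitted when the address matches a positive pattern and no '!'-negated
    pattern; an empty pattern list (no from= option) means any address."""
    if not patterns:
        return True
    matched = [p for p in patterns if _pattern_to_regex(p.lstrip("!")).match(client_ip)]
    return bool(matched) and not any(p.startswith("!") for p in matched)

def parse_authorized_keys(text):
    """Blank lines and '#' lines are ignored; an optional from="..." prefix is
    followed by the key type, the base64 key data and a free-form comment."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns = []
        m = re.match(r'from="([^"]*)"\s+(.*)$', line)
        if m:
            patterns = [p.strip() for p in m.group(1).split(",") if p.strip()]
            line = m.group(2)
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue  # malformed line without key data: skip it
        comment = fields[2].strip() if len(fields) == 3 else ""
        keys.append(AuthorizedKey(fields[0], fields[1], comment, patterns))
    return keys

def key_grants_access(key, client_ip, username, match_key_to_username=False):
    """Apply the from= restriction and, when MatchSSHPublicKeyToUsername is 1,
    the case-insensitive comparison of the key comment with the login name."""
    if not address_permitted(key.from_patterns, client_ip):
        return False
    return not match_key_to_username or key.comment.lower() == username.lower()
```
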

SvcLogFile (String)
If present, the trace information generated by the server will be written to the specified file.

SyslogDaemonHost (String)
When running as a Windows service the SSH process will send log messages to the UI process. These are the messages which are logged in the Service tab. By default this communication happens on the loopback adapter of the system. To send these log messages to a different host instead of the UI process set this to the hostname or IP address of the destination to which the Syslog messages will be sent. Syslog facility 23 is used to identify messages from SFTP Server and filter out any other syslog traffic.

SyslogDaemonPort (DWORD)
When running as a Windows service the SSH process will send log messages to the UI process. These are the messages which are logged in the Service tab. By default this communication happens on the loopback adapter of the system on port 514. If this port is in use or another port is desired, set it here. This specifies the port on which the UI process will listen for incoming log messages and also the port from which the log messages are sent from the SSH process.

UseFIPSCompliantAPI (DWORD)
Determines if only FIPS compliant algorithms and API calls are made during SSH or SSL sessions. This is false by default. Possible values:

  • 0 - Off: Non-FIPS compliant algorithms are allowed (default).
  • 1 - On: Only FIPS compliant algorithms are allowed, and cryptographic calls are made only to FIPS compliant APIs.

UseIPv6 (DWORD)
Controls whether IPv4 or IPv6 is used when listening. Connecting clients will need to connect using the appropriate IP version. Possible values are:

  • 0 - Off: IPv4 is used (default).
  • 1 - On: IPv6 is used.

UserAuthBanner (String)
Sets the User Authentication Banner, which is displayed to the client before they provide authentication, for example before a password prompt. This can also be set in the interface using the "Login Banner" field.

WireEncoding (String)
Controls the encoding used by the server on the wire for text sent and received by the server. By default, the server will use ISO-8859-1 (Latin-1) encoding.

Copyright (c) 2022 /n software inc. - All rights reserved.
SFTP Server 2020 - Version 20.1 [Build 8318]