SSH Reverse Tunnels
Configuration options for the SSH Reverse Tunnel functionality included in PowerShell Server are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\nsoftware\PowerShell\Server\16\SSHReverseTunnels. This location will hold a registry key for each SSH Reverse Tunnel that is created. The registry key for each tunnel can be configured with the following options:
| TunnelEnabled | DWORD | Can be used to enable or disable the SSH Reverse Tunnel.
0 - Disabled. 1 - Enabled. (default) | ||||||||||||||||||||||||||||||
| TunnelForwardingHost | String | Indicates the host through which the tunneled traffic will be forwarded. | ||||||||||||||||||||||||||||||
| TunnelForwardingPort | DWORD | Indicates the port on which the tunneled traffic will be forwarded. | ||||||||||||||||||||||||||||||
| TunnelListeningAddress | String | Indicates the interface on the remote SSH server where the tunnel will be listening. | ||||||||||||||||||||||||||||||
| TunnelListeningPort | DWORD | Indicates the port on which the remote SSH server should listen for traffic. | ||||||||||||||||||||||||||||||
| TunnelName | String | A friendly name for the SSH Reverse Tunnel. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelServerHost | String | The SSH server that PowerShell Server will connect to in order to establish the SSH Reverse Tunnel. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelServerPort | DWORD | The port on which communication with the SSH server will take place. By default, port 22 will be used. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelUser | String | The username PowerShell Server will use to authenticate to the SSH server. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelPassword | String | The password PowerShell Server will use to authenticate to SSH server during Password authentication. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelCompressionAlgorithms | String | A comma-separated list containing all allowable compression algorithms.
During the SSH handshake, this list will be used to negotiate the compression algorithm to be used between the client and server. This list is used for both directions: client to server and server to client. When negotiating algorithms, each side sends a list of all algorithms it supports or allows. The algorithm chosen for each direction is the first algorithm to appear in the sender's list that the receiver supports, so it is important to list multiple algorithms in preferential order. If no algorithm can be agreed upon, the component will raise an error and the connection will be aborted.
At least one supported algorithm must appear in this list. The following compression algorithms are supported by the component:
| ||||||||||||||||||||||||||||||
| SSHReverseTunnelEncryptionAlgorithms | String | Specifies the allowed SSH Encryption Algorithms in a comma-delimited list.
During the SSH handshake, this list will be used to negotiate the encryption
algorithm to be used between the client and server. This list is used for both
directions: client to server and server to client. When negotiating algorithms,
each side sends a list of all algorithms it supports or allows. The algorithm
chosen for each direction is the first algorithm to appear in the sender's list
that the receiver supports, so it is important to list multiple algorithms in
preferential order. If no algorithm can be agreed upon, the component will raise
an error and the connection will be aborted. Valid values are:
aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,arcfour256,arcfour128,arcfour,cast128-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com | ||||||||||||||||||||||||||||||
| SSHReverseTunnelCertStoreType | DWORD | Specifies the type of certificate store where the public key can be found for Public Key Authentication. Can be one of the following values:
0 - User store 1 - Machine Store 2 - PFX File 4 - PEM File | ||||||||||||||||||||||||||||||
| SSHReverseTunnelCertStorePassword | String | The password for the specified certificate store. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelCertStore | String | The certificate store where the public key can be found for Public Key Authentication.
If SSHReverseTunnelCertStoreType is either 0 or 1, this value defines the specific store where the certificate can be found. Otherwise, this value should be set to a path on disk. Possible values when SSHReverseTunnelCertStoreType is 0 or 1 include: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelCertSubject | String | The subject of the certificate used during Public Key Authentication. Example: "CN=NEWTON". | ||||||||||||||||||||||||||||||
| SSHReverseTunnelAutoReconnect | DWORD | Whether PowerShell Server will attempt to re-establish the SSH Reverse Tunnel in the event that it is disconnected.
Possible values are:
| ||||||||||||||||||||||||||||||
| SSHReverseTunnelAutoRetryCount | DWORD | The number of times PowerShell Server will attempt to reestablish the SSH Reverse Tunnel in the event that it is disconnected. This value is only used when SSHReverseTunnelAutoReconnect is set to 1. The default value is 10. A value of 0 indicates infinite reconnect attempts. | ||||||||||||||||||||||||||||||
| SSHReverseTunnelAutoRetryInterval | DWORD | The number of seconds PowerShell Server will wait between attempts to reestablish the SSH Reverse Tunnel.
This value is only used when SSHReverseTunnelAutoReconnect is set to 1.
| ||||||||||||||||||||||||||||||
| TunnelFirewallType | DWORD | The type of firewall for the SSL Tunnel to connect through. Applicable values include the following:
0 - No firewall (default setting) 1 - Connect through a tunneling proxy. 2 - Connect through a SOCKS4 proxy. 3 - Connect through a SOCKS5 proxy. | ||||||||||||||||||||||||||||||
| TunnelFirewallHost | String | The name of IP address of the firewall that the SSH Tunnel will connect through. | ||||||||||||||||||||||||||||||
| TunnelFirewallPort | DWORD | The TCP port for the TunnelFirewallHost. | ||||||||||||||||||||||||||||||
| TunnelFirewallUser | String | A user name if authentication is to be used when connecting through a firewall. | ||||||||||||||||||||||||||||||
| TunnelFirewallPassword | String | Password to be used if authentication is to be used when connecting through a firewall. |