This page is a part of ProSSHD online Help Manual.
ProSSHD is an SSH client for Windows providing maximum security from PC to Host over a Company Lan/Wan/Intranet or Internet. It brings you typical remote system administration, file transfers, and access to corporate resources over the Internet. Visit Home of ProSSHD for more information.



The XwpSSHD service Tab

This tab allows you to install and uninstall XwpSSHD as an MS Windows service, and to manage the installed service on your system.

XwpSSHD is a server program (daemon) for the SSH Secure Shell protocol version 2, or SSH2, that you can run as a standard MS Windows Service (MS Windows 2K/2003/XP/Vista).

The SSH protocol server/client programs provide secure encrypted communications between two untrusted hosts over an insecure network. An SSH client can connect securely to an SSH server, and then use the resulting secure link to access the server's resources.

A new daemon is spawned for each incoming connection instance. These daemons handle key exchange, encryption, client and server authentication, command execution, data exchange and data integrity verification.

Server authentication is performed using the DSA or the RSA public key algorithm. Client authentication can be performed using a public key algorithm such as DSA or RSA, an MS Windows Username/Password, as well as a variety of other methods.

To provide the remote console service, a channel is created in the SSH session, and the channel is used to exchange data using a terminal emulation protocol such as ANSI or AT386-type. The SSH-client displays to the user a console window (with a command interpreter) within which the user can execute commands or run programs on the SSH-server as if the user were logged on locally.

Among other things, the SSH-client can transfer files (using the SFTP protocol) and forward (local-to-remote and remote-to-local using Dynamic Forwarding (SOCKS4)) other TCP/IP connections over the secure link.


Services overview

A service is an application type that runs in the background and is similar to UNIX daemon applications. Service applications typically provide features such as client/server applications, Web servers, database servers, and other server-based applications to users, both locally and across the network.

You can use MS services to:

  • Start, stop, pause, resume, or disable services on remote and local computers (including remote computers running Windows NT 4.0). You must have the appropriate permissions to start, stop, pause, restart, and disable services.
  • Manage services on local and remote computers (on remote computers running Windows XP, Windows 2000, or Windows NT 4.0 only).
  • Create custom names and descriptions for services so that you can easily identify them (on computers running Windows XP or Windows 2000 only).
  • Configure startup options for MS services.
  • Set up recovery actions to take place if a service fails, for example, restarting the service automatically or restarting the computer (on computers running Windows XP or Windows 2000 only).
  • Enable or disable services for a particular hardware profile.
  • View the status and description of each service.

Services permissions

Each service has special permissions that you can grant or deny for each user or group. You can set permissions for individual services by using Security Templates.

According to the MS Windows Help Manual, services must log on to an account in order to access resources and objects on the operating system. Some services are configured by default to log on to the Local System account, which is a powerful account that has full access to the system. If a service logs on to the Local System account on a domain controller, that service has access to the entire domain. Other services are configured to log on to the LocalService or NetworkService accounts, which are special built-in accounts that are similar to authenticated user accounts. These accounts have the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised.

Services running as the LocalService account access network resources as a null session with no credentials. Services running as the NetworkService account access network resources using the credentials of the machine account.


Main Features of XwpSSHD

SSH is a very flexible protocol, and many different types of services can run on top of it. Additionally, the open architecture of SSH allows these services to run all at the same time without impeding each other. The advantage of services is that they can be started at boot time independently of any logon session, and will continue to run as users log on and off of the machine.

  • The SSH Secure Shell 2 protocol, or SSH2, specifies how an SSH client can connect securely to an SSH server, and then use the resulting secure link to access the server's resources. Among other things, the SSH client can run programs, transfer files, and forward other TCP/IP connections over the secure link. SSH version 2 was designed in response to security faults discovered in SSH version 1 (i.e., to eliminate the risk of an insertion attack).
    XwpSSHD supports SSH version 2 only.


  • The SSH protocol server/client programs provide secure encrypted communications between two untrusted hosts over an insecure network. The SSH server forks a new daemon for each incoming connection instance. The forked daemons handle key exchange, encryption, client and server authentication, command execution, data exchange and data integrity verification.
    Server authentication is performed using the DSA (Digital Signature Algorithm) or the RSA public key algorithm. Each host has a DSA host key, usually 1024 bits long (although the user may create a different-sized key, if desired). The same key may be used on multiple machines.
    Client authentication can be performed using a public key algorithm such as DSA or RSA, an MS Windows Username/Password, as well as a variety of other methods.
    For encryption and data integrity verification, a number of algorithms are provided which every SSH2 product can implement in a modular fashion.


  • One service that is used very often is the remote console. To provide this service, a channel is created in the SSH session, and the channel is used to exchange data using a terminal emulation protocol such as ANSI or AT386-type. The SSH-client displays to the user a console window (with a command interpreter) within which the user can execute commands or run programs on the SSH-server as if the user were logged on locally.


  • SSH also provides a service known as the exec request, which is conceptually very similar to a remote console, only without the console. The exec request executes a program on the server like a remote console does, but the program's input and output are sent raw, without any terminal encoding. Exec requests are very useful for network automation purposes.


  • A very popular service is port forwarding, or TCP/IP connection tunneling over the secure link (local-to-remote and remote-to-local using Dynamic Forwarding (SOCKS4)). With SSH port forwarding, it is possible to secure a TCP/IP connection established by an independent application that would otherwise be vulnerable to network attacks.
    At present, XwpSSHD does not support X11 forwarding (not yet implemented).


  • Transferring files between the SSH client and server can also be performed using protocols such as SCP and SFTP, both of which run on top of SSH. While SCP is essentially the old Unix rcp utility transplanted onto a different transport, SFTP is a very flexible remote file manipulation protocol that can be used for a wide variety of purposes.

Installing the XwpSSHD service

Click Install to install XwpSSHD and to add the service to the Services list on your system.

The service name of the XwpSSHD service is XWP SSH server.

When started, XwpSSHD will be listening on port 22 (default) for SSH clients' requests.

To configure how XwpSSHD is started (Automatic or Manual), you should choose the Startup type and then press Set.


Uninstalling the XwpSSHD service

You can remove XwpSSHD from the Services list on your system by pressing Uninstall in the XwpSSHD service tab.

Click Yes to confirm removing XwpSSHD from the Services list on your system. You need not restart your PC.

Note that XwpSSHD correctly stops and disconnects active SSH clients, and closes the port used for communications on your computer when uninstalling XwpSSHD.


Using the XwpSSHD service

This section describes how to start and use XwpSSHD as a standard MS Windows service.

Trace Level

The slider position sets the tracing level, which controls how much network tracing information is written to the LogData field for your XwpSSHD session.

LogData

This field displays the network tracing log of the traffic between XwpSSHD and (remote) SSH clients, at the level of detail set by Trace Level.


Using XwpSSHD

When an SSH client connects to the SSHD daemon:

  • The client and server together, using the Diffie-Hellman key-exchange method, determine a 256-bit random number to use as the "session key". This key is used to encrypt all further communications in the session.

  • The server informs the client which encryption methods it supports.

  • The client selects the encryption algorithm from those offered by the server.

  • The client and the server then enter a user authentication dialog. The server informs the client which authentication methods it supports, and the client then attempts to authenticate the user by using some or all of the authentication methods.

  • If the client authenticates itself successfully, then the session is prepared. At this time the client may request things like:
    - forwarding TCP/IP connections
    - forwarding the authentication agent connection over the secure channel.

  • Finally, the client either requests an interactive session or execution of a command. The client and the server enter session mode. In this mode, either the client or the server may send data at any time. Such data is forwarded to/from the virtual terminal or command on the server side, and the user terminal on the client side. When the user program terminates and all forwarded and other connections have been closed, the server sends the command exit status to the client, and both sides exit.
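The selection rule behind the second and third steps above is worth seeing in code: in SSH2 both sides send their preference lists, and the first name on the client's list that the server also offers wins, so only the server's list limits what can be negotiated. This is an added example (RFC 4253, section 7.1), not ProSSHD code; the name-lists are a constructed sample.

```python
"""SSH2 algorithm negotiation (RFC 4253, section 7.1): both sides send
comma-separated name-lists in KEXINIT, and the chosen algorithm is the
first name on the *client's* list that the server also offers.  Added
example, not ProSSHD code; the name-lists below are a constructed sample."""
from typing import Dict, Optional

# Fields negotiated with the same rule (kex additionally requires
# compatibility with the host-key algorithm, which is omitted here).
FIELDS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c")

def choose(client: str, server: str) -> Optional[str]:
    """First client-preferred name also offered by the server, else None."""
    offered = set(server.split(","))
    for name in client.split(","):
        if name in offered:
            return name
    return None

def negotiate(client: Dict[str, str], server: Dict[str, str]) -> Dict[str, str]:
    """Select every field; no common algorithm means the connection fails
    at key exchange, reported here as a ValueError."""
    result = {}
    for field in FIELDS:
        chosen = choose(client[field], server[field])
        if chosen is None:
            raise ValueError(f"no common {field} algorithm; disconnect")
        result[field] = chosen
    return result

# Constructed sample: a permissive server still offering legacy algorithms.
SERVER_PERMISSIVE = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "host_key": "ssh-rsa,ssh-dss",
    "cipher_c2s": "aes128-cbc,aes256-ctr,3des-cbc",
    "cipher_s2c": "aes128-cbc,aes256-ctr,3des-cbc",
    "mac_c2s": "hmac-sha1,hmac-sha2-256",
    "mac_s2c": "hmac-sha1,hmac-sha2-256",
}
# Hardened server: the same lists with the legacy names removed.
LEGACY = {"diffie-hellman-group1-sha1", "ssh-dss", "3des-cbc", "hmac-sha1"}
SERVER_HARDENED = {k: ",".join(n for n in v.split(",") if n not in LEGACY)
                   for k, v in SERVER_PERMISSIVE.items()}
CLIENT_MODERN = {"kex": "diffie-hellman-group14-sha1", "host_key": "ssh-rsa",
                 "cipher_c2s": "aes256-ctr,aes128-cbc", "cipher_s2c": "aes256-ctr,aes128-cbc",
                 "mac_c2s": "hmac-sha2-256,hmac-sha1", "mac_s2c": "hmac-sha2-256,hmac-sha1"}
CLIENT_LEGACY = {"kex": "diffie-hellman-group1-sha1", "host_key": "ssh-dss",
                 "cipher_c2s": "3des-cbc", "cipher_s2c": "3des-cbc",
                 "mac_c2s": "hmac-sha1", "mac_s2c": "hmac-sha1"}
```

Against the permissive server the modern client still gets aes256-ctr (its own order wins, not the server's), while the legacy client gets 3des-cbc; only the hardened server refuses the legacy client.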

Preparing Key-files

Before using XwpSSHD, key-files (for authenticating and authorizing SSH clients) must be generated and placed correctly on the SSH clients' computers and on the SSH server.

The authentication and authorization files must be located in the ssh subdirectory in the home directory of the package.

The default names for the files are as follows:

  • public/private DSA host keys: ssh_host_dsa_key.pub, ssh_host_dsa_key
  • public/private RSA host keys: ssh_host_rsa_key.pub, ssh_host_rsa_key
  • authorized_keys, authorized_keys2

XwpSSHD comes with pregenerated (sample) key-files, so these files are ready to be used if you want. Because the same sample host keys are present in every copy of the package, generate your own host keys before the server is reachable from untrusted networks.


Configuring XwpSSHD

XwpSSHD comes preconfigured, so that after installation it can use the preset configuration to communicate with SSH clients.

When started, XwpSSHD reads a set of runtime configuration directives from the configuration file. These configuration directives control XwpSSHD behavior for various functions. The file contains keyword-value pairs, one per line. Lines starting with # and empty lines are interpreted as comments. Keywords are case insensitive.

The SSHD configuration file must be located in the ssh subdirectory in the home directory of the package.

You can use the default values for the configuration directives listed in the file, or you can modify these values according to your needs. (The Settings button is not yet implemented.) If you make a change to the SSHD configuration file after you have enabled SSH, you must restart SSHD for these changes to take effect.

Note that when SSHD is restarted, all active SSH server sessions are terminated. Active SSH client sessions are not affected.
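A small parser for the configuration format described above (one keyword-value pair per line, # and blank lines as comments, case-insensitive keywords), followed by a check of the settings a defender would review before restarting the service. This is an added example, not ProSSHD's own code; the page names no directives, so the OpenSSH-style directive names and their defaults are assumptions, and the sample file is constructed.

```python
"""Parser for the sshd-style configuration file described above: one
"keyword value" pair per line, '#'-lines and blank lines are comments, and
keywords are case-insensitive.  Added example, not ProSSHD's own code; the
directive names are OpenSSH-style assumptions, since the page names none."""
from typing import Dict, List

def parse_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> value.  The first occurrence of a keyword
    wins (as in OpenSSH); later duplicates are ignored."""
    directives: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comment or empty line
        parts = line.split(None, 1)        # keyword, then the rest as value
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: keyword without a value: {raw!r}")
        directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives

def audit(directives: Dict[str, str]) -> List[str]:
    """Settings a defender should review before exposing the service.
    The defaults assumed here ("yes" for both methods) are not from the page."""
    findings: List[str] = []
    pw = directives.get("passwordauthentication", "yes").lower() == "yes"
    pk = directives.get("pubkeyauthentication", "yes").lower() == "yes"
    if pw and not pk:
        findings.append("only Windows username/password authentication is "
                        "enabled; enable public-key authentication too")
    if "1" in directives.get("protocol", "2").split(","):
        findings.append("Protocol 1 requested, but the server speaks SSH2 only")
    if "listenaddress" not in directives:
        findings.append("no ListenAddress: the server listens on all "
                        "interfaces; scope the firewall exception accordingly")
    return findings

# Constructed sample, not a file shipped with the package.
SAMPLE_CONFIG = """\
# XwpSSHD sample configuration (constructed)
Port 22
PROTOCOL 2
PasswordAuthentication yes
PubkeyAuthentication no

AuthorizedKeysFile   authorized_keys authorized_keys2
# duplicate keyword: ignored, the first Port line above wins
Port 2222
"""
```

Running audit(parse_config(SAMPLE_CONFIG)) reports password-only authentication and the missing ListenAddress; a malformed line such as a keyword with no value raises ValueError with its line number.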

Refresh

This button refreshes the status of the service.


The Properties Box

If you have a typical installation, many services are configured as Automatic (that is, they start automatically when the system starts or when the service is called for the first time). If a service is configured as Manual, you must start the service manually before it can be loaded by the operating system and made available for use. If a service is configured as Disabled, it cannot be started automatically or manually.

To configure how XwpSSHD is started, you can choose the Startup type and press Set. Then you can manage the service by pressing the Start/Stop and Pause/Resume buttons while watching the Service status.

To start, stop, pause, resume, or restart a service (as administrator), you can also open the Services window (clicking Start/Settings/Control Panel/Administrative Tools/Services), right-click your service, and then click Start, Stop, Pause, Resume, or Restart.


The Windows Firewall Box

Windows Firewall monitors all aspects of the communications that are sent and received, and inspects the source and destination address of each message that it handles. In Microsoft Windows XP Service Pack 2 (SP2), Windows Firewall is turned on by default for all Internet and network connections. If you choose to install and run another firewall, turn off Windows Firewall.

When Windows Firewall is On, it blocks all unsolicited requests to connect to your computer, except for requests to programs or services selected on the Exceptions tab. When your computer gets an unsolicited request, Windows Firewall blocks the connection. If you choose to unblock the connection, Windows Firewall creates an exception. You can add a service as an exception so that the firewall will allow clients' information to reach your computer and the service (through the ports opened for it). For programs that open ports automatically as needed to connect to your computer, Windows Firewall must allow the program to open the correct port. For these programs to work correctly, they must be listed on the Exceptions tab in Windows Firewall.

You can add a new service to your network by installing the service software on one of your network computers and then adding the service definition so that Internet Connection Sharing (ICS), if enabled, will allow the service to be accessed from the Internet. The information that you must enter to add a service definition includes: the description of the service (a name that you can easily recognize), the name or IP address of the computer hosting the service, and the TCP or UDP port number for the service (the port number that external computers use to contact this service).

Add

This button adds the XwpSSHD definition (i.e., the description of the service) to the Exceptions tab in Windows Firewall to allow the service to be accessed from SSH clients' computers.

When you add or change settings for a service or program, you must choose whether to open the port to any computer or only to computers on your network. If you choose Any computer in the Advanced tab of Windows Firewall, anyone from the Internet or your network can connect to your computer. If you choose My network only, only computers on your local network can connect. If you prefer, you can click Custom, and then type a custom list of IP addresses and subnets that should be allowed access.

Delete

This button removes the XwpSSHD definition from the Exceptions tab in Windows Firewall.








Labtam Copyright 1999 - 2009 Labtam™ Inc.