The Tectia server is implemented by a program, ssh2master, that runs as a daemon and listens for incoming connections. A separate program, ssh2server, is run to handle each connection when it is accepted. The sftp server is implemented by the program sftp_server2.

Stopping the ssh2master program doesn’t affect existing connections, since ssh2server continues to run. The Tectia server can even be restarted by a session that uses an SSH connection!

Normally, the Tectia server is run as a Windows service that is automatically started whenever the system boots. Several mechanisms can be used to start or stop the service manually:

ssh2master also understands the options -install and -remove to add or delete the Tectia server from the list of Windows services.

In addition, ssh2master accepts a few options that we have discussed previously for sshd2 on Unix platforms:

The server’s configuration files are stored in the installation folder (nothing is stored in the Windows registry):

sshd2_config has the same format as for Unix systems, and almost all of the keywords have exactly the same meaning for Windows, so we’ll just discuss the differences.

The server administration program, ssh2admin, also known as the Server Configuration tool (Figure 16-15), can display and change some keywords, but many features can be customized only by editing the file.

ssh2admin can be either run directly, or accessed by selecting the SSH Tectia Server Administration item within the menu Start/Programs/SSH Tectia Server. The Tools/View Configuration item displays the sshd2_config file in the Notepad editor.

Configuration changes take effect for each new session, as they are read by ssh2server. Only a few configuration keywords are used by ssh2master. If any of these are changed, the service should be restarted:

FIPS mode is controlled by the FIPSmode keyword, with a value of yes or no (the default): [5.3.5]

    FIPSMode    yes

When a command has been specified by an SSH client, it is run directly by the Tectia server. For commands that are built into the Windows command interpreter cmd.exe, specify cmd explicitly for the ssh command:

    $ ssh winserver.example.com cmd /c type readme.txt

Figure 16-15. Server configuration with ssh2admin

Otherwise, if no command is given, then the server runs cmd.exe by default for the interactive session. An alternate program can be specified by the TerminalProvider keyword:

    # Tectia
    TerminalProvider    "some-other-cmd.exe"

This provides the same functionality as the login shell for Unix systems, except that it applies to all users. User-specific subconfiguration files can specify different programs for individual users. [11.6.2]

Users can run graphical applications from SSH sessions, but the applications have no access to the display, so this has limited usefulness. Full-screen text applications don’t work correctly, because they expect to run in a real console window, and the SSH connection doesn’t provide information about the window dimensions, etc.

By default, the Tectia server creates terminals for interactive sessions in a fully private window station. This is controlled by the PrivateWindowStation keyword:

    # Tectia
    PrivateWindowStation    yes

The DoubleBackSpace keyword copes with Japanese Windows systems, which require double backspaces to be sent by the server in response to single backspaces from the client, for each two-byte Japanese character. The value is either yes (to enable this behavior) or no (the default):

    # Tectia
    DoubleBackSpace     yes

Child processes that are launched from SSH sessions are not automatically terminated when the session ends. This could be construed as a bug or a feature, depending on the circumstances: beware.

The user profile folder is used as the home folder for commands and interactive sessions.

Windows passwords are used for password authentication. The password authentication method is always required for domain user accounts. Public-key authentication works only for local user accounts, not domain user accounts.

The %D pattern for the UserConfigDirectory keyword refers to the user profile folder. [5.3.1.5] The user configuration folder contains the authorization file and public keys.

Accounts that use the SSH server for logins must possess the right to “log on locally.” This is disabled by default on some servers, such as domain controllers. Keywords like PermitRootLogin that refer to the Unix superuser affect any Windows accounts with administrative privileges.

In the server configuration, domain user accounts should be specified as domain/user (with a forward slash). The usual Windows backslash separator cannot be used.

Windows groups are not supported by the server, so keywords and values that refer to groups must not appear in the configuration files.

The Tectia server supports only TCP port forwarding on Windows, and enforces the restriction that only privileged users can use privileged port numbers (less than 1024).^[182] X forwarding and agent forwarding are not supported.

To support SFTP, the Tectia server configuration must include the sftp subsystem definition:

    Subsystem-sftp      "sftp_server2.exe"

No internal implementation is built into the SSH server, as it is for the Tectia servers on Unix systems.

The SFTP server restricts access to a set of folders. This is controlled by the Sftp-DirList keyword:

    # Tectia
    Sftp-DirList    "HOME=%D, SCRATCH=S:\scratch\%U"

The value is a comma-separated list (with optional whitespace), where each element has the format virtual=real. Virtual folder names are arbitrary, and are presented to the SFTP clients. These are mapped to the specified real folders on the server. The folder names can contain the patterns %D and %U, representing the user profile folder and the username, respectively. The default value is HOME=%D.

A set of administrative (or power) users can be defined to use an alternate list of folders:

    # Tectia
    Sftp-AdminUsers     "administrator, backup.*, rebecca"
    Sftp-AdminDirList   "HOME=%D, BACKUP=Z:\backup, C:=C:, D:=D:"

The value for Sftp-AdminUsers is a comma-separated list (with optional whitespace) of username patterns. By default, only the administrator account is included.

The Sftp-AdminDirList value has the same format as for Sftp-DirList. The default is HOME=%D, C:=C:, D:=D:.

SFTP sessions start in a home folder, which is specified by the Sftp-Home keyword:

    # Tectia
    Sftp-Home           "S:\sftp\%U"

The SFTP home folder must be accessible, according to Sftp-DirList or Sftp-AdminDirList. The folder can use the same patterns, %D and %U. The default is %D (the user profile folder).

The server records log messages in the Windows event log, instead of using the standards syslog service found on Unix systems. The event log can be viewed using the Tectia server administration program, or using the Control Panel, by selecting Administrative Tools/Event Viewer.

The verbosity of the messages is controlled by the EventLogFilter keyword:

    # Tectia
    EventLogFilter      error, warning

Values are a comma-separated list (with optional whitespace) consisting of one or more of the following levels:

Note that the higher levels do not include the lower levels, as they do for syslog on Unix systems. Each Windows event log level must be specified explicitly.

The SFTP server’s log messages are controlled by a separate keyword, SftpLogCategory, that specifies the kinds of messages that are sent to the event log:

    # Tectia
    SftpLogCategory     31

The numeric value is the sum of any of the following:

The ssh2admin program provides more convenient checkboxes to specify the value for SftpLogCategory.

The ssh2master -d option works the same way as it does for sshd2 on Unix systems to enable debug mode and specify the debug log level: [5.9.2]

    # Tectia
    ssh2master -d4

Debug output is written to the console window by default, but this can be redirected to a file:

    # Tectia
    ssh2master -d4 2> debug.txt

The scripts debug-ssh.bat and debug-ssh-file.bat run ssh2master with debug level 4, as shown earlier. In addition, the debug-ssh-file.bat script redirects output to the file sshd2_debug_output.txt in the installation folder, and then displays the file in the Notepad editor after the server exits. These scripts can also be run by selecting the items Troubleshoot Server or Troubleshoot Server and Save Debug Output from the menu Start/Programs/SSH Tectia Server/Tools.