This is a collection of answers to Frequently Asked Questions about
Pragma Systems Inc.'s FortressSSH (Secure Shell Server) for Windows. Please check
here before sending us an email or calling Pragma Systems in regards to
problems with the FortressSSH product.
Thank you,
Pragma Systems, Inc.
A. Pragma FortressSSH - Limitations of the evaluation version
B. Pragma FortressSSH - Interaction with Windows
C. Pragma FortressSSH - Hardware requirements
D. Pragma FortressSSH - Installation Problems
E. Pragma FortressSSH - Contact Us
F. Answers to Support Questions
A. Pragma FortressSSH - Limitations of the evaluation version
The free evaluation copy of Pragma FortressSSH will time out 14 days
from when it is initially installed. The greeting message and
copyright messages cannot be changed. Other than that, there is no
difference between our full use version and the trial version of Pragma FortressSSH.
B. Pragma FortressSSH - Interaction with Windows
Pragma FortressSSH is a standard UNIX secure shell that has been ported to Windows.
Secure Shell (SSH) is a de-facto industry standard for remote access
to systems over a secure connection using strong cryptography. A
serious problem with current popular tools like telnet and FTP is
that they transfer passwords and data in clear text over the internet, thus
compromising security. As a result, most secure UNIX and LINUX
systems are managed over ssh sessions, which encrypt passwords and all
data exchanges. With Pragma's FortressSSH product, Windows 2000/XP/Longhorn/Vista systems
can now be managed over secure ssh sessions similar to high end UNIX or
LINUX systems. The use of FortressSSH virtually eliminates the risk of
remote management as all session data are encrypted using strong ciphers
with keys exchanged dynamically using RSA public key algorithms.
SSH does not support graphical programs that use Windows but it will run
any program that will run in your Windows DOS Window. It runs on top
of your Server or Workstation and allows access to those machines
from any ssh client and protects the system by using the internal
security mechanisms.
With Pragma FortressSSH, you receive our fully functional InetD
product. InetD is a program we brought over from the UNIX
world. It allows us to run programs only when they are really needed.
InetD runs as a Service and watches TCP/IP ports for which it has
been configured. Using InetD allows us to use less memory and
processor time while awaiting a TCP/IP connection. When an ssh client
attempts a connection to your System, it uses a TCP/IP Port. InetD is
configured to watch this port and start the server application at
that time. At that point, the user is questioned for his/her login
information. The login information consists of a User ID, Password
and optional Domain. Pragma FortressSSH then takes this information and asks
the System if this user is authorized to use the system. If the user fails
the authentication, he/she is notified and is given a configurable
number of retries before being disconnected. If the user passes
authentication, the user is logged onto the system just as if they
were sitting at the computer.
C. Pragma FortressSSH - Hardware Requirements
Pragma FortressSSH will run on any system able to run Windows. Therefore,
all you need is the minimum requirements set by Microsoft. In terms of
addressing the question as to how many users can connect
to a machine at the same time before suffering performance degradation, we
recommend 2MB per user above the minimum needed for Windows. Here's a
guideline to follow for connecting 100 ssh sessions:
2 GHz processor
1 GB RAM
NOTE: The above recommendation is for ssh sessions running cmd.exe
ONLY. Additional resources will be needed as the number of sessions
increases, or for sessions that will be running additional processes.
Four megabytes of RAM should be added for each ssh session.
D. Pragma FortressSSH - Installation Problems
Pragma Systems no longer supports Windows NT 4.0
operating system for its software products.
If you experience problems with the installation, please follow these steps:
1.) If the installation stops running, exit all programs that
are running and try again.
Known programs that might interfere with the installation of Pragma FortressSSH:
Microsoft Exchange Server
Microsoft SQL Server
Virus Detection software
Backup software
2.) If you encounter a missing file error when you run the self extracting
executable, remove all temporary files under the following directory: "C:\Documents
and Settings\<YourUserProfileName>\Application Data\Temp". If you still encounter the missing
file error, please download the self-extracting executable file again from
our website.
3.) If installing from the setup created by a self-extracting file,
and a missing file error occurs, remove all temporary files, and run
the self-extracting file again. If it continues to miss the file, download
a new self-extracting file or contact Pragma Systems for support.
4.) If installation fails due to the InetD Service failing to start,
check the Event Log for an InetD error describing the failure.
E. Pragma FortressSSH - Contact Us
You can contact us via email at support@pragmasys.com or reach us at
the following location:
Pragma Systems, Inc.
13809 Research Boulevard, Suite 675
Austin, Texas 78750
Telephone: 512-219-7270
Toll Free: 1-800-224-1675
Fax: 512-219-7110
F. Answers to Support Questions
What is Pragma Configuration Server?
Answer: Pragma Configuration Server is a master configuration server to
deploy server settings to remote machines installed with any of the
Pragma servers. The master configuration can be modified locally or
pulled from the settings of the local machine if one of Pragma
servers is also installed on these machines.
Pragma Configuration Server is installed with Pragma FortressSSH server. The Configuration Server
dialog can be launched from the desktop shortcut icon (under the Pragma folder on the desktop)
or from the Windows Start menu shortcut. Once the Pragma Configuration Server dialog is up, click
on the "Help" button to learn more about Pragma Configuration Server.
I am using an application that requires me to use the Alt
key on the keyboard, how is this done?
Answer 1) You can use our Pragma FortressSSH Client Suite which
allows you to use the Alt key just as you normally would, by mapping
the ALT key to the same value as the server. See the telnetc.txt file
for help on mapping the ALT key for the client. The default value is CTRL-A.
Answer 2) You can re-map the Alt key to any key desired for
each user, using the TelnetServer User Configuration. The default
value is CTRL-A.
Why does Control-G not work?
Answer: Check to make sure that Allow Control-G is checked for the
user session.
Is it possible to get mouse support in an ssh session?
Answer: Yes, by using Pragma's FortressSSH Client Suite and the
WindowsTerm terminal emulation software.
Does Pragma FortressSSH support function keys?
Answer: Yes, if you use our Pragma FortressSSH Client Suite, all of the
keyboard keys work. However, if you use another client, make sure that it
supports VT420 or allows you to define support for specific function keys.
How can I get mouse access over an ssh session?
Answer: The client must be configured for the WindowsTerm emulation.
To do this, follow these instructions:
1. On the client machine, you need to set your term environment
variable to WindowsTerm, then run our ssh client. You can change the
environment variable from Control Panel:
o Go to the User Environment settings. This is in different
areas, based on the operating system. Check your documentation for the
specific location.
o Choose or Add "Term"
o Change value to WindowsTerm
o Click on "Set" and "Apply"
o Begin session
Or you can locally set the variable from a DOS prompt. Type the
following at the command prompt:
    set term=WindowsTerm
Then begin the ssh session in the same DOS prompt window.
What if a user has an account on the system but is unable to login?
Answer: Make sure that all users you wish to ssh into the system have
"Log on Locally" access permissions.
What if only the Administrator is allowed to login?
Answer: You must set the access rights in your User Administrator for
those users to have "Log on Locally" access to the
computer. If they have the "Log on Locally" access right set,
you need to make sure that the user has correct access to the
directory that Pragma FortressSSH is installed in.
What if it seems to take a longer time than normal to login?
Answer: One answer is to add the hostnames to your hosts file
supplied with your operating system. This file can be found in the
%SystemRoot%\system32\drivers\etc directory.
Another possibility is network performance. Use diagnostic tools to
check the network performance between the FortressSSH machine and the
authenticating machine.
Also, entering a specific domain at the domain prompt will increase
login time.
How do I execute a batch file when a user logs on?
Answer: You can assign a logon batch file for users using one of the
following methods. Select only one choice. Errors could occur if the
batch file is assigned in multiple locations.
Option 1) Set up the batch file using Windows User Management program.
Option 2) Enter your batch file in the Startup Program edit box under
the Full Console Settings or Stream Settings tab, depending on the
console mode. The location of this box depends on the version of
FortressSSH. Check your index for these box locations. If cmd.exe or
command.com is the User Shell then choose whether the command shell
should continue to run after executing the Startup Program. Older
versions require a /K or /C after the program name in the User Shell
edit box. A /K will return to the command prompt after running the
batch file, whereas a /C will close the session after completion.
What if my client is rejected by the server?
Answer: Check the Windows Application Event Log on the server for
detailed information on the cause of the rejection.
What if I get logged off as soon as I log on?
Answer: This is normally caused by a failure to run the command
shell. Check the Application Event Log for an error launching the
user shell program. If there is none, then check security access to
all necessary items to run the user shell, including directories and
mapped drives.
Does Pragma FortressSSH use the Windows User Database or
have its own?
Answer: Pragma FortressSSH uses the Windows User Database and API for
user authentication.
Could you tell me the limitations, if any, to run Pragma
FortressSSH on Windows?
Answer: Limitations are those imposed on the user's access rights and
what you can do in a console window. Also, you are limited by the
file system to only having one set of drive letters for the entire
system. This causes an error when two or more users try to map the same drive
letter. Windows XP and higher do not have this limitation.
Pragma FortressSSH does not seem to have the same path as Windows?
Answer: The path for any FortressSSH session is the same as the
System path. If the FortressSSH user has logged on interactively to the
server machine and has a profile with additional path values, this profile will be used during the FortressSSH session.
Can I run Pragma FortressSSH on a Windows
2000 Professional WorkStation instead of a Server?
Answer: Pragma Systems, Inc. no longer supports the Windows NT operating system. However, Windows 2000 is still supported.
Can I add/edit users from a command line?
Answer: Yes, you can accomplish this by using the NET.EXE command
line application. The Help for the command is:
    NET USER [username [password | *] [options]] [/DOMAIN]
             username {password | *} /ADD [options] [/DOMAIN]
             username [/DELETE] [/DOMAIN]
Can I see users that are logged on from the command line?
Answer: Yes, we ship a command line version of the Pragma Session
Manager, called TELMC.EXE.
I need to be able to change my password from command line?
Answer: We have included a utility in our Pragma FortressSSH Client
Suite package that will enable you to change your password from the
command line.
I wish to be able to scroll my screen back using a buffer
and view my previous commands?
Answer: To do this in older versions, you must run our server in
Stream Mode. When you log in, you may be given a choice to run in
Full Console Mode; answer NO to this question. If you are not asked
this at login time, go to FortressSSH Configuration Program and turn
on the option to ask for Console Mode.
In versions since 4.0, the Advanced Console screen mode can be used.
Advanced Console allows a console window for console applications,
and a scroll back history of all previously used commands.
It is important to understand that a screen buffer is a feature of
the client and not the server.
Why do I not get a color display?
Answer: The reason you are not seeing colors is probably because your
client does not support colors. If you are looking for a client that
does support colors, try our Pragma FortressSSH ClientSuite.
Why do I not see the 24th line in the output when I am
running a DOS program within an ssh session?
Answer: If the client you are using communicates the terminal window
size larger than 80*24, Pragma FortressSSH will support that window
size. If no window size is communicated by the client, then the default
window size is 80*24 lines. PC programs are typically written to
output 80*25 lines. If you scroll down with the arrow key you can see the 24th
and 25th line. The line we show or hide will be configurable. Our
Pragma FortressSSH Client supports window sizes of 80*25 or higher. It
is better to use our client or any other client that communicates the
window size.
My terminal only supports 24 lines, which causes the last
line to not display correctly?
Answer: Because DOS programs support a minimum of 25 lines, we have
re-mapped the last 25th line to the 24th line. This enables the last
line to be seen, which in most cases is very important. We do not
recommend using a client that does not support at least 25 lines.
How do I get reverse video?
Answer: Under the User Full Console Settings tab, turn on the User
Monochrome option and set the Default Background color to any value
other than Black. In version 5.0 and later, there is a check box to
use Reverse Video on the Console Settings page.
I wish to have each user's home directory mapped to a
network drive, however, when a user is set to use a networked drive,
that drive is not available to other users?
Answer: This is due to the fact that early versions of Windows were
not multi-user operating systems and are limited to the drive letters A
- Z. Windows versions since XP do not have this problem.
We would like to find out the possibility of
your product supporting either HPTERM or XTERM emulation?
Answer: We currently support VT100 to VT420, WYSE 50, IBM 3151, ANSI
and our own proprietary WindowsTerm. We find that these fit all
clients, however, if you have a special terminal you wish us to add,
please contact us.
How do I share NetWare drives between sessions?
Answer: In order to use NetWare drives without disconnecting them
after you exit from a session, you must install "Gateway (and
Client) Services for NetWare". You can do this from "Control
Panel" - "Network" - "Services" tab and
select the "Add" button. A list of services will appear and
you should select and install the "Gateway (and Client) Services
for NetWare". You will then be able to share NetWare drives as
if they were Microsoft Windows drives. Refer to your Windows Server
documentation for more information.
My NetWare drives are not accessible in a session?
Answer: This is a known problem with the NetWare security provider
and our server. One solution is to log on to the telnet session as the
same user who mapped the NetWare drive.
Another solution is to have the NetWare drives mapped from within the ssh session, which can be done easily with a login script.
Another solution is to install the Novell Client for Windows on the
FortressSSH machine; drives mapped outside of ssh sessions are available to
all privileged users. This has been tested with Version
4.3 of the Novell Client, which can be downloaded from www.novell.com.
How can I use InetD to enable my console application to be
TCP/IP network enabled?
Answer: This is a very simple task. All you must do is use our socket
instead of STDIN and STDOUT. So, you can use the following code
snippet to get the socket handle and allow your program to read and
write to the socket just as if it were in a regular console.
    #include <stdlib.h>   /* getenv, atoi */

    int main(void)
    {
        char *pSock;
        int hOutput = 0, hInput = 0;

        /* InetD passes the connected socket in this environment variable */
        if ( (pSock = getenv("PRAGMASYS_INETD_SOCK")) != NULL )
        {
            /* code for in session */
            hOutput = hInput = atoi( pSock );
            // From here you can use Windows ReadFile and WriteFile
            // for input and output
        }
        else
        {
            /* code for not in session */
        }
        return 0;
    }
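The same lookup with the environment value validated before it is used as a handle, as an added example that is not Pragma's code. The names parse_inetd_sock and echo_session are hypothetical, and the decimal encoding of PRAGMASYS_INETD_SOCK is an assumption taken from the snippet's use of atoi.

```c
/* Added example (not Pragma's code): validate PRAGMASYS_INETD_SOCK before use.
 * Assumption: InetD passes the socket as a decimal number, which is what the
 * page's atoi() call implies. parse_inetd_sock/echo_session are made-up names. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Strict decimal parse: returns 0 and stores the handle, or -1 on rejection.
 * atoi() would silently turn "", "abc" or "12abc" into 0 or 12. */
int parse_inetd_sock(const char *text, uintptr_t *out)
{
    char *end = NULL;
    unsigned long long v;

    if (text == NULL || text[0] < '0' || text[0] > '9')
        return -1;                 /* missing, empty, signed or padded */
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                 /* overflow or trailing junk */
    if (v == 0 || (unsigned long long)(uintptr_t)v != v)
        return -1;                 /* NULL handle, or too wide for a HANDLE */
    *out = (uintptr_t)v;
    return 0;
}

#ifdef _WIN32
/* Echo bytes back to the client with ReadFile/WriteFile, as the page suggests. */
static int echo_session(uintptr_t sock)
{
    HANDLE h = (HANDLE)sock;
    char buf[512];
    DWORD got = 0, put = 0, off;

    while (ReadFile(h, buf, sizeof buf, &got, NULL) && got > 0) {
        for (off = 0; off < got; off += put)      /* handle short writes */
            if (!WriteFile(h, buf + off, got - off, &put, NULL) || put == 0)
                return -1;
    }
    return 0;
}
#endif

int main(void)
{
    const char *env = getenv("PRAGMASYS_INETD_SOCK");
    uintptr_t sock = 0;

    if (env == NULL) {             /* not in session: keep console I/O */
        puts("not started by InetD; using STDIN/STDOUT");
        return 0;
    }
    if (parse_inetd_sock(env, &sock) != 0) {
        fputs("PRAGMASYS_INETD_SOCK is malformed; refusing to use it\n", stderr);
        return 1;
    }
#ifdef _WIN32
    return echo_session(sock) == 0 ? 0 : 1;
#else
    printf("handle %llu parsed; ReadFile/WriteFile path is Windows-only\n",
           (unsigned long long)sock);
    return 0;
#endif
}
```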
How do I START and STOP the InetD Service?
Answer 1: From the "Pragma Manager" on the InetD Settings page.
Answer 2: From the "Control Panel - Services" Program
1. Select the item "InetD" from the list, it should now
be highlighted
2. Select the "Start" button to start the InetD Service
3. Select the "Stop" button to stop the InetD Service
Answer 3: From a Command Prompt
1. Type "NET START INETD" to start the InetD Service
2. Type "NET STOP INETD" to stop the InetD Service
How can I execute a graphical program on Pragma FortressSSH
without hanging the process?
Answer: Although Pragma FortressSSH does not allow the client to
view graphical programs run on the server, you can start a graphical
program from the client, using the GUIStart program included with the
FortressSSH server.
I have some programs that run well in a local DOS Window;
however when I run them in a session, the window is not updating?
Answer: Try running the program in Advanced Console mode or using the
Wrapper Technology included with the server.
What are the known applications that require our wrapper technology
because of non updating window issue with DOS Windows?
o VI from the Windows Resource Kit
o PMON from the Windows Resource Kit
o VIM - a popular enhanced version of VI
o Computer Associates Interactive SQL command processor, Open
Ingres
Where can I get Emacs for Windows that works in a session?
Answer: If you are looking for a port of Emacs that works with our
FortressSSH Server, go to University of Washington Windows port of
Emacs. You will need to get at least version 19.34.2, which has been
modified for our Pragma Telnet Server, which uses a similar implementation.
Can I use IBM's DB2 product with Pragma FortressSSH?
Answer: Two environment variables need to be set for the DB2 Command
Line processor to work within a session, DB2RQTIME and DB2CLP.
DB2RQTIME: This is a timeout variable used by DB2. It represents
milliseconds, so it will be very large.
DB2CLP: This is an internal value set per session; it is unique to
each session. See your DB2 help for more information on setting this variable.
We recommend that you use a shell initializer on the server to set
these values at the start of your session.
Why is the ftp session forwarded through the FortressSSH SSH
session hanging?
Answer:
The ftp client is not in passive mode. Make sure the client supports
passive mode, and put the client in passive mode. The ftp client
included with the Windows operating systems does not support passive
mode. Pragma FortressSSH ships with an ftp client, Pragma FTP Client,
that does support passive mode.
How can you limit the CPU usage of a NTVDM process?
Answer: On NT 4.0 or higher, increasing the Idle Sensitivity will
decrease the CPU usage of a 16-bit process. The Idle Sensitivity can
be set under the properties of the 16-bit executable Misc tab.
How do I make Pragma FortressSSH stop any ntvdm.exe process
when a session ends?
Answer: When a 16 bit application is run within a session, a
ntvdm.exe is started and may not be killed when the user exits out of
the session. Pragma FortressSSH is automatically configured to stop
all processes started during a session.
If you have a program that requires that the "Monitor Child
Process" feature be Off, you may use the Graceful Termination
feature. Go to the User Management, Graceful Termination tab, and
set up the exit keys.
Why are users unable to print?
Answer: In order for printing to work, users that wish to print must
have Change access to the SpoolDir.
Take a look at the documentation on Printing Monitoring. It has step-by-step setup and troubleshooting tips.
How do I set a user's home directory?
Answer: Pragma FortressSSH supports the user settings in Windows,
including home directory and logon script. You may also set up a home
directory for each user for secure shell sessions only, using the
FortressSSH User Management. For the specified user, set the Home
Directory on the Users General Setting tab.
I can only get a small number of sessions connected, and
then I start getting errors?
Answer: First make sure that you do not have orphan sessions on the
server. If there are no orphan sessions, resources may limit the number of
sessions. Try increasing the Desktop Count for the InetD Service
under the InetD page. This will increase the amount of resources
available to the server sessions and user shell.
If the Desktop Count does not increase the number of sessions, then
you will need to change the system setup. Go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows
registry value. There is a substring value of SharedSection. For best
results this value should be SharedSection=1024,3072,512. After changing
the value, reboot the system.
If the problem persists, change the SharedSection value to
1024,3072,1024, then reboot. This setting is system dependent, so
some systems have better results with 512, while some perform better
with 1024.
Windows has a system limitation of 48 MB of memory for
non-interactive services, such as telnet sessions. Most systems will
begin to see errors eventually, usually around 100 sessions. To get a
larger number of sessions, the "Allow service to interact with
Desktop" checkbox should be turned on for the InetD service. The
side effect is that a small flash will occur on the server each time a
telnet session is connected.
Do I have to use Pragma FortressSSH ClientSuite?
Answer: You can use any client that supports SSH2 level protocol. We
have had successful sessions with Linux, HP, and some commercial
Windows ssh clients, such as F-Secure and SecureCRT.
I am getting a getpeername failure in the Event Log?
Answer: Another application with a Layered Service Provider might be
conflicting with the Pragma Server. Uninstall the other application
and re-boot.
Other applications known to cause a conflict:
McAfee VirusScan 7.0
Diamond Port Monitor
My server process immediately exits without error?
Answer: Another application with a Layered Service Provider might be
conflicting with the Pragma Server. Uninstall the other application
and re-boot.
Other applications known to cause a conflict:
McAfee VirusScan 7.0
Diamond Port Monitor
I have server processes left on the machine after the
client exits?
Answer: Server and user shell processes left after a client exits are
called orphan sessions. These sessions are left because the client
does not notify the server that they have exited. There are two
features included that can be used to clean up orphan sessions.
The first is the Server to Client Heartbeat under the General
Settings tab. This will send a signal to the client after the
configured period of time, and then disconnect the session, if it
does not receive a response from the client.
The other is the Idle Session Timeout under the User General Settings
tab. This will shut the session down after a fixed period of inactivity.