Pragma Fortress SSH Client Frequently Asked Questions

This is a collection of answers to Frequently Asked Questions about Pragma Systems Inc.’s Pragma SSH Client for the Windows Mobile \ Windows CE platform. Please check here before sending email or calling Pragma Systems regarding problems with the SSH Client package.

Thank you,

Pragma Systems, Inc.

1. Will SSH Client package run on my particular operating system?
2. What is bundled with the SSH Client package?
3. What is Kerberos authentication?
4. How does SSH Client generate keys for FortressCL & FortressFX?
5. What is the difference between telnet & telnetc?
6. How much does the SSH Client package cost?
7. How much does technical support cost for the SSH Client package?
8. I get errors when using the runas program.
9. I get syntax errors when running the command line utilities, but I know the syntax is correct.
10. I cannot view the help files for the command line utilities.
11. How do I use FortressCL X.509 authentication with Cisco RADIUS?

1. Will SSH Client run on my particular operating system?

The SSH Client package is designed to run on Windows 2012/2008 R2/2008/8/7/Vista/2003/XP operating systems. Remote telnet, ssh, and sftp connections can be made using the clients to telnet/ssh/sftp servers running on Windows, Unix, or Linux platforms.


2. What is bundled with SSH Client package?

The SSH Client package consists of a GUI SSH & Telnet Client (FortressCL), GUI SFTP Client (FortressFX), Console SSH Client (ssh), Console SFTP Client (sftp) and Console Telnet Client (telnetc). Additionally, the Client package includes the following useful command line utilities:

pragmaftp – console ftp client
rsh – remote shell client for executing a single command on the server
rexec – remote execute daemon to execute a single command on the server
runas – runs a program as a different user
protan – protocol analyzer, a troubleshooting tool
osinfo – displays operating system information such as version, build number, etc.
pragmareg – command line registration tool
ps – process listing tool; prints active processes with name and ID
kill – process termination tool
key – provides the user with information about a particular key input event
which – allows the user to find a file in the PATH, INCLUDE, and LIB environments
console – allows the user to customize the current console window’s colors
getgroup – takes a valid username and a valid machine name and finds the local and global groups that user belongs to


3. What is Kerberos authentication?

Kerberos is a highly secure authentication method that uses secret-key cryptography. During Kerberos authentication, the client proves its identity to the server and vice versa. An SSH user’s identity is authenticated cryptographically by a Kerberos server without the user having to provide a password. An SSH client that supports GSSAPI (Kerberos) must be used to connect with this authentication method.

Kerberos supports authentication across a wide variety of platforms like Microsoft Windows, Linux, HP-UX, Solaris and AIX using credentials obtained from the operating system. Starting with Windows 2000, all Microsoft Windows operating systems (2000, XP, 2003, Vista) use Kerberos as the standard authentication method and Microsoft Active Directory is built with Kerberos and fully supports it.

4. How do I generate keys for FortressCL & FortressFX?

Pragma’s key generation program, sshkeygen, can be used to generate private and public keys for FortressCL and FortressFX. Sshkeygen is installed with the SSH Client package under the \Program Files\Pragma\Clients directory.


5. What is the difference between telnet & telnetc?

The “telnet” client is Microsoft’s console telnet client and comes bundled with all Microsoft operating systems. “Telnetc” is Pragma’s own console telnet client. The Microsoft client is a very basic console telnet client that supports minimal configuration and VT emulation. Our Console Telnet Client supports up to VT420 emulation as well as scripting and other enhanced features.

6. How much does SSH Client package cost?

Please see our pricing page at www.pragmasys.com/products/pricing for current pricing.

7. How much does technical support cost for SSH Client package?

The Pragma Systems, Inc. Support Plan is a cost-effective annual plan that provides participating Pragma customers with major software release upgrades, minor revision releases, and unlimited access to Pragma’s customer support staff. Purchasing a Pragma Support Plan can help you maintain a stable secure connectivity environment and provide a cost-effective means to stay up-to-date on the latest Pragma software.

Please visit our website at http://www.pragmasys.com/products/support for more details on our support program.

8. I get errors when using the runas program.

The user running runas.exe must have the following privileges:

· Act as part of the operating system
· Replace a process level token

The machine must be rebooted after setting these privileges.

9. I get syntax errors when running the command line utilities, but I know the syntax is correct.

Make sure that another utility with the same name does not exist on the system in a directory earlier in the path. Use the ‘which’ utility to make sure that the Pragma SSH Client package utility is the one being used. If you cannot reach the ‘which’ utility, then check that the Path environment variable contains the Clients subdirectory.
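
The check described above can also be scripted. This is an added PowerShell example, not Pragma's own code: it lists every file on the Path that answers to a utility name, in search order, and reports whether the first match is the copy in the Clients directory. The $ClientsDir value is an assumption based on the install path given in question 4.

```powershell
# Added example, not Pragma's code. $ClientsDir is an assumption based on the
# install path in question 4; the names are taken from the list in question 2.
$ClientsDir = Join-Path $env:ProgramFiles 'Pragma\Clients'
$Utilities  = 'runas', 'kill', 'ps', 'which', 'key', 'console', 'rsh', 'rexec'

function Get-PathCandidates {
    # Return every file on PATH that answers to $Name, in search order:
    # directories left to right, and within each directory PATHEXT left to right.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $PathValue = $env:Path,
        [string] $PathExt   = $env:PATHEXT
    )
    $exts = $PathExt -split ';' | Where-Object { $_ }
    $seen = @{}   # hashtable literal keys compare case-insensitively
    foreach ($entry in ($PathValue -split ';')) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not $dir -or $seen.ContainsKey($dir)) { continue }  # blanks, repeats
        $seen[$dir] = $true
        foreach ($ext in $exts) {
            $candidate = $dir.TrimEnd('\') + '\' + $Name + $ext
            if ([IO.File]::Exists($candidate)) { $candidate }
        }
    }
}

$report = foreach ($name in $Utilities) {
    $hits  = @(Get-PathCandidates -Name $name)
    $first = if ($hits.Count) { $hits[0] } else { $null }
    [pscustomobject]@{
        Utility      = $name
        FirstMatch   = $first
        # True only when the first hit lives directly in the Clients directory.
        IsPragmaCopy = [bool]($first -and
            ([IO.Path]::GetDirectoryName($first).TrimEnd('\') -eq $ClientsDir.TrimEnd('\')))
        LaterMatches = ($hits | Select-Object -Skip 1) -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

A row with IsPragmaCopy False and a non-empty FirstMatch names the file that is shadowing the Pragma utility. The script covers Path order only: cmd.exe also looks in the current directory before the Path, and PowerShell resolves its own aliases first (ps and kill are built-in aliases for Get-Process and Stop-Process).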

10. I cannot view the help files for the command line utilities.

The Pragma SSH Client package must be installed on a system for the utilities to be able to find the help files. To view the help files without installing the package, place them in a Help subdirectory of the Clients directory.

11. How do I use FortressCL X.509 authentication with Cisco RADIUS?

Here’s the Cisco reference:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-cfg-auth-rev-cert.html

Specifically:

If the RADIUS protocol is used, the password that is configured for the username in the AAA server should be set to “cisco,” which is acceptable because the certificate validation provides authentication and the AAA database is only being used for authorization. When the TACACS protocol is used, the password that is configured for the username in the AAA server is irrelevant because TACACS supports authorization without requiring authentication (the password is used for authentication).

The problem is that although RADIUS is only being used for authentication and not authorization for Cisco network devices, many users use the same backend for both authentication and authorization for other devices. A common example is Active Directory with NPS. In this scenario, Active Directory is used to authenticate and authorize all Windows computers on the network. Organizations wishing to add Cisco devices supporting 2FA have to create additional users that have hard-coded passwords. It CAN be done safely, but you have to be exceedingly careful to limit these accounts to the Cisco devices. This also means that the same accounts cannot be used for both Windows authentication and Cisco authentication. Government organizations often have their employees’ CAC cards set up to map to an Active Directory account and wish to authenticate using those CAC cards. The Cisco limitation makes this problematic, since the users’ passwords need to be hard-coded to a known value.
