This is a collection of answers to frequently asked questions about Pragma SSH Server for Windows. Please check here before sending email or calling Pragma Systems in regards to problems with the SSH Server product.
Also check our forums pages for common questions and answers, https://forums.pragmasys.com.
Many issues can be resolved by viewing the Event Logs, where we record all errors and informational events. In Version 7, Build 9, Revision 1815 and later, all events are recorded under Windows Applications and Services -> Pragma SSH Server. In earlier versions, events are recorded in the Application log.
Pragma Systems, Inc.
List of Pragma SSH Server Support Questions by Topic1. Certificate Authentication
The free evaluation copy of Pragma SSH Server will timeout 14 days from when it is installed. The greeting message and copyright messages cannot be changed or removed. Other than that, there is no difference.B. How Pragma SSH Server works and interacts with Windows
Pragma SSH Server is a standard UNIX secure shell ported to Windows. Secure Shell (SSH) is a de-facto industry standard for remote access of systems over a secure connection using strong cryptography. A serious problem with current popular tools like telnet and FTP is that they transfer password and data in clear text on the net thus compromising security. As a result, most secure UNIX and LINUX systems are managed over ssh sessions which encrypts password and all data exchanges. With Pragma SSH Server, Windows systems can now be managed over secure ssh sessions just like high end UNIX or LINUX systems are. Use of Pragma SSH Server virtually eliminates the risk of remote management as all session data are encrypted using strong ciphers with keys exchanged dynamically using RSA public key algorithms.
SSH does not support graphical programs that open separate windows, it will run any program that will run in your Windows console window. It runs as a Windows service and allows access to those machines from any ssh client and protects the system by using the internal security mechanisms.
With Pragma SSH Server, you receive our fully functional InetD product. InetD is another program we brought over from the UNIX world. It allows us to run programs only when they are really needed. InetD runs as a service and watches TCP/IP ports for which it has been configured. Using InetD allows us to use less memory and processor time while awaiting a TCP/IP connection. When a ssh client attempts a connection to your system, it uses a TCP/IP Port. InetD is configured to watch this port and start the server application at that time. At that point, the user is questioned for his/her login information. The login information consists of a User ID, Password and optional Domain. Pragma SSH Server then takes this information and asks the system if this user is okay or not. If the user fails the authentication, he/she is notified and is given a configurable number of retries before being disconnected. If the user passes authentication, the user is logged onto the system just as if they were sitting at the computer.C. Hardware needed
Pragma SSH Server will run on any system able to run Windows. Therefore, all you need is the minimum requirements set by Microsoft. As for how many users can ssh to a machine at the same time and performance not be degraded, we say that you need about 5MB per user above the minimum needed for Windows.
Here's a guideline to follow for connecting 200 ssh sessions:
2 GHz processor
1 GB RAM
NOTE: The above recommendation is for ssh sessions running cmd.exe only. If the session will run additional programs, then the resources should be increased accordingly for each session. Additional resources will be needed as the number of sessions increase, or for sessions that will be running additional processes.D. Installation Problems with Pragma SSH Server
Answers to support questions:Where do I store keys for user authentication?
The location for authentication files is configured by the Local Server Configuration program. Under the Authentication -> Public Key Options, an administrator can set a designated location for the authentication files. The file will be named authorized_keys2 in the configured directory. The directory will need to be unique for each user. For example, the environment variable %USERNAME% or %APPDATA% can be used to make each directory unique. A single directory cannot be used for all users, since the server looks for the authorized_keys2 file for all users.How do I specify a x.509 certificate as an authentication key?
To pass a x.509 certificate, a special ssh option has been added to our command line client. Use the following syntax:
ssh -oCertHash=b86258bba6a65878329ac3a142e60e51a895f273 user@somehost
or for sftp
sftp -oCertHash=b86258bba6a65878329ac3a142e60e51a895f273 user@somehost
There should be no space between the -o option specifier and the option name "CertHash"How do I pass a identity certificate to the command line sftp client?
To pass a certificate for authentication via sftp, you need to pass it to the ssh client as an option. Use the following syntax:
sftp -oIdentityFile=key_name username@host
There should be no space between the -o option specifier and the option name "identityfile"Using Pragma clients: FortressCL; FortressFX; and command line clients; with certificate authentication fails when connecting to Cisco routers.
Check that the public keys are loaded to the username in Cisco router/switch. Issue "show run | b ip ssh pu" to see the public keys loaded for various user accounts. Cisco allows 2 keys to be loaded for each user account. "config t" followed by "ip ssh pubkey-chain" command is used in Cisco to load a public key for login.I cannot get a certificate to store using the auto-store features.
The auto-store features can fail for multiple reasons:
Pragma SSH Server has the ability to grant or deny users to press Control-G to make the server beep. If Control-G is not working, check the Users -> Keyboard page of the Local Server Configuration program to make sure the option is on.Pressing Control-C doesn't do anything?
Pragma SSH Server has the ability to grant or deny users to press Control-C to break out of the current application. If Control-C is not working, check the Users -> Keyboard page of the Local Server Configuration program to make sure the option is on.Does Pragma SSH Server support function keys?
Yes, if you use our Console ssh Client, all of the keyboard keys work. However, if you use another client, make sure that it supports VT420 or allows you to define what it sends for the keyboard.Is it possible to get mouse support in a ssh session?
For mouse support, both the client and the server need to be in "WindowsTerm" mode. To do this, follow these instructions:
To set the client side, you need to set your term environment variable to WindowsTerm in your local machine first and then run our ssh client.
You can change the environment variable for all sessions by modifying the variable for from Control Panel.
Or you can set the variable from a just for a single session, by typing "term=WindowsTerm" at the command prompt before starting the ssh session in the same command prompt session.User has account on system but is unable to login.
The most common cause of a user being rejected is that they do not the necessary permissions to access the server or run the configured user shell and/or startup program. All users must have "Log on Locally" access permissions to be granted access via ssh.It seems to take long time to login.
The most common cause of delayed access, is authentication by a trusted domain. Pragma SSH Server authenticates in the following order: local, current domain, trusted domains. If the user is a member of a trusted domain, entering the domain at the domain prompt will speed up authentication.
Overall network lag can be the cause as well. Test an authentication of the same user outside of ssh, such as mapping or drive or some group membership configuration for the operating system. If this is slow as well, then see a network administrator.How do I execute a batch file when a user logs on?
You can assign a logon batch file for users using one of the following methods. Select only one choice. Errors could occur if the batch file is assigned in multiple locations.
This is normally caused by a failure to run the command shell. Check the Event Log for an error launching the user shell program. If there is none, then check security access to all necessary items to run the user shell, including directories and mapped drives.How do I get rid of the Character Map prompt?
Beginning with Version 6.0, the Character Map prompt is only displayed when an unknown terminal type is used, or if the server administrator requests it. If you need to assign a character map enter the value in the Default Character Map exactly as it appears in the prompt. For example, enter [vtxxx] for our default option.How do I set a users home directory?
Pragma SSH Server supports the user settings in Windows, including home directory and logon script. You may also set up a home directory for each user for ssh only, by setting the Home Directory on the Users General Setting tab.How do I set a users home directory on a network drive?
Before a network drive can be accessed it must be either mapped or referenced by a UNC name. If using a mapped drive, on the User -> Logon page of the Local Server Configuration program, please make sure that the option to Mapped Network Drives is on and not being performed in the background.What versions of Windows are supported?
All servers are full compatible with Windows 2022/2019/2016/2012/ R2/2012 servers and Windows 11/10/8/7
All clients can also run on Windows XP and Vista.
Pragma crypto libraries obtained US NIST FIPs certification for Windows 10, Windows Server 2016 and Windows server 2012R2.
Pragma products are fully compatible and tested for use in in Windows Server 2019 and are used in thousands of customer sites worldwide.
Pragma SSH Server uses the Windows User Database and API for user authentication.Could you tell me the limitations, if any, to run Pragma SSH Server on Windows?
Limitations are those imposed on the User's access rights and what you can do in a console window. Also, you are limited by the file system to only having one set of drive letters for the entire system. This causes an error when 2 users try to map the same drive letter.Pragma SSH Server doesn't seem to have the same path as Windows.
This can occur if the ssh user does not have the path configured under the OS. The path is a setting of the system and the users path. If a different user is logged on to the desktop, the path may be different than the path a different user would get under in the ssh session.Can I run Pragma SSH Server on a Windows Workstation OS instead of a Server OS?
Yes, we are not limited to running on a Windows Server operating system. Any version of Windows will work.Does Pragma SSH Server run on virtual servers?
Pragma SSH Server has been tested on all Windows operating systems running on multiple virtual server applications. The connections behave just as they would if installed on a stand alone system.Can I add/edit users from a command line ?
Yes, you can accomplish this by using the Windows NET.EXE command line application. The NET command has many important functions that can be helpful at the command line. Many useful utilities are also shipped with the Pragma SSH Server product. Microsoft Resource Kits and Server Support Kits contain many other useful command line tools.Can I see users that are logged on from command line?
Yes, we ship a command line version of the Pragma Session Manager, called TELMC.EXE.I need to be able to change my password from command line.
Included with the server is a utility, password.exe, that will enable you to change your password from the command line.I wish to be able to scroll my screen back using a buffer and view my previous commands.
Advanced Console mode allows a user to run console commands and have a scroll back history. This is a only available from Pragma Systems. Stream Mode is still available for any application that handles all emulation for the client, or a session that does not require any console features.Why don't I get a color display?
The most common cause of no color display is that the client does not support color. Included with the server are multiple clients, GUI and command line that support color. A second possibility is that the server is running in monochrome or has the checkbox on for "Slow network connections", which will turn on monochrome support. Check the Console Settings page of the Local SSH Server Configuration program.My terminal only supports 24 lines, this causes the last line to not display correctly.
Because DOS programs support a minimum of 25 lines, we have re-mapped the last 25th line to the 24th line. This enables the last line to be seen, which in most cases is very important. We do not recommend using a client that does not support at least 25 lines.How do I get reverse video?
For versions earlier than 5.0, use the Console Settings tab, turn on the User Monochrome option and set the Default Background color to any value other than Black. Version 5.0 includes a check box to use Reverse Video.How can I use InetD to enable my console application to be TCP/IP network enabled?
This is a very simple task. All you must do is use our socket instead of STDIN and STDOUT. So, you can use the following code snippet to get the socket handle and allow your program to read and write to the socket just as if it were in a regular console.
int hOutput = 0, hInput = 0;
if ( (pSock = getenv("PRAGMASYS_INETD_SOCK")) != NULL )
/* code for in ssh session */
hOutput = hInput = atoi( pSock );
// From here you can use Windows NT ReadFile and WriteFile
// for input and output
/* code for not in ssh session */
For version 7.0 and later, the following registry string value entry must also be added:
HKEY_LOCAL_MACHINE\SOFTWARE\PragmaSystems\sshd\Users\ for each configured user\CustomAppSupport, with a value of "yes".How do I START and STOP the InetD Service?
Some programs that are compiled for Windows and run in a console window use the Win32 Console API functions that switch the active screen buffer being used. Not only does Pragma SSH Server have no way of knowing that these functions are being used and that the screen buffer has been changed, but because of process boundaries set by Windows, the SSH Server process has no access to these screen buffers. These applications will work in Advanced Console or with the wrap.exe program.Known applications that need our Wrapper technology because of the above issue:
VI from the Windows NT Resource Kit
PMON from the Windows NT Resource Kit
VIM - a popular enhanced version of VI
Computer Associates Interactive SQL command processor, Open Ingres
You can download a 64-bit version of Emacs from Sourceforge at https://sourceforge.net/projects/emacsbinw64.Using IBM's DB2 product with Pragma SSH Server.
Two environment variables need to be set for the DB2 Command Line processor to work within a ssh session, DB2RQTIME and DB2CLP.
DB2RQTIME: This is a timeout variable used by DB2, it represents milli-seconds so it will be very large.
DB2CLP: This is an internal value set per session, it is unique to each session. See you DB2 help for more information on setting this variable.
We recommend that you use a shell initializer on the server to set these values at the start of you ssh session.How do I make Pragma SSH Server stop any child process when a ssh session ends?
Use the "Monitor Child Process" feature to make sure all child processes are removed when a session ends. If there is a known exit that will exit the process from any spot in the program, then configure the exit sequence under the Graceful Termination page of the Local SSH Server Configuration program.Users are unable to print.
In order for printing to work, users that wish to print must have Change access to the SpoolDir.
Take a look at the documentation on Printing Monitoring. It has a step-by-step setup and troubleshooting tips.I can only get a small number of sessions connected, then I start getting errors.
Resources may limit the number of sessions. If a large number of sessions are active, and users begin to experience process issues or are unable to logon, increase the InetD Desktop Count. If that does not allow more sessions then check the Win32 system setup. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows registry value. There is a substring value of SharedSection. For best results this value should be SharedSection=1024,3072,512. After changing the value, reboot the system.
If the problem persist change the SharedSection value to 1024,3072,1024, then reboot. This setting is system dependent, so some systems have better results with 512, while some perform better with 1024.
Windows has a system limitation of 48 MB of memory for non-interactive services, such as ssh sessions. This limit will be reached if InetD cannot create all of the requested desktops or the SharedSection value is set too high.I am getting a getpeername failure in the Event Log.
My session immediately exits without error.
Another application with a Layered Service Provider might be conflicting with the Pragma Server. Uninstall the other application and re-boot.
Other applications known to cause a conflict:
McAfee VirusScan 7.0
Diamond Port Monitor
Server and user shell processes left after a client exits are called orphan sessions. These sessions are left because the client does not notify the server that they have exited. There are 2 features included that can be used to clean up orphan sessions.
The first is the Server to Client Heartbeat under the User -> Handheld page of the Local Server Configuration program. This will send a signal to the client after the configured period of time, and then disconnect the session, if it does not receive a response from the client.
The other is the Idle Session Timeout under the User General Settings page of the Local Server Configuration program. This will shut the session down after a fixed period of inactivity. This value will shut down the session whether the connection is good, so it should be configured high enough not to interfere with an expected idle period.