When you install Reflection for Secure IT on systems with a Reflection 6.x server or F-Secure server, supported settings are migrated to the newer XML configuration file format. This table provides a summary of which settings are supported and how settings are migrated to the newer XML format.
NOTE: Settings for configuring certificate authentication are migrated when you install Reflection PKI Services Manager. For details, see Table of Migrated PKI Settings.
sshd2_config Keyword | rsshd_config.xml Setting |
---|---|
AddGroupToToken | Not supported |
AllowedAuthentications | Authentication.<xxx>.<xxx><br>Values: allow = 2, require = 3, deny = 1<br>publickey > PublicKey.AllowPublicKeyAuthentication<br>password > Password.AllowPasswordAuthentication |
AllowedPasswordAuthentications | Authentication.Radius.UseRadius |
AllowGroups | GroupAccessControl.GroupEntry.GroupName.AllowAccess<br>Sets AllowAccess to true |
AllowTcpForwardingForGroups | Not supported |
AllowTcpForwardingForUsers | Not supported |
AllowUsers | Sets AllowAccess to true |
AllowHosts | Sets AllowAccess to true |
AllowTcpForwarding | Permission.PermitC2SPortForwarding<br>Permission.PermitS2CPortForwarding |
AuthFailureErrorMessages | Authentication.AuthFailureErrorMessages |
AuthImmediateDisconnect | Authentication.AuthImmediateDisconnect |
AuthInteractiveFailureTimeout | Authentication.Password.Password-AttemptDelay |
AuthKbdInt.NumOptional | Not supported |
AuthKbdInt.Optional | Authentication.RSASecurID.RSASecurIDAuthentication<br>Set to '2' if 'securid' is present in the migrated setting |
AuthKbdInt.Plugin | Not supported |
AuthKbdInt.Required | Authentication.RSASecurID.RSASecurIDAuthentication<br>Set to '3' if 'securid' is present in the migrated setting |
AuthKbdInt.Retries | Not supported |
AuthorizationFile | Authentication.PublicKeys.Authorization-File |
AuthPublicKey.MaxSize | Authentication.PublicKeys.PublicKey-MaxSize |
AuthPublicKey.MinSize | Authentication.PublicKeys.PublicKey-MinSize |
BadKeyName | Not supported |
BannerMessageFile | General.BannerMessageFile |
CachePasswords | Authentication.UsePasswordCache |
Cert.RSA.Compat.HashScheme | Not supported |
Ciphers | Encryption.Ciphers.<xxx><br>none > NoEncryption<br>Any > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, cast128-cbc, aes128-ctr, aes192-ctr, aes256-ctr, NoEncryption<br>AnyStd > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, aes128-ctr, aes192-ctr, aes256-ctr<br>AnyCipher > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, cast128-cbc, aes128-ctr, aes192-ctr, aes256-ctr<br>AnyStdCipher > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, cast128-cbc, aes128-ctr, aes192-ctr, aes256-ctr<br>NOTE: If only unsupported ciphers are set, migration of the ciphers setting will fail. |
CRLFile | Not supported |
DefaultDirectory | Permission.TerminalDefaultDirectory |
DenyGroups | Sets AllowAccess to false |
DenyHosts | Sets AllowAccess to false |
DenyTcpForwardingForGroups | Not supported |
DenyTcpForwardingForUsers | Not supported |
DenyUsers | Sets AllowAccess to false |
DisableVersionFallback | SSH1 not supported by Reflection for Secure IT |
DoubleBackspace | Not supported |
EmulationType | Not supported |
EmulationTypeForCommands | Not supported |
EmulationTypeForForcedCommand | Not supported |
EnableLegacySubauthentication | Not supported |
EventLogFilter | EventLogging.EventLoggingLevel<br>DebugLogging.DebugLoggingLevel |
FipsMode | Encryption.FipsMode |
ForwardACL | Not supported |
GSSAPI.AllowedMethods | Not supported |
GSSAPI.DelegateToken | Not supported |
HostCertificateFile | Identity.HostCertificateFile |
HostKeyFile | Identity.HostKeyFile |
HostKeyEkInitString | Not supported |
HostKeyEkProvider | Not supported |
HostKeyEkTimeOut | Not supported |
HostSpecificConfig | Not supported |
IdleTimeOut | General.IdleTimeout |
IsPasswordChangeAllowed | Authentication.Password.Permit-PasswordChange |
KeepAlive | Network.Binding.TCPKeepAlive |
LDAPServers | Not supported |
LocalPki | Not supported |
ListenAddress | Network.Binding.ListenAddress (first binding) |
LogCertificateSubject | Not supported |
LoginGraceTime | Authentication.GraceLoginTimeout |
LogPublicKeyFingerPrint | Not supported |
MACs | Encryption.MACs.<xxx><br>none > NoProtection<br>Any > hmac-sha1, hmac-sha256, hmac-sha512, hmac-md5, hmac-ripemd160, NoProtection<br>AnyStd > hmac-sha1, hmac-sha256, hmac-sha512, hmac-md5, NoProtection<br>AnyMac > hmac-sha1, hmac-md5, hmac-ripemd160<br>AnyStdMac > hmac-sha1, hmac-md5 |
MapFile | Not supported |
MaxBroadcastsPerSecond | Not supported |
MaxConnections | General.MaximumConnection |
NoDelay | Not supported |
OCSPResponder | Not supported |
PasswdPath | Not supported |
PasswordGuesses | Authentication.Password.Maximum-PasswordAttempts |
PermitEmptyPasswords | Authentication.Password.Permit-EmptyPassword |
PermitRootLogin | Not supported |
PermitUserTerminal | Permission.PermitTerminalShell |
Pki | Not supported |
PkiDisableCrls | Not supported |
PkiOcspMode | Not supported |
Port | Network.Binding.Port |
PrivateWindowStation | Not supported |
ProtocolVersionString | Identity.ProtocolVersionString |
PublicHostKeyfile | Public key is copied – no XML setting |
QuietMode | Not supported |
RadiusKey | Authentication.Radius.RadiusServer.ServerSecret |
RadiusServer | Authentication.Radius.RadiusServer.ServerName |
RandomSeedFile | Not supported |
RekeyIntervalSeconds | Encryption.KeyExchange.Rekey-IntervalSeconds |
RemoteCommandPrefix | Permission.ExecutionRequestPrefix |
RequiredAuthentications | Values: allow = 2, require = 3, deny = 1<br>gssapi-with-mic > GSSAPI.Allow-GSSAPIAuthentication<br>publickey > PublicKey.AllowPublicKeyAuthentication<br>keyboard- > KeyboardInteracitve.Allow-KeyboardInteracitveAuthentication<br>password > Password.AllowPasswordAuthentication |
RequireReverseMapping | Network.Binding.RequireDNSLookup |
ResolveClientHostName | Not supported |
RevocationCa | Not supported |
SettableEnvironmentVars | Not supported |
Sftp-AdminDirList | Not migrated |
Sftp-AdminUsers | Not migrated |
Sftp-DirList | Note: If a “/” chroot is defined, then this accessible directory will be marked allowed and others will be marked not allowed. Also, the ‘Allow all’ setting will be unchecked. If multiple “/” chroot entries are found, migration migrates only the first “/” entry. If no “/” chroot is defined, all accessible directories will be marked allowed. Also, the ‘Allow all’ setting will be checked. If the first “/” chroot entry contains “$Drive”, migration will NOT migrate ANY accessible directories. If a non-chroot accessible directory contains “$Drive”, migration will skip this directory. |
Sftp-Home | SFTPDirectories.UserLoginDirectory<br>If Sftp-Home is empty, the server uses the first entry on Sftp-DirList, provided it is not a chrooted entry (forward slash).<br>Note: If a “/” chroot is defined, then the user login directory will be set to the “/” value. If multiple “/” chroot entries are found, then the first “/” entry wins. If the Sftp-Home directory is not one of the accessible directories or a child of one of them, then the user login directory will be set to “/”. |
SftpLogCategory | EventLogging.EventLoggingLevel<br>DebugLogging.DebugLoggingLevel<br>error,warning,info - 3<br>NOTE: All SFTP log categories are now part of overall event/debug logging. By default, Error Warning Information logging levels provide at least the same or more information.<br>User Login/Logout > error,warning,info - 2<br>Uploads > error,warning,info - 2<br>Downloads > error,warning,info - 2<br>Directory Listings > error,warning,info - 2<br>Modifications > error,warning,info - 2 |
SocksServer | Not supported |
Ssh1Compatibility | SSH1 not supported by Reflection for Secure IT |
Sshd1ConfigFile | SSH1 not supported by Reflection for Secure IT |
Sshd1Path | SSH1 not supported by Reflection for Secure IT |
SubAuthId | Not supported |
Subsystem | Not applicable |
Subsystem-sftp | Not applicable |
TerminalProvider | Permission.TerminalShell |
TryReverseMapping | Not supported |
UserConfigDirectory | Authentication.PublicKeys.UserKey-Directory |
UserSFTPDirectory | Pre 6.0 F-Secure keyword setting maps to SFTPDirectories.UserLoginDirectory<br>Uses same logic as Sftp-Home |
UserSpecificConfig | Not migrated |
VerboseMode | Not supported |
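
The Ciphers and MACs rows show that some legacy aliases (`Any` for both, and `AnyStd` for MACs) expand to lists that include NoEncryption or NoProtection, so a migrated server can end up permitting unprotected sessions. The following is an added example, not part of the product or its documentation: it expands a legacy value with the alias lists from the table and reports which migrated names disable protection. It assumes case-insensitive matching and treats any name that appears in none of those rows as unsupported; `twofish-cbc` is a constructed sample value.

```python
# Alias expansions transcribed from the Ciphers and MACs rows of the table.
CBC = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "des3-cbc", "blowfish-cbc"]
CTR = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
CIPHERS = {
    "none": ["NoEncryption"],
    "any": CBC + ["cast128-cbc"] + CTR + ["NoEncryption"],
    "anystd": CBC + CTR,
    "anycipher": CBC + ["cast128-cbc"] + CTR,
    "anystdcipher": CBC + ["cast128-cbc"] + CTR,
}
SHA = ["hmac-sha1", "hmac-sha256", "hmac-sha512"]
MACS = {
    "none": ["NoProtection"],
    "any": SHA + ["hmac-md5", "hmac-ripemd160", "NoProtection"],
    "anystd": SHA + ["hmac-md5", "NoProtection"],
    "anymac": ["hmac-sha1", "hmac-md5", "hmac-ripemd160"],
    "anystdmac": ["hmac-sha1", "hmac-md5"],
}
UNPROTECTED = {"NoEncryption", "NoProtection"}

def migrate(value, aliases):
    """Expand a comma-separated legacy value; return (migrated, dropped)."""
    # Assumption: matching is case-insensitive, and a name that appears in
    # none of the table's expansions is unsupported by the new server.
    known = {n.lower(): n for names in aliases.values() for n in names}
    migrated, dropped = [], []
    for token in filter(None, (t.strip() for t in value.split(","))):
        key = token.lower()
        if key in aliases:
            names = aliases[key]
        elif key in known:
            names = [known[key]]
        else:
            dropped.append(token)
            continue
        migrated += [n for n in names if n not in migrated]
    if not migrated:
        # The table's NOTE for Ciphers; applied to MACs here as an assumption.
        raise ValueError("only unsupported algorithms set: migration fails")
    return migrated, dropped

def unprotected(value, aliases):
    """Names in the migrated list that disable encryption or integrity."""
    return [n for n in migrate(value, aliases)[0] if n in UNPROTECTED]

if __name__ == "__main__":
    for kw, val, table in [("Ciphers", "Any", CIPHERS), ("MACs", "AnyStd", MACS),
                           ("Ciphers", "aes256-ctr,twofish-cbc", CIPHERS)]:
        print(kw, val, "->", migrate(val, table), unprotected(val, table))
```

A non-empty result from `unprotected` means the legacy value should be replaced with an explicit algorithm list before or immediately after migration.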