Show Contents / Index / Search

Table of Migrated Settings

When you install Reflection for Secure IT on systems with a Reflection 6.x server or F-Secure server, supported settings are migrated to the newer XML configuration file format This table provides a summary of which settings are supported and how settings are migrated to the newer XML format.

Note: Settings for configuring certificate authentication are migrated when you install Reflection PKI Services Manager. For details, see Table of Migrated PKI Settings.

sshd2_config Keyword

rsshd_config.xml Setting

AddGroupToToken

Not supported

AllowedAuthentications

 

Authentication.<xxx>.<xxx>

Values: allow = 2, require = 3, deny = 1

gssapi-with-mic > GSSAPI.
AllowGSSAPIAuthentication

publickey > PublicKey.AllowPublicKeyAuthentication

keyboard-interactive > KeyboardInteracitve.
AllowKeyboardInteracitveAuthentication

password > Password.AllowPasswordAuthentication

AllowedPasswordAuthentications

Authentication.Radius.UseRadius

AllowGroups

GroupAccessControl.GroupEntry.GroupName.AllowAccess

sets AllowAccess to true

AllowTcpForwardingForGroups

Not supported

AllowTcpForwardingForUsers

Not supported

AllowUsers

UserAccessControl.UserEntry.UserName.
AllowAccess

Sets AllowAccess to true

AllowHosts

ClientHostAccessControl.ClientHostServer.
ClientDomain.AllowAccess

Sets AllowAccess to true

AllowTcpForwarding

Permission.PermitC2SPortForwarding

Permission.PermitS2CPortForwarding

AuthFailureErrorMessages

Authentication.AuthFailureErrorMessages

AuthImmediateDisconnect

Authentication.AuthImmediateDisconnect

AuthInteractiveFailureTimeout

Authentication.Password.Password-AttemptDelay

AuthKbdInt.NumOptional

Not supported

AuthKbdInt.Optional

Authentication.RSASecurID.RSASecurIDAuthentication

Set to '2' if 'securid' is present in the migrated setting

AuthKbdInt.Plugin

Not supported

AuthKbdInt.Required

Authentication.RSASecurID.RSASecurIDAuthentication

Set to '3' if 'securid' present in the migrated setting

AuthKbdInt.Retries

Not supported

AuthorizationFile

Authentication.PublicKeys.Authorization-File

AuthPublicKey.MaxSize

Authentication.PublicKeys.PublicKey-MaxSize

AuthPublicKey.MinSize

Authentication.PublicKeys.PublicKey-MinSize

BadKeyName

Not supported

BannerMessageFile

General.BannerMessageFile

CachePasswords

Authentication.UsePasswordCache

Cert.RSA.Compat.HashScheme

Not supported

Ciphers

 

Encryption.Ciphers.<xxx>

aes128-ctr > aes128-ctr
aes128-cbc > aes128-cbc
aes128 > aes128-cbc
aes192-ctr > aes192-ctr
aes192-cbc > aes192-cbc
aes192 > aes192-cbc
aes256-ctr >aes256-ctr
aes256-cbc > aes256-cbc
aes256 > aes256-cbc
3des-ctr > not supported
3des-cbc > des3-cbc
3des > des3-cbc
blowfish-ctr > not supported
blowfish-cbc > blowfish-cbc
blowfish > blowfish-cbc
twofish > not supported
arcfour >arcfour-128,arcfour-256,arcfour
cast128-ctr > not supported
cast128-cbc > cast128-cbc
cast128 > cast128-cbc
des-cbc@ssh.com > not supported
des > not supported
rc2-cbc@ssh.com > not supported

none > NoEncryption

Any > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, cast128-cbc, aes128-ctr, aes192-ctr, aes256-ctr, NoEncryption

AnyStd > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, aes128-ctr, aes192-ctr, aes256-ctr

AnyCipher > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, cast128-cbc, aes128-ctr, aes192-ctr, aes256-ctr

AnyStdCipher > aes128-cbc, aes192-cbc, aes256-cbc, des3-cbc, blowfish-cbc, cast128-cbc, aes128-ctr, aes192-ctr, aes256-ctr

Note: If only unsupported ciphers are set, migration of ciphers setting will fail.

CRLFile

Not supported

DefaultDirectory

Permission.TerminalDefaultDirectory

DenyGroups

GroupAccessControl.GroupEntry.GroupName.
AllowAccess

Sets AllowAccess to false

DenyHosts

ClientHostAccessControl.ClientHostServer.
ClientDomain.AllowAccess

Sets AllowAccess to false

DenyTcpForwardingForGroups

Not supported

DenyTcpForwardingForUsers

Not supported

DenyUsers

UserAccessControl.UserEntry.UserName.
AllowAccess

Sets AllowAccess to false

DisableVersionFallback

SSH1 not supported by Reflection for Secure IT

DoubleBackspace

Not supported

EmulationType

Not supported

EmulationTypeForCommands

Not supported

EmulationTypeForForcedCommand

Not supported

EnableLegacySubauthentication

Not supported

EventLogFilter

EventLogging.EventLoggingLevel

DebugLogging.DebugLoggingLevel

error - 1
error,warning - 2
error,warning,info - 3

FipsMode

Encryption.FipsMode

ForwardACL

Not supported

GSSAPI.AllowedMethods

Not supported

GSSAPI.DelegateToken

Not supported

HostCertificateFile

Identity.HostCertificateFile

HostKeyFile

Identity.HostKeyFile

HostKeyEkInitString

Not supported

HostKeyEkProvider

Not supported

HostKeyEkTimeOut

Not supported

HostSpecificConfig

Not supported

IdleTimeOut

General.IdleTimeout

IsPasswordChangeAllowed

Authentication.Password.Permit-PasswordChange

KeepAlive

Network.Binding.TCPKeepAlive

LDAPServers

Not supported

LocalPki

Not supported

ListenAddress

Network.Binding.ListenAddress (first binding)

LogCertificateSubject

Not supported

LoginGraceTime

Authentication.GraceLoginTimeout

LogPublicKeyFingerPrint

Not supported

MACs

 

Encryption.MACs.<xxx>

hmac-sha1 > hmac-sha1
hmac-sha256 > hmac-sha256
hmac-sha512 > hmac-sha512
hmac-md5 > hmac-md5
hmac-sha256 > Not supported
hmac-ripemd160 > hmac-ripemd160

none > NoProtection

Any > hmac-sha1, hmac-sha256, hmac-sha512, hmac-md5, hmac-ripemd160, NoProtection

AnyStd > hmac-sha1, hmac-sha256, hmac-sha512, hmac-md5, NoProtection

AnyMac > hmac-sha1, > hmac-md5, hmac-ripemd160

AnyStdMac > hmac-sha1, hmac-md5

MapFile

Not supported

MaxBroadcastsPerSecond

Not supported

MaxConnections

General.MaximumConnection

NoDelay

Not supported

OCSPResponder

Not supported

PasswdPath

Not supported

PasswordGuesses

Authentication.Password.Maximum-PasswordAttempts

PermitEmptyPasswords

Authentication.Password.Permit-EmptyPassword

PermitRootLogin

Not supported

PermitUserTerminal

Permission.PermitTerminalShell

Pki

Not supported

PkiDisableCrls

Not supported

PkiOcspMode

Not supported

Port

Network.Binding.Port

PrivateWindowStation

Not supported

ProtocolVersionString

Identity.ProtocolVersionString

PublicHostKeyfile

Public key is copied – no XML setting

QuietMode

Not supported

RadiusKey

Authentication.Radius.RadiusServer.ServerSecret

RadiusServer

Authentication.Radius.RadiusServer.ServerName

RandomSeedFile

Not supported

RekeyIntervalSeconds

Encryption.KeyExchange.Rekey-IntervalSeconds

RemoteCommandPrefix

Permission.ExecutionRequestPrefix

RequiredAuthentications

Values: allow = 2, require = 3, deny = 1

gssapi-with-mic > GSSAPI.Allow-GSSAPIAuthentication

publickey > PublicKey.AllowPublic-KeyAuthentication

keyboard- > KeyboardInteracitve.Allow-KeyboardInteracitveAuthentication

password > Password.AllowPassword-Authentication

RequireReverseMapping

Network.Binding.RequireDNSLookup

ResolveClientHostName

Not supported

RevocationCa

Not supported

SettableEnvironmentVars

Not supported

Sftp-AdminDirList

Not migrated

Sftp-AdminUsers

Not migrated

Sftp-DirList

SFTPDirectories.AccessibleDirectories.
AccessibleDirectory

Note:If a “/” chroot is defined, then this accessible directory will be marked allowed and others will be marked not allowed. Also, ‘Allow all’ setting will be unchecked.If multiple “/” chroot is found, migration only migrate the first entry of “/”.

If no “/” chroot is defined, all accessible directory(s)will be marked allowed. Also, ‘Allow all’ setting will be checked.

If the first entry of “/” chroot contains “$Drive”, migration will NOT migrate ANY accessible directory(s).

If a non-chroot accessible directory contains “$Drive”, migration will skip this directory.

Sftp-Home

SFTPDirectories.UserLoginDirectory

If Sftp-Home is empty, the server uses the first entry on Sftp_DirList, provided it is not a chrooted entry (forward slash).

Note: If a “/” chroot is defined, then the user login directory will be set to “/” value. If multiple “/” chroot is found, then the first entry of “/” wins. If Sftp-Home directory is not one of accessible directory(s) or a child of one of the accessible directory(s), then user login directory will be set to “/”.

SftpLogCategory

EventLogging.EventLoggingLevel

DebugLogging.DebugLoggingLevel

error,warning,info - 3

Note: All SFTP log categories are now part of overall event/debug logging. By default, Error Warning Information logging levels provide at least the same or more information.

User Login/Logout > error,warning,info - 2

Uploads > error,warning,info - 2

Downloads > error,warning,info - 2

Directory Listings > error,warning,info - 2

Modifications > error,warning,info - 2

SocksServer

Not supported

Ssh1Compatibility

SSH1 not supported by Reflection for Secure IT

Sshd1ConfigFile

SSH1 not supported by Reflection for Secure IT

Sshd1Path

SSH1 not supported by Reflection for Secure IT

SubAuthId

Not supported

Subsystem

Not applicable

Subsystem-sftp

Not applicable

TerminalProvider

Permission.TerminalShell

TryReverseMapping

Not supported

UserConfigDirectory

Authentication.PublicKeys.UserKey-Directory

UserSFTPDirectory

Pre 6.0 F-Secure keyword setting maps to SFTPDirectories.UserLoginDirectory

Uses same logic as Sftp-Home

UserSpecificConfig

Not migrated

VerboseMode

Not supported