VanDyke Software Forums

  #1  
Old 02-07-2006, 10:54 AM
res res is offline
VanDyke Project Manager
 
Join Date: Feb 2004
Location: VanDyke Software
Posts: 12
VShell 2.6 Beta

Welcome to the VShell 2.6 Beta test. The major new features for 2.6 are:
  • FIPS -- VShell for Windows can now be installed in "FIPS Mode", which uses a FIPS 140-2 validated cryptographic library and only allows FIPS-approved algorithms.
  • RADIUS -- VShell for Windows allows authentication to RADIUS servers using SecurID or other methods. RADIUS support is implemented through keyboard-interactive authentication.
  • VShellConfig -- A Windows command-line utility that allows editing of SFTP roots and access control lists (ACLs).
  • Deny Host File -- This feature has been added to reduce the impact of a dictionary attack. VShell for Windows now tracks failed authentications by IP address and can add these addresses to the Deny Host file after the specified threshold has been reached. Once an IP address has been added to the Deny Host file, VShell will not allow future connections from that address.
Although the new features have been decided for 2.6, you can still post feature requests and they will be considered for future versions of VShell.

Please feel free to start new threads and to post polls. I'm looking forward to some good discussion about the betas. Thanks for joining us!
__________________
Robert Stehwien
VanDyke Software
Software Developer
  #2  
Old 02-07-2006, 12:35 PM
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378
Quote:
Deny Host File -- This feature has been added to reduce the impact of a dictionary attack. VShell for Windows now tracks failed authentications by IP address and can add these addresses to the Deny Host file after the specified threshold has been reached. Once an IP address has been added to the Deny Host file, VShell will not allow future connections from that address.
Is this planned for Linux?
__________________
----------------------------------------------
Tom O'Loughlin
  #3  
Old 02-07-2006, 04:08 PM
jpv jpv is offline
Weekend Programmer and CEO
 
Join Date: Nov 2003
Location: VanDyke Software
Posts: 54
Quote:
Originally Posted by toloughlin
Is this planned for Linux?
Not currently. If there is sufficient interest in this feature under Linux, Solaris, etc., it could be added.

--Jeff
  #4  
Old 02-08-2006, 06:41 AM
Ken Ken is offline
Registered User
 
Join Date: Mar 2004
Posts: 8
AllowHosts file too??

DenyHosts file is great. But how about adding an AllowHosts file or specify entries in the AllowHosts file that do NOT get denied.
I'd be hesitant to turn this function on as it could deny connections from a VALID ip. Especially if port forwarding from another machine.
  #5  
Old 02-08-2006, 09:13 PM
jpv jpv is offline
Weekend Programmer and CEO
 
Join Date: Nov 2003
Location: VanDyke Software
Posts: 54
Quote:
Originally Posted by Ken
DenyHosts file is great. But how about adding an AllowHosts file or specify entries in the AllowHosts file that do NOT get denied.
I'd be hesitant to turn this function on as it could deny connections from a VALID ip. Especially if port forwarding from another machine.
This is something we had considered.

If we added this functionality, would you prefer to see this in the same file, a separate file, or configurable through the control panel?

--Jeff
  #6  
Old 02-09-2006, 03:22 AM
kelli.burki kelli.burki is offline
Registered User
 
Join Date: Jan 2004
Location: VanDyke Software
Posts: 33
I'll put one vote in for the Mac ;-)

Quote:
Originally Posted by jpv
Not currently. If there is sufficient interest in this feature under Linux, Solaris, etc., it could be added.

--Jeff
I'll put a vote in for supporting on *nix -- mac specifically. I also like Ken's suggestion for the allow host config option. You might at least consider revising the announcement from:

Deny Host File -- This feature has been added to reduce...

to

...has been added to VShell for Windows...

In my haste (and excitement) I read the announcement and quickly downloaded 2.6 for the Mac expecting it to be in *nix without reading the next sentence.

--kelli
  #7  
Old 02-09-2006, 05:17 AM
Ken Ken is offline
Registered User
 
Join Date: Mar 2004
Posts: 8
One way of doing it would be to allow Any Connection Filter of type IP Address would never be entered into the Deny Host file.

If your Connection Filter was Allow/0.0.0.0 then everything would be suspect to the Deny Host if enabled.

If your Connection Filter was Allow/1.2.3.4, Allow/0.0.0.0 then everything other than IP 1.2.3.4 would be suspect to the Deny Host if enabled.

And of course, if your Connection Filter was Allow/1.2.3.4, Deny/0.0.0.0 then there is no reason to even use the "Deny Host" function since only that 1.2.3.4 will be allowed.

Ken
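
Added example, not part of the thread and not VShell's implementation: a small Python model of the exemption rule proposed in the post above, replaying failed authentications against the three filter sets it lists. The class and function names, the threshold of 3, first-match filter ordering, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

WILDCARD = ipaddress.ip_address("0.0.0.0")  # the posts use 0.0.0.0 for "any address"
EVENTS = ["1.2.3.4"] * 5 + ["203.0.113.9"] * 5  # constructed failed-auth sources


class DenyHostTracker:
    """Hypothetical model: threshold deny listing with Allow-filter exemptions."""

    def __init__(self, filters, threshold):
        # filters: ordered (action, address) pairs, e.g. ("Allow", "1.2.3.4")
        self.filters = [(a.lower(), ipaddress.ip_address(ip)) for a, ip in filters]
        self.threshold = threshold
        self.failures = Counter()
        self.denied = set()

    def _explicitly_allowed(self, ip):
        # Only a specific (non-wildcard) Allow entry exempts an address.
        return any(a == "allow" and f == ip and f != WILDCARD
                   for a, f in self.filters)

    def connection_permitted(self, addr):
        ip = ipaddress.ip_address(addr)
        if ip in self.denied:
            return False
        for action, f in self.filters:  # assumption: first matching filter wins
            if f == ip or f == WILDCARD:
                return action == "allow"
        return False  # assumption: no matching filter means refuse

    def record_failed_auth(self, addr):
        """Count a failure; return True if addr was just added to the deny set."""
        ip = ipaddress.ip_address(addr)
        if self._explicitly_allowed(ip) or ip in self.denied:
            return False
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.denied.add(ip)
            return True
        return False


def simulate(filters, events, threshold=3):
    """Replay failed-auth source addresses; return the resulting deny list."""
    tracker = DenyHostTracker(filters, threshold)
    for addr in events:
        if tracker.connection_permitted(addr):
            tracker.record_failed_auth(addr)
    return sorted(str(ip) for ip in tracker.denied)
```

With `Allow/0.0.0.0` alone both sample addresses end up denied; adding `Allow/1.2.3.4` ahead of it exempts that address; with `Allow/1.2.3.4, Deny/0.0.0.0` nothing is ever added because other addresses never reach authentication.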
  #8  
Old 02-09-2006, 12:41 PM
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378
Quote:
Originally Posted by kelli.burki
I'll put a vote in for supporting on *nix
I'm all for a Linux version.
I had to change my ssh port to over 24000 to stop the brute dictionary attacks.
__________________
----------------------------------------------
Tom O'Loughlin
  #9  
Old 02-14-2006, 02:10 PM
Chris Chris is offline
VanDyke Developer
 
Join Date: May 2004
Location: Albuquerque, NM
Posts: 13
Quote:
Originally Posted by Ken
One way of doing it would be to allow Any Connection Filter of type IP Address would never be entered into the Deny Host file.
Ken,

This functionality has been added to VShell. If you would like to try a pre-release version, please send a request via e-mail to support@vandyke.com with a subject of "Vandyke Forum thread 1262"

Thanks,
Chris
  #10  
Old 02-14-2006, 02:57 PM
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378
Have there been any config file parameters added to the Linux (3AS) version, from version 2.3.5?
I noticed some naming changes (ListenAddresses / ListenV4Addresses etc.), but other than that, is the config file pretty much the same?
__________________
----------------------------------------------
Tom O'Loughlin
  #11  
Old 02-16-2006, 11:10 AM
tnygren tnygren is offline
Registered User
 
Join Date: May 2005
Posts: 1,408
Hi Toloughlin,

There were a couple of additions to the config file in VShell 2.6.

Here are the new additions from VShell 2.3.5 to 2.6 that were made to the config file:

Code:
#IdleNOOPTimeout 0  # Idle NOOP timeout is disabled by default. 
#SFTPDownloadCommand #Defines the command to be triggered when an SFTP file is downloaded.
#FireFileTriggersOnError true #Defines whether or not to fire file transfer triggers on error.

################################################################################
# The following parameters are for X.509 (digital certificate) authentication.
#
# Note: X.509 authentication is not currently supported on FreeBSD or OS X.
################################################################################
#
#CertificateTrustedRootsDirectory #Specifies a directory that contains trusted root certificates (and CRLs).
#CertificateIntermediatesDirectory #Specifies a directory that contains intermediate certificates (and CRLs).
#CertificatePathPKIXLevel 2 #Specifies the PKIX level used when attempting to validate a certificate chain.
#CertificateUsernameMapFilename #Specifies a file that maps certificate thumbprints to usernames.
#CRLCheckingEnabled true #Specifies whether to check client certificates against CRLs.
There were other options that had their name changed slightly.

Did you also want a list of those?
__________________
Thanks,

Teresa

Teresa Nygren
  #12  
Old 02-17-2006, 02:01 PM
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 378
No thanks, I know the name changes. Thanks!
__________________
----------------------------------------------
Tom O'Loughlin
 

All times are GMT -6. The time now is 11:36 PM.


© copyright 1995-2017 VanDyke Software, Inc.