Secure Shell (SSH) → Options for SSH Connections

If you need to connect to your SSH host through a proxy (typical proxies are HTTP, SOCKS), you can enter the type, the name/ip and optional port (default port is 1080) in the proxy field of the SSH options dialog, e.g. 192.168.1.1 or myproxy.somewhere.com:8080

If the proxy is a SOCKS5 or HTTP type, you can also provide username and password in the form user:pass@host:port.

A jump server or bastion host is a ssh host, that is used as a gateway to the final destination. Technically this involves an initial ssh connections to the jump server. After being logged in there, a ssh command to connect to the final server is executed on the jump server. If the jump server requires a different username than the file host, you can provide it in the form user@host:port

As an additional security feature, ZOC's SSH implementation offers a function to check the remote host's encryption key with that of earlier sessions with the same host. The list of known keys is stored in the files named known_hosts (for SSH V1) and known_hosts2 (for SSH V2) in ZOC's SSH directory. These files are compatible with the respective files of various Unix implementations of SSH.

Enabling the 'keep alive' option is intended to prevent the server from terminating the connection due to inactivity. When the option is set, ZOC will configure the TCP connection with SO_KEEPALIVE and will also send application level SSH keepalive packets (this is equivalent to setting both keepalives and ServerAliveInterval=60 in OpenSSH).

When the server requires passwords or passphrases ZOC normally shows a pop-up dialog to enter those. With this option, the prompts are instead shown in the terminal area in the same way as it happens in the OpenSSH ssh command.

As an alternative to the username/password authentication, it is possible to use global authentication files. Authentication files contain public and private keys and can be used to authenticate you when logging on to a host. If you specify global authentication files, these will be used for all SSH connections. This is useful if you use the same authentication file for all your hosts. Additionally you will be able to specify authentication files on a per connection basis (this can be done in the Quick Connect dialog or in the host directory). See also: SSH Communication→Global Authentication Files

The available authentication methods can be enabled or disabled. ZOC Terminal and the SSH server will then try to find common methods and will see if the user can authenticate through one of them. The order in which the methods are tried (if enabled) is: gssapi, publickey, keyboard-interactive, password. If one of the options is set to "Preferred", it will be moved to the front of the list.

Enables or disables the public-key authentication method. This method is based on public-private key file pairs to prove your identity.

If one of these options is active, ZOC will contact an internal or outside agent to provide private keys for login or for ssh connections which are initiated from within the original session (the latter is called agent-forwarding).

When the choice internal is enabled, the private-key which is used to log into the host (if private-key authentication is use at all) will be offered to also authenticate further ssh commands that are issued within the original session. This is (in a limited way) similar to what OpenSSH's -A option does in combination with ssh-agent, but doesn't require keys to be loaded into an external agent.

The other options let you choose, if either Putty-Agent (pageant.exe), or the ssh-agent (Windows OpenSSH or macOS), or the zoc-agent (ZOC' Tools menu) should be contacted to provide private keys for login and/or for inner ssh sessions (as in OpenSSH's -A agent-forwarding option).

Enables or disables the GSSAPI authentication method. This method is usually used for an authentication type, where the ssh server contacts a central host to determine if the user has permission to log in.

When GSSAPI authentication is active, you can choose between two implementations: Kerberos GSSAPI (using the GSSAPI library from the original MIT Kerberos packet) or Microsoft-SSPI (which refers to the Microsoft implementation of the Kerberos protocol, which usually goes along with a Windows Domain account and Active-Directory).

Enables or disables the keyboard-interactive authentication method. This method is normally used for challenge-response authentication (e.g. with SecureID cards). Sometimes it simply prompts for the password.

Enables or disables the password authentication method.

If you need port forwarding (tunneling) you can use the push button to define so called tunnel profiles. These profiles allow you to build combinations of local and remote port numbers which will be forwarded to a host on the other side of the connection. You will then be able to select such a profile when making a SSH connection (see also Manage Tunnel Profiles).

Creates a tunnel that will forward X11 data from server to client. This option is required if you want to run X11 commands on the remote shell. Equivalent of OpenSSH's -X parameter.

A command that will be executed remotely instead of connecting to a shell. This is equivalent to the 'command' parameter in the OpenSSH ssh command.

Since ZOC's SSH implementation is based on OpenSSH, command line parameters from OpenSSH could be added here, e.g. -4 to limit connectivity to IpV4 or -C to use gzip compression on the data channel. Please be aware that not all options are supported, especially if they are related to more advanced features like configuration files, proxy commands, multiplex masters, etc.