Quickstart Guide

CoreSSH Server offers an intuitive setup process, allowing you to start secure file transfers within minutes. Follow these steps to configure and connect to your server quickly.

Setting Up CoreSSH Server

CoreSSH Server is ready to use immediately, no initial configuration is required. Default settings are already in place. You may optionally configure Network settings or set a base directory for SFTP access in the Default Root Directory setting. After making any changes, click Save Settings to apply them.

Creating a User

Navigate to the Users page in the Admin Console and click New User.... Enter the username, password, and default directory. For more information on types of users see the User Accounts topic. For information on best practices see the Security topic.

Starting the Server

CoreSSH Server starts automatically upon installation. You can control the status using the Admin Console, the system tray controls, or the Windows Service Manager itself. To connect via SFTP, open an SSH client and enter the server's IP address and port number (default: 22). Provide valid credentials and you are ready to transfer files securely.

For Example:

sftp myuser@localhost

Troubleshooting Connectivity

If you encounter issues reaching the server, consider the following:

  • Check the network configuration to ensure that the server machine is accessible from the client machine (e.g. ping).
  • Ensure firewalls or antivirus settings are not blocking the connection and a TCP connection can be established (e.g. telnet).
  • Confirm that the user account being used for authentication has been properly configured in the Users section.

Next Steps

Once connected, you can securely transfer files using the SFTP client. For information on logging, see the Logging topic. For other advanced features please see the corresponding topic. That's it! Your CoreSSH Server is now ready to use for secure file transfers.

User Accounts

CoreSSH Server supports two types of accounts. Virtual Users and Windows Users or Groups. You can configure the server to use either Virtual Users (managed within CoreSSH) or NT User Accounts (from the local Windows system or an Active Directory domain).

Virtual Users

Users are defined directly within the CoreSSH Server application. The application is responsible for allowing the creation, renaming, and deletion of these users. During SSH authentication the application will verify the identity of these users using predefined credentials.

Supported Authentication Methods:

  • Password
  • Public Key
  • Multi-factor (Password + Public Key)

Windows Users and Groups

CoreSSH can be configured to authenticate users against the local Windows system or an Active Directory domain. When an Windows user or group member logs in via SSH, CoreSSH delegates the authentication to the Windows system or domain controller, which verifies the credentials.

Supported Authentication Methods:

  • Password (Network Logon or Interactive Logon)
  • Public Key (File-Based or Certificate Store-Based

Monitoring

CoreSSH Server provides tools to oversee and manage active connections in real-time, allowing administrators to track activity, view detailed connection information, and take immediate action when needed.

Admin Console

The Admin Console offers a user-friendly interface for monitoring and managing sessions on the Status page. View the live list of connected users, IP addresses, and session duration. Each active session can be disconnected directly from this interface by clicking the Disconnect button.

REST API Session Management

For advanced automation or integration with external systems, the CoreSSH Server also supports session management through a REST API. The API provides the /api/sessions endpoint, which supports both GET and POST operations to manage sessions.

Logging

The Logging settings allow you to control how the server logs its activities and tracks trace information. The options described below provide flexibility in how logs are written, stored, and rotated, allowing you to manage server log files effectively. Alternatively you can configure logging using the Registry Settings. Below is an overview of each setting.

Log Mode

Specifies the level of detail to log in the Log window. The available levels are detailed below for convenience. The Verbose setting will enable a large amount of logging and it is recommended to revert to a lower log mode setting when you are done using it.

  • Off - Nothing is logged.
  • Error - Only errors are logged.
  • Warning - and warnings are logged.
  • Info (default) - Errors, warnings and informational messages are logged.
  • Verbose - All messages, including those useful for debugging and troubleshooting are logged.

Log SSH Packets

When this option is enabled and Log Mode is set to Verbose, the raw SSH packets will be included in the log. The packet contents will contain file content but will not contain sensitive information such as passwords.

  • 0 - Disabled (default)
  • 1 - Enabled

Rotate Log File Interval

Specifies an interval based on a number of days. After the specified number of days have elapsed, the log will be rotated meaning the log will be written to a different file. When a log is rotated the old log will be renamed to the format "logname-yyyy-MM-dd".

Delete Log File Interval

This setting only applies when using the RotateLogDays setting is greater than 0. Specifies an age limit in a number of days. After the specified number of days have elapsed, any log files older than the age limit will be deleted.

Encryption at Rest

The Encryption tab provides an optional way to encrypt files at rest. When the Enable Encryption At Rest checkbox is checked, the files on the server will remain encrypted on disk and will be transparently encrypted and decrypted as necessary. Users who authenticate to CoreSSH Server and download a file will obtain decrypted data but all file data will remain encrypted on the server.

Enabling Encryption

To enable encryption at rest, specify and confirm the encryption password. The password itself is encrypted by the system and saved in the registry (see Settings for details).

The first time encryption is enabled and Save Changes is pressed, all files present in the server root directory, a user-specific root directory, or a sub-directory therein will be encrypted. Depending on the number and size of files this may take some time.

After the initial encryption completes, it is expected that files will only be added to the server's filesystem using the SFTP protocol. Plain files created directly on disk alongside encrypted files will not automatically be encrypted and will not be available to users.

Changing The Password

To change the password, visit the Encryption tab and use the Change... button to change the password. You will be prompted to enter your current password, followed by the new password and a confirmation of the new password. When Save Changes is pressed, the operation will begin. This operation is faster than encrypting or decrypting files, but may still take some time depending on the number of files present.

Disabling Encryption

To disable data encryption, uncheck the Enable Encryption At Rest checkbox on the Encryption tab. After unchecking, you will be prompted to enter the current password in order to proceed. Once the password is verified, click Save Changes to begin the decryption process. When Save Changes is pressed, the encrypted files will be decrypted. Depending on the number and size of files, this operation may take some time.

Encryption Format Notes

Files are encrypted using standard disk encryption techniques leveraging the XTS-AES 256-bit block cipher algorithm. The encrypted files on disk will have an .aesf file extension. This file format is the same format as used by AES Drive. Please see The AES Drive documentation for details.

Supported Protocols

CoreSSH Server supports various protocols to facilitate data transfer and ensure compatibility with various types of clients. Please see the Settings page for additional information on configuring these settings.

NameDescription
SFTPAllows any standard SFTP client using SFTP v3 protocol using and modern authentication methods.
SCPAllows file transfer using the secure copy protocol. Support for any command line SCP client.
PowerShellAllows remote management from any standard SSH 2.0 client with a Windows PowerShell Host entry point.
SExecAllows remote command execution option (Sexec/SSH Exec) found in most SSH clients.
SShellAllows remote management from any standard SSH 2.0 client using a default shell.

Additional Information

Below are a few more details about each of the above protocols and corresponding links where you can learn more.

  • For SFTP and SCP, the RootDirectory setting of the Users Key governs what will be visible to logged in clients.
  • For remote management protocols, the session will be started in the %UserProfile% directory.
  • Connections have been tested with a variety of clients including PuTTY, FileZilla, OpenSSH, iPhone, Android, Linux/Unix, as well as our own SSH client solutions.
  • By default, the VT100+ emulation support will be enabled for any clients identifying themselves as vt* terminals or as xterm.

Admin Console

The Admin Console allows administrators to manage and configure server settings directly from a web browser. The admin password required for login is set during installation, either through the setup wizard or a silent install.

Accessing the Admin Console

To open the Admin Console, click the Access Admin Console link in the Admin Console tab (desktop application) or use the system tray menu Open button. This directs the user to the login page, where the admin password is required to sign in.

Setting the Admin Password

During installation, CoreSSH creates a pseudo account to facilitate management via the Admin Console. The setup prompts the user to define an admin password, which grants access to manage the server securely. These credentials are required for signing in and configuring server settings.

Resetting the Admin Password

If the admin needs to reset the Admin Console password, there are two methods available:

Command Line

Use the /resetpassword flag followed by the new password to reset the Admin Console password. Please refer to the Command Line section for more details.

System Tray Menu

The system tray menu includes a Reset Password... option. Selecting this option will prompt the user to enter and confirm a new password. Clicking OK updates the password.

Admin Console Configuration

The Admin Console can be configured using either the desktop application or the system tray menu. Both methods allow administrators to manage Admin Console settings, including enabling/disabling the feature, modifying the server interface, changing the listening port, and configuring TLS options for secure connections.

Desktop Application

The Admin Console tab in the desktop application provides full access to Admin Console settings.

System Tray Menu

The HTTP Server... option in the system tray menu offers quick access to configure the same settings without opening the Desktop application.

Admin Console Options

  • Server Interface: The network interface on which the HTTP server will listen for connections. By default, this is set to 127.0.0.1.
  • Server Port: The local port on which the interface will accept incoming connections. By default, the HTTP server will use port 8123.
  • Enable TLS: If checked, the HTTP connections will be encrypted. A TLS certificate path must be specified, or a new one can be generated.
  • TLS Certificate: The path of the TLS certificate on the local machine.

Additional Information

The Admin Console functions as a REST client, communicating with a built-in HTTP server to interact with the CoreSSH configuration and actions. The HTTP server provides an interface through which the Admin Console sends requests and receives responses, allowing users to configure and manage the CoreSSH server.

Troubleshooting

If you are having problems with CoreSSH Server, our support team is here to help. Visit https://www.nsoftware.com/support/submit.aspx to submit a ticket. Please be as detailed as possible about your issue. It is also helpful if you generate and send a log file to support@nsoftware.com.

How to Generate a Log File

  1. Navigate to the Settings tab.
  2. Enable Write Log to a File and specify a local file.
  3. Increase the Log Mode.
  4. Click the Save Changes button.
  5. Reproduce the issue.
  6. Click the Stop button.

Note that the length of time it takes for any operation is increased when Debug logging is enabled. The amount of data logged with this option enabled is substantial. We recommend enabling these settings for debugging purposes only.

Security

This section explains how the application operates and makes recommendations to ensure your server operates securely and reliably.

Overview

All settings are stored in the registry in the HKEY_LOCAL_MACHINE hive. Please see Settings for more information. Anyone who can write to the registry or is a member of the Administrators group has full control over the server.

Similarly, anyone who is granted access through the REST API by cookie authentication or API Key authentication is considered a trusted within the security architecture of CoreSSH to make changes to CoreSSH Server configuration.

Logon Information

CoreSSH Server supports two different types of Users as discussed on the User Accounts page. When an NT User Account is defined in the CoreSSH Server, we leverage the Windows operating system for SSH logins. Our logic will retrieve a security context for the user in order to verify the user's identity and to perform file access from that security context.

By contrast, with virtual user accounts our server will perform the authentication. File access will be performed without impersonation. Filesystem operations are performed using the security context of the process user.

Additional Details

For NT User Accounts, the credentials provided in the authentication request are used to try to retrieve an impersonation token using the Windows LogonUser API with the flags LOGON32_LOGON_NETWORK and LOGON32_PROVIDER_DEFAULT by default. If the call is successful, then we next ensure that the user is a memberOf a group specified in the CoreSSH configuration settings (or is an individual Windows User specified in the Users page). After that the user is considered authorized.

For virtual user accounts, the password is hashed in a manner resistent to brute force attacks and stored in the registry in the Users key. A virtual user identity is considered authorized when the hash is verified. We compute the hash of the password when logon is performed to the password hash stored in the registry when the user was created.

Resource Access

When an SFTP channel is requested, we receive SFTP packets and then process operations such as read, write, rename, delete, etc. The packet processing logic simply will use the Windows Identity (if the user is an NT User Account) for resource access or the current process identity (if the user is a virtual user account). In both cases, we will enable Windows permissions checking in the current thread.

In Shell sessions, a separate worker process will be created to isolate the operation from the rest of the server. The worker process is created using the token returned from the call to the LogonUser API, so the Windows User's privileges will apply to the whole process. When CoreSSH Server receives a command in a shell session, it sends the command to the worker process via its standard input stream. Shell support is disabled for virtual user accounts.

Application Identity

CoreSSH Server runs as Local System, but can run as a different account identity if you specify in the Log on As setting in the Service properties page. The SSH session will run as Local System until the user is authenticated. Once the user is authenticated, SFTP session will switch to the security context of the users who are actually logging in, or in the case of virtual user accounts, as the process identity. The Shell session will be launched as a separate process entirely in the user's security context.

Passwords and Hashing

When you connect to the server using NT User Accounts we do not store account passwords or password material. For virtual user accounts, when the account is initially created we will compute a hash of the password using the password derivation function PBKDF2 and store the base64-encoded value in the registry. We use the HMACSHA512 hash algorithm with 10000 iterations. This password hash will be stored in the Password registry key in Users key. Note that simple passwords can still be guessed. Even the strongest password hashing does not help if the password is easy to guess or reused from other systems.

Public Key Authentication

The keys should be in SSH public key format according to RFC 4253. For example:

ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

CoreSSH Server has no way to match the public keys stored in the certificate store with actual Windows local/domain users. Make sure that the selected certificate store does not contain certificates for individuals who should not be allowed access to the server.

Cipher Suites

CoreSSH Server supports configuring cipher suites to control encryption, key exchange, MAC, and public key algorithms used for secure communication and server identification. Administrators can specify preferred algorithms as needed to enhance security or enhance compatibility. This can be found in the SSH Protocol settings in the Admin Console.

SSH Encryption Algorithms

Defines the encryption algorithms used to secure data during transmission. This should be set to an ordered list of algorithms with the preferred algorithms toward the beginning of the list. The format should be a comma-separated string.

aes256-ctr,aes192-ctr,aes128-ctr

SSH Key Exchange Algorithms

Specifies the algorithms used for securely exchanging encryption keys. This should be set to an ordered list of algorithms with the preferred algorithms toward the beginning of the list. The format should be a comma-separated string.

curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

SSH MAC Algorithms

Defines the algorithms for negotiating message authentication during key exchange. This should be set to an ordered list of algorithms with the preferred algorithms toward the beginning of the list. The format should be a comma-separated string.

hmac-sha2-256,hmac-sha2-512

IP Whitelisting

CoreSSH Server supports configuring access control by specifying allowed and blocked IP addresses or subnets. This allows you to restrict unauthorized access to the server and define which clients can connect. For more information about the example formatting, please see the Configuration File topic. This can be found in the Protection settings in the Admin Console.

Allowed Clients

Defines a whitelist of IP addresses or subnets that are permitted to connect to the server. This should be set to a comma-separated list of IP addresses. The special value of * will be interpreted

10.0.1.*,10.0.2.225

Blocked Clients

Specifies a blacklist of IP addresses or subnets that are denied access to the server. This should be set to a comma-separated list of IP addresses.

121.31.51.74,65.2.33.32

Flood Protection

CoreSSH Server supports automatic blocking of IP addresses after excessive failed login attempts to prevent brute-force attacks. Administrators can configure the maximum failed attempts and block duration to enhance security and mitigate unauthorized access. This can be found in the Protection settings in the Admin Console.

Enable Automatic Blocking

Blocks an IP address after a specified number of failed login attempts in the Maximum Authentication Attempts setting.

Block Duration

Specifies how long an IP address remains blocked after failed login attempts.

Other Measures

Maximum Authentication Attempts

Limits the number of failed login attempts allowed per session to prevent brute-force attacks.

Idle Session Timeout

Terminates inactive sessions after a specified duration to reduce the risk of unauthorized access.

Disable Compression

Disables data compression to prevent vulnerabilities related to compression-based attacks.

Advanced

The following settings allow for a more fine-tuned setup of CoreSSH Server.

Automatic Setup

CoreSSH Server supports a streamlined installation through automated or programmatic methods. You can use the options provided in the installer to allow for scripted installations. Below are the key installation options and commands for configuring your setup.

Installation and License Activation

To install CoreSSH Server silently, use the /S flag for a non-interactive installation. You will also need to provide your product key using the /SNO option. If a previous version of the SFTP Server or PowerShell Server is detected in the system registry, their settings will be automatically imported. setup.exe /S /SNO=XISUB-RA1SU-XXXXX-XXXXX-XXXXX

This command installs CoreSSH Server without any user interaction and activates it with the provided product key. All previous configuration settings will be transferred from the registry, if applicable.

NOTE: Silent installation should only be used if you are confident in the settings and have a valid product key for activation.

Specifying the Web Administration Password

To set the Web Administration password during installation, use the /adminpassword option. Replace password with your desired password. setup.exe /S /SNO=XISUB-RA1SU-XXXXX-XXXXX-XXXXX /adminpassword:password

This command sets the password for accessing the Admin Console.

Alternate Installation Directory

If you need to install CoreSSH Server to a directory other than the default, you can specify a custom installation path using the /PATH option. setup.exe /S /SNO=XISUB-RA1SU-XXXXX-XXXXX-XXXXX /PATH=C:\Your\Path

This command installs CoreSSH Server in the directory you specify. Replace C:\Your\Path with the desired installation directory.

NOTE: For further customization or troubleshooting, refer to the detailed documentation. You can also contact support for assistance with more advanced configurations or issues.

Configuration File

There are two main ways to configure the server: by interacting with the user interface or by grouping settings into a file.

Windows Registry

Configuring CoreSSH Server was designed to be simple. All settings are stored and loaded from the registry and you have control over the current configuration by updating settings one at a time or grouping multiple settings into a file to be updated using the native Windows mechanisms such as Regedit.exe or REG.exe.

*.INI Configuration File

The filename extension *.ini is commonly used for configuration files in a simple key-value format. CoreSSH Server supports reading an INI file and writing the settings to the registry. This approach allows administrators to manage settings in a portable text-based format, which can be edited manually and imported programmatically.

Command Line

The CoreSSH server may be started,stopped and configured from the command line by specifying the command line parameters supported. For instance:

  • To start CoreSSH Server: CoreSSHServer.exe /start
  • To stop CoreSSH Server: CoreSSHServer.exe /stop
  • To restart CoreSSH Server: CoreSSHServer.exe /restart
  • To exit CoreSSH Server WinForm UI: CoreSSHServer.exe /exit

Additional command line parameters:

  • To register the CoreSSH Server service process: CoreSSHServer.exe /registerservice
  • To unregister the CoreSSH Server service process: CoreSSHServer.exe /unregisterservice
  • To modify the server's registry settings: CoreSSHServer.exe /modifyreg:
  • To modify and save the server's configuration settings: CoreSSHServer.exe /savesettings:TraceLevel=4
  • To import settings from a configuration file: CoreSSHServer.exe /importsettings:"C:\path\to\file.ini"
  • To reset the web admin password: CoreSSHServer.exe /resetpassword:newPass

Each of these parameters performs a specific task related to the configuration, management, or operation of the CoreSSH Server.

Host Key Notes

The CoreSSH Server supports the management of multiple host keys by default, with the ability to view, update, and generate new host keys through the Admin Console or REST API.

Host Keys

Host keys are presented by the server during SSH negotiation. SSH clients store host keys for the servers they have connected to. It allows the client to ensure the server is indeed the one it wanted to connect. CoreSSH Server generates three default host keys during installation, each corresponding to a different cryptographic algorithm. These can be found in the Host Keys section of the Admin Console.

  • RSA: Supported key sizes: 2048-bit, 3072-bit (default), and 4096-bit.
  • ECDSA: Supported key sizes: 256-bit (default), 384-bit, and 521-bit.
  • Ed25519: Supported key size: Fixed 256-bit.

Host Keys Configuration

The settings for each host key are stored separately in the Windows registry under the path HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\HostKeys\{algorithm}. Please see Host Keys for more information.

Host Key Management in the REST API

The CoreSSH REST API provides several operations for managing host keys:

  • GET /api/hostkeys: Retrieves all host key settings.
  • POST /api/hostkeys/{algorithm}: Allows users to enable, disable, or generate a new host key.

API Key Notes

API keys can be used within API requests by including an x-coressh-api-key header in the HTTP request, with the value set to an appropriate User's API Key. API keys are unique, randomly generated identifiers that users authenticate with to access the API.

The web admin can issue requests to create a new API key and distinguish it by providing a keyName. This value is 32 characters long and includes a randomly generated 24-byte array, base64URL envard and prefixed by the keyName.

Warning: The raw value of the API key will be shown only once. Make sure to copy the value when creating the key and store it in a secure location.

When the admin creates an API key, the raw API key value is shown only once. The admin should copy it and provide it to a specific user. This user will then need to present the raw API key in the x-coressh-api-key header for all REST API requests.

The API keys are stored under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\APIKeys. Each API key has its own individual subkey within this path. The name of the subkey is determined by the key name provided by the web admin when the API key is created. It contains a string type setting APIKey, and the value will be the hash derived using PBKDF2 with a random 24-byte salt.

The supported operations are: GET, POST, and DELETE. The parameters needed are: keyName (a description provided by users) and APIKey.

API key operations can ONLY be performed by the web admin. These operations cannot be performed by a user possessing another API key.

  • GET: Performing a GET request at the /api/apikeys endpoint will return only the full list of keyName values of API keys currently created, and nothing else.
  • POST: This operation can be used to create a new API key. The request body will contain the keyName (which should be distinct from other keys). When the request is successful, a random 32-byte alphanumeric key will be generated, and the response will include the keyName and the raw API key (shown only once). In the registry, a new subkey will be created with the provided keyName and the hash value will be stored.
  • DELETE: This operation can be performed at the /api/apikeys/{keyName} endpoint, and it will delete the corresponding key if it exists.

When a user presents an API key for authorization, we check if its hash matches the stored key in the registry under the provided keyName. If it doesn't match, we respond with 401 Unauthorized.

API key holders do not know the admin's password and, therefore, do not have the same level of access as the web admin. They can authenticate with their API key and perform all operations except manipulating other API keys and accessing the /api/apikeys endpoint. Specifically, they are not allowed to create, delete, or list API keys, as these operations are allowed only to the web admin at the /api/apikeys endpoint.

API key users must present the raw key value in the header, prefixed by the keyName value. We then calculate its hash and compare it to the stored keys in the registry. The keyName is a subkey (subfolder) in the registry that contains the API key setting.

Example cURL Requests:

curl -X POST http://127.0.0.1:8123/api/server/start -H "x-coressh-api-key: test:UyP0R6hLA22pVo-Q5-oqatC89JB98h8g" -d "" curl -X POST http://127.0.0.1:8123/api/settings -H "x-coressh-api-key: test:UyP0R6hLA22pVo-Q5-oqatC89JB98h8g" -H "Content-Type: application/json" -d "{\"TraceLevel\": 4}" curl -X GET http://127.0.0.1:8123/api/settings -H "x-coressh-api-key: test:UyP0R6hLA22pVo-Q5-oqatC89JB98h8g" curl -X DELETE http://127.0.0.1:8123/api/users/test -H "x-coressh-api-key: test:UyP0R6hLA22pVo-Q5-oqatC89JB98h8g"

Backup

The CoreSSH Server offers convenient ways to migrate application settings from one system to another. Please note that this migration pertains exclusively to your client settings and does not involve transferring the contents of the virtual drive.

Exporting Settings

To export your settings, follow these steps:

  1. Navigate to the Other tab within the application.
  2. Click the Export link to initiate the settings export process.
  3. Specify the location and filename where settings will be saved. By default, the settings will be stored in INI file format.

Importing Settings

To import settings from an existing file, follow these steps:

  1. Navigate to the Other tab within the application.
  2. click Import link to start the import process.
  3. Specify the filename of the .ini file you want to load your settings from.

Importing Users from FileZilla

To import users from a FileZilla export file, follow these steps:

  1. Navigate to the Users tab within the application.
  2. Click the Import from FileZilla link to begin the import process.
  3. The system will automatically detect the presence of the FileZilla Server.xml or users.xml configuration file if it exists on the system.
  4. Confirm the import. The users will be automatically added to the server, and their settings will be transferred.

Note on Sensitive Information

Sensitive fields such as passwords will be decrypted as part of the export process and stored in plaintext in the .ini file.

Settings

Configuration settings are stored in the Windows registry in HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24. This registry key holds settings that are available for CoreSSH Server globally. Additional registry keys are available to store API keys, SSH host keys, authorized keys or user-specific configuration.

The tree structure of these registry keys is described below:

The following values can be configured within the root HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24 registry key:

NameTypeDescription
AllowedClientsStringThis setting defines a comma-separated list of host names or IPv4 addresses that are permitted to access the SSH Server. When a client attempts to connect, the client's address is checked against the list defined here. If there is no match, the connection request is immediately rejected.

The default value is * and all connections are accepted.
AllowedAdminClientsStringThis setting defines a comma-separated list of host names or IPv4 addresses that are permitted to access the HTTP Server. When a client attempts to connect, the client's address is checked against the list defined here. If there is no match, the connection request is immediately rejected.

The default value is * and all connections are accepted.
AuthMaxAttemptsDWORDSpecifies the maximum number of authentication retries per connection allowed from a client with invalid login credentials. By default, this value is set to 3.
AutoBlockDurationDWORDSpecifies how long a client is blocked for once they have reached the AutoBlockMaxAuthAttempts. The default value is 300 seconds. Setting AutoBlockDuration to 0 will disable automatic blocking.
AutoBlockMaxAuthAttemptsDWORDSpecifies the maximum number of connection retries allowed from a client with invalid login credentials. Once this number is reached, the client's IP address is added to a list of blocked clients for a specified duration. If this value is set, AutoBlockDuration must be set to a value greater than zero. The default value is 3.
BlockedClientsStringDefines a list of clients that are not allowed to connect to the SSH Server. This is a comma-separated list of IP addresses that will not be allowed to connect. Note that this list will not survive a server restart.
BlockedAdminClientsStringDefines a list of clients that are not allowed to connect to the HTTP Server. This is a comma-separated list of IP addresses that will not be allowed to connect. Note that this list will not survive a server restart.
DataEncryptionPasswordStringThe DPAPI encrypted data encryption password, base64 encoded.
DataEncryptionSaltStringThe hex encoded 16 byte data encryption salt.

Warning: This value is created automatically and should not be modified or deleted from the registry.

DeleteLogDaysDWORDThe number of days after which old log files will be deleted. This is only applicable when RotateLogDays is set to a positive value.
EnableCompressionDWORDCan be used to enable use of the zlib compression algorithm on SSH connections.

  • 0 - Off. No compression will be used. (default)
  • 1 - On. Zlib compression will be enabled, if requested by the SSH client.

EnableImpersonationDWORDCan be used to disable impersonation of the username used in the connection.

  • 0 - Off. Clients will not be impersonated.
  • 1 - On. Clients will be impersonated. (default)

EnablePowershellDWORDCan be used to enable Powershell support.

  • 0 - Off (default)
  • 1 - On

EnableSessionManagementDWORDCan be used to enable sessions management.

  • 0 - Off
  • 1 - On (default)

EnableSCPDWORDCan be used to enable SCP support.

  • 0 - Off (default)
  • 1 - On

EnableSexecDWORDCan be used to disable SExec connections

  • 0 - Off (default)
  • 1 - On

EnableSFTPDWORDCan be used to enable SFTP support.

  • 0 - Off
  • 1 - On (default)

EnableShellDWORDCan be used to disable Shell connections.

  • 0 - Off (default)
  • 1 - On

EnableSSHReverseTunnelDWORDCan be used to enable SSH Reverse Tunnel support.

  • 0 - Off (default)
  • 1 - On

EnableSSHServerOnStartupDWORDCan be used to control whether the SSH listener will start automatically on machine boot.

  • 0 - Off
  • 1 - On (default)

EnableSSHTunnelDWORDCan be used to enable SSH Tunnel support.

  • 0 - Off (default)
  • 1 - On

FirewallTypeDWORDThe type of firewall for the SSH Tunnel to connect through. Applicable values include the following:

  • 0 - No firewall (default)
  • 1 - Connect through a tunneling proxy
  • 2 - Connect through a SOCKS4 proxy
  • 3 - Connect through a SOCKS5 proxy

FirewallHostStringThe name of IP address of the firewall that the SSH Tunnel will connect through.
FirewallPortDWORDThe TCP port for the FirewallHost.
FirewallUserStringA user name if authentication is to be used when connecting through a firewall.
FirewallPasswordStringPassword to be used if authentication is to be used when connecting through a firewall.
IdleSessionTimeoutDWORDThe number of minutes after which an idle connection should be terminated. By default, idle sessions will be disconnected after 20 minutes.
KerberosSPNStringThe Service Principal Name for the Kerberos Domain Controller. If the Service Principal Name cannot be automatically determined, it should be set here. This will usually be in the form "host/fqdn.of.sshhost[@REALM]" where REALM is the fully qualified (DNS) name of the Kerberos realm (or Windows Active Directory domain name).
LocalHostStringThe local IP address of the interface to which the server will bind. By default the server will listen on the default interface for the system.
LogEnabledDWORDEnables or disables logging to a file.

  • 0 - Off (default)
  • 1 - On

LogLevelDWORDControls the trace level of the logging from the application. Possible values are:

  • 0 - Off. Nothing is logged.
  • 1 - Error. Only errors are logged.
  • 2 - Warning. Errors and warnings are logged.
  • 3 - Info. Errors, warnings and informational messages are logged. (default)
  • 4 - Verbose. All messages, including those useful for debugging and troubleshooting are logged.

NOTE: The former registry setting TraceLevel can also be used for the same purpose.

LogSSHPacketsDWORDSpecifies whether or not raw SSH packets are included in the log.

  • 0 - Off (default)
  • 1 - On

LogToFileStringThe full path to the log file.
MatchSSHPublicKeyToUsernameDWORDWindows users only. Controls whether public keys in the file specified by SSHPublicKeyFileName setting are tied to a specific user name. Possible values are:

  • 0 - Off. Public keys are not tied to a specific username. (default)
  • 1 - On. Public keys are tied to a specific username.

This setting can be used to validate that the correct public key was used to grant access to a particular user. If this setting is enabled the server will check the comment of the public key to verify it matches the username provided during authentication. This check is not case sensitive.

To specify a username to be associated with a specific key, include the username in place of the comments in the public key. For instance:

Unmodified public key: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Public key modified to be associated with a specific username: ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= DOMAIN\Username

MaxConnectionsDWORDSpecifies the maximum number of connections that are allowed. By default the number of allowed connections is determined by the license that is installed. This setting may be specified to further restrict the number of connections. The server will restrict the number of connections to whichever is the lesser value between this setting and the number of allowed connections for the license.
MaxNumRowsInLogDWORDControls how many lines will be shown in the Status window in the Service tab of the CoreSSH Server User Interface. If this value is exceeded, the oldest lines will be removed as new lines are added. The default value is 1000.
PasswordAuthEnabledDWORDMay be set to disable password authentication.

  • 0 - Off. Password authentication is not allowed.
  • 1 - On. Password authentication is enabled. (default)

PreserveFileTimeDWORDDetermines if filetime preservation is supported. If a client requests filetime preservation (typically by setting a "-p" parameter) this setting controls whether or not it is respected.

  • 0 - Off. Filetime preservation options are ignored.
  • 1 - On. Filetime preservation is supported. (default)

PromptForRegPermissionsDWORDWhen the server is running under an account that does not have write permissions to the registry location where these settings are stored the user will be prompted to change the permissions. If this value is set to 0 the user will not be prompted again. Possible values are:

  • 0 - Off. The user will not be prompted to modify registry permissions.
  • 1 - On. The user is prompted to modify registry permissions when needed. (default)

RotateLogDaysDWORDThe number of days after which the log file will be rotated. Old log files will be renamed to the format "logname-yyyy-MM-dd". When set to a positive value DeleteLogDays is applicable.
RunProfilesDWORDControls whether the server will run profile scripts. Possible values are:

  • 0 - Off. No profile scripts will execute.
  • 1 - On. Any profile scripts found will be executed. (default)

ResolveOwnerAndGroupDWORDSpecify whether "Owner" and "Group" should be resolved during file listing or not. Having ResolveOwnerAndGroup turned on may result in slower file listing. Possible values are:

  • 0 - Off (default)
  • 1 - On

ServerSSHVersionStringStringThis setting specifies the version string value that is sent to all connecting clients. This may be set to specify server specific information. When setting a custom value, it must contain "SSH-2.0-" as this is a standard format that specifies the supported SSH version. The default value is SSH-2.0-CoreSSH Server 2024 - www.coressh.com.
SFTPHomeDirMapStringWindows users only. A map defining user-specific SFTP home directories. This setting allows for a user to be assigned a specific default directory. The value should be a semicolon-separated list of username and home directory pairs in the format: DOMAIN\user1=C:\user1;DOMAIN\user2=C:\user2 The user value must include the domain or machine name as appropriate (DOMAIN\user1 or MACHINE\user1). If the directory specified does not exist the user will be placed into the default SFTPRootDir.

NOTE: If mappings are present in this setting and a user without a mapping tries to authenticate to the server, access will be denied.

SFTPRootDirStringThe absolute path of the root directory for SFTP users. By default the "windir" environment variable will be used to determine the root directory (typically "C:\").

The special value "$user" may be included in the path which will be resolved to the username of the authenticated user (without Domain or Machine information). When "$user" is included in the path if the directory does not exist it will be automatically created.

ShowHiddenFilesDWORDWhether hidden files and folders are displayed during directory listings.

  • 0 - Off
  • 1 - On (default)

SSHEncryptionAlgorithmsStringSpecifies a name-list of the allowed SSH encryption algorithms. This list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred. To disable an encryption algorithm, remove it from this list. Note: The algorithm which is actually selected during key exchange is the first algorithm to appear in the client's list that the server supports.

Valid values are:
aes256-ctr256-bit AES encryption in CTR mode.
aes256-cbc256-bit AES encryption in CBC mode.
aes192-ctr192-bit AES encryption in CTR mode.
aes192-cbc192-bit AES encryption in CBC mode.
aes128-ctr128-bit AES encryption in CTR mode.
aes128-cbc128-bit AES encryption in CBC mode.
3des-ctr192-bit (3-key) triple DES encryption in CTR mode.
3des-cbc192-bit (3-key) triple DES encryption in CBC mode.
cast128-cbcCAST-128 encryption.
blowfish-cbcBlowfish encryption.
arcfourARC4 encryption.
arcfour128128-bit ARC4 encryption.
arcfour256256-bit ARC4 encryption.
aes256-gcm@openssh.com256-bit AES encryption in GCM mode.
aes128-gcm@openssh.com128-bit AES encryption in GCM mode.
chacha20-poly1305@openssh.comChaCha20 with Poly1305-AES encryption.
The default is:

aes256-ctr, aes192-ctr, aes128-ctr, 3des-ctr, arcfour256, arcfour128, arcfour, aes256-gcm@openssh.com, aes128-gcm@openssh.com, chacha20-poly1305@openssh.com

SSHKeyExchangeAlgorithmsStringSpecifies the Key Exchange algorithms presented during the SSH handshake. Algorithms not on this list will be disabled on the server. The list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred.

Valid values are:

  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
  • gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==
  • gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==
  • gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==
  • gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==
  • gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
The default is:

curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

SSHKeyRenegotiationThresholdDWORDThis property allows the threshold to be specified, in the number of bytes, for the SSH Key Renegotiation. The default value for this property is set to 1073741824(1 GB) .

For example, to set the threshold to 500MB use the value 524288000.

SSHMacAlgorithmsStringSpecifies the SSH MAC algorithms presented during the SSH handshake. Algorithms not on this list will be disabled on the server. The list should be ordered based on preference and comma-delimited, with the first algorithm in the list being the most preferred.

Valid values are:

  • hmac-sha1
  • hmac-md5
  • hmac-sha1-96
  • hmac-md5-96
  • hmac-sha2-256
  • hmac-sha2-256-96
  • hmac-sha2-512
  • hmac-sha2-512-96
  • hmac-ripemd160
  • hmac-ripemd160-96
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha2-256-96-etm@openssh.com
  • hmac-sha2-512-96-etm@openssh.com
  • umac-64@openssh.com
  • umac-64-etm@openssh.com
  • umac-128@openssh.com
  • umac-128-etm@openssh.com
The default is:

hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
SSHPortDWORDThe TCP port the server will listen in for connections. The default value is 22.
SSHPublicKeyEnabledDWORDWindows users only. Controls if file based public key authentication is enabled or not. When enabled, the server will grant access to users based on the public keys in the file specified by the SSHPublicKeyFileName setting.

  • 0 - Off. File based public key authentication is disabled. (default)
  • 1 - On. File based public key authentication will be allowed.

SSHPublicKeyFileNameStringWindows users only. Specifies the location on disk of the file containing authorized public keys. The server will grant access to users that authenticate with a private key associated with one of the public keys in this file.

The authorized keys file should contain a list of public keys in SSH public key format separated by newlines. Empty lines and lines starting with a # are ignored as comments. Additionally, you can control the IP addresses from which the key may be used by using the "from" keyword in the authorized keys file.

Example:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAqs5hvGvJ3CM2Ink93x...tW3yw== rsa-key-20191008 ssh-rsa AAAAB3NzaC1kc3MAAAEBAK5qBqJnjNH7KH0bJR61vc+JuX...wOE8A== rsa-key-20200515

Only accept connections using the specified public key from 192.168.1.12: from="192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.1.30 - 192.168.1.39: from="192.168.1.3?" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.1.100 - 192.168.1.199: from="192.168.1.1??" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.0.12 - 192.168.255.12 (must end in .12): from="192.168.*.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

Only accept connections using the specified public key for the IP Address range 192.168.1.0 - 192.168.1.255 EXCEPT 192.168.1.12: from="192.168.1.*,!192.168.1.12" ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822

As demonstrated above, the special characters "?", "!", and "*" may be used to specify an IP address pattern that is to be matched.

The value data in this registry setting may contain the %USERNAME% macro, which the server will substitute with the name of the user when they attempt to authenticate. This allows you to load an authorized keys file stored separately for each user.

Only IPv4 addresses are currently supported. Hostname matching and IPv6 address matching are currently not supported.

SSHUseStrictKeyExchangeDWORDThis setting controls whether strict key exchange (strict kex) is enabled to mitigate the Terrapin attack. When enabled, the application will indicate support for strict key exchange by automatically including the pseudo-algorithm kex-strict-c-v00@openssh.com for client applications and kex-strict-s-v00@openssh.com for server applications in the list of supported key exchange algorithms.

Since both client and server must implement strict key exchange to effectively mitigate the Terrapin attack, the application provides options to further control the behavior in different scenarios.

The default value is 1. Possible values for this setting are:

  • 0 - Disabled. Strict key exchange is not supported in the application.
  • 1 - Enabled, but not enforced This setting enables strict key exchange, but if the remote host does not support strict key exchange the connection is still allowed to continue.
  • 2 - Enabled, but reject affected algorithms if the remote host does not support strict key exchange. If the remote host supports strict key exchange all algorithms may be used. If the remote host does not support strict key exchange the connection will only continue if the selected encryption and MAC algorithms are not affected by the Terrapin attack.
  • 3 - Required. If the remote host does not support strict key exchange the connection will fail.

SvcLogFileStringIf present, the trace information generated by the server will be written to the specified file.
UseFIPSCompliantAPIDWORDDetermines if only FIPS compliant algorithms and API calls are made during SSH or SSL sessions. This is false by default. Possible values:

  • 0 - Off. Non-FIPS compliant algorithms are allowed. (default)
  • 1 - On. Only FIPS compliant algorithms are allowed, and cryptographic calls are made only to FIPS compliant APIs.

UseIPv6DWORDControls whether IPv4 or IPv6 is used when listening. Connecting clients will need to connect using the appropriate IP version. Possible values are:

  • 0 - Off. IPv4 is used. (default)
  • 1 - On. IPv6 is used.

UserAuthBannerStringSets the User Authentication Banner, which is displayed to the client before they provide authentication, for example before a password prompt. This can also be set in the interface using the "Login Banner" field. The default value is CoreSSH Server (www.coressh.com).
WireEncodingStringControls the encoding used by the server on the wire for text sent and received by the server. By default, the server will use ISO-8859-1 (Latin-1) encoding.

API Keys

The API keys are stored under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\APIKeys\{keyName}. Each created API key has its own subkey, identified by the key name provided by the web admin upon creation.

Example registry structure:

  • HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\APIKeys\
    • testKey
    • backupKey
    • externalKey

The following key setting is available for API keys in CoreSSH Server. This setting controls the configuration and management of API keys, and it is also used during the authorization of the provided key.

NameTypeDescription
APIKeyStringThe hashed value of the API key, generated from the raw API key input. The hash is derived using PBKDF2 (Password-Based Key Derivation Function 2) with a random 24-byte salt to ensure security.

Authorized Keys

CoreSSH Server may be configured to authorize users against known public keys. When a client performs public key authentication, it presents a signature created with the private key. The server will try to verify the signature is valid using each of the known public keys until it finds a match.

To add an approved public key, you may either specify it directly in the New User... form or add it to the registry. Possession of a private key which corresponds to an allowed public key serves as authentication.

Known public keys can be added to the Windows Registry at the following location. If the key does not exist go ahead and create it.

HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\AuthorizedKeys

Create a new String value and set the value data to the public key in SSH public key format as specified by RFC 4253 (also known as OpenSSH public key format). Briefly, an OpenSSH public key consists of three parts all on a single line:

  • The key type
  • A chunk of PEM-encoded data
  • A comment

Example:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQ...w== rsa-key-20191008

The name of the String value is not used, but it is recommended to set this to the name of the user that the public key corresponds to for organizational purposes.

Host Keys

CoreSSH Server supports multiple host keys, which are stored under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\HostKeys\{algorithm}. Within this registry path, subkeys for each cryptographic algorithm (RSA, ECDSA, Ed25519) are stored.

Example registry structure:

  • HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\HostKeys\
    • ECDSA
    • Ed25519
    • RSA

The following key settings are available to host keys in CoreSSH Server. These settings control the configuration and management of host keys for each supported algorithm:

NameTypeDescription
EnabledDWORDSpecifies whether the host key is enabled.

  • 0 - Disabled
  • 1 - Enabled (default)

SSHCertStoreStringIf SSHCertStoreType is either 0 or 1, the SSHCertStore value defines the specific store where the certificate can be found. Example values: My, Root, Trust, CA, TrustedPublisher, Disallowed, AuthRoot, TrustedPeople.

When SSHCertStoreType is set to a file type (6 - PEMKeyFile), this property must be set to a fully qualified path to the file. When SSHCertStoreType is set to a blob type (7 - PEMKeyBlob), the SSHCertStore value must be set to the Base64 encoded representation of the binary contents of a PEM key file.

SSHCertStorePasswordStringThe password for the specified certificate store. The password is encrypted using DPAPI local machine scope and Base64 encoded. If you are importing from an existing key or certificate file, you can set this value to the raw password to correctly load the key.
SSHCertStoreTypeDWORDIndicates where to find the SSH certificate. Can be one of the following values:

  • 0 - User Store
  • 1 - Machine Store
  • 2 - PFX File
  • 3 - PFX Blob
  • 6 - PEM Key File
  • 7 - PEM Key Blob
  • 14 - PPK File
  • 15 - PPK Blob
  • 99 - Auto

SSHCertSubjectStringSubject of the SSH certificate used by the server. Example: CN=NEWTON.

NOTE: Using the special value * picks a random certificate in the certificate store.

Users

The following values can be configured independently for each user, at HKEY_LOCAL_MACHINE\SOFTWARE\CoreSSH\CoreSSHServer\24\Users:

NameTypeDescription
AuthenticationTypeDWORDSpecifies the type of authentication required to connect to the server.

  • 0 - Password
  • 1 - Public Key
  • 3 - Multi-factor (Password + Public Key)
  • 4 - Windows

DisplayNameStringContains a readable name for the client shown on the Users tab.
EnabledDWORDWhether the server will authorize the user or not. When enabled, the server will authorize the user.

  • 0 - Refuse authorization
  • 1 - Allow authorization (default)

EnableGSSAPIDWORDWindows users only. Whether the server will allow the GSSAPI authentication mode for the user.

  • 0 - Disabled (default)
  • 1 - Enabled

EnablePublicKeyDWORDWindows users only. Whether the server will allow Windows store based public key authentication for the user. When enabled, the StoreName and StoreType configuration settings will contain the location the server will look for client certificates.

  • 0 - Disabled (default)
  • 1 - Enabled

EnablePasswordDWORDWindows users only. Whether the server will allow password authentication via Windows Authentication mechanisms.

  • 0 - Disabled
  • 1 - Enabled (default)

LogonTypeDWORDWindows users only. Controls the type of logon performed by the application when attempting to authenticate users. Network is more secure, but access to remote network resources is prohibited. Interactive logon allows access to remote network resources.

  • 0 - Network Logon (default)
  • 1 - Interactive Logon

MechanismsDWORDWindows users only. Specifies the authentication mechansism to be used.

  • 0 - All
  • 1 - Kerberos
  • 2 - NTLM (default)

PasswordStringVirtual users only.Contains the password hash for the client. The password hash is computed using PBKDF2 and is base64-encoded and stored using the following format. E.g. PBKDF2:L4GHIfCW...
ReadOnlyDWORDSpecifies that this user may only read files and directories. Any attempt to create, update or delete files or folders will be denied.

  • 0 - Disabled
  • 1 - Read-only access

RootDirectoryStringSpecifies the default directory of the client after starting a channel. In addition, it tells the server to overwrite the global root directory for this user. As a result, the client is jailed to this location because client perceives its working directory as the root of the entire server.

Note: If UseDefaultDirectory is enabled, the value stored in this setting is ignored.

StoreNameStringWindows users only. Tells the server to look for client certificates in the specified store. Predefined system certificate store names include My, Root, Trust, CA, and more.
StoreTypeDWORDWindows users only. Tells the server to look for client certificates in the Machine or User stores.

  • 0 - User (default)
  • 1 - Machine

UseDefaultDirectoryDWORDControls the default directory behavior for the client. When enabled, the server will use the default location for this user.

  • 0 - Specify the full path of the directory for the user.
  • 1 - Use the default location which is specified by the RootDirectory setting. (default)

UserNameStringContains the client name.