Storage and backup of Bitvise SSH Server configuration

Your SSH Server configuration can consist of the following parts:

  • Host keypairs. These are the private keys the SSH Server uses to prove its identity to clients that connect to it. Clients compare the server's public host key against the one they recorded on a previous connection; this host key verification is critical to defend against man-in-the-middle attacks on the SSH session. Without it, an attacker positioned between client and server can impersonate the server and hijack the session. Because anyone holding a private host key can impersonate your server, a backup that contains host keypairs must be protected as carefully as the server itself.

  • Settings. These are the settings you see when you open Easy settings or Advanced settings in the SSH Server Control Panel. All of your SSH account and group settings entries are stored here, as well as their public keys for client authentication.

  • Instance-type settings. These are settings that control synchronization of the SSH Server with other instances in a master/follower environment. Standalone installations do not use these settings.

  • Password cache. You can set up a password cache to allow Windows accounts implicit access to network resources when they log into the SSH Server using public key authentication.

  • External infrastructure. Your SSH Server setup will likely depend on infrastructure that is not part of the SSH Server itself. This includes Windows accounts that have been granted the right to log in via the SSH Server; any filesystem folders that users have been configured to access; Windows filesystem permissions on those folders; and similar. Any backup of external infrastructure is site-specific, and will not be discussed here.

How the configuration is stored

The components of your SSH Server configuration are stored in the following locations:

  • Host keys are stored in the Config directory. Within this directory, host keys are stored unencrypted.

  • Settings are stored in the Config directory. If the settings contain any sensitive information, such as passwords for login to network shares, then such sensitive information is encrypted using the SSH Server's machine-specific encryption key. Other settings are stored unencrypted.

  • Instance-type settings are stored in the Config directory. If the settings contain a password or obfuscation keyword, only these fields are encrypted using the SSH Server's machine-specific encryption key. Other parts of instance-type settings are stored unencrypted.

  • The password cache is stored in the SSH Server's instance-specific registry key. This registry key is secured using Windows registry permissions so that only administrators can access it. The passwords are encoded reversibly with an encryption key that is the same on all computers, so the encoding protects only against casual inspection: anyone who can read the registry key, or who obtains an export of it, can recover the passwords. The access restriction on the registry key is the real control.

The Config directory is a subdirectory of the SSH Server installation directory. Like other sensitive subdirectories, such as Logs, this directory is secured using Windows filesystem permissions so that only administrators can read or write files in it.

The SSH Server's instance-specific registry key matches the name of the SSH Server instance. It can be found under HKLM\Software\Bitvise on 32-bit computers, and HKLM\Software\Wow6432Node\Bitvise on 64-bit.

The SSH Server's machine-specific encryption key is stored as a REG_SZ value named EncKey under the registry key HKLM\Software\Bitvise\AdminKey on 32-bit computers, and HKLM\Software\Wow6432Node\Bitvise\AdminKey on 64-bit.
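The page states that the Config directory, its sensitive subdirectories, and the instance registry key are restricted to administrators. The following PowerShell script, an added example that is not part of the Bitvise documentation or the product, checks that claim on a running installation by listing every Allow entry granted to a principal other than SYSTEM, Administrators or CREATOR OWNER on each location named above. The installation directory, the instance name (the unnamed default, BvSshServer) and the set of expected principals are assumptions; adjust them for your site.

```powershell
# Added example (not Bitvise's own code): audit the ACLs on the configuration
# locations described on this page. Install path, instance name and the list
# of expected principals are assumptions for illustration.
$installDir   = 'C:\Program Files\Bitvise SSH Server'   # assumed default install directory
$instanceName = 'BvSshServer'                           # assumed default (unnamed) instance
$bitviseRoot  = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\Software\Wow6432Node\Bitvise'                 # 32-bit view on 64-bit Windows
} else {
    'HKLM:\Software\Bitvise'
}

# Locations this page names, in the order it lists them.
$targets = @(
    (Join-Path $installDir 'Config'),           # host keys, settings, instance-type settings
    (Join-Path $installDir 'Config\Backup'),    # built-in automatic backups
    (Join-Path $installDir 'Logs'),             # another sensitive subdirectory
    "$bitviseRoot\$instanceName",                # password cache
    "$bitviseRoot\AdminKey"                      # machine-specific encryption key (EncKey)
)

# Principals that may legitimately hold rights on these locations (assumption:
# a hardened server grants nothing to Users, Authenticated Users, Everyone, etc.).
$allowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Test-ConfigLocationAcl {
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'missing'; Unexpected = '' }
    }

    $acl = Get-Acl -Path $Path
    # Any Allow ACE for a principal outside the expected set, inherited or
    # explicit, widens access to private host keys, settings or the password cache.
    $unexpected = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($allowedPrincipals -contains $ace.IdentityReference.Value) { continue }
        # File system and registry ACEs expose their rights under different names.
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
        $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        '{0}: {1} ({2})' -f $ace.IdentityReference.Value, $rights, $origin
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = if ($unexpected) { 'REVIEW' } else { 'ok' }
        Unexpected = ($unexpected -join '; ')
    }
}

$results = $targets | ForEach-Object { Test-ConfigLocationAcl -Path $_ }
$results | Format-Table -AutoSize -Wrap

# Non-zero exit code when anything needs review, so the script can run from a
# monitoring job and raise an alert.
if ($results | Where-Object Status -eq 'REVIEW') { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell prompt, since reading the ACLs on these locations requires administrator rights. An inherited entry such as BUILTIN\Users with ReadAndExecute on Config would mean inheritance from the installation directory has leaked read access to the unencrypted host private keys, which is exactly what the restriction described above is meant to prevent.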

Built-in automatic backup

By default, your SSH Server host keypairs, settings, and instance type settings are backed up automatically whenever they are changed. The backups are stored in the Config\Backup subdirectory of your SSH Server installation directory. These automatic backups can be disabled in Advanced settings, under Server.

You should not rely on being able to restore the built-in automatic backups on other computers. For example, if the settings contain any sensitive information – such as passwords to access network shares – it will not be possible to decrypt them on another computer. The main purpose of automatic backup is to allow your configuration to be restored, on the same computer, to a previous known working state.

Manual backup

Backups you make manually can be restored on other computers. You can make occasional backups as follows:

  • To manually back up host keypairs, use the Manage host keys interface on the Server tab in the SSH Server Control Panel. You can select one or multiple host keys using Ctrl+click or Shift+click. For backup, export the keypairs, not only the public keys, and treat the exported file as a secret: it contains the private keys that identify your server.

  • To manually back up settings, use the Export link on the Server tab in the SSH Server Control Panel, under Settings.

  • To manually back up instance-type settings, access the Instance type settings dialog from the Server tab in the SSH Server Control Panel. Use the Import / Export button to export the settings.

  • To manually back up the password cache, open the Manage password cache interface from the Server tab in the SSH Server Control Panel, under Password cache. Under More, find the option Backup items to file.

Automated backup for restoring on other computers

If you need to make frequent backups in a way that can be restored on other computers, you can automate them as follows:

  • For host keypairs, automated backups are needed only in rare situations. Host keys will not change unless you change them manually, or use advanced configuration options such as scriptable configuration. If you do need to automate them, the BssCfg COM object contains methods to load, count, and export host keypairs.

  • For settings, use the BssCfg utility that's included in the SSH Server installation directory:

    BssCfg settings exportBin C:\Path\FileName.wst -pass=password

    Alternately, use the SSH Server's scriptable configuration. In this case, the BssCfg COM object contains methods to load and export SSH Server settings.

  • For instance-type settings, use the BssCfg utility that's included in the SSH Server installation directory:

    BssCfg instanceType exportBin C:\Path\FileName.wst

    Alternately, use the SSH Server's scriptable configuration. In this case, the BssCfg COM object contains methods to load and export instance-type settings.

  • For the password cache, the SSH Server currently does not provide automated export functionality. However, you can export the registry key that contains the entries using the Windows reg utility. For example, with a default (unnamed) SSH Server installation:

    reg export HKLM\Software\Bitvise\BvSshServer C:\Path\FileName.txt /reg:32

    The /reg:32 parameter selects the 32-bit registry view, so this same command works on both 32-bit and 64-bit Windows. If you are using the Windows Registry Editor, then on 64-bit Windows the location is HKLM\Software\Wow6432Node\Bitvise\BvSshServer. Because the exported file contains the cached passwords in a form that can be decoded on any computer, store it under the same access restrictions as the registry key itself.
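The three automated steps above are normally run together from a scheduled job. The following PowerShell script, an added example that is not part of the Bitvise documentation or the product, combines them: it locks down a timestamped destination directory before writing to it, runs the settings and instance-type exports with the BssCfg commands shown above, exports the password cache registry key with reg.exe, and prunes old runs. The installation directory, the unnamed default instance name, the backup destination, the file that supplies the export password, and the assumption that BssCfg returns a non-zero exit code on failure are all assumptions for illustration.

```powershell
# Added example (not Bitvise's own code): automated backup of the parts this
# page says can be exported for restore on another computer. Paths, instance
# name and the password source are assumptions; adjust for your site.
$installDir   = 'C:\Program Files\Bitvise SSH Server'   # assumed default install directory
$instanceName = 'BvSshServer'                           # assumed default (unnamed) instance
$backupRoot   = 'D:\Backups\BitviseSshServer'           # assumed destination, outside the install directory
$bssCfg       = Join-Path $installDir 'BssCfg.exe'

# Export password for the settings file, read from an administrator-only file
# (assumed path) so it never appears in the script or in a scheduled task's
# command line, where any local user could read it.
$exportPassword = (Get-Content -Path 'D:\Backups\export-password.txt' -Raw).Trim()

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Restrict the destination to SYSTEM and Administrators before writing anything
# into it. The password cache export is decodable on any computer, so the
# backup directory must be at least as restricted as the registry key it copies.
$acl = Get-Acl -Path $outDir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $outDir -AclObject $acl

function Invoke-BackupStep {
    param([string]$Name, [scriptblock]$Action)
    & $Action
    # Assumption: BssCfg and reg.exe signal failure with a non-zero exit code.
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# 1. Settings (accounts, groups, client public keys), protected by the export password.
Invoke-BackupStep 'settings export' {
    & $bssCfg settings exportBin (Join-Path $outDir 'settings.wst') "-pass=$exportPassword"
}

# 2. Instance-type settings (master/follower synchronization); trivial on a standalone server.
Invoke-BackupStep 'instance type export' {
    & $bssCfg instanceType exportBin (Join-Path $outDir 'instanceType.wst')
}

# 3. Password cache: export the instance registry key. /reg:32 selects the
#    32-bit view, so the same command works on 32-bit and 64-bit Windows.
Invoke-BackupStep 'password cache export' {
    & reg.exe export "HKLM\Software\Bitvise\$instanceName" (Join-Path $outDir 'password-cache.reg') /y /reg:32
}

# Host keypairs change only when an administrator changes them, so they are
# left to a manual export from Manage host keys (or the BssCfg COM object).

# Retention: keep the 14 most recent runs.
Get-ChildItem -Path $backupRoot -Directory |
    Sort-Object -Property Name -Descending |
    Select-Object -Skip 14 |
    Remove-Item -Recurse -Force

Write-Host "Backup written to $outDir"
```

Schedule the script through Task Scheduler to run as SYSTEM or as a dedicated administrator account; both BssCfg and reg export against HKLM need administrator rights, and the password cache export is only readable by the accounts the page describes. When restoring on another computer, the settings file is imported with the same export password, which is why that password must be kept somewhere other than alongside the backups.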