Newer versions
Scriptable configuration in Bitvise SSH Server versions 9.xx
Scriptable configuration in Bitvise SSH Server versions 8.xx
This page applies to non-latest Bitvise SSH Server versions.
Bitvise SSH Server comes with a textual configuration utility, BssCfg, which is useful for administering SSH servers in large-scale installations. It also comes with a configuration COM object, BssCfgManip, which can be used to configure the SSH Server from any language that supports COM, but is especially intended for use with PowerShell.
Using BssCfg and PowerShell, it is possible to administer the SSH Server remotely from client machines where it is not possible to use Bitvise SSH Client and its Remote Control Panel feature. PowerShell scripts that modify SSH Server settings can be run on the server by a client through an SSH terminal shell or using exec requests.
Note: Everything that can be configured through BssCfg and PowerShell can also be configured through the graphical SSH Server Control Panel. Users who don't need scriptable configuration do not need to learn BssCfg or PowerShell. Such users should simply use the graphical settings, accessed through the Bitvise SSH Server Control Panel.
Using BssCfg
The BssCfg utility resides in the SSH Server installation directory and can be run from a Windows Command Prompt or PowerShell. It can be run either locally or remotely using an SSH session. If run without parameters, it will show available commands and options.
BssCfg must be run by a user with administrative permissions, in an elevated Command Prompt or PowerShell window.
Configuring the SSH Server with PowerShell
To instantiate the SSH Server's configuration COM object in PowerShell, use:
$cfg = new-object -com "BssCfg815.BssCfg815"
Note:
Like the BssCfg utility, the BssCfgManip COM object must be instantiated by a user with administrative permissions, in an elevated PowerShell window.
The exact name of the BssCfgManip COM object is changed in SSH Server versions that contain changes to the configuration format. To find the name of the COM object for your installation, check the reference file BssCfgManip.htm in your SSH Server installation directory.
Once the object is instantiated, you can view its properties and methods:
$cfg | Get-Member
Reference
Every object in the hierarchy features integrated help. You can display it as follows:
$cfg.help $cfg.instances.help $cfg.instances.entries[0].help $cfg.instanceSettings.help $cfg.settings.help $cfg.keypairs.help $cfg.keypairs.entries[0].help
You can find built-in help at all levels in the settings hierarchy. For example:
$cfg.settings.access.help $cfg.settings.access.virtAccounts.help $cfg.settings.access.virtAccounts.new.help $cfg.settings.access.virtAccounts.new.auth.help $cfg.settings.access.virtAccounts.new.auth.keys.help
The same help text has also been compiled, and can be viewed as HTML:
Stop on errors
If your script encounters an error when calling a method such as settings.Lock, it is important the script stops instead of continuing as if no error happened. The reason locking functions must be called is because they can fail: aspects of SSH Server settings can be briefly locked by another process, and it's not safe to try to alter settings in this case.
To make sure your script stops if it encounters any errors, make one of the first commands:
$ErrorActionPreference = "Stop"
Alternately, your script can handle any execution errors in a Try/Catch block.
Selecting the SSH Server instance
It is possible to install multiple concurrent SSH Server instances on the same computer. There can be no more than one default, unnamed instance ("Bitvise SSH Server"). Other instances will have names ("Bitvise SSH Server - InstanceName").
If more than one instance is installed, it must be selected using $cfg.SetInstance. Examples:
# Alternatives to select the default (unnamed) instance $cfg.SetInstance("") $cfg.SetInstance("Bitvise SSH Server") # Alternatives to select the instance named "InstanceName" $cfg.SetInstance("InstanceName") $cfg.SetInstance("Bitvise SSH Server - InstanceName")
Either the short name (the empty string, or "InstanceName") or the long name (prefixed with "Bitvise SSH Server") may be provided.
If only one SSH Server instance is installed, instance selection is not required. The BssCfgManip COM object will automatically use the only installed instance.
Instances can be enumerated using $cfg.instances:
foreach ($instance in $cfg.instances.entries) { Write-Host "Instance: '$($instance.name)', version: $($instance.version)" }
Locking and loading settings
When the BssCfgManip COM object is first instantiated, neither settings nor keypairs are locked or loaded. To modify settings, you must lock and load them as follows:
$cfg.settings.Lock() $result = $cfg.settings.Load() if ($result.failure) { Write-Error $result.Describe() } # Manipulate settings # ... $cfg.settings.Save() $cfg.settings.Unlock()
Similarly, to modify keypairs - lock and load them as follows:
$cfg.keypairs.Lock() $cfg.keypairs.Load() # Manipulate keypairs # ... # $true to perform automatic backup; $false to not $cfg.keypairs.Save($true) $cfg.keypairs.Unlock()
Master/slave and update settings are stored separately, and must be locked and loaded as follows:
$cfg.instanceSettings.Lock() $result = $cfg.instanceSettings.Load() if ($result.failure) { Write-Error $result.Describe() } # Manipulate master/slave and update settings # ... $cfg.instanceSettings.Save() $cfg.instanceSettings.Unlock()
If you are loading settings or keypairs only to view them; but not change them; it is not necessary to lock them.
Navigating settings
To access server settings, use the property $cfg.settings:
# Load server settings and display the textual log file directory $result = $cfg.settings.Load() if ($result.failure) { Write-Error $result.Describe() } Write-Host "Log file directory: $($cfg.settings.server.logging.logFileDir)"
To access master/slave and update settings, use $cfg.instanceSettings:
# Load instance type settings and print the master server's address $cfg.instanceSettings.Load() if ($result.failure) { Write-Error $result.Describe() } Write-Host "Master server's address: $($cfg.instanceSettings.slave.host)"
Enumerations
All enumeration values are accessible by name via the BssCfgManip COM object. For example, the following code can be used to set the setting pwCacheAutoSave:
$cfg.settings.access.pwCacheAutoSave = $cfg.enums.pwCacheAutoSave.allAccounts
To list all available values for the pwCacheAutoSave enumeration, use:
$cfg.enums.pwCacheAutoSave
Lists
Every list is represented by a list object with an enumerable .entries property. For example, the list of virtual accounts can be accessed through virtAccounts and virtAccounts.entries. The list object (without .entries) allows manipulation of the list (add, erase, move items). The .entries property (virtAccounts.entries) provides easy, enumerable access to the items.
List object - discard all virtual accounts:
$cfg.settings.access.virtAccounts.Clear()
The .entries property - enumerate virtual accounts:
foreach ($account in $cfg.settings.access.virtAccounts.entries) { Write-Host $account.virtAccount }
Adding new accounts and groups
Accounts and groups are stored by the SSH Server in lists. Some of the fields in each list entry are the entry's sort key; when you use the help property, these fields are displayed with a ">" prefix. Other fields in each list entry may have a unique constraint; such fields will be marked with a "!" prefix in the result of help. For example, virtual accounts are sorted according to the value of their virtAccount field (">" prefix). On the other hand, values of the groupType, winDomain and group properties in Windows group settings entries must be unique ("!" prefix).
New account and group entries are added in two steps:
The entry is initialized with the new settings it will contain. In this step, it is accessed using the new property of the list object. For example:
$cfg.settings.access.winAccounts.new.winAccountType = $cfg.enums.winAccountType.domainAccount $cfg.settings.access.winAccounts.new.winDomain = "DomainName" $cfg.settings.access.winAccounts.new.winAccount = "User" $cfg.settings.access.winAccounts.new.loginAllowed = $cfg.enums.DefaultYesNo.yes $cfg.settings.access.winAccounts.new.xfer.mountPoints.Clear() $cfg.settings.access.winAccounts.new.xfer.mountPoints.new.allowUnlimitedAccess = $false $cfg.settings.access.winAccounts.new.xfer.mountPoints.new.realRootPath = "C:\Sftp\User" $cfg.settings.access.winAccounts.new.xfer.mountPoints.NewCommit() ...
When the initial data for the new list entry is configured, it is committed into the list:
$cfg.settings.access.winAccounts.NewCommit()
This process applies not only to account and group settings entries, but to all settings items stored as lists. In the above example, there is already a second nested example, where a mount point is added to xfer.mountPoints.
Removing list entries
Accounts and groups can be removed from their lists as follows:
for ($i = 0; $i -lt $cfg.settings.access.winAccounts.count; ) { if ($cfg.settings.access.winAccounts.GetItem($i).winAccount -ieq "User") { $cfg.settings.access.winAccounts.Erase($i) } else { $i++ } }
The above will remove any and all Windows account settings entries whose Windows account name matches "User". For example, it will match and remove a domain account "Domain\User", as well as a local account "User".
Blocking IP addresses
In order to block a large number of IP addresses, you can use PowerShell, or "BssCfg settings importText", to run settings instructions such as these:
$cfg.settings.access.clientAddresses.Clear() $cfg.settings.access.clientAddresses.new.addressRule.addressType = $cfg.enums.AddressVer6Type.ipv4 $cfg.settings.access.clientAddresses.new.addressRule.ipv4 = "10.2.3.4" $cfg.settings.access.clientAddresses.new.instr.allowConnect = $false $cfg.settings.access.clientAddresses.NewCommit() $cfg.settings.access.clientAddresses.new.addressRule.addressType = $cfg.enums.AddressVer6Type.anyIP $cfg.settings.access.clientAddresses.new.instr.allowConnect = $true $cfg.settings.access.clientAddresses.NewCommit()
These instructions will:
- Clear the list of rules in Advanced settings > Access control > Client address rules.
- Add a rule to block connections from the single IPv4 address 10.2.3.4.
- Add a final rule to allow connections from other IP address.
Faster import using BssCfg
BssCfg implements a number of commands to access all aspects of the SSH Server's configuration. Among them are the commands BssCfg settings exportText and importText.
The command settings exportText is roughly equivalent to the following in PowerShell:
$cfg = new-object -com "BssCfg815.BssCfg815" $result = $cfg.settings.Load() if ($result.failure) { Write-Error $result.Describe() } $cfg.settings.Dump("`$cfg", $cfg.enums.showDefaults.no)
The result of settings exportText is executable directly as a PowerShell script, and will set SSH Server settings to what they were at the time of export. However, the settings in this format can also be imported using BssCfg settings importText.
The command settings importText imports SSH Server settings in the textual format exported by exportText. The syntax supported by importText is very limited, and does not support most PowerShell language features. The main feature of importText is that it is much faster than direct execution of the settings as a script in PowerShell.
Example scripts
The following example scripts have been renamed to .txt from their original extensions:
PowerShell: Roll over to a new host key algorithm in two stages: first generate a new host key and export the public key; subsequently employ it.
PowerShell: Import a public key into a virtual account settings entry.
PowerShell: Loop through virtual account entries, displaying the virtual filesystem mount points defined by each virtual account settings entry.
PowerShell: Loop through Windows group settings entries, searching for Windows file share entries that use accounts whose passwords have changed, and update such file share entries with new passwords.
PowerShell: Create a virtual account, assign it a password and public key for authentication, configure it with virtual filesystem mount points.
PowerShell: Read a file with IP addresses and add them to Client address rules.
PowerShell: Create a virtual account with server-configured port forwarding rules in the client-to-server and server-to-client direction.
PowerShell: Locate any DSA keys, both among host keypairs used for server authentication, and public keys imported for client authentication in account and group settings entries.
VBScript: Load, Update and Apply Settings.
VBScript: Loop through Windows account entries, resetting their mount points so that each account has a single mount point with a real root path set to the value of the "Initial terminal shell directory" for the account.
You can find the following scripts in your SSH Server installation directory:
VirtAccountExporter.ps1: A PowerShell script that exports virtual account information into a CSV text file.
VirtAccountImporter.ps1: A PowerShell script that imports new virtual accounts from a CSV text file.
These scripts can be used as-is, or modified according to your needs.
Older versions
Scriptable configuration in Bitvise SSH Server versions 7.xx