11.5. Procedure – Creating and editing protocol-level SSH settings


SSH settings determine the parameters of the connection on the protocol level, including when the server-side connection is built, as well as the timeout value and greeting message of the connection. The following parameters determine which algorithms are used in the connections, and can be set independently for the client and the server side: key exchange, host key, cipher, MAC, and compression algorithms. Complete the following procedure to create a new SSH settings profile or edit an existing one.


Before modifying any of the algorithm settings, check whether the default algorithms are supported by your SSH client and server.

If yes, then you can leave these settings untouched.

If not and you need to amend the default algorithm settings, ensure that the client and server sides are harmonized. You can either do that in PSM or on the client/server itself.

Note that modifying algorithm settings in PSM is recommended to advanced users only. If you are unsure about which settings to amend, then contact the Balabit Support Team for assistance.

Figure 11.10. SSH Control > Settings — SSH settings

SSH Control > Settings — SSH settings


  1. Navigate to the SSH Control > Settings and click to create an SSH setting profile. Enter a name for the profile (for example strongencryption).

  2. Click to display the parameters of the SSH connection.

  3. To set a connection timeout value, enter a value in the Idle timeout field in milliseconds. To avoid early timeout, set it to a larger value, for example a week (604800000 milliseconds).


    Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing PSM from closing the connection.

  4. To display a greeting message to the clients after connecting the server, enter the message into the Greeting field.

  5. To display a banner message to the clients before authentication (as specified in RFC 4252 — The Secure Shell (SSH) Authentication Protocol), enter the message into the Banner field. For example, this banner can inform the users that the connection is audited.

  6. Optional. You can specify additional text to append to the SSH protocol banner, for example to mask the OpenSSH version upon connection. Enter the text in the Software version field.

  7. If needed, modify the encryption parameters. PSM enforces policies on the various elements of the encrypted SSH communication, such as the MAC, key-exchange, and cipher algorithms that are permitted to be used. The parameters can be set separately for the client and for the server side. The attributes are comma-separated strings listing the enabled methods/algorithms, in the order of preference.

    For a complete list of the available parameters, see Section 11.6, Supported encryption algorithms.


    Do not use the CBC block cipher mode, or the diffie-hellman-group1-sha1 key exchange algorithm. For details, see Section 11.6, Supported encryption algorithms.

  8. To check the protocol-level parameters of the connections very strictly, select the Strict mode option. This option is enabled by default. When this option is enabled:

    PSM will reject connections that use unrealistic parameters, for example:

    • The number of columns and rows of the terminal is bigger or equal than 512

    • The size of the screen is greater than 8192 pixels in either directions

    PSM will reject port-forwarding connections where the address in the port-forwarding request and the channel-opening request does not match.


    Strict mode can interfere with certain client or server applications.


    Strict mode is not working with the Windows 10 internal Bash/WSL feature, because it uses a very large terminal window size. Using Windows 10 internal Bash/WSL is not supported.

  9. Before establishing the server-side connection, PSM can evaluate the connection and channel policies to determine if the connection might be permitted at all, for example it is not denied by a Time Policy. To enable this function, select the Enable pre channel check option. That way PSM establishes the server-side connection only if the evaluated policies permit the client to access the server.

  10. Click .

  11. Select this settings profile in the SSH settings field of your connections.