SSH

Chapter 4 Authentication

Table of Contents

Supported User Authentication Methods
Compatibility with OpenSSH Keys
Server Authentication with Public Keys
Host Key Storage Formats
Using the System-Wide Host Key Storage
Resolving Hashed Host Keys
Using the OpenSSH known_hosts File
Server Authentication with Certificates
Managing CA Certificates with the Configuration File (Unix)
Managing CA Certificates with the GUI
User Authentication with Passwords
Defining Password Authentication with the Configuration File (Unix)
Using Stored Passwords in Connection Profiles
Managing Authentication Methods with the GUI
User Authentication with Public Keys
Creating Keys with ssh-keygen-g3
Uploading Public Keys Manually
Creating Keys with the Public-Key Authentication Wizard
Using Keys Generated with OpenSSH
Special Considerations with Windows Servers
User Authentication with Certificates
Using the Configuration File (Unix)
Configuring User Authentication with Certificates on Windows
Importing PKCS Certificates with Tectia Connections Configuration GUI
Host-Based User Authentication (Unix)
User Authentication with Keyboard-Interactive
Defining Keyboard-Interactive Method with the Configuration File (Unix)
Defining Keyboard-Interactive Method with the GUI
User Authentication with GSSAPI
Defining GSSAPI Method with the Configuration File (Unix)
Defining GSSAPI Method with the GUI

The Secure Shell protocol used by the Tectia client/server solution provides mutual authentication – the client authenticates the server and the server authenticates the client user. Both parties are assured of the identity of the other party.

The remote Secure Shell server host can authenticate itself using either traditional public-key authentication or certificate authentication.

Different methods can be used to authenticate Secure Shell client users. These authentication methods can be combined or used separately, depending on the level of functionality and security you want.

User authentication methods

Figure 4.1. User authentication methods

User authentication methods used by Tectia ConnectSecure by default are: public-key, password, keyboard-interactive, and GSSAPI authentication. Public-key and certificate authentication are combined into the public-key authentication method.

When several interactive authentication methods are defined as allowed, Tectia ConnectSecure will alternate between the methods and offers each of them in turn to the server in case the previous method failed. This makes it possible to define different authentication methods for different users, and they can be handled with the same server configuration.