SSH Tectia  

Client Configuration

Configure the client side according to the key and certificate type used: X.509 or Entrust.

X.509 Certificates

To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:

  1. Enroll a certificate for yourself. Example: enrollment using ssh-cmpclient:
    $ ssh-cmpclient INITIALIZE \
       -P generate://ssh2:passphrase@rsa:512/user_rsa \
       -o /home/user/.ssh2/user_rsa \
       -p 62154:ssh \
       -s 'C=FI,O=SSH,CN=user;email=user@example.org' \
       http://pki.ssh.com:8080/pkix/ \
       'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'
    
    If a SOCKS server is required, also define it (-S) before the CA URL. The rsa:512 key size shown here is only illustrative; 512-bit RSA keys can be factored, so generate a longer key for real use. For more information on the ssh-cmpclient syntax, see the ssh-cmpclient man page.
  2. Make sure that public-key authentication is enabled in the ssh2_config file.
    AllowedAuthentications   publickey
    
  3. Specify the private key of your software certificate in the ~/.ssh2/identification file.
    CertKey                  <private-key-path>
    
    The certificate itself will be read from private-key-path.crt.
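
The following check for steps 2 and 3 is an added example, not part of the SSH Tectia manual or product. It assumes that ssh2_config and identification both live in ~/.ssh2, that keywords match case-insensitively, that '#' starts a comment, and that a relative CertKey path is resolved against that directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the client-side files from steps 2 and 3.
# Assumptions (not from the manual): keywords match case-insensitively,
# '#' starts a comment, AllowedAuthentications may be a comma-separated
# list, and a relative CertKey path is resolved against the config directory.

# Print the value of the last occurrence of keyword $2 in file $1.
cfg_value() {
    [ -r "$1" ] || return 0
    awk -v k="$2" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# Usage: check_cert_client_config [config-dir]   (default: ~/.ssh2)
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_cert_client_config() {
    dir=${1:-$HOME/.ssh2}
    rc=0

    auth=$(cfg_value "$dir/ssh2_config" AllowedAuthentications)
    case ",$(printf '%s' "$auth" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')," in
        *,publickey,*) ;;
        *) echo "ssh2_config: AllowedAuthentications does not list publickey"; rc=1 ;;
    esac

    key=$(cfg_value "$dir/identification" CertKey)
    if [ -z "$key" ]; then
        echo "identification: no CertKey entry"
        return 1
    fi
    case $key in /*) ;; *) key=$dir/$key ;; esac

    if [ ! -f "$key" ]; then
        echo "private key not found: $key"; rc=1
    elif [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        # A certificate key readable by other accounts can be copied and reused.
        echo "private key is readable by group or others: $key"; rc=1
    fi
    # The client reads the certificate from <private-key-path>.crt
    [ -f "$key.crt" ] || { echo "certificate not found: $key.crt"; rc=1; }
    return $rc
}
```

Call `check_cert_client_config` with no argument to check ~/.ssh2, or pass another directory to check a staged configuration before deploying it.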

Entrust Certificates

SSH Tectia Client also supports the use of Entrust keys and certificates for authentication. Entrust keys are handled as external keys.

The Entrust provider described in this section is a component designed by SSH Communications Security Corp.

Entrust Entelligence and the entrust.ini and *.epf files are components designed by Entrust, Inc.

To configure the client to authenticate itself using the user's Entrust key and certificate, perform the following tasks:

  1. Enable public-key authentication in the ssh2_config file.
    AllowedAuthentications   publickey
    
  2. Define the Entrust external key provider and its initialization string:
    EkProvider               entrust 
    EkInitString             profile-file($HOME/profile.epf)
    
    The format of the initialization string is the same as for the server. See Section Server Entrust Authentication above.
  3. Copy the entrust.ini file to /etc/.

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.