SSH Tectia  
Client Configuration

Host-based authentication can be enabled either by using traditional public keys or by using certificates.

Traditional Public Keys

To enable host-based authentication with traditional public keys on Client, do the following steps as ClientUser. Note that generating the host key and editing the global configuration files under /etc/ssh2 require root privileges, which is what the # prompt below indicates.

  1. Generate a host key pair. By default, /etc/ssh2/hostkey and /etc/ssh2/hostkey.pub are generated during installation, so this step can usually be skipped. Otherwise, give the following command (-P stores the private key with an empty passphrase, which host-based authentication requires because no user is present to type one):
    # ssh-keygen2 -P /etc/ssh2/hostkey
    
  2. Add the following line in the /etc/ssh2/ssh2_config file:
    AllowedAuthentications   hostbased
    
    Other authentication methods can also be listed, in the order in which Client should try them. Place the least interactive method first, so that the user is prompted only if the non-interactive methods fail. For example:
    AllowedAuthentications   hostbased,publickey,password
    
  3. Change the DefaultDomain keyword in the ssh2_config file to reflect your fully qualified domain:
    DefaultDomain            example.com
    
    Setting this is mandatory if the HostbasedAuthForceClientHostnameDNSMatch keyword in the sshd2_config file on Server has been set to yes, because Server then requires the host name presented by Client to match the name DNS returns for the connecting address, and a short host name will not match. Even if HostbasedAuthForceClientHostnameDNSMatch is not used, the DefaultDomain keyword is useful on platforms such as AIX and Solaris, which report only the short hostname by default.

Certificates

It is possible to use a certificate instead of the traditional public-key pair to authenticate the client host.

To enable host-based authentication with certificates on the client, do the following steps as ClientUser:

  1. Add the following line in the /etc/ssh2/ssh2_config file:
    AllowedAuthentications   hostbased
    
  2. Enroll a certificate for Client. See User Authentication with Certificates for more information. The certificate must contain a DNS name extension (a subjectAltName entry of type dNSName) carrying the fully qualified domain name (FQDN) of Client, since Server matches it against the client host name. Note that the private key associated with the certificate must be stored with an empty passphrase.
  3. Define the private key and certificate in the sshd2_config file on Client. This is the server configuration file on the client host, not the file on Server: the host key material used for host-based authentication is read from it, even though the rest of the client behavior is controlled by ssh2_config:
    HostKeyFile              <private key>
    HostCertificateFile      <certificate>
    
  4. Change the DefaultDomain keyword in the ssh2_config file to reflect your fully qualified domain:
    DefaultDomain            example.com
    
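The following script is an added example, not part of the SSH Tectia documentation or product. It performs the configuration-file steps of both procedures above (AllowedAuthentications and DefaultDomain in ssh2_config, and HostKeyFile and HostCertificateFile in the client host's sshd2_config) so that they can be run repeatedly without producing duplicate keyword lines, and it shows the short-hostname check that motivates DefaultDomain. The function and path names are the example's own; the demo at the end edits a constructed sample file in a scratch directory rather than /etc/ssh2.

```shell
#!/bin/sh
# Added example, not from the SSH Tectia documentation: apply the client-side
# host-based authentication settings described above idempotently.
# The real files are /etc/ssh2/ssh2_config and /etc/ssh2/sshd2_config on
# Client; editing them, like generating /etc/ssh2/hostkey, requires root.
# The demo at the bottom works on a constructed copy in a scratch directory.

set -u

# ensure_hostkey KEYFILE
# Step 1 (traditional keys): generate the host key pair only if it is missing.
# -P stores the private key with an empty passphrase; host-based
# authentication needs that because no user is present to type one.
ensure_hostkey() {
  [ -f "$1" ] && return 0
  ssh-keygen2 -P "$1"
}

# set_keyword FILE KEYWORD VALUE
# Activate KEYWORD with VALUE in an ssh2_config/sshd2_config-style file.
# An existing line for the keyword, active or commented out, is replaced and
# duplicates are dropped; otherwise the line is appended. Only whole-word
# matches count, so setting HostKeyFile leaves e.g. HostKeyFile2 alone.
set_keyword() {
  file=$1 key=$2 value=$3
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    BEGIN { re = "^[ \t]*#?[ \t]*" k "([ \t]|$)" }
    $0 ~ re { if (!done) { print k "   " v; done = 1 }; next }
    { print }
    END     { if (!done) print k "   " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_keyword FILE KEYWORD
# Print the active (uncommented) value of KEYWORD; the last one wins.
get_keyword() {
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# needs_default_domain HOSTNAME
# True when the name contains no dot, i.e. the host reports only its short
# name (the AIX/Solaris case) and DefaultDomain must be set or the server's
# HostbasedAuthForceClientHostnameDNSMatch check cannot succeed.
needs_default_domain() {
  case $1 in
    *.*) return 1 ;;
    *)   return 0 ;;
  esac
}

# configure_hostbased SSH2_CONFIG DOMAIN [METHODS]
# Steps 2 and 3 of either procedure. METHODS defaults to hostbased alone;
# when listing several, put the least interactive first.
configure_hostbased() {
  cfg=$1 domain=$2 methods=${3:-hostbased}
  set_keyword "$cfg" AllowedAuthentications "$methods"
  set_keyword "$cfg" DefaultDomain "$domain"
}

# configure_host_certificate SSHD2_CONFIG KEYFILE CERTFILE
# Step 3 of the certificate procedure: point the client host's sshd2_config
# at the enrolled private key and host certificate.
configure_host_certificate() {
  set_keyword "$1" HostKeyFile "$2"
  set_keyword "$1" HostCertificateFile "$3"
}

# Demo on constructed sample files, not on /etc/ssh2.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssh2_config" <<'EOF'
## ssh2_config (constructed sample)
#  AllowedAuthentications   publickey,password
DefaultDomain             localdomain
Port                      22
EOF
configure_hostbased "$demo_dir/ssh2_config" example.com hostbased,publickey,password
configure_hostbased "$demo_dir/ssh2_config" example.com hostbased,publickey,password  # no-op
cat "$demo_dir/ssh2_config"
rm -rf "$demo_dir"
```

Running the demo leaves the sample with exactly one active AllowedAuthentications line (the commented-out default is taken over rather than duplicated) and DefaultDomain changed to example.com; a second run changes nothing. To apply this to a real client, call ensure_hostkey /etc/ssh2/hostkey and configure_hostbased /etc/ssh2/ssh2_config with your own domain as root, and for the certificate variant also configure_host_certificate /etc/ssh2/sshd2_config with the enrolled key and certificate paths.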

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.