SSH Tectia  

Server Configuration

SSH Tectia Server can use either X.509 certificates or Entrust certificates for authenticating itself.

X.509 Certificates

To configure SSH Tectia Server to authenticate itself using X.509 certificates, perform the following tasks:

  1. Enroll a certificate for the server. This can be done with the ssh-cmpclient command-line tool. Note that the DNS address parameter (dns) needs to correspond to the fully qualified domain name of the server. Example: Enrollment using ssh-cmpclient:
    $ ssh-cmpclient INITIALIZE \
      -P generate://ssh2@rsa:1024/testserv-rsa \
      -o /etc/ssh2/testserv-rsa \
      -p 62154:ssh \
      -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
      http://pki.ssh.com:8080/pkix/ \
      'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'
    
    If a SOCKS server is required, remember to define it (-S) before the CA URL. For more information on the ssh-cmpclient syntax, see the ssh-cmpclient man page.
  2. Define the private key and the server certificate in the sshd2_config file:
     
    HostKeyFile              <private key>
    HostCertificateFile      <server-certificate>
    
  3. Restart the server as instructed in Section Starting the Server.

Entrust Certificates

SSH Tectia Server also supports the use of Entrust keys and certificates for authentication. Entrust keys are handled as external keys.

The Entrust external key provider described in this section is a component designed by SSH Communications Security Corp.

Entrust Entelligence and the entrust.ini and *.epf files are components designed by Entrust, Inc.

The server is configured to use the Entrust key and certificate with the following sshd2_config parameters:

HostKeyEkProvider        entrust
HostKeyEkInitString      <string>

The initialization string for the Entrust provider has the following components: dll, ini-file, profile-file, password, and login-options.

  • dll

    This defines the name of the shared Entrust FileToolkit object. The defaults are usually adequate, so authentication should work without this setting, but you can override them if needed. For example, on Solaris, this would be:

    dll(/usr/local/lib/sshsecsh/entrust/libEntrust.so,\
        /usr/local/lib/sshsecsh/entrust/libentapi.so)
    
    (On one line, without the '\' character.)

  • login-options

    This defines how the password is queried from the user. If the value is entrust, only the Entrust dialogs are used in querying the password. If the value is native, the password will be queried using the native authentication callback. If the field contains something else (e.g. both), both methods are used.

  • ini-file

    The location of the initialization file. If it is not set, the file is searched for first in $HOME/entrust.ini (the user's home directory) and, if it is not found there, in /etc/entrust.ini. On Windows, the default location is entrust.ini in the Windows directory (X:\WINDOWS or X:\WINNT).

  • profile-file

    The location of the user's profile. If it is not set, the profile is searched for in $HOME/profile.epf on Unix, and in the user's My Documents\Entrust Profile\profile.epf on Windows.

  • password

    This can be used to set the password (for host-key profiles, for example).

An example of an initialization string:

dll(entapi32.dll) password(foobar) ini-file(solo.ini) 
profile-file(solo_user.epf) login-options(entrust)

Environment variables are substituted when the initialization string is parsed.
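
An added example, not part of the SSH Tectia documentation or product code: a Python check that splits a HostKeyEkInitString value into the components listed above and reports settings worth reviewing, such as a profile password kept in the configuration. The `name(value)` grammar without nested parentheses is an assumption drawn from the examples on this page, the function names are hypothetical, and environment-variable substitution is not modelled.

```python
import re

# Component names listed on this page for HostKeyEkInitString.
KNOWN = {"dll", "ini-file", "profile-file", "password", "login-options"}
# Assumed grammar: name(value) pairs separated by whitespace, no nested parentheses.
COMPONENT = re.compile(r"([A-Za-z-]+)\(([^()]*)\)")


def parse_init_string(text):
    """Return {name: value}; raise ValueError on leftovers or duplicates."""
    # Join a value that was wrapped with a trailing backslash, as in the dll example.
    text = re.sub(r"\\\s*\n\s*", "", text)
    parsed = {}
    for name, value in COMPONENT.findall(text):
        if name in parsed:
            raise ValueError(f"duplicate component: {name}")
        parsed[name] = value
    leftover = COMPONENT.sub("", text).strip()
    if leftover:
        raise ValueError(f"unparsed text: {leftover!r}")
    return parsed


def audit_init_string(text):
    """Return a list of findings a reviewer of sshd2_config would want to see."""
    parsed = parse_init_string(text)
    findings = []
    for name in sorted(set(parsed) - KNOWN):
        findings.append(f"unknown component '{name}'")
    if "password" in parsed:
        findings.append("profile password stored in clear text in the configuration")
    mode = parsed.get("login-options")
    if mode == "entrust":
        findings.append("password prompt: Entrust dialogs only")
    elif mode == "native":
        findings.append("password prompt: native authentication callback")
    elif mode is not None:
        findings.append(f"password prompt: both methods (value '{mode}')")
    if "profile-file" not in parsed:
        findings.append("profile-file unset: default profile location is searched")
    return findings


if __name__ == "__main__":
    # The example initialization string from this page.
    sample = ("dll(entapi32.dll) password(foobar) ini-file(solo.ini) "
              "profile-file(solo_user.epf) login-options(entrust)")
    for finding in audit_init_string(sample):
        print(finding)
```

When the password component is present, the file holding the initialization string should be readable only by the account that runs the server.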


Copyright © 2010 SSH Communications Security Corp.