SSH Tectia  

Server Configuration

SSH Tectia Server can accept both X.509 certificates and Entrust certificates for authenticating users.

X.509 Certificates

To configure the server to allow user authentication with certificates, perform the following tasks:

  1. Acquire the CA certificate and copy it to the server machine. You can either copy the X.509 certificate(s) as such or you can copy a PKCS #7 package including the CA certificate(s). Certificates can be extracted from a PKCS #7 package by specifying the -7 flag with ssh-keygen2.
  2. Certificate authentication is a part of the publickey authentication method. Make sure that you have enabled it in the sshd2_config file:
    AllowedAuthentications   publickey
    
  3. Specify the CA certificate and the mapping file(s) in the ssh_certd_config file:
    Pki                      <ca-cert-path>
    MapFile                  <map-file-path>
    
    You can disable the use of CRLs by adding the PkiDisableCRLs keyword below the Pki keyword.
    PkiDisableCRLs           yes
    
    Note: CRL usage should only be disabled for testing purposes. Otherwise it is highly recommended to always use CRLs.
    
    You can define several CA certificates by using several Pki keywords.
    Pki                      <ca-cert-path1>
    MapFile                  <map-file-path1>
    Pki                      <ca-cert-path2>
    MapFile                  <map-file-path1>
    MapFile                  <map-file-path2>
    
    Note that multiple MapFile keywords are permitted per Pki keyword. Also, if no mapping file is defined, all connections are denied even if user certificates can be verified using the defined CA certificate. The server will accept only certificates issued by the defined CA(s).
  4. Also define the LDAP server(s) in the ssh_certd_config file.
    LDAPServers    ldap://server1.domain1:port1
    
  5. If necessary, define also the SOCKS server in the ssh_certd_config file.
    SocksServer    socks://socks_server:port/network/netmask,network/netmask
    
    The SOCKS server must be defined if CA services (OCSP and CRLs) are located behind a firewall.
  6. Next you need to create the certificate user mapping file. The map file specifies which certificates authorize logging into which accounts. The format of the file is the following:
    <account-id> <keyword> <argument>
    
    The keyword can be one of Email, Subject, SerialAndIssuer, EmailRegex, or SubjectRegex. The argument depends on the keyword.
    • Email: The argument is the e-mail address which must be present in the certificate.
    • Subject: The argument is the required subject name in LDAP DN (distinguished name) string format.
    • SerialAndIssuer: The argument is the required serial number and issuer name in LDAP DN string format, separated by spaces or tabs.
    • EmailRegex: The argument is the regular expression which must match an e-mail address in the certificate. If account-id contains the string %subst%, it is substituted with the first parenthesized part of the regular expression. The patterns are matched using the egrep syntax.
    • SubjectRegex: The argument is the regular expression which must match a subject name in the certificate. If account-id contains the string %subst%, it is substituted with the first parenthesized part of the regular expression. The patterns are matched using the egrep syntax.
  7. Restart ssh-certd as instructed in Section Starting and Stopping the Server.

Examples

The following are examples of different map file definitions:

testuser email testuser@ssh.com
testuser subject C=FI,O=SSH,CN=Secure Shell Tester
testuser serialandissuer 1234 C=FI,O=SSH,CN=Secure Shell Tester
%subst% subjectregex C=FI, O=SSH, CN=([a-z]+)
%subst% emailregex ([a-z]+)@ssh\.com

The last line permits logging in with any e-mail address at ssh.com whose local part (the part before the @) consists only of lowercase letters; that local part becomes the account name. For more information on the regular expression syntax, see the sshregex man page.
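As an added illustration (not part of the SSH Tectia documentation or product code), the following Python models how a map file in the format described above is parsed and evaluated against a user certificate, using the example entries from this section. The certificate is a constructed dict, and egrep-style matching is approximated with Python's re.search, which is an assumption about how sshregex behaves rather than a statement about the product.

```python
import re

MAP_FILE = r"""
# constructed sample: the map file entries from this section's Examples
testuser email testuser@ssh.com
testuser subject C=FI,O=SSH,CN=Secure Shell Tester
testuser serialandissuer 1234 C=FI,O=SSH,CN=Secure Shell Tester
%subst% subjectregex C=FI, O=SSH, CN=([a-z]+)
%subst% emailregex ([a-z]+)@ssh\.com
"""
KEYWORDS = ("email", "subject", "serialandissuer", "emailregex", "subjectregex")

def parse_map_file(text):
    # Each entry is '<account-id> <keyword> <argument>'; the argument may contain spaces.
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' comment lines are this model's convention
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1].lower() not in KEYWORDS:
            raise ValueError(f"map file line {lineno}: malformed entry {line!r}")
        entries.append((parts[0], parts[1].lower(), parts[2]))
    return entries

def authorized_accounts(entries, cert):
    # cert: dict with 'subject' and 'issuer' (LDAP DN strings), 'serial', and 'emails'.
    accounts = []
    for account, keyword, arg in entries:
        if keyword == "email":
            m = arg in cert["emails"]
        elif keyword == "subject":
            m = arg == cert["subject"]
        elif keyword == "serialandissuer":
            serial, issuer = arg.split(None, 1)
            m = serial == cert["serial"] and issuer == cert["issuer"]
        elif keyword == "subjectregex":
            m = re.search(arg, cert["subject"])
        else:  # emailregex; egrep-style matching modelled as an unanchored search (assumption)
            m = next((r for r in (re.search(arg, e) for e in cert["emails"]) if r), None)
        if not m:
            continue
        if "%subst%" in account:
            if isinstance(m, bool) or not m.lastindex:
                continue  # %subst% needs a parenthesized group, so deny rather than guess
            account = account.replace("%subst%", m.group(1))
        if account not in accounts:
            accounts.append(account)
    return accounts
```

Because the regex entries are unanchored, this model maps an e-mail such as bob.smith@ssh.com to the account "smith" via the partial match "smith@ssh.com"; anchoring the patterns (for example with ^ and $) avoids such partial matches.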

Entrust Certificates

To configure the server to accept user authentication with Entrust certificates, do the following:

  1. Copy the Entrust CA certificate to /etc/ssh2/.
  2. Make sure that you have enabled public-key authentication in the sshd2_config file:
    AllowedAuthentications   publickey
    
  3. Edit the /etc/ssh2/ssh_certd_config file to include the following lines:
    LDAPServers              ldap://ldap.ssh.com:389
    ...
    Pki                      entrust_ca.der
    Mapfile                  mapfile
    
    Use argument values appropriate to your system.
  4. Edit or create a mapfile. An example from /etc/ssh2/mapfile is shown below:
    joetest subjectregex CN=Joe.Tester
    janetest subjectregex CN=Jane.Tester
    
    Note: You cannot use a space character in the CN field.
  5. Restart ssh-certd as instructed in Section Starting and Stopping the Server.



Copyright © 2010 SSH Communications Security Corp.