When the SSH Tectia Server Configuration tool is run in the advanced GUI mode, the Connections and Encryption, Authentication, and Services pages can contain several sub-pages, each of which defines its own set of access rules. The rule to be used in each case is chosen using selectors.
Selectors define the access rules for users based on user parameters such as username or location. Users can be divided into groups dynamically, for example, based on the authentication method they used for logging in. On the Services page, each group can then be allowed or denied services such as tunneling, file transfer, or terminal access.
Use the Add and Delete buttons below the tree view to add and delete rules. Each rule will have a sub-page with two or more tabs. On the Selectors tab, you can edit the selectors of the rule, and on the other tab(s), you can configure the settings for the rule.
Under Authentication, you can also add child authentication methods using the Add Child button.
Whenever a user attempts to log in to the server, the connections, authentication, and services rules are processed in top-down order. In each case, the first rule that matches the user is used. Use the Up and Down buttons to change the order of the rules. See the section called “Selectors” for more information on selector processing.
The commands for adding, deleting, and moving rules are also available from a shortcut menu (right-click on a rule in the tree view).
The selectors can be edited on the Selectors tab of the Connections and Encryption, Authentication, and Services sub-pages.
The Selectors tab shows a list of all selectors and attributes that apply to the rule (connection, authentication, or service group rule, depending on the page you are on).
The selector elements are numbered. If any of the selectors match, the rule will match and is used.
Each selector element can have one or more attributes. All attributes of the selector must match for the selector to match, except that for attributes of the same type only one of them has to match.
To add a new selector to the rule, click Add Selector. The new selector will automatically contain at least one attribute. To add a new attribute to a selector, choose a selector from the list and click Add Attribute. In both cases, the Add Selector dialog box opens, allowing you to specify the selector type. See Figure 4.14.
Select the selector type and click OK.
The attributes of the selector depend on the type. The different selector types are described below.
The Interface selector matches to the listener interface ID or Address and/or Port. At least one attribute must be given. If the ID is defined, the others MUST NOT be given. If the ID is not defined, either or both of Address and Port may be given.
This selector matches to a Pattern in a specified Field of the user certificate.
The field can be one of ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn.
The format of the pattern depends on the type of the field. The ca-list field contains a list of CA names separated by commas. The names that are defined in the ca-certificate element are used. The issuer-name and subject-name fields contain distinguished names, serial-number a positive integer. The altname-fqdn field contains a hostname and altname-ip an IP address or a range. The altname-email field contains an email address and altname-upn the principal name.
The altname-fqdn, altname-upn, altname-email, subject-name, and issuer-name selectors may contain the %username% keyword, which is replaced with the user's login name before comparing with the actual certificate data. For domain accounts, the %username-without-domain% keyword can be used; it is replaced by the user's login name without the domain part. The %hostname% keyword can be used in the same way and is replaced by the client's FQDN. These patterns may also contain "*" and "?" globbing characters.
Patterns are normally matched case-insensitively. Select the Case-sensitive check box to match the pattern case-sensitively.
Normally if the certificate field to be matched is not available, the selector matching process ends in error. However, if the Allow undefined check box is selected, the undefined field is treated as non-matched and the matching continues to other selectors. See the section called “Selectors and Undefined Data” for more information.
This selector matches to a Pattern in a specified Field of the client host certificate.
The field can be one of ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn.
Patterns are normally matched case-insensitively. Select the Case-sensitive check box to match the pattern case-sensitively.
Normally if the certificate field to be matched is not available, the selector matching process ends in error. However, if the Allow undefined check box is selected, the undefined field is treated as non-matched and the matching continues to other selectors. See the section called “Selectors and Undefined Data” for more information.
The IP selector matches to an IP Address or fully qualified domain name (FQDN) of the client.
The IP address can be in one of the following formats:
a single IP address x.x.x.x
an IP address range of the form x.x.x.x-y.y.y.y
an IP sub-network mask of the form x.x.x.x/y
The fully qualified domain name matches to an FQDN pattern (case-insensitive). The attribute can include a comma-separated list of allowed FQDN patterns. These patterns may also contain "*" and "?" globbing characters. The form of the pattern is not checked.
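The following is an added example that is not part of this guide or of SSH Tectia Server itself: a small Python model of the selector processing described above (rules tried top-down, a rule matches if any selector matches, all attribute types must match but attributes of the same type are alternatives), together with the three IP address formats, the %username% keywords with globbing, and the Allow undefined behaviour for certificate fields. The rule dictionaries, the session fields (user, ip, cert) and the sample policy are constructed for the example and do not reflect the server's actual configuration format.

```python
import fnmatch
import ipaddress

def ip_matches(pattern, addr):
    """IP attribute: a single x.x.x.x, a range x.x.x.x-y.y.y.y or a sub-network x.x.x.x/y."""
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    lo, _, hi = pattern.partition("-")  # a single address is a range with hi == lo
    return ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo)

def cert_matches(pattern, value, session, case_sensitive=False):
    """Certificate field: %username% keywords are substituted, then * and ? globbing applies."""
    pat = (pattern.replace("%username%", session["user"])
           .replace("%username-without-domain%", session["user"].split("\\")[-1]))
    if not case_sensitive:
        pat, value = pat.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pat)

def attribute_matches(attr, session):
    """One attribute; a missing certificate field is an error unless allow_undefined is set."""
    if attr["type"] == "ip":
        return ip_matches(attr["value"], session["ip"])
    field = session.get("cert", {}).get(attr["field"])  # attr["type"] == "certificate"
    if field is not None:
        return cert_matches(attr["value"], field, session, attr.get("case_sensitive", False))
    if attr.get("allow_undefined"):
        return False  # undefined field is treated as non-matched; matching continues
    raise LookupError(f"certificate field {attr['field']} not available")

def selector_matches(selector, session):
    """All attribute types must match; within one type, one matching attribute is enough."""
    types = {a["type"] for a in selector}
    return all(any(attribute_matches(a, session) for a in selector if a["type"] == t) for t in types)

def first_matching_rule(rules, session):
    """Rules are processed top-down; the first rule with any matching selector is used."""
    for rule in rules:
        if any(selector_matches(sel, session) for sel in rule["selectors"]):
            return rule["name"]
    return None

RULES = [  # constructed sample policy, not a real configuration
    {"name": "lan-cert-users", "selectors": [[  # LAN client AND cert issued to the login name
        {"type": "ip", "value": "10.0.0.0/8"},  # same type: either IP attribute may match
        {"type": "ip", "value": "192.168.1.10-192.168.1.20"},
        {"type": "certificate", "field": "subject-name",
         "value": "CN=%username-without-domain%,*", "allow_undefined": True}]]},
    {"name": "any-lan-client", "selectors": [[{"type": "ip", "value": "192.168.1.0/24"}]]},
]
```

A client in the 192.168.1.10-20 range presenting a certificate issued to its login name lands in the first rule; the same client without a certificate falls through to the second rule only because Allow undefined is set, and without it the matching would end in error.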
This selector matches to a user Name. A list of usernames can be given as a comma-separated list.
Names are matched case-insensitively.
Note: We recommend using the object picker dialog in the GUI when defining the selectors, because it returns the correct form of usernames and hostnames. To open the object picker, click the Browse... button in the User Selector dialog.
If the original username is longer than 20 characters, Windows stores the name both in full format and in a short format of at most 20 characters. Similarly, long hostnames are cut to 15 characters.
When SSH Tectia Server is running in a domain environment on Windows, the usernames and hostnames must be used in the short format in the selectors. For example, the username longusername1234567890123 (25 chars) cannot be used as such in the SSH Tectia Server selectors; instead, the username is used in the short form as follows:
domain\longusername12345678
Note that SSH Tectia Server supports only the following username format in selectors:
domain\username
The UPN format username@domain.com is not supported.
To browse for Windows domain usernames directly from an Active Directory server, follow these instructions:
Click Browse. This opens a standard Windows Select Users dialog box that allows you to search for usernames from a directory server.
Click Locations to select the Active Directory server you want to use. Select the server from the list and click OK.
Enter the username or a part of it in the text field. You can enter several names and separate them with semicolons. Click Check Names to check the names from the Active Directory server.
To use advanced search options, click Advanced. This opens an advanced search dialog.
After you have found the username(s), click OK to return to the User Selector dialog box. The selected domain user accounts are now shown in the Name field.
This selector matches to a user group Name. A list of user-group names can be given as a comma-separated list.
Names are matched case-insensitively.
In a Windows domain environment, the user and user-group selectors have a length limitation. For more information, see the description of the User selector above.
To browse for Windows domain user groups directly from an Active Directory server, follow these instructions:
Click Browse. This opens a standard Windows Select Groups dialog box that allows you to search for user group names from a directory server.
Click Locations to select the Active Directory server you want to use. Select the server from the list and click OK.
Enter the group name or a part of it in the text field. You can enter several names and separate them with semicolons. Click Check Names to check the names from the Active Directory server.
To use advanced search options, click Advanced. This opens an advanced search dialog.
After you have found the user group name(s), click OK to return to the User Group Selector dialog box. The selected domain user groups are now shown in the Name field.
This selector matches to a privileged user (administrator) or to a non-privileged user.
Select the Is Administrator check box to match to a privileged user or clear it to match to a normal user.
If this selector is used in an authentication rule and the user is logging in using a domain account and does not yet have an access token allocated, the selector matching process ends in error. However, if the Allow undefined check box is selected, the selector is treated as non-matched and the matching continues to other selectors. See the section called “Selectors and Undefined Data” for more information.
Note: The user-privilege level is not available during the authentication phase when the user is logging in using a domain account and does not yet have an access token allocated. To get the user-privilege status for domain users, the user should first pass password or GSSAPI authentication. If the privilege level needs to be checked for local accounts, the Allow undefined check box should be selected, or else the connection fails for users logging in using domain accounts. However, this means that the user-privilege status will not be verified for Windows domain users. To check the privilege level of domain accounts on a Windows server in the authentication phase, the Administrator selector should be used in a nested authentication rule when password or GSSAPI authentication has already been passed.
This selector matches if authentication is passed using a normal public key (without a certificate).
Optionally, the Length range of the public key can be given, for example 1024-2048.