SSH Tectia

Defining Access Rules Using Selectors (Advanced Mode)

When the SSH Tectia Server Configuration tool is run in the advanced GUI mode, the Connections and Encryption, Authentication, and Services pages can contain several sub-pages, each of which defines its own set of access rules. The rule to be used in each case is chosen using selectors.

Selectors define the access rules for users based on user parameters such as username or location. Users can be divided into groups dynamically, for example, based on the authentication method they used for logging in. On the Services page, each group can then be allowed or denied services such as tunneling, file transfer, or terminal access.

Use the Add and Delete buttons below the tree view to add and delete rules. Each rule will have a sub-page with two or more tabs. On the Selectors tab, you can edit the selectors of the rule, and on the other tab(s), you can configure the settings for the rule.

Under Authentication, you can also add child authentication methods using the Add Child button.

Whenever a user is attempting login to the server, the connections, authentication, and services rules are processed in top-down order. In each case, the first rule that matches the user is used. Use the Up and Down buttons to change the order of the rules. See the section called “Selectors” for more information on selector processing.

The commands for adding, deleting, and moving rules are also available from a shortcut menu (right-click on a rule in the tree view).

Editing Selectors

The selectors can be edited on the Selectors tab of the Connections and Encryption, Authentication, and Services sub-pages.

The Selectors tab shows a list of all selectors and attributes that apply to the rule (connection, authentication, or service group rule, depending on the page you are on).

The selector elements are numbered. If any of the selectors match, the rule will match and is used.

Each selector element can have one or more attributes. All attributes of the selector must match for the selector to match, except that among attributes of the same type only one has to match.

To add a new selector to the rule, click Add Selector. The new selector automatically contains at least one attribute. To add a new attribute to a selector, choose a selector from the list and click Add Attribute. In both cases, the Add Selector dialog box opens, allowing you to specify the selector type. See Figure 4.14.

Figure 4.14. The Add Selector dialog box

Select the selector type and click OK.

The attributes of the selector depend on the type. The different selector types are described below.

Interface

The Interface selector matches the listener interface ID, or its Address and/or Port. At least one attribute must be given. If the ID is defined, the others MUST NOT be given. If the ID is not defined, either or both of Address and Port may be given.

Figure 4.15. The Interface Selector dialog box

Certificate

This selector matches a Pattern in a specified Field of the user certificate.

Figure 4.16. The Certificate Selector dialog box

The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn.

The format of the pattern depends on the type of the field. The ca-list field contains a list of CA names separated by commas; the names defined in the ca-certificate element are used. The issuer-name and subject-name fields contain distinguished names, and serial-number contains a positive integer. The altname-fqdn field contains a hostname and altname-ip an IP address or a range. The altname-email field contains an email address and altname-upn the principal name.

The altname-fqdn, altname-upn, altname-email, subject-name, and issuer-name selectors may contain the %username% keyword which is replaced with the user's login name before comparing with the actual certificate data. For domain accounts, the %username-without-domain% keyword can be used and it is replaced by the user's login name without the domain part. The %hostname% keyword can be used in the same way and it is replaced by the client's FQDN. These patterns may also contain "*" and "?" globbing characters.

Patterns are normally matched case-insensitively. Select the Case-sensitive check box to match the pattern case-sensitively.

Normally if the certificate field to be matched is not available, the selector matching process ends in error. However, if the Allow undefined check box is selected, the undefined field is treated as non-matched and the matching continues to other selectors. See the section called “Selectors and Undefined Data” for more information.

Host certificate

This selector matches a Pattern in a specified Field of the client host certificate.

The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn.

Patterns are normally matched case-insensitively. Select the Case-sensitive check box to match the pattern case-sensitively.

Normally if the certificate field to be matched is not available, the selector matching process ends in error. However, if the Allow undefined check box is selected, the undefined field is treated as non-matched and the matching continues to other selectors. See the section called “Selectors and Undefined Data” for more information.

IP

The IP selector matches the IP Address or fully qualified domain name (FQDN) of the client.

Figure 4.17. The IP Selector dialog box

The IP address can be in one of the following formats:

  • a single IP address x.x.x.x

  • an IP address range of the form x.x.x.x-y.y.y.y

  • an IP sub-network mask of the form x.x.x.x/y

The fully qualified domain name is matched against an FQDN pattern (case-insensitive). The attribute can include a comma-separated list of allowed FQDN patterns. These patterns may also contain "*" and "?" globbing characters. The form of the pattern is not checked.

User

This selector matches a user Name. Several usernames can be given as a comma-separated list.

Figure 4.18. The User Selector dialog box

Names are matched case-insensitively.
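The matching order described at the start of this section (rules top-down, selectors OR'ed, attributes AND'ed except within one type), the Allow undefined behaviour of the Certificate selector, and the IP and User attribute formats just described, modelled as an added Python example that is not SSH Tectia code. The rule data structure, the %username% substitution on the altname-upn field and the sample rule set are assumptions made for this illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

class UndefinedData(Exception):
    pass  # the session lacks the data a selector attribute refers to

def ip_matches(pattern, addr):
    # The manual's three IP forms: x.x.x.x, x.x.x.x-y.y.y.y and x.x.x.x/y.
    a = ipaddress.ip_address(addr)
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p) for p in pattern.split("-", 1))
        return lo <= a <= hi
    return a in ipaddress.ip_network(pattern, strict=False)

def attr_matches(attr, session):
    kind, value = attr["type"], attr["value"]
    if kind == "ip":
        return ip_matches(value, session["ip"])
    if kind == "user":  # comma-separated name list, compared case-insensitively
        return session["user"].lower() in [n.strip().lower() for n in value.split(",")]
    field = session.get("cert", {}).get(attr["field"])  # remaining type: certificate
    if field is None:
        if attr.get("allow_undefined"):
            return False  # undefined field counts as non-matched; matching continues
        raise UndefinedData(attr["field"])  # otherwise the whole process ends in error
    # %username% is substituted before the glob ("*", "?") comparison.
    pat = value.replace("%username%", session["user"])
    return fnmatchcase(field.lower(), pat.lower())
def selector_matches(selector, session):
    # Every attribute must match, except that attributes of the same type are OR'ed.
    types = {a["type"] for a in selector}
    return all(any(attr_matches(a, session) for a in selector if a["type"] == t) for t in types)

def first_matching_rule(rules, session):
    # Rules are processed top-down; a rule matches when any one of its selectors matches.
    try:
        for rule in rules:
            if any(selector_matches(sel, session) for sel in rule["selectors"]):
                return rule["name"]
    except UndefinedData as exc:
        return f"error: {exc} undefined"
    return None
# Constructed sample rules (not product defaults): LAN admins, certificate users, catch-all.
RULES = [
    {"name": "lan-admins", "selectors": [
        [{"type": "ip", "value": "10.0.0.0/24"}, {"type": "user", "value": "alice, bob"}],
        [{"type": "ip", "value": "10.0.1.1-10.0.1.20"}, {"type": "user", "value": "alice"}]]},
    {"name": "cert-users", "selectors": [[{"type": "certificate", "field": "altname-upn",
        "value": "%username%@*", "allow_undefined": True}]]},
    {"name": "default", "selectors": [[{"type": "ip", "value": "0.0.0.0/0"}]]},
]
```

Because the catch-all rule is last, a session that fails the earlier rules still gets a decision; removing Allow undefined from the certificate attribute would instead end matching in error for every client without a certificate.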

Note

We recommend using the object picker dialog in the GUI when defining the selectors, because it returns the correct form of usernames and hostnames. To open the object picker, click the Browse... button in the User Selector dialog.

If the original username is longer than 20 characters, Windows stores the name both in full format and in a short format of at most 20 characters. Similarly, long hostnames are cut to 15 characters.

When SSH Tectia Server is running in a domain environment on Windows, usernames and hostnames must be given in the short format in the selectors. For example, the username longusername1234567890123 (25 characters) cannot be used as such in the SSH Tectia Server selectors; instead, the username is given in the short form as follows:

domain\longusername12345678

Note that SSH Tectia Server supports only the following username format in selectors:

domain\username

The UPN format username@domain.com is not supported.

To browse for Windows domain usernames directly from an Active Directory server, follow these instructions:

  1. Click Browse. This opens a standard Windows Select Users dialog box that allows you to search for usernames from a directory server.

    Figure 4.19. Selecting users from Active Directory

  2. Click Locations to select the Active Directory server you want to use. Select the server from the list and click OK.

  3. Enter the username or a part of it in the text field. You can enter several names and separate them with semicolons. Click Check Names to check the names from the Active Directory server.

    To use advanced search options, click Advanced. This opens an advanced search dialog.

  4. After you have found the username(s), click OK to return to the User Selector dialog box. The selected domain user accounts are now shown in the Name field.

User group

This selector matches a user group Name. Several user-group names can be given as a comma-separated list.

Figure 4.20. The User Group Selector dialog box

Names are matched case-insensitively.

In a Windows domain environment, the user and user-group selectors have a length limitation. For more information, see the description of the User selector above.

To browse for Windows domain user groups directly from an Active Directory server, follow these instructions:

  1. Click Browse. This opens a standard Windows Select Groups dialog box that allows you to search for user group names from a directory server.

  2. Click Locations to select the Active Directory server you want to use. Select the server from the list and click OK.

  3. Enter the group name or a part of it in the text field. You can enter several names and separate them with semicolons. Click Check Names to check the names from the Active Directory server.

    To use advanced search options, click Advanced. This opens an advanced search dialog.

  4. After you have found the user group name(s), click OK to return to the User Group Selector dialog box. The selected domain user groups are now shown in the Name field.

Administrator

This selector matches either a privileged user (administrator) or a non-privileged user.

Figure 4.21. The Administrator Selector dialog box

Select the Is Administrator check box to match a privileged user, or clear it to match a normal user.

If this selector is used in an authentication rule and the user is logging in using a domain account and does not yet have an access token allocated, the selector matching process ends in error. However, if the Allow undefined check box is selected, the selector is treated as non-matched and the matching continues to other selectors. See the section called “Selectors and Undefined Data” for more information.

Note

The user-privilege level is not available during the authentication phase when the user is logging in using a domain account and does not yet have an access token allocated. To get the user-privilege status for domain users, the user should first pass password or GSSAPI authentication.

If the privilege level needs to be checked for local accounts, the Allow undefined check box should be selected, or else the connection fails for users logging in with domain accounts. However, this means that the user-privilege status will not be verified for Windows domain users.

To check the privilege level of domain accounts on a Windows server during the authentication phase, use the Administrator selector in a nested authentication rule that is evaluated only after password or GSSAPI authentication has been passed.

Public key passed

This selector matches if authentication is passed using a normal public key (without a certificate).

Figure 4.22. The Public Key Passed Selector dialog box

Optionally, the Length range of the public key can be given, for example 1024-2048.