Authentication

On the Authentication page you can configure the allowed and required user authentication methods.

Authentication options are specified as chains of authentication rules. An authentication rule can include one or more selectors and different authentication methods. It may also include other authentication rules, forming an authentication chain.

Nesting authentication rules within each other sets the child rules as required (all must be passed for the authentication to be successful). Setting multiple authentication methods in the same authentication rule sets them as optional (one of the methods must be passed for the authentication to be successful).

The selectors define to which users an authentication rule applies to. The order of the rules is important. For rules on the same level, the first matching rule is used and the remaining rules are ignored. If the rule has nested child rules, they are matched next using the same procedure.

If no selectors (or only empty selectors) are specified in an authentication rule, the rule matches to all users. In the simple GUI mode, there is only one authentication rule that is used for all connections.

See Configuring User Authentication Chains for more information on authentication chains.

To add a new authentication rule, click the Add button below the tree view. Each rule will have a sub-page with two tabs. On the Selectors tab, you can edit the selectors of the rule and define whether the authentication is allowed or denied, and on the Parameters tab, you can configure the settings for the rule.

To edit an authentication rule, select an authentication item on the tree view. See Editing Authentication Items for more information.

To change the order of the rules, select an authentication item on the tree view and use the Up and Down buttons.

To add a child authentication rule, select an authentication item on the tree view and click the Add Child button.

To delete an authentication rule, select an authentication item and click Delete.

Editing Authentication Items

Each item under Authentication has two tabs, Selectors and Parameters. The Selectors tab is shown only in the advanced GUI mode.

Selectors (Advanced Mode)

On the Selectors tab, you can configure the selectors that apply to the authentication rule and define whether the result of the rule is allow or deny.

Figure 4.25. SSH Tectia Server Configuration - Authentication page - Selectors tab

Name

Enter a name for the authentication rule.

Selector list view

The selector list view shows the selectors that apply to the rule.

To add a new selector to the rule, click Add Selector. The new selector will contain automatically at least one attribute. The Add Selector dialog box opens allowing you to specify the selector type. See Editing Selectors for more information on the different selector attributes.

To remove a selector, choose the selector from the list view on the Selectors tab and click Delete Selector. This will delete the selector and all its attributes.

To add a new attribute to a selector, choose a selector from the list and click Add Attribute. The Add Selector dialog box opens. See Editing Selectors for more information on the different selector attributes.

To edit a selector attribute, choose the attribute from the list and click Edit Attribute. The relevant selector dialog box opens. See Editing Selectors for more information on the different selector attributes.

To remove a selector attribute, choose the attribute from the list and click Delete Attribute. Note that a selector with no attributes will match everything.

General

Select whether authentication is allowed or denied.

If an authentication chain ends in a deny action, or if the user does not match to any selectors in the authentication rules, the user is not allowed to log in.

In a nested chain of authentication rules, it is possible, for example, to set the parent rule to deny authentication and a child rule with a selector to allow authentication. If the user matches the selector and successfully completes the authentication method(s), login is allowed.

See Configuring User Authentication Chains for more information on authentication chains.

Set Services group

You can optionally select a group name in the Set Services group field. This sets a group for the users that pass the particular authentication chain. The group definition is later used when defining the allowed services for the user.

If the group is set here, it overrides any group selectors on the Services page. See Services.

Parameters

On the Parameters tab, you can configure the allowed authentication methods.

Figure 4.26. SSH Tectia Server Configuration - Authentication page - Parameters tab

Password Authentication

Select the Allow password authentication check box to allow password authentication. See User Authentication with Passwords for more information.

Failure delay / Max tries: Set the delay between failed attempts in seconds (Failure delay) and the maximum number of attempts (Max tries). The default delay is 2 seconds and default maximum is 3 attempts.

Public-Key Authentication

Select the Allow public-key authentication check box to allow public-key authentication. See User Authentication with Public Keys and User Authentication with Certificates for more information.

Try all offered public keys

This option can be used when the authentication rule contains a child rule with certificate selectors.

Select the Try all offered public keys check box when you expect the user to have several certificates of which only some allow logon (that is, match the selectors in the child authentication rule).

If the check box is not selected, SSH Tectia Server will try to match only the first certificate offered by the client. If the check box is selected, SSH Tectia Server will try all offered certificates until a match is found.

Authorization file

Specify a path to the file that lists the user public keys that are authorized for login. The path can contain a pattern string that is expanded by SSH Tectia Server.

The following pattern strings can be used:

%D or %homedir% is the user's home directory
%U or %username% is the user's login name
For Windows domain users, these strings are substituted differently:
- %U is expanded to domain.username
- %username% is expanded to domain\username
%username-without-domain% is the user's login name without the domain part.

The default is %D/.ssh2/authorization.

For more information on the syntax of the authorization file, see the section called “Authorization File Options”.

Authorized-keys directory

Specify a path to the directory that contains the user public keys that are authorized for login. As above, the path can contain a pattern string that is expanded by SSH Tectia Server. The default is %D/.ssh2/authorized_keys.

OpenSSH authorized-keys file

Optionally specify a path to an OpenSSH-style authorized_keys file that contains the user public keys that are authorized for login. As above, the path can contain a pattern string that is expanded by SSH Tectia Server.

	Note
	These settings override the User configuration directory setting on the General page.

GSSAPI

Select the Allow GSSAPI check box to allow GSSAPI authentication. See User Authentication with GSSAPI for more information.

Allow ticket forwarding: Select the check box to allow forwarding the Kerberos ticket over several connections.

Host-Based Authentication

Select the Allow host-based authentication check box to allow host-based authentication. See Host-Based User Authentication for more information.

Require DNS match: Select the check box to require that the hostname given by the client matches the one found in DNS. If the hostname does not match, the authentication fails.

Keyboard-Interactive Authentication

Select the Allow keyboard-interactive authentication check box to allow keyboard-interactive authentication. See User Authentication with Keyboard-Interactive for more information.

Failure delay / Max tries

Set the delay between failed attempts in seconds (Failure delay) and the maximum number of attempts (Max tries). The default delay is 2 seconds and default maximum is 3 attempts.

Submethods

For keyboard-interactive authentication, several submethods can be specified.

To edit the submethods, click the Submethods button. The Keyboard-Interactive Submethods dialog box opens (Figure 4.27).

Keyboard-Interactive Submethods

In the Keyboard-Interactive Submethods dialog box you can configure the allowed submethods. On Windows, the password, RSA SecurID, RADIUS, and generic submethods are available.

Figure 4.27. Keyboard-interactive submethods

Password

Select the Allow password over keyboard-interactive to allow the password submethod. See Password Submethod for more information.

SecurID

Select the Allow SecurID over keyboard-interactive to allow the RSA SecurID submethod. See RSA SecurID Submethod for more information.

DLL Path: Enter the path to the SecurID DLL.

RADIUS

Select the Allow RADIUS over keyboard-interactive to allow the RADIUS submethod. See RADIUS Submethod for more information.

Servers

Click Add to add a new RADIUS server. The RADIUS Submethod dialog box opens.

For each RADIUS server, define a Shared secret file, server IP Address, Port, Timeout, and Client NAS identifier.

To change the order of the RADIUS servers, select a server from the list, and click Up and Down to move it. The servers are tried in the specified order.

To edit a RADIUS server, select the server from the list and click Edit.

To remove a RADIUS server, select the server from the list and click Delete.

Generic

Click Add to add a new generic submethod. The Generic Submethod dialog box opens.

Enter the Name of the method and the initialization Parameters.