Chapter 5 Authentication

Table of Contents

Server Authentication with Public Keys

Generating the Host Key
Notifying the Users of the Host Key Change

Server Authentication with Certificates

Certificate Enrollment Using ssh-cmpclient-g3

Server Authentication using External Host Keys

User Authentication with Passwords

Special Considerations on Windows

User Authentication with Public Keys

Using the Authorization File
Using Keys Generated with OpenSSH
Special Considerations on Windows

User Authentication with Certificates

Certificate Configuration

Host-Based User Authentication

Using Traditional Public Keys
Using Certificates

User Authentication with Keyboard-Interactive

Password Submethod
Pluggable Authentication Module (PAM) Submethod
RSA SecurID Submethod
RADIUS Submethod

User Authentication with GSSAPI

Special Considerations on Microsoft Windows Server 2003

Configuring User Authentication Chains

Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action

The Secure Shell protocol used by the SSH Tectia client/server solution provides mutual authentication – the client authenticates the server and the server authenticates the client. Both parties are assured of the identity of the other party.

The SSH Tectia Server host can authenticate itself using either traditional public-key authentication or certificate authentication.

Different methods can be used to authenticate Secure Shell client users. These authentication methods can be used separately or combined, depending on the level of functionality and security you want.

The server allows GSSAPI, public-key, keyboard-interactive, and password authentication by default.

Figure 5.1. User authentication methods