It is possible to use a certificate instead of a plain public key to authenticate the client host.
The endpoint identity check, in which the server verifies that the certificate actually belongs to the client host that is attempting host-based authentication, is performed according to the following rules:
1. One of the DNS subject alternative names in the client certificate must match the client's fully qualified domain name obtained by doing a reverse lookup on the client's IP address. The alternative names may have an asterisk (*) as the first component, in which case only the domain part is checked.
2. If the client's IP address cannot be reverse-mapped, the IP address is compared to the certificate's IP subject alternative names.
3. If the above checks do not produce a positive result, the certificate's subject name is checked. If it has a CN component that matches the client's reverse-mapped fully qualified domain name or IP address, the certificate is accepted.
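The three rules above, applied in order by a small verifier, as an added example that is not SSH Tectia code. The HostCert record, the constructed PTR table and the reading of a leading asterisk as standing for exactly one host label are assumptions made for illustration; the CA signature check that must also pass is outside this function.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class HostCert:
    """Hypothetical record of the identity fields pulled from a client host
    certificate (constructed for this example; no ASN.1 parsing here)."""
    dns_sans: List[str] = field(default_factory=list)   # DNS subject alternative names
    ip_sans: List[str] = field(default_factory=list)    # IP subject alternative names
    subject_cn: Optional[str] = None                    # CN component of the subject name


def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Host.Example.COM.' equals 'host.example.com'."""
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, fqdn: str) -> bool:
    """Rule 1 comparison. A leading '*' label means only the domain part is checked;
    assumed here to stand for exactly one host label, so '*.example.com' matches
    'client1.example.com' but not 'a.b.example.com'."""
    plabels = _norm(pattern).split(".")
    flabels = _norm(fqdn).split(".")
    if plabels[0] == "*":
        return len(flabels) == len(plabels) and flabels[1:] == plabels[1:]
    return plabels == flabels


def ip_matches(candidates: List[str], client_ip: str) -> bool:
    """Compare IP literals as addresses, not strings ('::1' equals '0:0:0:0:0:0:0:1')."""
    try:
        target = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for cand in candidates:
        try:
            if ipaddress.ip_address(cand) == target:
                return True
        except ValueError:
            continue  # not an IP literal, e.g. a CN holding a host name
    return False


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup; None when the client IP cannot be reverse-mapped."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def endpoint_identity_check(cert: HostCert, client_ip: str,
                            reverse_lookup: Callable[[str], Optional[str]] = system_reverse_lookup) -> str:
    """Apply the rules in order; return the rule that accepted the certificate
    ('dns-san', 'ip-san', 'cn') or 'reject'."""
    fqdn = reverse_lookup(client_ip)
    if fqdn is not None:
        # Rule 1: a DNS SAN must match the reverse-mapped FQDN.
        if any(dns_name_matches(san, fqdn) for san in cert.dns_sans):
            return "dns-san"
    elif ip_matches(cert.ip_sans, client_ip):
        # Rule 2: IP SANs are consulted only when there is no reverse mapping.
        return "ip-san"
    # Rule 3: the subject CN, compared exactly (no wildcard) with the FQDN,
    # or as an address with the client IP.
    cn = cert.subject_cn
    if cn:
        if fqdn is not None and _norm(cn) == _norm(fqdn):
            return "cn"
        if ip_matches([cn], client_ip):
            return "cn"
    return "reject"


# Constructed PTR table standing in for DNS so the example runs offline.
FAKE_PTR = {
    "192.0.2.10": "client1.example.com",
    "192.0.2.12": "a.b.example.com",
    "192.0.2.11": None,  # no reverse mapping
}


def fake_reverse_lookup(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def demo() -> List[str]:
    """Run the rules over constructed certificates; returns the verdicts in order."""
    cases = [
        (HostCert(dns_sans=["client1.example.com"]), "192.0.2.10"),  # dns-san
        (HostCert(dns_sans=["*.example.com"]), "192.0.2.10"),        # dns-san via wildcard
        (HostCert(dns_sans=["*.example.com"]), "192.0.2.12"),        # reject: two host labels
        (HostCert(ip_sans=["192.0.2.11"]), "192.0.2.11"),            # ip-san: no PTR record
        (HostCert(ip_sans=["192.0.2.10"]), "192.0.2.10"),            # reject: PTR exists, no DNS SAN
        (HostCert(dns_sans=["other.example.com"], subject_cn="client1.example.com"), "192.0.2.10"),  # cn
        (HostCert(subject_cn="192.0.2.10"), "192.0.2.10"),           # cn holding the IP
    ]
    return [endpoint_identity_check(c, ip, fake_reverse_lookup) for c, ip in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two consequences of the rule order are worth noticing when a client is rejected: a client whose address does reverse-map is never checked against an IP subject alternative name, so its certificate needs a DNS name (or CN) equal to the PTR result; and because rule 1 starts from the server's reverse lookup, the outcome depends on the DNS the server trusts.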
To enable host-based authentication with certificates on Client, do the following as ClientUser:

1. Add the following element to the ssh-broker-config.xml file:

   <authentication-methods>
     <authentication-method name="hostbased" />
     ...
   </authentication-methods>

   Other authentication methods can also be listed. Place the least interactive method first (this is usually the host-based method).
2. Enroll a certificate for Client. See User Authentication with Certificates for more information. The certificate must contain a dns extension (a DNS subject alternative name) that holds the fully qualified domain name (FQDN) of Client.

   Note that the private key associated with the certificate must be stored with an empty passphrase, so protect the key file with file-system permissions that allow only the intended user to read it.
3. Define the private key and certificate in ssh-server-config.xml on Client:

   <params>
     <hostkey>
       <private file="/etc/ssh2/hostcert" />
       <x509-certificate file="/etc/ssh2/hostcert.crt" />
     </hostkey>
     ...
   </params>

   If SSH Tectia Server is not installed on Client, create the configuration file manually and save it in the /etc/ssh2 directory.
Do the following as the server administrator:

1. Specify the CA certificate in the ssh-server-config.xml file:

   <cert-validation>
     <ca-certificate name="exa-ca1" file="/etc/ssh2/exa-ca1.crt" />
     ...
   </cert-validation>

2. In the ssh-server-config.xml file, under the authentication-methods element, add an auth-hostbased element. For example:

   <authentication-methods>
     <authentication name="hostbased-block">
       <auth-hostbased require-dns-match="no" />
       <authentication action="allow" name="hostbased-cert-allow">
         <selector>
           <host-certificate field="ca-list" pattern="exa-ca1" />
         </selector>
       </authentication>
       <authentication action="deny" />
     </authentication>
   </authentication-methods>

   In addition to being signed by the required CA, the certificate must pass the endpoint identity check, described in detail in Using Certificates.

   On Windows, using the SSH Tectia Server Configuration tool, host-based authentication can be configured on the Authentication page. See Authentication.

3. Run ssh-server-config-tool to take the new configuration into use. See ssh-server-config-tool(8).

   On Windows, click Apply to take the new settings into use.