SSH Tectia

SSH Tectia® Server 6.0

Administrator Manual

SSH Communications Security Corp.

This software is protected by international copyright laws. All rights reserved. ssh® and Tectia® are registered trademarks of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH and Tectia logos are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corp.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the Product Description.

17 June 2010


Table of Contents

1. About This Document
Documentation Conventions
Operating System Names
Directory Paths
Customer Support
Component Terminology
2. Installing SSH Tectia Server
Preparing for Installation
System Requirements
Hardware and Disk Space Requirements
Licensing
Installation Packages
Upgrading Previously Installed SSH Tectia Server Software
Downloading SSH Tectia Releases
Installing the SSH Tectia Server Software
Installing on AIX
Installing on HP-UX
Installing on Linux
Installing on Solaris
Installing on Windows
Installing on VMware ESX
Installing on Linux on IBM System z
Removing the SSH Tectia Server Software
Removing from AIX
Removing from HP-UX
Removing from Linux
Removing from Solaris
Removing from Windows
Removing from VMware ESX
Removing from Linux on IBM System z
Files Related to SSH Tectia Server
File Locations and Permissions on Unix
File Locations on Windows
Registry Keys on Windows
3. Getting Started
Starting and Stopping the Server
Starting and Stopping on Unix
Starting and Stopping on Windows
4. Configuring SSH Tectia Server
Configuration File for SSH Tectia Server
Dividing the Configuration into Several Files
Using Selectors in Configuration File
ssh-server-config.xml
Configuration Tool (Windows)
SSH Tectia Server
General
Proxy Rules
Domain Policy
Identity
Network
Logging
Certificate Validation
Defining Access Rules Using Selectors (Advanced Mode)
Connections and Encryption
Authentication
Services
5. Authentication
Server Authentication
Server Authentication with Public Keys
Server Authentication with Certificates
Server Authentication using External Host Keys
User Authentication
User Name Handling on Windows
User Authentication with Passwords
User Authentication with Public Keys
User Authentication with Certificates
Host-Based User Authentication
User Authentication with Keyboard-Interactive
User Authentication with GSSAPI
Reporting Login Failures
Configuring User Authentication Chains
Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action
6. System Administration
SSH Tectia Client Privileged User
Disabling Root Login (Unix)
Restricting Connections
Chrooting (Unix)
Forced Commands
Auditing
Notification
Customizing Logging
7. File Transfer
SSH Tectia Client File Transfer User
Encryption and Authentication Methods
Restricting Services
Settings on the Client Side
Automated File Transfer Script
8. Tunneling
Transparent TCP Tunneling from Server Perspective
Using a Shared Account
Restricting Services
Local Tunnels
Local Tunneling Rule Examples
Remote Tunnels
Remote Tunneling Rule Examples
X11 Forwarding (Unix)
Agent Forwarding (Unix)
9. Troubleshooting SSH Tectia Server
Starting SSH Tectia Server in Debug Mode
Starting SSH Tectia Server in Debug Mode on Unix
Starting SSH Tectia Server in Debug Mode on Windows
Debugging Secure File Transfer
Solving Problem Situations
CPU Overload on SSH Tectia Server on HP-UX
Audit Problems on Solaris 8 in BSM Mode
Invalid Host Key Permissions on Windows
Authentication Fails for Domain Account on SSH Tectia Server on Windows
Last Login Time is Incorrect on Windows
Virtual Folders are not Available on SSH Tectia Server on Windows
A. Server Configuration File Syntax
B. Command-Line Tools and Man Pages
ssh-server-g3 - Secure Shell server - Generation 3
ssh-server-config-tool - SSH Tectia Server configuration tool
ssh-server-ctl - SSH Tectia Server control utility. Available on Unix only.
ssh-keygen-g3 - authentication key pair generator
ssh-certview-g3 - certificate viewer
ssh-cmpclient-g3 - CMP enrollment client
ssh-scepclient-g3 - SCEP enrollment client
ssh-ekview-g3 - external key viewer
C. Audit Messages
Index