SSH Tectia® Server 6.0

Administrator Manual

SSH Communications Security Corp.

Copyright © 1995–2010 SSH Communications Security Corp.

This software is protected by international copyright laws. All rights reserved. ssh® and Tectia® are registered trademarks of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH and Tectia logos are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corp.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the Product Description.

17 June 2010

Table of Contents

1. About This Document

Documentation Conventions

Operating System Names
Directory Paths

Customer Support

Component Terminology

2. Installing SSH Tectia Server

Preparing for Installation

System Requirements
Hardware and Disk Space Requirements
Licensing
Installation Packages
Upgrading Previously Installed SSH Tectia Server Software
Downloading SSH Tectia Releases

Installing the SSH Tectia Server Software

Installing on AIX
Installing on HP-UX
Installing on Linux
Installing on Solaris
Installing on Windows
Installing on VMware ESX
Installing on Linux on IBM System z

Removing the SSH Tectia Server Software

Removing from AIX
Removing from HP-UX
Removing from Linux
Removing from Solaris
Removing from Windows
Removing from VMware ESX
Removing from Linux on IBM System z

Files Related to SSH Tectia Server

File Locations and Permissions on Unix
File Locations on Windows
Registry Keys on Windows

3. Getting Started

Starting and Stopping the Server

Starting and Stopping on Unix
Starting and Stopping on Windows

4. Configuring SSH Tectia Server

Configuration File for SSH Tectia Server

Dividing the Configuration into Several Files
Using Selectors in Configuration File
ssh-server-config.xml

Configuration Tool (Windows)

SSH Tectia Server
General
Proxy Rules
Domain Policy
Identity
Network
Logging
Certificate Validation
Defining Access Rules Using Selectors (Advanced Mode)
Connections and Encryption
Authentication
Services

5. Authentication

Server Authentication

Server Authentication with Public Keys
Server Authentication with Certificates
Server Authentication using External Host Keys

User Authentication

User Name Handling on Windows
User Authentication with Passwords
User Authentication with Public Keys
User Authentication with Certificates
Host-Based User Authentication
User Authentication with Keyboard-Interactive
User Authentication with GSSAPI
Reporting Login Failures

Configuring User Authentication Chains

Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action

6. System Administration

SSH Tectia Client Privileged User

Disabling Root Login (Unix)
Restricting Connections
Chrooting (Unix)
Forced Commands

Notification
Customizing Logging

7. File Transfer

SSH Tectia Client File Transfer User

Encryption and Authentication Methods
Restricting Services
Settings on the Client Side

Automated File Transfer Script

8. Tunneling

Transparent TCP Tunneling from Server Perspective

Using a Shared Account
Restricting Services

Local Tunnels

Local Tunneling Rule Examples

Remote Tunnels

Remote Tunneling Rule Examples

X11 Forwarding (Unix)

Agent Forwarding (Unix)

9. Troubleshooting SSH Tectia Server

Starting SSH Tectia Server in Debug Mode

Starting SSH Tectia Server in Debug Mode on Unix
Starting SSH Tectia Server in Debug Mode on Windows
Debugging Secure File Transfer

Solving Problem Situations

CPU Overload on SSH Tectia Server on HP-UX
Audit Problems on Solaris 8 in BSM mode
Invalid Host Key Permissions on Windows
Authentication Fails for Domain Account on SSH Tectia Server on Windows
Last Login Time is Incorrect on Windows
Virtual Folders are not Available on SSH Tectia Server on Windows

A. Server Configuration File Syntax

B. Command-Line Tools and Man Pages

ssh-server-g3 - Secure Shell server - Generation 3
ssh-server-config-tool - SSH Tectia Server configuration tool
ssh-server-ctl - SSH Tectia Server control utility. Available on Unix only.
ssh-keygen-g3 - authentication key pair generator
ssh-certview-g3 - certificate viewer
ssh-cmpclient-g3 - CMP enrollment client
ssh-scepclient-g3 - SCEP enrollment client
ssh-ekview-g3 - external key viewer

C. Audit Messages