Public-key authentication is based on the use of digital signatures and provides very good authentication security. To use public-key authentication, the user must first create a key pair on the client, and upload the public key to the server.
The default directory where SSH Tectia Server stores the users' public keys is $HOME/.ssh2/authorized_keys on Unix, and %USERPROFILE%\.ssh2\authorized_keys on Windows. The directory can be changed with the authorized-keys-directory attribute in the ssh-server-config.xml file. See auth-publickey.
The user is required to have read rights (and optionally write rights) to the public-key files and directories, but the locations must not be accessible to other users. These user-specific rights are required for the key.pub file, the authorized_keys directory, and the authorization file, if used.
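The ownership and permission requirement above is easy to get wrong when keys are copied around by hand. The following Python script is an added example (not part of the SSH Tectia documentation or product) that audits the Unix layout described here: the .ssh2 directory, the authorized_keys directory and every file in it, and the authorization file if present. It flags anything that is a symbolic link, not readable by its owner, readable or traversable by group or other users, or owned by a different uid. The directory names are the defaults from this page; the sample layouts in demo() are constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Any of these bits would let the group or other users read, write or
# traverse the path; the key locations must be private to the user.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def check_private_to_owner(path: Path, expected_uid: Optional[int] = None) -> list:
    """Return a list of problems for one path (an empty list means it passes).

    Checks existence, that the path is not a symlink, that the owner can read
    it, that group/other have no access and, optionally, who owns it.
    """
    problems = []
    try:
        st = path.lstat()
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: is a symbolic link")
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_IRUSR:
        problems.append(f"{path}: not readable by owner (mode {mode:04o})")
    if mode & GROUP_OTHER_BITS:
        problems.append(f"{path}: accessible to group/other (mode {mode:04o})")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


def audit_key_locations(home: Path) -> list:
    """Audit the default SSH Tectia key locations under a user's home directory.

    Targets: $HOME/.ssh2, $HOME/.ssh2/authorized_keys and each file in it, and
    $HOME/.ssh2/authorization when that file exists.
    """
    uid = os.getuid()
    ssh2 = home / ".ssh2"
    authorized = ssh2 / "authorized_keys"
    targets = [ssh2, authorized]
    if authorized.is_dir():
        targets.extend(sorted(authorized.iterdir()))
    authorization = ssh2 / "authorization"
    if authorization.exists():
        targets.append(authorization)
    problems = []
    for target in targets:
        problems.extend(check_private_to_owner(target, expected_uid=uid))
    return problems


def demo() -> dict:
    """Build two constructed layouts in a temporary directory and audit both.

    'secure' uses 0700 directories and 0600 files and must pass; 'leaky' leaves
    the directories group-traversable and the files world-readable, so all four
    audited paths must be flagged.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, dir_mode, file_mode in (("secure", 0o700, 0o600), ("leaky", 0o750, 0o644)):
            home = Path(tmp) / name
            keys = home / ".ssh2" / "authorized_keys"
            keys.mkdir(parents=True)
            (keys / "key.pub").write_text("constructed sample public key\n")
            (home / ".ssh2" / "authorization").write_text("Key key.pub\n")
            for directory in (home / ".ssh2", keys):
                directory.chmod(dir_mode)
            for key_file in (keys / "key.pub", home / ".ssh2" / "authorization"):
                key_file.chmod(file_mode)
            results[name] = audit_key_locations(home)
    return results


if __name__ == "__main__":
    for layout, problems in demo().items():
        print(layout, "->", problems or "OK")
```

Run it as the user whose keys are being checked, or pass the user's uid explicitly; the uid check catches the common case where an administrator copies a key.pub into a user's directory and leaves it owned by root. On Windows the equivalent check is the ACL on %USERPROFILE%\.ssh2, which this script does not cover.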
To enable public-key authentication on the server, the authentication-methods element of the ssh-server-config.xml file must contain an auth-publickey element. For example:
<authentication-methods>
  <authentication action="allow">
    <auth-publickey authorized-keys-directory="%D/.ssh2/authorized_keys" />
    ...
  </authentication>
</authentication-methods>
Other authentication methods can also be allowed.
By using selectors, it is possible to allow or require public-key authentication only for a specified group of users. See Using Selectors in Configuration File for more information.
On Windows, using the SSH Tectia Server Configuration tool, public-key authentication can be allowed on the Authentication page. See Authentication.
SSH Tectia Server 4.x (and earlier) required an authorization file that listed the user public keys that are authorized for login. Using the authorization file with SSH Tectia Server 5.0 and later is optional. If the file does not exist, SSH Tectia Server looks for authorized public keys in the authorized-keys-directory (as described in User Authentication with Public Keys above), and if that fails, in the default directory for user public keys.
The default location for the authorization file is $HOME/.ssh2/authorization on Unix, and %USERPROFILE%\.ssh2\authorization on Windows. The file location can be changed with the authorization-file attribute in the ssh-server-config.xml file. See auth-publickey.
The authorization file contains a list of public-key file names, each preceded by the keyword Key. If there is more than one Key entry, all of them are authorized for login. For more information on the syntax of the authorization file, see $HOME/.ssh2/authorization (user-specific) under the section called “Files”.
SSH Tectia Client on Windows can upload the public keys and edit the authorization file automatically.
SSH Tectia Server also supports user public keys generated with OpenSSH. The OpenSSH keys can be configured the same way as described above for keys generated with SSH Tectia Client.
Alternatively, the OpenSSH-style authorized keys file can be specified in the ssh-server-config.xml file by using the openssh-authorized-keys-file attribute. See auth-publickey. An example configuration is shown below:
<authentication-methods>
  <authentication action="allow">
    <auth-publickey authorization-file="%D/.ssh2/authorization"
                    openssh-authorized-keys-file="%D/.ssh/authorized_keys" />
    ...
  </authentication>
</authentication-methods>
SSH Tectia Server checks the file defined in openssh-authorized-keys-file if it cannot find a matching key in the SSH Tectia authorization-file or the authorized-keys-directory. Public keys defined in the SSH Tectia locations have precedence over the keys in the OpenSSH file if the same key is defined in both.
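When three sources can grant access, an administrator auditing an account wants to know which one actually authorized a given key. The following Python script is an added example, not SSH Tectia code, that models the lookup order described in the two sections above: it parses the Key lines of an authorization file, falls back to the authorized_keys directory only when that file is absent, and consults the OpenSSH-style file last so that the Tectia locations take precedence. Assumptions made here and not stated on the page: file names in the authorization file are resolved relative to the .ssh2 directory, lines starting with '#' are treated as comments, every regular file in authorized_keys/ counts as a key, and keys are compared as whitespace-normalised text (a real server compares the decoded key material, so keys stored in different file formats would need conversion first). The sample layout in demo() is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def parse_authorization_file(text: str) -> List[str]:
    """Return the public-key file names listed as 'Key <filename>' lines.

    Blank lines and '#' comment lines are skipped (an assumption of this
    example); lines with any other keyword are ignored.
    """
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "Key":
            names.append(parts[1].strip())
    return names


def normalize_key(text: str) -> str:
    """Collapse whitespace so the same key text compares equal across files."""
    return " ".join(text.split())


def collect_authorized_keys(ssh2_dir: Path, openssh_file: Optional[Path]) -> List[Tuple[str, str]]:
    """List (source, key) pairs in the precedence order the page describes.

    1. If the authorization file exists, only the files it names are used.
    2. Otherwise every regular file in authorized_keys/ is used.
    3. The OpenSSH-style file, if configured, comes last, so a key present in
       both places is attributed to the Tectia location.
    """
    entries: List[Tuple[str, str]] = []
    authorization = ssh2_dir / "authorization"
    if authorization.is_file():
        for name in parse_authorization_file(authorization.read_text()):
            key_file = ssh2_dir / name  # assumption: relative to .ssh2
            if key_file.is_file():
                entries.append((f"authorization:{name}", normalize_key(key_file.read_text())))
    else:
        keys_dir = ssh2_dir / "authorized_keys"
        if keys_dir.is_dir():
            for key_file in sorted(p for p in keys_dir.iterdir() if p.is_file()):
                entries.append((f"authorized_keys/{key_file.name}", normalize_key(key_file.read_text())))
    if openssh_file is not None and openssh_file.is_file():
        for raw in openssh_file.read_text().splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):
                entries.append((f"openssh:{openssh_file.name}", normalize_key(line)))
    return entries


def find_key_source(candidate: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """Return the source of the first entry matching the candidate, or None."""
    wanted = normalize_key(candidate)
    for source, key in entries:
        if key == wanted:
            return source
    return None


def demo() -> dict:
    """Constructed layout: one key listed in the authorization file and also in
    the OpenSSH file, one key only in the OpenSSH file, and one unknown key."""
    shared = "ssh-rsa AAAAB3constructedSharedKey== shared@example"
    openssh_only = "ssh-ed25519 AAAAC3constructedOpenSSHOnly unix@example"
    unknown = "ssh-ed25519 AAAAC3constructedUnknown stranger@example"
    with tempfile.TemporaryDirectory() as tmp:
        ssh2 = Path(tmp) / ".ssh2"
        ssh2.mkdir()
        (ssh2 / "key.pub").write_text(shared + "\n")
        (ssh2 / "authorization").write_text("# constructed sample\nKey key.pub\n")
        openssh = Path(tmp) / ".ssh" / "authorized_keys"
        openssh.parent.mkdir()
        openssh.write_text(f"{shared}\n{openssh_only}\n")
        entries = collect_authorized_keys(ssh2, openssh)
        return {
            "shared": find_key_source(shared, entries),
            "openssh_only": find_key_source(openssh_only, entries),
            "unknown": find_key_source(unknown, entries),
        }


if __name__ == "__main__":
    for key_name, source in demo().items():
        print(f"{key_name}: {source}")
```

The useful output for an audit is the source label rather than a yes/no: a key that is only reachable through the OpenSSH file, for example, is one that will silently stop working if openssh-authorized-keys-file is later removed from the configuration, and a key that appears in both places is attributed to the Tectia location, matching the precedence rule above.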
On SSH Tectia Server for Windows, the recommended location for public keys is the %USERPROFILE%\.ssh2 directory. This location reflects the standard Unix usage and works with the default settings of SSH Tectia Client automatic key upload, and the user's profile directory always has the appropriate access permissions (set by the operating system during account creation).
The user configuration directory can be changed on the General page of the SSH Tectia Server Configuration tool. See General.
If users need to manage their public keys themselves, the administrator should inform the users about the location of the user configuration directory. Otherwise, the administrator has to place the user's public keys in the proper directory.
Note: SSH Tectia Client uses SFTP for the automatic uploading of the public key. It will not succeed if the user configuration directory has been set to a location that is not under the user's SFTP home directory. By default, both directories are under
If you want to enable automatic public-key upload for the users, change both the user configuration directory and the SFTP user home directory to point to the same directory. See SFTP.
For example, set D:\SFTP\%username% as the SFTP user home directory and D:\SFTP\%username%\.ssh2 as the user configuration directory.
See also the general considerations on user name handling in User Logon Rights on Windows.