
Defining Access Rules Using Selectors (Advanced Mode)

When the Tectia Server Configuration tool is run in the advanced GUI mode, the Connections and Encryption, Authentication, and Services pages can contain several sub-pages, each of which defines its own set of access rules. The rule to be used in each case is chosen using selectors.

Selectors define the access rules for users based on user parameters such as user name or location. Users can be divided into groups dynamically, for example based on the authentication method they used to log in. On the Services page, each group can then be allowed or denied services such as tunneling, file transfer, or terminal access.

Use the Add and Delete buttons below the tree view to add and delete rules. Each rule will have a sub-page with two or more tabs. On the Selectors tab, you can edit the selectors of the rule, and on the other tab(s), you can configure the settings for the rule.

Under Authentication, you can also add child authentication methods using the Add Child button.

Whenever a user attempts to log in to the server, the connection, authentication, and service rules are processed in top-down order. In each case, the first rule that matches the user is used, so the order of the rules matters. Use the Up and Down buttons to change the order of the rules. See Using Selectors in Configuration File for more information on selector processing.

The commands for adding, deleting, and moving rules are also available from a shortcut menu (right-click on a rule in the tree view).

Editing Selectors

The selectors can be edited on the Selectors tab of the Connections and Encryption, Authentication, and Services sub-pages.

The Selectors tab shows a list of all selectors and attributes that apply to the rule (connection, authentication, or service group rule, depending on the page you are on).

The selector elements are numbered. If any of the selectors match, the rule will match and is used.

Each selector element can have one or more attributes. All attributes of a selector must match for the selector to match, with one exception: when a selector contains several attributes of the same type, only one of them has to match. In other words, attributes of different types are combined with AND, and attributes of the same type with OR.
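The matching logic described above (rules tried top-down with the first match winning, any one selector sufficient for a rule, all attribute types required within a selector but same-type attributes interchangeable) is easy to get wrong when reading a long rule list. The following is an added example, not Tectia code, that models that logic in Python together with the Allow undefined behaviour described later for the Administrator selector. The attribute types, the context keys (what the server knows about a login attempt) and the rule set are constructed for the example; real selector types such as IP ranges or certificate fields are simplified or left out.

```python
"""Toy evaluator for Tectia-style selector rules (added example, not Tectia code).

Rules are tried top-down and the first match wins; a rule matches if any one
of its selectors matches; a selector matches only if every attribute type in
it matches, while attributes of the same type are alternatives.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


class UndefinedData(Exception):
    """A selector attribute refers to data the server does not have for this
    login (e.g. the privilege level of a domain account before an access token
    exists) and Allow undefined is not set: matching ends in error."""


@dataclass
class Attribute:
    kind: str                    # "user", "ip", "user-privileged", "publickey-passed" (constructed names)
    value: Any
    allow_undefined: bool = False


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    selectors: List[List[Attribute]]   # each inner list is one numbered selector element


def attribute_matches(attr: Attribute, ctx: Dict[str, Any]) -> bool:
    actual = ctx.get(attr.kind)
    if attr.kind == "publickey-passed":
        # No public key passed means "does not match", not "undefined".
        if actual is None:
            return False
        low, high = attr.value               # key length range, e.g. (2048, 4096)
        return low <= actual <= high
    if actual is None:
        if attr.allow_undefined:
            return False                     # treated as non-matched; matching continues
        raise UndefinedData(f"{attr.kind} is not available for this login")
    if attr.kind == "user":
        return actual.lower() == attr.value.lower()   # user names match case-insensitively
    if attr.kind == "ip":
        return actual == attr.value          # single address only in this model
    if attr.kind == "user-privileged":
        return bool(actual) == bool(attr.value)
    raise ValueError(f"unknown attribute type {attr.kind!r}")


def selector_matches(selector: List[Attribute], ctx: Dict[str, Any]) -> bool:
    """AND across attribute types, OR within a type."""
    by_kind: Dict[str, List[Attribute]] = {}
    for attr in selector:
        by_kind.setdefault(attr.kind, []).append(attr)
    return all(any(attribute_matches(a, ctx) for a in group) for group in by_kind.values())


def first_matching_rule(rules: List[Rule], ctx: Dict[str, Any]) -> Optional[Rule]:
    for rule in rules:
        # Assumption of this model: a rule without selectors matches every login.
        if not rule.selectors or any(selector_matches(s, ctx) for s in rule.selectors):
            return rule
    return None


def decide(rules: List[Rule], ctx: Dict[str, Any]) -> Tuple[str, Optional[str]]:
    """Return (outcome, rule name); outcome is 'allow', 'deny' or 'error'."""
    try:
        rule = first_matching_rule(rules, ctx)
    except UndefinedData as exc:
        return ("error", str(exc))
    if rule is None:
        return ("deny", None)
    return (rule.action, rule.name)


def build_rules(allow_undefined_privilege: bool) -> List[Rule]:
    """Constructed rule set; the flag mirrors the Allow undefined check box
    on the Administrator selector of the third rule."""
    return [
        # (bob OR eve) AND connecting from 192.0.2.10
        Rule("deny-bob-eve-from-jumphost", "deny", [[
            Attribute("user", "bob"), Attribute("user", "eve"), Attribute("ip", "192.0.2.10"),
        ]]),
        Rule("allow-strong-publickey", "allow", [[Attribute("publickey-passed", (2048, 4096))]]),
        Rule("allow-administrators", "allow", [[
            Attribute("user-privileged", True, allow_undefined=allow_undefined_privilege),
        ]]),
        Rule("default-deny", "deny", []),
    ]


# Constructed login contexts (what the server knows about each attempt).
CTX_BOB = {"user": "Bob", "ip": "192.0.2.10", "publickey-passed": 3072, "user-privileged": True}
CTX_ALICE = {"user": "alice", "ip": "192.0.2.10", "publickey-passed": 3072, "user-privileged": False}
# Domain account, password authentication, no access token yet: privilege level undefined.
CTX_EVE_DOMAIN = {"user": "CORP\\eve", "ip": "203.0.113.9", "user-privileged": None}

if __name__ == "__main__":
    for name, ctx in [("bob", CTX_BOB), ("alice", CTX_ALICE), ("eve", CTX_EVE_DOMAIN)]:
        print(name, decide(build_rules(False), ctx), decide(build_rules(True), ctx))
```

Note that Bob is denied although the second rule would allow his 3072-bit key: the deny rule comes first and the first match wins. Eve's domain login ends in an error unless Allow undefined is set on the privilege attribute, in which case that selector is simply skipped and she falls through to the default rule.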

To add a new selector to the rule, click Add Selector. The new selector automatically contains at least one attribute. To add a new attribute to an existing selector, choose the selector from the list and click Add Attribute. In both cases, the Add Selector dialog box opens, allowing you to specify the selector type. See Figure 4.16.


Figure 4.16. The Add Selector dialog box

Select the selector type and click OK.

The attributes of the selector depend on the type. The different selector types are described below.

Interface

The Interface selector is matched to the listener interface ID or Address and/or Port. At least one attribute must be given. If the ID is defined, the others MUST NOT be given. If the ID is not defined, either or both of Address and Port may be given.


Figure 4.17. The Interface Selector dialog box

Certificate

This selector matches a Pattern in a specified Field of the user certificate. Using this selector requires that the parent rule in the authentication chain enables public-key authentication.


Figure 4.18. The Certificate Selector dialog box

The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn.

The format of the pattern depends on the type of the field. The ca-list field contains a list of CA names separated by commas; the names are those defined in the ca-certificate element in ssh-server-config.xml. The issuer-name and subject-name fields contain distinguished names, and serial-number contains a positive integer. The altname-fqdn field contains a host name and altname-ip an IP address or a range. The altname-email field contains an email address and altname-upn the principal name.

The altname-fqdn, altname-upn, altname-email, subject-name, and issuer-name selectors may contain the %username% keyword which is replaced with the user's login name before comparing with the actual certificate data. For domain accounts, the %username-without-domain% keyword can be used and it is replaced by the user's login name without the domain part. The %hostname% keyword can be used in the same way and it is replaced by the client's FQDN. These patterns may also contain "*" and "?" globbing characters.

Patterns are normally matched case-insensitively. Select the Case-sensitive check box to match the pattern case-sensitively.

For the issuer-name and subject-name selectors, you can also define whether the pattern has to match the name completely or only partly. Select the ignore-prefix check box to match only the end of the name, or the ignore-suffix check box to match only the beginning of the name. By default, both ignore options are unselected.

You can also select both ignore options simultaneously, in which case the pattern has to match at some point within the name. For example, when both ignore settings are selected, the pattern O=SSH,OU=*,CN=example matches:

C=FI, O=SSH, OU=RandD, CN=example, CN=UID12345

Normally if the certificate field to be matched is not available, the selector matching process ends in error. However, if the Allow undefined check box is selected, the undefined field is treated as non-matched and the matching continues to other selectors. For more information, see Selectors and Undefined Data.

[Caution]Caution

When creating certificate selectors, make sure that every selector element ties the user name to the certificate, either by including a User selector attribute or by using the substitution string %username% or %username-without-domain% in a field pattern that is matched against the corresponding field of the certificate.

Failing to do this may have unintended consequences, for example a single certificate authenticating successfully as many different user names.
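The example above and the caution about binding the user name are worth seeing in code. The following is an added example, not Tectia code, that implements the pattern options of the Certificate selector (ignore-prefix, ignore-suffix, Case-sensitive, the "*" and "?" globbing characters and the %username%, %username-without-domain% and %hostname% keywords) and then shows why an unbound pattern lets any login name use the same certificate. One assumption is made that the page does not state: the distinguished name is compared one comma-separated component at a time, so with both ignore options set the pattern has to match a contiguous run of components. The subject name is the one from the example above.

```python
"""Certificate selector pattern matching (added example, not Tectia code)."""
import re
from typing import List, Optional


def split_dn(dn: str) -> List[str]:
    """Split a distinguished name into its comma-separated components."""
    return [c.strip() for c in dn.split(",") if c.strip()]


def _glob_to_regex(component: str) -> str:
    # Only "*" and "?" are special; every other character is literal.
    out = []
    for ch in component:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "".join(out)


def expand_keywords(pattern: str, username: str, client_fqdn: Optional[str] = None) -> str:
    """Substitute the keywords the page lists before comparing with the certificate."""
    without_domain = username.split("\\", 1)[-1]          # "CORP\\alice" -> "alice"
    out = (pattern.replace("%username-without-domain%", without_domain)
                  .replace("%username%", username))
    if client_fqdn is not None:
        out = out.replace("%hostname%", client_fqdn)      # client's FQDN
    return out


def dn_matches(pattern: str, dn: str, *, ignore_prefix: bool = False,
               ignore_suffix: bool = False, case_sensitive: bool = False) -> bool:
    pat, comps = split_dn(pattern), split_dn(dn)
    n, m = len(pat), len(comps)
    if n > m:
        return False
    flags = 0 if case_sensitive else re.IGNORECASE       # case-insensitive by default
    if ignore_prefix and ignore_suffix:
        starts = range(m - n + 1)          # anywhere within the name
    elif ignore_prefix:
        starts = [m - n]                   # only the end of the name has to match
    elif ignore_suffix:
        starts = [0]                       # only the beginning has to match
    else:
        starts = [0] if n == m else []     # the whole name has to match
    return any(
        all(re.fullmatch(_glob_to_regex(p), c, flags) for p, c in zip(pat, comps[s:s + n]))
        for s in starts
    )


def certificate_selector_matches(pattern: str, subject_name: str, username: str, **opts) -> bool:
    """Expand the keywords for this login, then match against the certificate field."""
    return dn_matches(expand_keywords(pattern, username), subject_name, **opts)


# Constructed certificate subject name (the one used in the example above).
SUBJECT = "C=FI, O=SSH, OU=RandD, CN=example, CN=UID12345"
BOTH = dict(ignore_prefix=True, ignore_suffix=True)

if __name__ == "__main__":
    print(dn_matches("O=SSH,OU=*,CN=example", SUBJECT, **BOTH))                                   # True
    # Unbound pattern: the same certificate matches whatever login name is requested.
    print(certificate_selector_matches("O=SSH,OU=*,CN=example", SUBJECT, "mallory", **BOTH))     # True
    # Bound pattern: only the login name that appears in the CN matches.
    print(certificate_selector_matches("CN=%username%", SUBJECT, "mallory", **BOTH))             # False
    print(certificate_selector_matches("CN=%username%", SUBJECT, "example", **BOTH))             # True
```

The last three lines are the caution in practice: with the unbound pattern, "mallory" authenticates with a certificate issued to "example"; adding %username% (or a User attribute to the same selector element) closes that gap.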

Host certificate

This selector matches a Pattern in a specified Field of the client host certificate. Using this selector requires that the parent rule in the authentication chain enables host-based authentication.

The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn.

Patterns are normally matched case-insensitively. Select the Case-sensitive check box to match the pattern case-sensitively.

For the subject-name selector, you can also define if the pattern has to match the subject name completely or only partly. Select the ignore-prefix check box to match only the end of the subject name. Select the ignore-suffix check box to match only the beginning of the subject name. You can also select both of the ignore options simultaneously in which case the pattern has to match with some point in the subject name. By default, the ignore options are unselected.

Normally if the certificate field to be matched is not available, the selector matching process ends in error. However, if the Allow undefined check box is selected, the undefined field is treated as non-matched and the matching continues to other selectors. See Selectors and Undefined Data for more information.

IP

The IP selector matches an IP Address or fully qualified domain name (FQDN) of the client.


Figure 4.19. The IP Selector dialog box

The IP address can be in one of the following formats:

  • a single IP address x.x.x.x

  • an IP address range of the form x.x.x.x-y.y.y.y

  • an IP sub-network mask of the form x.x.x.x/y

The fully qualified domain name is matched to an FQDN pattern (case-insensitive). The attribute can include a comma-separated list of allowed FQDN patterns. These patterns may also contain "*" and "?" globbing characters. The form of the pattern is not checked.

After entering the IP address, you can click the Validate button to check whether the format of the address is valid. The validate feature is available only for single IP addresses and IP address ranges.
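The three address forms, the comma-separated FQDN pattern list and the Validate check are straightforward to implement with the standard library, and doing so shows the edge cases (a reversed range, a host name that only partly matches a glob). The following is an added example, not Tectia code; the sample addresses and host names are constructed, and whether the server accepts host bits in the x.x.x.x/y form is not stated on the page and is an assumption here.

```python
"""IP selector matching (added example, not Tectia code).

Implements the three address forms the page lists, the comma-separated FQDN
pattern list with "*" and "?" globbing, and a format check in the spirit of
the Validate button, which covers only single addresses and ranges.
"""
import fnmatch
import ipaddress
from typing import Optional


def ip_address_matches(spec: str, client_ip: str) -> bool:
    """True if client_ip falls within spec (x.x.x.x, x.x.x.x-y.y.y.y or x.x.x.x/y)."""
    spec = spec.strip()
    addr = ipaddress.ip_address(client_ip)
    if "/" in spec:
        # Assumption: host bits in the network part (e.g. 192.0.2.10/24) are tolerated.
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr == ipaddress.ip_address(spec)


def fqdn_matches(patterns: str, client_fqdn: str) -> bool:
    """Comma-separated FQDN patterns, matched case-insensitively with * and ? globbing."""
    name = client_fqdn.lower()
    return any(fnmatch.fnmatchcase(name, p.strip().lower())
               for p in patterns.split(",") if p.strip())


def validate_address(spec: str) -> Optional[bool]:
    """Mimic the Validate button: True/False for a single address or a range,
    None for a sub-network spec, which the button does not check."""
    spec = spec.strip()
    if "/" in spec:
        return None
    try:
        if "-" in spec:
            low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            return low <= high                 # a reversed range is not valid
        ipaddress.ip_address(spec)
        return True
    except (ValueError, TypeError):            # malformed address, or mixed IPv4/IPv6 range
        return False


if __name__ == "__main__":
    print(ip_address_matches("192.0.2.10-192.0.2.20", "192.0.2.15"))          # True
    print(ip_address_matches("10.0.0.0/8", "11.0.0.1"))                       # False
    print(fqdn_matches("*.example.com, build-??.corp.example.net", "HOST1.Example.COM"))  # True
    print(validate_address("192.0.2.20-192.0.2.10"))                          # False
```

Note that "*.example.com" does not match the bare name "example.com": the pattern requires a dot before the domain. As the page says, the form of an FQDN pattern is not checked, so a typo in the pattern silently matches nothing.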

User

This selector matches a user Name. A list of user names can be given as a comma-separated list.


Figure 4.20. The User Selector dialog box

Names are matched case-insensitively.

[Note]Note

We recommend using the object picker dialog in the GUI when defining the selectors, because it returns the correct form of user names and host names. To open the object picker, click the Browse button in the User Selector dialog.

If the original user name is longer than 20 characters, Windows stores it both in full format and in a short format truncated to 20 characters. Similarly, long host names are truncated to 15 characters.

When Tectia Server is running in a domain environment on Windows, user names and host names must be given in the short format in the selectors. For example, the user name longusername1234567890123 (25 characters) cannot be used as such in Tectia Server selectors; instead, it is used in the short form:

domain\longusername12345678

Note that Tectia Server supports only the following user name format in selectors:

domain\username

The UPN format username@domain.com is not supported.

To browse for Windows domain user names directly from an Active Directory server, follow these instructions:

  1. Click Browse. This opens a standard Windows Select Users dialog box that allows you to search for user names from a directory server.


    Figure 4.21. Selecting users from Active Directory

  2. Click Locations to select the Active Directory server you want to use. Select the server from the list and click OK.

  3. Enter the user name or a part of it in the text field. You can enter several names and separate them with semicolons. Click Check Names to check the names from the Active Directory server.

    To use advanced search options, click Advanced. This opens an advanced search dialog.

  4. After you have found the user name(s), click OK to return to the User Selector dialog box. The selected domain user accounts are now shown in the Name field.

User group

This selector matches a user group Name. A list of user-group names can be given as a comma-separated list.


Figure 4.22. The User Group Selector dialog box

Names are matched case-insensitively.

In a Windows domain environment, the user and user-group selectors have a length limitation. For more information, see the description of the User selector above.

To browse for Windows domain user groups directly from an Active Directory server, follow these instructions:

  1. Click Browse. This opens a standard Windows Select Groups dialog box that allows you to search for user group names from a directory server.

  2. Click Locations to select the Active Directory server you want to use. Select the server from the list and click OK.

  3. Enter the group name or a part of it in the text field. You can enter several names and separate them with semicolons. Click Check Names to check the names from the Active Directory server.

    To use advanced search options, click Advanced. This opens an advanced search dialog.

  4. After you have found the user group name(s), click OK to return to the User Group Selector dialog box. The selected domain user groups are now shown in the Name field.

Administrator

This selector matches a privileged user (administrator) or a non-privileged user.


Figure 4.23. The Administrator Selector dialog box

Select the Is Administrator check box to match privileged users, or clear the check box to match normal (non-privileged) users.

If this selector is used in an authentication rule and the user is logging in using a domain account and does not yet have an access token allocated, the selector matching process ends in error. However, if the Allow undefined check box is selected, the selector is treated as non-matched and the matching continues to other selectors. For more information, see Selectors and Undefined Data.

[Note]Note

The user-privilege level is not available during the authentication phase when the user is logging in using a domain account and does not yet have an access token allocated. To get the user-privilege status for domain users, the user should first pass password or GSSAPI authentication.

If the privilege level needs to be checked for local accounts, the Allow undefined check box should be selected, or else the connection fails for users logging in with domain accounts. However, this means that the privilege status is not verified for Windows domain users.

To check the privilege level of domain accounts on a Windows server in the authentication phase, the Administrator selector should be used in a nested authentication rule when password or GSSAPI authentication has already been passed.

Public key passed

This selector matches if authentication is passed using a normal public key (without a certificate).


Figure 4.24. The Public Key Passed Selector dialog box

Optionally, the Length range of the public key can be given, for example 1024-2048.