SSH

Tectia® Server 6.4

Administrator Manual

SSH Communications Security Corporation

This software and documentation are protected by international copyright laws and treaties. All rights reserved.

ssh® and Tectia® are registered trademarks of SSH Communications Security Corporation in the United States and in certain other jurisdictions.

SSH and Tectia logos and names of products and services are trademarks of SSH Communications Security Corporation. Logos and names of products may be registered in certain jurisdictions.

All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corporation.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY, RELIABILITY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the User Manual.

26 August 2021


Table of Contents

1. About This Document
Documentation Conventions
Operating System Names
Directory Paths
Customer Support
Component Terminology
2. Installing Tectia Server
Preparing for Installation
System Requirements
Hardware and Disk Space Requirements
Licensing
Installation Packages
Upgrading Previously Installed Tectia Server Software
Downloading Tectia Releases
Installing the Tectia Server Software
Installing on AIX
Installing on HP-UX
Installing on Linux
Installing on Solaris
Installing on Windows
Removing the Tectia Server Software
Removing from AIX
Removing from HP-UX
Removing from Linux
Removing from Solaris
Removing from Windows
Files Related to Tectia Server
File Locations and Permissions on Unix
File Locations on Windows
Registry Keys on Windows
3. Getting Started
Starting and Stopping the Server
Starting and Stopping on AIX
Starting and Stopping on Other Unix Platforms
Starting and Stopping on Windows
4. Configuring Tectia Server
Tectia Server Configuration Tool
Tectia Server
General
Proxy Rules
Domain Policy
Password Cache
Identity
Network
Logging
Certificate Validation
Defining Access Rules Using Selectors (Advanced Mode)
Connections and Encryption
Authentication
Services
Configuration File for Tectia Server
Dividing the Configuration into Several Files
Using Selectors in Configuration File
ssh-server-config.xml
5. Authentication
Supported User Authentication Methods
Compatibility with OpenSSH Keys
Server Authentication with Public Keys
Generating the Host Key
Notifying the Users of Host Key Changes
Key Rotation
Server Authentication with Certificates
Certificate Enrollment Using ssh-cmpclient-g3
Server Authentication Using External Host Keys
User Authentication with Passwords
Expired Passwords
Empty/Blank Passwords
User Logon Rights on Windows
User Authentication with Public Keys
Using the Authorization File
Using Keys Generated with OpenSSH
Special Considerations on Windows
Authorized Keys on a Windows Network Drive
User Authentication with Certificates
Configuring Certificates
Configuring User Authentication with Certificates on Windows
Host-Based User Authentication
Using Conventional Public Keys
Using Certificates
User Authentication with Keyboard-Interactive
Password Submethod
Pluggable Authentication Module (PAM) Submethod
RSA SecurID Submethod
RADIUS Submethod
LAM Submethod on AIX
User Authentication with GSSAPI
Supplementing Authentication with an External Application
Example with Certificate Authentication
Example with Password Authentication
Configuring User Authentication Chains
Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action
Forwarding User Authentication
Forwarding User Authentication to a Kerberos Realm
Reporting User Login Failures
User Name Handling on Windows
Requirements for Trusted Domain Authentication on Windows
Accessing Resources on Windows Network from Logon Sessions Created by Tectia Server
Network Resource Access from Terminal Session
Network Resource Access from SFTP Subsystem
Accessing Network Shares Using Another User's Account
Accessing Shares on a Computer That Is Not a Member of a Domain
Access to DFS Shares
Accessing Files Stored on EFS on Windows from Logon Sessions Created by Tectia Server
6. System Administration
Tectia Client Privileged User
Disabling Root Login (Unix)
Restricting Connections
Chrooting (Unix)
Forced Commands
Auditing
Notification
Customizing Logging
Auditing with Solaris BSM
7. File Transfer
Tectia Client File Transfer User
Encryption and Authentication Methods
Restricting Services
Settings on the Client Side
Automated File Transfer Script
8. Tunneling
Local Tunnels
Local Tunneling Rule Examples
Remote Tunnels
Remote Tunneling Rule Examples
X11 Forwarding (Unix)
Agent Forwarding (Unix)
9. Troubleshooting Tectia Server
Starting Tectia Server in Debug Mode
Starting Tectia Server in Debug Mode on Unix
Starting Tectia Server in Debug Mode on Windows
Debugging Secure File Transfer
Collecting System Information for Troubleshooting
Solving Problem Situations
CPU Overload on Tectia Server on HP-UX
Invalid Host Key Permissions on Windows
Invalid Configuration File Permissions on Windows
Authentication Fails for Domain Account on Tectia Server on Windows
Last Login Time is Incorrect on Windows
Virtual Folders Defined on Windows Network Shared Folders Are Not Available on Tectia Server on Windows
A. Tectia Server Configuration File Quick Reference
B. Server Configuration File Syntax
C. Command-Line Tools and Man Pages
ssh-server-g3 — Secure Shell server - Generation 3
ssh-server-ctl — Tectia Server control utility
ssh-troubleshoot — tool for collecting system information
ssh-keygen-g3 — authentication key pair generator
ssh-keyfetch — Host key tool for the Secure Shell client
ssh-cmpclient-g3 — CMP enrollment client
ssh-scepclient-g3 — SCEP enrollment client
ssh-certview-g3 — certificate viewer
ssh-ekview-g3 — external key viewer
D. Audit Messages
E. Tectia Mapper Protocol
Parameters
Communication Between Tectia Server and the External Application
Examples
Positive Response
Negative Response
Checking the Number of Connections
Example Application
F. Removing OpenSSL from Tectia Server
Background Information
OpenSSL in Tectia
Should I Remove the OpenSSL Library?
What Happens If I Remove the OpenSSL Library?
Removing the OpenSSL Cryptographic Library
Unix
Windows
G. Open Source Software License Acknowledgements
H. Changing the Host Key of Tectia Server
Host Key Algorithm in Manual Host Key Rotation
Manual Rotation Example Using RSA Host Keys
Fingerprints
Replacing Host Public Key on Client-Side
z/OS Example
Windows Tectia Client Example
Index