Chapter 5 Authentication

Table of Contents

Supported User Authentication Methods

Compatibility with OpenSSH Keys

Server Authentication with Public Keys

Generating the Host Key
Notifying the Users of Host Key Changes
Key rotation

Server Authentication with Certificates

Certificate Enrollment Using ssh-cmpclient-g3

Server Authentication Using External Host Keys

User Authentication with Passwords

Expired Passwords
Empty/Blank Passwords
User Logon Rights on Windows

User Authentication with Public Keys

Using the Authorization File
Using Keys Generated with OpenSSH
Special Considerations on Windows
Authorized Keys on a Windows Network Drive

User Authentication with Certificates

Configuring Certificates
Configuring User Authentication with Certificates on Windows

Host-Based User Authentication

Using Conventional Public Keys
Using Certificates

User Authentication with Keyboard-Interactive

Password Submethod
Pluggable Authentication Module (PAM) Submethod
RSA SecurID Submethod
RADIUS Submethod
LAM Submethod on AIX

User Authentication with GSSAPI

Supplementing Authentication with an External Application

Example with Certificate Authentication
Example with Password Authentication

Configuring User Authentication Chains

Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action

Forwarding User Authentication

Forwarding User Authentication to a Kerberos Realm

Reporting User Login Failures

User Name Handling on Windows

Requirements for Trusted Domain Authentication on Windows

Accessing Resources on Windows Network from Logon Sessions Created by Tectia Server

Network Resource Access from Terminal Session
Network Resource Access from SFTP Subsystem
Accessing Network Shares Using Another User's Account
Accessing Shares on a Computer That Is Not a Member of a Domain
Access to DFS Shares

Accessing Files Stored on EFS on Windows from Logon Sessions Created by Tectia Server

The Secure Shell protocol used by the Tectia client/server solution provides mutual authentication – the client authenticates the server and the server authenticates the client users. Both parties are assured of the identity of the other party.

The Tectia Server host can authenticate itself to the client using either public-key authentication or certificate authentication.

Different methods can be used to authenticate Secure Shell client users. These authentication methods can be used separately or combined, depending on the level of functionality and security you want. The server defines what methods are allowed, and the client defines the order in which they will be tried. The least interactive methods should be tried first. In case several interactive authentication methods are defined for user authentication, the client-side will alternate between the methods on each failed authentication attempt.

Figure 5.1. User authentication methods

Tectia Server allows GSSAPI, public-key, keyboard-interactive, and password in user authentication by default.