SSH

Tectia® Server 7.0

Administrator Manual

SSH Communications Security Corporation

This software and documentation are protected by international copyright laws and treaties. All rights reserved.

ssh® and Tectia® are registered trademarks of SSH Communications Security Corporation in the United States and in certain other jurisdictions.

SSH and Tectia logos and names of products and services are trademarks of SSH Communications Security Corporation. Logos and names of products may be registered in certain jurisdictions.

All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corporation.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY, RELIABILITY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the User Manual.

27 November 2025


Table of Contents

1. About This Document
    Documentation Conventions
    Customer Support
    Component Terminology
2. Installing Tectia Server
    Preparing for Installation
    Installing the Tectia Server Software
    Removing the Tectia Server Software
    Files Related to Tectia Server
3. Getting Started
    Starting and Stopping the Server
4. Configuring Tectia Server
    Tectia Server Configuration Tool
    Configuration File for Tectia Server
5. Authentication
    Supported User Authentication Methods
    Server Authentication with Public Keys
    Server Authentication with Certificates
    Server Authentication Using External Host Keys
    User Authentication with Passwords
    User Authentication with Public Keys
    User Authentication with Certificates
    Host-Based User Authentication
    User Authentication with Keyboard-Interactive
    User Authentication with GSSAPI
    Supplementing Authentication with an External Application
    Configuring User Authentication Chains
    Forwarding User Authentication
    Reporting User Login Failures
    User Name Handling on Windows
    Requirements for Trusted Domain Authentication on Windows
    Accessing Resources on Windows Network from Logon Sessions Created by Tectia Server
    Accessing Files Stored on EFS on Windows from Logon Sessions Created by Tectia Server
6. System Administration
    Tectia Client Privileged User
    Auditing
7. File Transfer
    Tectia Client File Transfer User
    Automated File Transfer Script
8. Tunneling
    Local Tunnels
    Remote Tunnels
    X11 Forwarding (Unix)
    Agent Forwarding (Unix)
9. Troubleshooting Tectia Server
    Starting Tectia Server in Debug Mode
    Collecting System Information for Troubleshooting
    Solving Problem Situations
A. Tectia Server Configuration File Quick Reference
B. Server Configuration File Syntax
C. Command-Line Tools and Man Pages
    ssh-server-g3 — Secure Shell server - Generation 3
    ssh-server-ctl — Tectia Server control utility
    ssh-troubleshoot — tool for collecting system information
    ssh-keygen-g3 — authentication key pair generator
    ssh-keyfetch — Host key tool for the Secure Shell client
    ssh-cmpclient-g3 — CMP enrollment client
    ssh-scepclient-g3 — SCEP enrollment client
    ssh-certview-g3 — certificate viewer
    ssh-ekview-g3 — external key viewer
D. Audit Messages
E. Tectia Mapper Protocol
    Parameters
    Communication Between Tectia Server and the External Application
    Examples
    Example Application
F. Removing OpenSSL from Tectia Server
    Background Information
    Removing the OpenSSL Cryptographic Library
G. Default and Supported SSH Algorithms
    Ciphers
    Key-Exchange Algorithms
    Message-Authentication Codes
    Host-Key and Public Key Signature Algorithms
H. Open Source Software License Acknowledgements
I. Changing the Host Key of Tectia Server
    Host key Algorithm in Manual Host Key Rotation
    Manual Rotation Example using RSA Host Keys
    Fingerprints
    Replacing Host Public Key on Client-Side
Index