Tectia Server allows using an external application to supplement authentication. This also makes it possible to use information stored in an external database to allow access for specific users.
The external application, which may be written in any programming language suitable for the task, talks to Tectia Server using the Tectia Mapper Protocol. (For more information on the protocol, see Appendix E.)
The path to the external application is defined in the ssh-server-config.xml file within an authentication block, using the mapper element's command attribute.
| Caution |
|---|
| The external application will be launched under administrator (root) privileges. Everything it does with the data it receives therefore happens as root: keep the script, its interpreter and their directories writable only by root, give the command attribute absolute paths, and never pass blackboard values to a shell or evaluate them as code. |
Tectia Server sends data from its blackboard to the external application. For a detailed description of the data that the server sends, see mapper in ssh-server-config(5). The data that the external application sends back to Tectia Server will be stored in the server's blackboard.
For the authentication to succeed, the external application must return "success" and an exit status 0. For more information on the parameters allowed by the Tectia Mapper Protocol, see Parameters.
Sample scripts written in Python are provided in /etc/ssh2/samples
on Unix and <INSTALLDIR>\SSH Tectia AUX\samples on Windows.
This example presents a typical use case for user mapping:
matching a certificate and a user. Selectors are usually used for this purpose, but if you
have a database that contains information about users and certificates, you can use an
external application defined in the mapper element to query the database.
Based on the query result, users can be allowed/denied access to the server.
In this example the user is allowed to log in only if the regular expression provided in the certificate element matches, that is, if the CN in the certificate's subject name consists of three words separated by periods (.) and ends in a set of digits (for example "Smith.John.James.1234"). The selector only narrows which certificates reach this authentication block; the mapper command (script1.py) is then run and must return "success" with exit status 0 for the login to be allowed.
```xml
<authentication-methods login-grace-time="600">
  <authentication action="allow">
    <auth-publickey />
    <authentication name="authentication3" action="allow">
      <selector>
        <certificate field="subject-name"
                     regexp="C=FI, O=SSH, CN=\\w\+\\.\\w\+\\.\\w\+?\\.?\\w\+?\\.\\d\+" />
      </selector>
      <mapper command="/path/to/python /path/to/script1.py"/>
    </authentication>
  </authentication>
</authentication-methods>
```
In this example the user is requested to provide a password, and the external application (/path/to/script2.py) is additionally used to check whether the user should be allowed access.
```xml
<authentication-methods login-grace-time="600">
  <authentication action="allow">
    <auth-password />
    <mapper command="/path/to/python /path/to/script2.py"/>
  </authentication>
</authentication-methods>
```
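The following script is an added example of what script1.py and script2.py from the two configurations above could look like; it is not one of the sample scripts shipped in /etc/ssh2/samples and not Tectia's own code. The wire format it uses is an assumption to be checked against mapper in ssh-server-config(5) and Appendix E: the blackboard arrives as "key:value" lines on standard input terminated by an empty line, the user name under the key "user" and the certificate subject under "certificate-subject-name", and the reply is a verdict line followed by "key:value" lines to store back in the blackboard (the "mapped-user" key is likewise an example name). The database is a constructed in-memory dict standing in for the external user/certificate store. Run without arguments it applies the certificate policy of the first example; with `--password` on the mapper command line it applies the password policy of the second.

```python
#!/usr/bin/env python3
"""External mapper application for Tectia Server (added example).

Not one of the sample scripts shipped in /etc/ssh2/samples. Wire-format
assumptions, to be checked against mapper in ssh-server-config(5) and
Appendix E before use: the server writes its blackboard as "key:value" lines
on standard input, terminated by an empty line; the user name arrives under
the key "user" and the certificate subject under "certificate-subject-name";
the application answers with a verdict line ("success" or "failure") followed
by "key:value" lines to be stored back in the blackboard.
"""
import sys

# Constructed stand-in for the external user/certificate database:
# user -> set of certificate subject names authorised for that user.
ALLOWED = {
    "jsmith": {"C=FI, O=SSH, CN=Smith.John.James.1234"},
    "mjones": set(),  # account exists but has no authorised certificate
}


def parse_blackboard(lines):
    """Parse "key:value" lines into a dict, stopping at the first empty line.

    Malformed lines are ignored rather than guessed at, and nothing after the
    empty-line terminator is read, so only what the server sent is trusted.
    """
    data = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            break
        key, sep, value = line.partition(":")
        if not sep:
            continue
        data[key.strip()] = value.strip()
    return data


def decide(data, db, require_certificate):
    """Return (verdict, extra_blackboard_values).

    require_certificate=True is the script1.py policy of the certificate
    example: the subject name the server presents must be exactly one that
    the database lists for the user. require_certificate=False is the
    script2.py policy of the password example: the account must exist, and
    any certificate subject that happens to be present must still match.
    Comparisons are exact string matches; no pattern or substring logic runs
    on attacker-influenced data, because this process runs as root.
    """
    user = data.get("user")
    subject = data.get("certificate-subject-name")
    if not user or user not in db:
        return "failure", {}
    if require_certificate and subject is None:
        return "failure", {}
    if subject is not None and subject not in db[user]:
        return "failure", {}
    return "success", {"mapped-user": user}


def main(argv=None, stdin=None, stdout=None):
    """Entry point: "success" on stdout plus exit status 0 allows the login."""
    argv = sys.argv[1:] if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    stdout = sys.stdout if stdout is None else stdout
    require_certificate = "--password" not in argv  # default to the stricter policy
    verdict, extra = decide(parse_blackboard(stdin), ALLOWED, require_certificate)
    stdout.write(verdict + "\n")
    for key, value in extra.items():
        stdout.write("%s:%s\n" % (key, value))
    stdout.flush()
    # Only "success" together with exit status 0 lets the authentication
    # proceed; returning a non-zero status on denial is an assumption (any
    # status other than 0 is taken to be read by the server as a failure).
    return 0 if verdict == "success" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the server launches this as root, the script deliberately does nothing with the input except parse it and compare exact strings against the database; a real deployment would replace the ALLOWED dict with a query to the external database using a parameterised API, never by interpolating blackboard values into a query string or a shell command.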