Client Configuration
Configure the client side according to the key and certificate type
used: X.509 or Entrust.
X.509 Certificates
To configure the client to authenticate itself with an X.509
certificate, perform the following tasks:
- Enroll a certificate for yourself.
Example: Enrollment using ssh-cmpclient
    $ ssh-cmpclient INITIALIZE \
        -P generate://ssh2:passphrase@rsa:512/user_rsa \
        -o /home/user/.ssh2/user_rsa \
        -p 62154:ssh \
        -s 'C=FI,O=SSH,CN=user;email=user@example.org' \
        http://pki.ssh.com:8080/pkix/ \
        'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'
Remember to also define the SOCKS server (-S) before the CA URL, if required.
For more information on the ssh-cmpclient syntax, see the ssh-cmpclient man page.
- Make sure that public-key authentication is enabled in the ssh2_config file.
    AllowedAuthentications publickey
- Specify the private key of your software certificate in the ~/.ssh2/identification file.
    CertKey <private-key-path>
The certificate itself will be read from private-key-path.crt.
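The settings from the steps above can be checked before the first connection attempt. The following shell function is an added example, not part of the original documentation or of SSH Tectia. The function names are hypothetical, and the file syntax it assumes (one "Keyword value" pair per line, '#' comments, relative CertKey paths resolved against the directory passed in) is an assumption.

```shell
#!/bin/sh
# Added example: checks the client settings from the X.509 steps above.
# Assumptions (not from the page): one "Keyword value" pair per line,
# '#' comments, keywords matched case-insensitively, and a relative
# CertKey path resolved against the directory given as $1.

# Print the value(s) of keyword $1 in file $2, one per line.
cfg_values() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print
        }' "$2"
}

# check_x509_client DIR: DIR holds ssh2_config and identification.
# Prints one line per problem; returns 0 only if none were found.
check_x509_client() {
    dir=$1; problems=0
    # publickey must be among the allowed authentication methods.
    if ! cfg_values AllowedAuthentications "$dir/ssh2_config" 2>/dev/null |
            tr ', ' '\n\n' | grep -qix 'publickey'; then
        echo "ssh2_config: publickey not in AllowedAuthentications"
        problems=$((problems + 1))
    fi
    # Every CertKey needs its private key file and <path>.crt beside it.
    keys=$(cfg_values CertKey "$dir/identification" 2>/dev/null) || keys=
    if [ -z "$keys" ]; then
        echo "identification: no CertKey entry"
        problems=$((problems + 1))
    fi
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        case $key in /*) ;; *) key=$dir/$key ;; esac
        for f in "$key" "$key.crt"; do
            if [ ! -r "$f" ]; then
                echo "missing or unreadable: $f"
                problems=$((problems + 1))
            fi
        done
    done <<EOF
$keys
EOF
    [ "$problems" -eq 0 ]
}
```

Call it as check_x509_client "$HOME/.ssh2"; a non-zero exit status means at least one of the listed problems was found.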
Entrust Certificates
SSH Tectia Client also supports the use of Entrust keys and certificates for authentication.
Entrust keys are handled as external keys.
The Entrust provider described in this section is a component designed
by SSH Communications Security Corp.
Entrust Entelligence and the entrust.ini and *.epf files are components designed by Entrust, Inc.
To configure the client to authenticate itself using the user's Entrust
key and certificate, perform the following tasks:
- Enable public-key authentication in the ssh2_config file.
    AllowedAuthentications publickey
- Define the Entrust external key provider and its initialization string:
    EkProvider entrust
    EkInitString profile-file($HOME/profile.epf)
The format of the initialization string is the same as for the server. See
Section Server Entrust Authentication above.
- Copy the entrust.ini file to /etc/.