Server Configuration
SSH Tectia Server can use either X.509 certificates or Entrust certificates for
authenticating itself.
X.509 Certificates
To configure SSH Tectia Server to authenticate itself using X.509 certificates,
perform the following tasks:
- Enroll a certificate for the server. This can be done with the
  ssh-cmpclient command-line tool. Note that the DNS address parameter
  (dns) needs to correspond to the fully qualified domain name of the
  server.

  Example: Enrollment using ssh-cmpclient:

  $ ssh-cmpclient INITIALIZE \
      -P generate://ssh2@rsa:1024/testserv-rsa \
      -o /etc/ssh2/testserv-rsa \
      -p 62154:ssh \
      -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
      http://pki.ssh.com:8080/pkix/ \
      'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'

  Remember to also define the SOCKS server (-S) before the CA URL, if
  required. For more information on the ssh-cmpclient syntax, see the
  ssh-cmpclient man page.
- Define the private key and the server certificate in the sshd2_config
  file:

  HostKeyFile <private key>
  HostCertificateFile <server-certificate>
- Restart the server as instructed in Section Starting the Server.
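As an added example (not part of the original manual or of SSH Tectia Server), the following Python script parses the two sshd2_config keywords above and runs a pre-restart check: both files must exist and the private key must not be readable by group or others. The file paths and file contents it creates are constructed placeholders; it assumes the simple "Keyword value" line format shown above and that '#' starts a comment, which is an assumption about sshd2_config rather than something this page states.

```python
import os
import stat
import tempfile
from typing import Dict, List


def parse_sshd2_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines. Assumes '#' starts a comment and that a
    repeated keyword is overridden by its last occurrence."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_host_key_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems found; an empty list means both host-key
    settings point at existing files and the private key is owner-only."""
    problems: List[str] = []
    key = settings.get("HostKeyFile")
    cert = settings.get("HostCertificateFile")

    if key is None:
        problems.append("HostKeyFile not set")
    elif not os.path.isfile(key):
        problems.append(f"HostKeyFile {key} does not exist")
    else:
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(
                f"HostKeyFile {key} is accessible to group/others (mode {mode:04o})")

    if cert is None:
        problems.append("HostCertificateFile not set")
    elif not os.path.isfile(cert):
        problems.append(f"HostCertificateFile {cert} does not exist")
    return problems


def demo() -> List[str]:
    """Build constructed placeholder key/certificate files with a deliberately
    permissive key mode and run the check against a config fragment."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "testserv-rsa")
        cert = os.path.join(d, "testserv-rsa.crt")
        with open(key, "w") as f:
            f.write("placeholder private key (constructed)\n")
        with open(cert, "w") as f:
            f.write("placeholder certificate (constructed)\n")
        os.chmod(key, 0o644)  # too permissive: group/others can read the key
        fragment = f"HostKeyFile {key}\nHostCertificateFile {cert}\n"
        return check_host_key_settings(parse_sshd2_config(fragment))


if __name__ == "__main__":
    for problem in demo():
        print("problem:", problem)
```

Run it before the restart step: an empty result means the configured paths resolve and the key file mode is acceptable; the demo reports the over-permissive key it constructed.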
Entrust Certificates
SSH Tectia Server also supports the use of Entrust keys and certificates
for authentication. Entrust keys are handled as external keys.

The Entrust external key provider described in this section is a
component designed by SSH Communications Security Corp. Entrust
Entelligence and the entrust.ini and *.epf files are components designed
by Entrust, Inc.
The server is configured to use the Entrust key and certificate with the
following sshd2_config parameters:

HostKeyEkProvider entrust
HostKeyEkInitString <string>
The initialization string for the Entrust provider has the following
components: dll, ini-file, profile-file, password, and login-options.

- dll
  This defines the name of the shared Entrust FileToolkit object. This
  setting has decent defaults, so the authentication should work without
  this setting, but if you need to, you can override the defaults. For
  example, on Solaris, this would be

  dll(/usr/local/lib/sshsecsh/entrust/libEntrust.so,\
  /usr/local/lib/sshsecsh/entrust/libentapi.so)

  (On one line, without the '\' character.)

- login-options
  This defines how the password is queried from the user. If the value is
  entrust, only the Entrust dialogs are used in querying the password. If
  the value is native, the password will be queried using the native
  authentication callback. If the field contains something else (e.g.
  both), both methods are used.

- ini-file
  The location of the initialization file. If it is not set, this will be
  searched first from $HOME/entrust.ini (the user's home directory), and
  if it is not found, from /etc/entrust.ini. On Windows, the default
  location is entrust.ini in the Windows directory (X:\WINDOWS or
  X:\WINNT).

- profile-file
  The location of the user's profile. If it is not set, this will be
  searched from $HOME/profile.epf on Unix, and from the user's
  My Documents\Entrust Profile\profile.epf on Windows.

- password
  This can be used to set the password (for host-key profiles, for
  example).
An example of an initialization string:
dll(entapi32.dll) password(foobar) ini-file(solo.ini)
profile-file(solo_user.epf) login-options(entrust)
Environment variables are substituted when the initialization string is
parsed.
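As an added example, not code from the manual or from SSH Communications Security, here is a Python parser for the initialization string format described above. It splits the name(value) components, substitutes $VAR and ${VAR} references from a supplied environment (as the last sentence above says the provider does), normalizes login-options to entrust, native or both, applies the Unix default search order for ini-file and profile-file, and keeps the password out of its printed representation so the parsed result can be logged safely. The exact grammar of the real provider (for instance whether a value may contain parentheses) is not documented on this page, so the name(value) tokenizer is an assumption, as is the '' substitution for unset variables; Windows default locations are not handled.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Components of HostKeyEkInitString for the Entrust provider, as listed above.
KNOWN_KEYS = ("dll", "ini-file", "profile-file", "password", "login-options")

# Assumed tokenizer: one "name(value)" component; a value may not contain ')'.
_COMPONENT_RE = re.compile(r"([a-z-]+)\(([^)]*)\)")
_ENV_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


@dataclass
class EntrustInitConfig:
    dll: Optional[str] = None
    ini_file: Optional[str] = None
    profile_file: Optional[str] = None
    password: Optional[str] = None
    login_options: str = "both"
    warnings: List[str] = field(default_factory=list)

    def __repr__(self) -> str:
        # Never echo the password (e.g. into a log); show only whether it is set.
        pw = "<set>" if self.password else "None"
        return (f"EntrustInitConfig(dll={self.dll!r}, ini_file={self.ini_file!r}, "
                f"profile_file={self.profile_file!r}, password={pw}, "
                f"login_options={self.login_options!r}, warnings={self.warnings!r})")


def _substitute_env(value: str, env: Dict[str, str]) -> str:
    """Replace $VAR and ${VAR} with values from env; unset variables become ''
    (assumed behaviour, not taken from the manual)."""
    return _ENV_RE.sub(lambda m: env.get(m.group(1) or m.group(2), ""), value)


def _first_existing(candidates: List[str], exists: Callable[[str], bool]) -> Optional[str]:
    for path in candidates:
        if exists(path):
            return path
    return None


def parse_init_string(init_string: str,
                      env: Optional[Dict[str, str]] = None,
                      exists: Callable[[str], bool] = os.path.exists) -> EntrustInitConfig:
    """Parse a HostKeyEkInitString value into its components with Unix defaults."""
    env = dict(os.environ) if env is None else env
    cfg = EntrustInitConfig()
    seen: Dict[str, str] = {}
    consumed = 0
    for m in _COMPONENT_RE.finditer(init_string):
        gap = init_string[consumed:m.start()].strip()
        if gap:
            cfg.warnings.append(f"unparsed text: {gap!r}")
        consumed = m.end()
        key, raw = m.group(1), m.group(2)
        if key not in KNOWN_KEYS:
            cfg.warnings.append(f"unknown component: {key}")
            continue
        if key in seen:
            cfg.warnings.append(f"duplicate component: {key} (last one wins)")
        seen[key] = _substitute_env(raw, env)
    tail = init_string[consumed:].strip()
    if tail:
        cfg.warnings.append(f"unparsed text: {tail!r}")

    cfg.dll = seen.get("dll")
    cfg.password = seen.get("password")
    # entrust / native select one method; anything else (e.g. "both") means both.
    opt = seen.get("login-options", "both")
    cfg.login_options = opt if opt in ("entrust", "native") else "both"

    # Unix search order from the manual: $HOME first, then /etc for the ini file.
    home = env.get("HOME", "")
    cfg.ini_file = seen.get("ini-file") or _first_existing(
        [os.path.join(home, "entrust.ini"), "/etc/entrust.ini"], exists)
    cfg.profile_file = seen.get("profile-file") or _first_existing(
        [os.path.join(home, "profile.epf")], exists)
    return cfg


if __name__ == "__main__":
    # The manual's own example string; the values are constructed, not a real profile.
    print(parse_init_string(
        "dll(entapi32.dll) password(foobar) ini-file(solo.ini) "
        "profile-file(solo_user.epf) login-options(entrust)",
        env={"HOME": "/home/solo"}, exists=lambda p: False))
```

The env and exists parameters exist so the resolution logic can be exercised without touching the real filesystem or process environment; in production use, call parse_init_string(value) with the defaults.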