   Server Configuration
 
  SSH Tectia Server can accept both X.509 certificates and Entrust certificates for 
authenticating users.
  
   X.509 Certificates
 To configure the server to allow user authentication with certificates, 
perform the following tasks:
  
   
-   Acquire the CA certificate and copy it to the server machine. You can
    either copy the X.509 certificate(s) as such or you can copy a PKCS #7
    package including the CA certificate(s). Certificates can be extracted
    from a PKCS #7 package by specifying the -7 flag with ssh-keygen2.

-   Certificate authentication is a part of the publickey authentication
    method. Make sure that you have enabled it in the sshd2_config file:

        AllowedAuthentications   publickey

-   Specify the CA certificate and the mapping file(s) in the
    ssh_certd_config file:

        Pki                      <ca-cert-path>
        MapFile                  <map-file-path>

    You can disable the use of CRLs by adding the PkiDisableCRLs keyword
    below the Pki keyword.

    Note: CRL usage should only be disabled for testing purposes. Otherwise
    it is highly recommended to always use CRLs.

    You can define several CA certificates by using several Pki keywords:

        Pki                      <ca-cert-path1>
        MapFile                  <map-file-path1>
        Pki                      <ca-cert-path2>
        MapFile                  <map-file-path1>
        MapFile                  <map-file-path2>

    Note that multiple MapFile keywords are permitted per Pki keyword. Also,
    if no mapping file is defined, all connections are denied even if user
    certificates can be verified using the defined CA certificate. The
    server will accept only certificates issued by the defined CA(s).

-   Also define the LDAP server(s) in the ssh_certd_config file:

        LDAPServers    ldap://server1.domain1:port1

-   If necessary, also define the SOCKS server in the ssh_certd_config
    file:

        SocksServer    socks://socks_server:port/network/netmask,network/netmask

    The SOCKS server must be defined if CA services (OCSP and CRLs) are
    located behind a firewall.

-   Next you need to create the certificate user mapping file. The map
    file specifies which certificates authorize logging into which
    accounts. The format of the file is the following:

        <account-id> <keyword> <argument>

    The keyword can be either Email, Subject, SerialAndIssuer, EmailRegex,
    or SubjectRegex. The argument depends on the keyword:

    -   Email: The argument is the e-mail address which must be present in
        the certificate.
    -   Subject: The argument is the required subject name in LDAP DN
        (distinguished name) string format.
    -   SerialAndIssuer: The argument is the required serial number and
        issuer name in LDAP DN string format, separated by spaces or tabs.
    -   EmailRegex: The argument is the regular expression which must match
        an e-mail address in the certificate. If account-id contains the
        string %subst%, it is substituted with the first parenthesized part
        of the regular expression. The patterns are matched using the egrep
        syntax.
    -   SubjectRegex: The argument is the regular expression which must
        match a subject name in the certificate. If account-id contains the
        string %subst%, it is substituted with the first parenthesized part
        of the regular expression. The patterns are matched using the egrep
        syntax.

-   Restart ssh-certd as instructed in Section Starting and Stopping the
    Server.
  
 
   Examples
The following are examples of different map file definitions:

    testuser email testuser@ssh.com
    testuser subject C=FI,O=SSH,CN=Secure Shell Tester
    testuser serialandissuer 1234 C=FI,O=SSH,CN=Secure Shell Tester
    %subst% subjectregex C=FI, O=SSH, CN=([a-z]+)
    %subst% emailregex ([a-z]+)@ssh\.com

The last line permits logging in with any e-mail address that has only
letters in the username. For more information on the regular expression
syntax, see the sshregex man page.
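As an added illustration (not part of the SSH Tectia documentation or product), the Python below evaluates a certificate's fields against a map file in the format described above, using the five example entries from this page as constructed input. It assumes that keywords are matched case-insensitively (the page writes both Email and email) and that egrep patterns are applied as unanchored searches, as the "must match" wording suggests; the product's exact matching rules are not stated on this page.

```python
import re
from typing import List, Optional, Tuple

# Constructed input: the five map file entries shown on this page.
MAP_FILE = r"""
testuser email testuser@ssh.com
testuser subject C=FI,O=SSH,CN=Secure Shell Tester
testuser serialandissuer 1234 C=FI,O=SSH,CN=Secure Shell Tester
%subst% subjectregex C=FI, O=SSH, CN=([a-z]+)
%subst% emailregex ([a-z]+)@ssh\.com
"""


def parse_map_file(text: str) -> List[Tuple[str, str, str]]:
    """Return (account-id, keyword, argument) triples, one per non-empty line.
    Keywords are lower-cased (assumption: the page writes both Email and email)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        account, keyword, argument = line.split(None, 2)
        entries.append((account, keyword.lower(), argument))
    return entries


def authorized_account(entries, subject: str, email: str,
                       serial: str, issuer: str) -> Optional[str]:
    """Return the account the first matching entry authorizes, or None (deny).
    The certificate is assumed to have already been verified against a Pki CA."""
    for account, keyword, argument in entries:
        if keyword == "email" and email == argument:
            return account
        if keyword == "subject" and subject == argument:
            return account
        if keyword == "serialandissuer":
            want_serial, want_issuer = argument.split(None, 1)
            if serial == want_serial and issuer == want_issuer:
                return account
        if keyword in ("emailregex", "subjectregex"):
            field = email if keyword == "emailregex" else subject
            # Assumption: egrep-style search. An unanchored pattern also matches a
            # substring, so anchoring with ^ and $ in the map file narrows it.
            m = re.search(argument, field)
            if m:
                # %subst% takes the first parenthesized part, if the pattern has one.
                if m.groups():
                    return account.replace("%subst%", m.group(1))
                return account
    return None
```

With the unanchored last entry, the address mallory@ssh.com.example is accepted as account mallory; writing the pattern as ^([a-z]+)@ssh\.com$ rejects it while still accepting alice@ssh.com.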
  
   Entrust Certificates
 
To configure the server to accept user authentication with Entrust
certificates, do the following:

-   Copy the Entrust CA certificate to /etc/ssh2/.

-   Make sure that you have enabled public-key authentication in the
    sshd2_config file:

        AllowedAuthentications   publickey

-   Edit the /etc/ssh2/ssh_certd_config file to include the following
    lines:

        LDAPServers              ldap://ldap.ssh.com:389
        ...
        Pki                      entrust_ca.der
        Mapfile                  mapfile

    Use argument values appropriate to your system.

-   Edit or create a mapfile. An example from /etc/ssh2/mapfile is shown
    below:

        joetest subjectregex CN=Joe.Tester
        janetest subjectregex CN=Jane.Tester

    Note: You cannot use a space character in the CN field.

-   Restart ssh-certd as instructed in Section Starting and Stopping the
    Server.

Copyright © 2005 SSH Communications Security Corp. 