SSH Tectia Server (A/F/T) 5.0

Administrator Manual

SSH Communications Security Corp.

Copyright © 1995–2005 SSH Communications Security Corp.

This software is protected by international copyright laws. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH logo and Tectia are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corp.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

9 December 2005

Table of Contents

1. About This Document

Component Terminology
Documentation Conventions
Customer Support

2. Installing SSH Tectia Server

Planning the Installation

System Requirements
Packaging
Licensing
Upgrading from Version 4.x to 5.0
Upgrading from Version 5.0

Installing the SSH Tectia Server Software

Installing on AIX
Installing on HP-UX
Installing on Linux
Installing on Solaris
Installing on Windows

Removing the SSH Tectia Server Software

Removing from AIX
Removing from HP-UX
Removing from Linux
Removing from Solaris
Removing from Windows

3. Getting Started

Location of Installed Files

File Locations on Unix
File Locations on Windows

Starting and Stopping the Server

Starting and Stopping on Unix
Starting and Stopping on Windows

Examples of Use

4. Configuring SSH Tectia Server

ssh-server-config - SSH Tectia Server configuration file format

Configuration Tool (Windows)

SSH Tectia Server
General
Identity
Network
Logging
Certificate Validation
Defining Access Rules Using Selectors
Connections and Encryption
Authentication
Services

5. Authentication

Server Authentication with Public Keys

Generating the Host Key
Notifying the Users of the Host Key Change

Server Authentication with Certificates

Certificate Enrollment Using ssh-cmpclient

Server Authentication using External Host Keys

User Authentication with Passwords

Special Considerations on Windows

User Authentication with Public Keys

Special Considerations on Windows

User Authentication with Certificates

Certificate Configuration

Host-Based User Authentication

Using Traditional Public Keys
Using Certificates

User Authentication with Keyboard-Interactive

Password Submethod
Pluggable Authentication Module (PAM) Submethod
RSA SecurID Submethod
RADIUS Submethod

User Authentication with GSSAPI

Configuring User Authentication Chains

Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action

6. System Administration

SSH Tectia Client Privileged User

Disabling Root Login (Unix)
Restricting Connections
Forced Commands

Notification
Customizing Logging

7. File Transfer

SSH Tectia Client File Transfer User

Encryption and Authentication Methods
Restricting Services
Settings on the Client Side

Automated File Transfer

8. Tunneling

SSH Tectia Connector Tunneling User

Using a Shared Account
Restricting Services

Local Tunnels

Remote Tunnels

X11 Forwarding (Unix)

Agent Forwarding (Unix)

A. Command-Line Tools

ssh-server-g3 - Secure Shell server - Generation 3
ssh-server-config-tool - SSH Tectia Server configuration tool
ssh-keygen-g3 - authentication key pair generator
ssh-certview-g3 - certificate viewer
ssh-cmpclient-g3 - CMP enrollment client
ssh-ekview-g3 - external key viewer

B. Server Configuration File Syntax

C. Man Pages and Help Files

D. Audit Messages