This section provides an example configuration of user authentication using existing certificates in the SSH Tectia environment.
The Human Resources department or another suitable unit is responsible for the identity establishment of the users (i.e. verifying that the information used to create the entities is correct and that enrolled certificates on smart cards are received by the correct users). The issued user certificates contain the subject name and the subject alternative name e-mail extension in a consistent format.
The CA certificate in the DER or PEM format is required for the certificate authentication configuration in SSH Tectia Manager. In addition, a detailed description of the certificate template and policy used to issue the certificates is needed to determine what information can be used to map the certificates to the user accounts.
The configuration of user certificate authentication is slightly different between SSH Tectia Server 4.x and G3 (5.x and 6.x versions).
Ensure that public-key authentication is allowed or required in the SSH Tectia Server configuration, and also allowed in the SSH Tectia Client configuration. Public-key authentication is allowed by default.
Define the CA used for user authentication.
(SSH Tectia Server G3) Under Configurations → Edit configurations → SSH Tectia G3 → Server, on the PKI page, upload the MyCompany People CA certificate for user authentication.
Configure the authorization.
SSH Tectia Server requires the configuration to authorize logging in to an existing user account with a certificate issued by the MyCompany People CA. The user certificate displayed below with the command-line tool ssh-certview or ssh-certview-g3 (included in SSH Tectia Client, ConnectSecure, and Server) provides several options for the configuration (mappings).
The Certificate selectors in the Server Authentication settings in Configurations → Edit configurations → SSH Tectia G3 → Server will authorize logging in to an existing user account with a certificate issued by the MyCompany People CA. The user certificate displayed above with the command-line tool ssh-certview-g3 (included in the SSH Tectia Client, ConnectSecure, and Server) provides several options for the mappings.
Example 1:
The shared account tunnel on the server used by SSH Tectia Client or SSH Tectia ConnectSecure could be mapped to certificates using a combination of the User name and Subject name selectors, so that any user in the Administration unit is able to log in.
On the Certificate Authentication page, under User Certificate Selectors, add a User name selector and define the value tunnel as the user name. For the same selector, add another selector field Subject name and define the value C=FI,O=MyCompany,OU=Administration,CN=* for the subject name.
Example 2:
A scalable mapping option for user accounts would be to use an e-mail certificate selector, so that the login account is derived from the e-mail address.
On the Certificate Authentication page, under User Certificate Selectors, add an Email altname selector and define the value %username%@mycompany.com for the Email altname.
If both certificate selectors are defined, John Doe can use the same certificate to access the shared account tunnel and the account johnd on those SSH Tectia Servers where the user account exists. See Figure 8.10.
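To show how the two selectors above combine, here is an added illustration of the selector logic (not SSH Tectia code, and not the product's actual matching implementation). It assumes that the fields of one selector are ANDed, that separate selectors are ORed, that * in a Subject name RDN value is a glob wildcard, and that %username% is replaced with the account name the client asked to log in as; the certificate is a constructed sample.

```python
# Added illustration (not SSH Tectia code): evaluates certificate selector
# rules like those configured above against a parsed certificate.
# Assumptions: fields inside one selector are ANDed, separate selectors are
# ORed; Subject name is compared RDN by RDN with '*' as a glob wildcard on
# values; %username% in Email altname is replaced with the requested account.
from fnmatch import fnmatchcase

def parse_dn(dn):
    """Split 'C=FI,O=MyCompany,CN=*' into an ordered list of (attr, value)."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]

def subject_matches(pattern_dn, cert_dn):
    """Every RDN must be present, in order, with the value matching the glob."""
    pattern, subject = parse_dn(pattern_dn), parse_dn(cert_dn)
    if len(pattern) != len(subject):
        return False
    return all(pa == sa and fnmatchcase(sv, pv)
               for (pa, pv), (sa, sv) in zip(pattern, subject))

def selector_matches(selector, cert, requested_user):
    """All fields of one selector must match (logical AND)."""
    for field, value in selector.items():
        if field == "User name" and value != requested_user:
            return False
        if field == "Subject name" and not subject_matches(value, cert["subject"]):
            return False
        if field == "Email altname":
            expected = value.replace("%username%", requested_user)
            if expected.lower() != cert["email"].lower():
                return False
    return True

def authorized(selectors, cert, requested_user):
    """Login is authorized if any configured selector matches (logical OR)."""
    return any(selector_matches(s, cert, requested_user) for s in selectors)

# The two selectors from Example 1 and Example 2 above.
SELECTORS = [
    {"User name": "tunnel",
     "Subject name": "C=FI,O=MyCompany,OU=Administration,CN=*"},
    {"Email altname": "%username%@mycompany.com"},
]

# Constructed sample certificate as it might be issued by the MyCompany People CA.
JOHN = {"subject": "C=FI,O=MyCompany,OU=Administration,CN=John Doe",
        "email": "johnd@mycompany.com"}

if __name__ == "__main__":
    for user in ("tunnel", "johnd", "root"):
        print(user, authorized(SELECTORS, JOHN, user))
```

Note that the same certificate authorizes both tunnel (via the subject-name selector) and johnd (via the e-mail selector), while a request for an unrelated account such as root is refused.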
Edit the configuration assignments (Configurations → Assign configurations). For SSH Tectia Server 4.x, the certificate configuration is contained in the Certificate authentication configuration. For SSH Tectia Server 5.x and 6.x, the certificate configuration is part of the Server configuration. An example configuration assignment is shown in Figure 8.4.
Deploy the SSH Tectia configuration (Configurations → Deploy configurations). The SSH Tectia Server hosts will use the trusted CA certificate for user authentication and take the configuration into use.
Connect with SSH Tectia Client to the server.
Ensure that the user certificate is available in SSH Tectia Client Key Providers.
See the documentation of your smart card vendor on how to enable access to the card with MSCAPI or another supported provider type.
Provide the username for logging in. In case the server-side username is the same as the Windows login name, this can be pre-configured in SSH Tectia Manager as %USERNAME% in the SSH Tectia Client or ConnectSecure Connection Profile settings.