Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia

Using the Configuration File (Unix)

To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:

  1. Enroll a certificate for yourself.

    Example: Enrollment using ssh-cmpclient-g3

    $ ssh-cmpclient-g3 INITIALIZE  
       -P generate://ssh2:passphrase@rsa:512/user_rsa  
       -o /home/user/.ssh2/user_rsa 
       -p 62154:ssh 
       -s 'C=FI,O=SSH,CN=user;email=user@example.org' 
       http://pki.ssh.com:8080/pkix/ 
       'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'
    

    Remember to define also the SOCKS server (-S) before the CA URL, if required.

    For more information on the ssh-cmpclient-g3 syntax, see ssh-cmpclient-g3(1).

  2. (Optional) Create an identification file.

    Specify the private key of your software certificate in the $HOME/.ssh2/identification file (the CertKey option works identically with the IdKey option):

    CertKey     user_rsa
    

    The certificate itself will be read from user_rsa.crt.

    For more information on the syntax of the identification file, see $HOME/.ssh2/identification.

  3. Place your keys and certificates in a directory where the Connection Broker can locate them.

    With SSH Tectia Client 5.x, using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory. If the identification file exists, the keys listed in it are attempted first.

    You can also use the key-store element in the ssh-broker-config.xml file for defining locations for keys and certificates. See the section called “Key Store Configuration Examples”.

  4. Make sure that public-key authentication is enabled in the ssh-broker-config.xml file.

    <authentication-methods>
      <authentication-method name="publickey" />
    ...
    </authentication-methods>
    

    Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.


 

 
Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more