SSH Tectia Client and Server support secure password-based authentication. Unlike with plaintext protocols such as Telnet and FTP, passwords are never sent in plaintext over the network, eliminating the risk of password exposure in transit.
Public-key authentication (without certificates) provides an easy-to-deploy and secure means of authenticating users without the need to deploy and maintain a public-key infrastructure. Users create key pairs for themselves and upload the public keys to the server for verification.
SSH Tectia Client and Server support X.509v3 certificates for further security and scalability in large and dynamic network environments. Comprehensive support for IETF PKIX and PKCS standards ensures seamless interoperability with third-party PKI products.
Flexible certificate revocation
SSH Tectia supports both CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) for centralized revocation of user credentials. CRLs are automatically fetched using HTTP or LDAP depending on the local settings and the CRL Distribution Point extension in the certificate. CRLs can also be imported offline in legacy environments.
Certificate lifecycle management
SSH Tectia Client and Server support IETF PKIX standards (CMPv2) for online certificate enrollment. Certificates can also be imported by using the PKCS#12 envelope format supported by most CAs (Certification Authorities). SSH Tectia has been integrated with Entrust PKI for transparent certificate lifecycle management in Entrust environments.
Smart cards and PKI tokens
SSH Tectia Client supports smart cards, USB tokens, and other PKI authentication devices through the PKCS#11 and MSCAPI interfaces to the authentication keys. Strong, two-factor authentication overcomes the inherent security issues of password authentication.
Keyboard-interactive is a standards-based method of integrating Secure Shell with third-party authentication mechanisms that are based on keyboard input, without the need to modify the client-side application (SSH Tectia Client). Keyboard-interactive is commonly used in conjunction with PAM and RADIUS on the server side.
SSH Tectia Server supports PAM (Pluggable Authentication Modules) for integrating with third-party authentication systems that have standards-based PAM libraries.
SSH Tectia Server can utilize standards-based third-party LDAP directories as centralized user repositories. The keyboard-interactive method and third-party PAM modules for LDAP can be used for integrating SSH Tectia Server on Unix with LDAP directories.
SSH Tectia Client and Server support RSA SecurID for strong, two-factor authentication. The keyboard-interactive method is used for providing the password from SSH Tectia Client to Server, which is integrated with the RSA Authentication Agent libraries for seamless interoperability.
The RADIUS (Remote Authentication Dial-In User Service) protocol can be used with SSH Tectia Client and Server for checking users' authentication and authorization information against a remote server. Keyboard-interactive is used for sending the password to SSH Tectia Server, which interfaces with a third-party RADIUS server such as Microsoft IAS or FreeRADIUS.
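The keyboard-interactive exchange (RFC 4256) behind the PAM, SecurID and RADIUS integrations above, as an added example that is not SSH Tectia code: the server encodes whatever prompts its backend asks for, and the client only has to display them and return the answers, which is why the client needs no modification. Function names are mine and the prompt strings are constructed.

```python
import struct
INFO_REQUEST, INFO_RESPONSE = 60, 61  # RFC 4256 message numbers

def _put_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH "string": uint32 length + bytes

def _get_string(buf: bytes, pos: int):
    n = struct.unpack(">I", buf[pos:pos + 4])[0]  # struct.error if truncated
    if pos + 4 + n > len(buf):  # reject a length that runs past the message
        raise ValueError("string runs past end of message")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_info_request(name: str, instruction: str, prompts) -> bytes:
    # Server side. prompts = [(text, echo)]; echo=False hides the typed reply (passwords, passcodes).
    msg = bytes([INFO_REQUEST]) + _put_string(name.encode())
    msg += _put_string(instruction.encode()) + _put_string(b"")  # empty language tag
    msg += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        msg += _put_string(text.encode()) + bytes([1 if echo else 0])
    return msg

def parse_info_request(msg: bytes):
    # Client side: returns (name, instruction, [(prompt, echo), ...]).
    if not msg or msg[0] != INFO_REQUEST:
        raise ValueError("not an INFO_REQUEST")
    name, pos = _get_string(msg, 1)
    instruction, pos = _get_string(msg, pos)
    _lang, pos = _get_string(msg, pos)
    count, pos, prompts = struct.unpack(">I", msg[pos:pos + 4])[0], pos + 4, []
    for _ in range(count):
        text, pos = _get_string(msg, pos)
        prompts.append((text.decode(), msg[pos] == 1))
        pos += 1
    return name.decode(), instruction.decode(), prompts

def build_info_response(answers) -> bytes:
    msg = bytes([INFO_RESPONSE]) + struct.pack(">I", len(answers))
    return msg + b"".join(_put_string(a.encode()) for a in answers)

def parse_info_response(msg: bytes, expected: int):
    # Server side. RFC 4256: a count that differs from the prompt count must fail the attempt.
    if not msg or msg[0] != INFO_RESPONSE:
        raise ValueError("not an INFO_RESPONSE")
    count, pos, answers = struct.unpack(">I", msg[1:5])[0], 5, []
    if count != expected:
        raise ValueError(f"{count} responses for {expected} prompts")
    for _ in range(count):
        a, pos = _get_string(msg, pos)
        answers.append(a.decode())
    return answers
```

A backend such as SecurID sends one hidden prompt, a RADIUS challenge may send several; the echo flag per prompt is what keeps a passcode off the screen.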
GSSAPI authentication (Kerberos)
Kerberos/GSSAPI authentication enables transparent, single sign-on-like authentication of SSH Tectia Client users. Once the user has logged on to the network and received the logon credentials, there is no need to type in the authentication credentials again through the SSH Tectia Client user interface when accessing Secure Shell servers. Specifically, Kerberos/GSSAPI authentication enables the use of Windows domain authentication and Active Directory accounts with SSH Tectia (via the SSPI API on Windows).
OpenSSH key support
SSH Tectia Client and Server support the legacy OpenSSH public-key format, eliminating the need for manual key conversions in multi-vendor Secure Shell environments. The key-compatibility feature also allows easy migration of OpenSSH environments to SSH Tectia.
Centrify DirectControl support
Integration of SSH Tectia with Centrify DirectControl enables secure host access while leveraging Active Directory-based identity management throughout multi-platform enterprise networks.