When SSH Tectia is used only to secure business applications (tunneling), it is not always necessary to implement strong user authentication with the SSH Tectia client/server solution. If it is acceptable from the security policy point of view to rely on the security of the application's own login mechanism, there is no need to require end users to perform a double login (first to SSH Tectia Server, then to the application itself).
In this use scenario, the added value created by SSH Tectia is:
Confidentiality and integrity are provided to application traffic.
Passwords used for application login are encrypted in transit.
Note that in this use scenario SSH Tectia may be used in conjunction with a single sign-on (SSO) solution, which eliminates the need to sign on separately to each application.
User-specific authentication can be avoided by creating a common global account for a group of users, with rights to establish tunnels only (specifically no terminal or file access is allowed). The corresponding username and password can then be distributed with SSH Tectia Manager to those (SSH Tectia Connector) users that need to access business applications running on the servers (SSH Tectia Server with Tunneling Expansion Pack). SSH Tectia Connector can then automatically connect to the server with the common user group credentials without the need to prompt the user for any login credentials. Therefore, from the end-user point of view there is no visible additional authentication.
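The restrictions on such a shared account, written out as an added example in OpenSSH `sshd_config` syntax. This is an analogue for illustration, not SSH Tectia Server configuration and not taken from the SSH Tectia documentation. The account name `apptunnel` and the destination `app1.example.internal:3200` are constructed placeholders, and limiting the forward destination is an assumption that goes beyond what the text above requires.

```conf
# Added example: OpenSSH analogue of a tunnel-only shared account.
# "apptunnel" and "app1.example.internal:3200" are constructed placeholders.
Match User apptunnel
    # The scenario distributes a common username and password to clients.
    PasswordAuthentication yes

    # Tunnels only: allow client-initiated (local) forwards, no remote forwards.
    AllowTcpForwarding local
    GatewayPorts no

    # Assumption: the shared credential may reach only the application listener,
    # so a copied password cannot be used to forward to arbitrary hosts.
    PermitOpen app1.example.internal:3200

    # No terminal access.
    PermitTTY no

    # No shell, remote command or file transfer: every session request
    # (shell, exec, sftp subsystem) runs this command and exits.
    ForceCommand /bin/false
    PermitUserRC no

    # Disable the remaining channel types the account has no use for.
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
```

With `ForceCommand /bin/false` in place, a client has to open the connection without requesting a session (for example `ssh -N` with a local forward), otherwise the connection closes as soon as the forced command exits.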
Figure 5.3 shows a network diagram of this use scenario.
See also Securing SAP GUI with SSH Tectia Connector Compatibility Note at http://www.ssh.com/resources/material/compatibility/.