The Tectia Client/Server solution offers several methods for user and server authentication, and true strong authentication using either public keys or public-key certificates.
- Server authentication with public keys or certificates
The Tectia client-side components authenticate the Secure Shell server in order to verify that they are connecting to the correct server. Likewise, the Secure Shell server authenticates the client user. The server can be authenticated by either (plain) public-key authentication or certificate authentication.
In (plain) public-key authentication, the server sends its public key to the client at the beginning of the first connection, and after the user has once verified and accepted the key, it is used in all future connections to that server.
In certificate authentication, the Tectia client-side components rely on a trusted third party, a certification authority (CA), to verify the server's identity. The signature of the certification authority in the server certificate guarantees the authenticity of the server certificate. When certificate authentication is used, the public key is included in the certificate that the server sends to the client.
- User authentication with certificates and public keys
Client-side users can use certificates as proof of their identity. Certificates work like passports; the user proves his or her identity to a certificate authority once using public keys, receives a certificate, and from then on can authenticate using the certificate.
- Public keys
Public-key authentication (without certificates) provides an easy-to-deploy and secure means of authenticating the users without the need to deploy and maintain a public-key infrastructure (PKI). Users will create key pairs for themselves and upload the public keys to the server for verification.
- Authentication agent
Tectia Client and ConnectSecure incorporate authentication agent functionality that allows the caching of passphrases, eliminating the need to retype the passphrase each time when a connection is made. Passphrases are used in public-key authentication, which is more secure than password authentication. In addition, authentication can be "forwarded" to another host, allowing administrators to hop from one server to another without the need to store private keys in multiple servers.
Tectia supports secure password-based authentication. Unlike in plaintext protocols such as Telnet and FTP, passwords are never sent in plaintext format over the network, thus eliminating the risk of exposing the password to unauthorized parties.
- X.509 v3 certificates
Tectia supports X.509 v3 certificates for further security and scalability in large and dynamic network environments. Comprehensive support for IETF PKIX and PKCS standards ensures seamless interoperability with third-party PKI products.
- Flexible certificate revocation
Tectia supports both Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) for centralized revocation of user credentials. CRLs are automatically fetched from a local file or by using HTTP or LDAP, depending on the local settings and the CRL Distribution Point extension in the certificate. CRLs can also be imported offline in legacy environments.
- Certificate lifecycle management
Tectia supports IETF PKIX standards (CMPv2) and Cisco Systems' Simple Certificate Enrollment Protocol (SCEP) for online certificate enrollment. Certificates can also be imported by using the PKCS #12 envelope format supported by most Certification Authorities (CAs). Tectia has been integrated with Entrust PKI for transparent certificate lifecycle management in Entrust environments. Entrust support is available on Windows platforms.
- Smart cards and PKI tokens
Tectia Client and ConnectSecure support smart cards, USB tokens, and other PKI authentication devices by supporting PKCS #11 and MSCAPI for interfacing with authentication keys. Strong, two-factor authentication overcomes the inherent security issues of password authentication.
- Host-based authentication on Unix
Host-based authentication is a form of delegated trust authentication, where the Secure Shell server trusts the Secure Shell client host to authenticate the user. The user is verified by a
suidbinary (ssh-signer) on the client host which then confirms the user identity to the server in a communication signed with a root-owned host key. The client host is authenticated strongly with public key cryptography, thus the authentication does not rely solely on a host IP address or domain name. The Secure Shell host-based authentication utilizes strong cryptography for host identity verification.
Keyboard-interactive is a standards-based method of integrating Secure Shell with third-party authentication mechanisms that are based on keyboard input, without the need to modify the client-side application (Tectia Client). Keyboard-interactive is commonly used in conjunction with PAM and RADIUS on the server side.
- PAM support
Tectia Server supports Pluggable Authentication Module (PAM) for integrating with third-party authentication systems that have standards-based PAM libraries.
- LDAP integration
Tectia Server can utilize standards-based third-party LDAP directories as centralized user repositories. The keyboard-interactive method and third-party PAM modules for LDAP can be used for integrating Tectia Server on Unix with LDAP directories.
- RSA SecurID
Tectia Client, ConnectSecure, and Server support RSA SecurID for strong, two-factor authentication. The keyboard-interactive method is used for providing the password from Tectia Client or ConnectSecure to Server, which is integrated with the RSA Authentication Agent libraries for seamless interoperability.
- RADIUS support
The RADIUS (Remote Authentication Dial-In User Service) protocol can be used with the Tectia Client/Server solution for checking users' authentication and authorization information from a remote server. Keyboard-interactive is used for sending the password to Tectia Server, which interfaces with the third-party RADIUS server such as Microsoft IAS or FreeRADIUS.
- GSSAPI authentication (Kerberos)
Kerberos/GSSAPI authentication enables transparent, single sign-on authentication of Tectia Client users. Once the user has logged on to the network and received the logon credentials, there is no need to type in the authentication credentials again through Tectia Client user interface when accessing Secure Shell servers. Specifically, Kerberos/GSSAPI authentication enables the use of Windows domain authentication and Active Directory accounts with Tectia (SSPI API in Windows).
- OpenSSH key support
Tectia Client, ConnectSecure, and Server support the legacy OpenSSH public-key format, eliminating the need for manual key conversions in multi-vendor Secure Shell environments. The key-compatibility feature also allows easy migration of OpenSSH environments to Tectia.
- Centrify DirectControl support
Integration of Tectia with Centrify DirectControl enables secure host access while leveraging Active Directory-based identity management throughout multi-platform enterprise networks.