Your browser does not allow storing cookies. We recommend enabling them.
SSH.COM uses cookies to give you the best experience and most relevant marketing. More info
DECLINE Warning: Some functionality on this site will not work without cookies and our advertising will be less relevant!GOT IT!

SSH Tectia
Home Prev Up Next

Using the Configuration File (Unix)

To configure the client to authenticate itself with an X.509 certificate, perform the following tasks:

  1. Enroll a certificate for yourself. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools.

    Example: Key generation and enrollment using ssh-cmpclient-g3

    $ ssh-cmpclient-g3 INITIALIZE 
-P generate://ssh2:passphrase@rsa:1536/user_rsa \  
-o /home/user/.ssh2/user_rsa -p 62154:ssh \
-s 'C=FI,O=SSH,CN=user;email=user@example.org' \
-S http://fw.example.com:1080 http://pki.example.com:8080/pkix/ \
'C=FI, O=SSH, CN=Test CA 1'

    For more information on ssh-cmpclient-g3 and ssh-scepclient-g3, see ssh-cmpclient-g3(1) and ssh-scepclient-g3(1).

  2. Place your keys and certificates in a directory where the Connection Broker can locate them.

    By default, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory on Unix, or in the %APPDATA%\SSH\UserKeys and %APPDATA%\SSH\UserCertificates directories on Windows.

    On Windows, you can also add other directory locations for keys on the Keys and Certificates page of the SSH Tectia Configuration tool. See Managing Keys and Certificates. On Unix, you can use the general/key-stores/key-store element in the ssh-broker-config.xml file. See the section called “Key Store Configuration Examples”.

  3. (Optional) Create an identification file.

    Using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the default directory. If the identification file exists, the keys listed in it are attempted first.

    Specify the private key of your software certificate in the $HOME/.ssh2/identification file (the CertKey option works identically with the IdKey option):

    CertKey     user_rsa

    The certificate itself will be read from user_rsa.crt.

    For more information on the syntax of the identification file, see $HOME/.ssh2/identification.

  4. Make sure that public-key authentication is enabled in the ssh-broker-config.xml file (it is enabled by default).

    <authentication-methods>
  <auth-publickey />
...
</authentication-methods>

    Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.

Home Prev Up Next

Copyright 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Contact Information


 

 
What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.



    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now

  • ISACA Practitioner Guide for SSH



    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now