SSH Tectia

Authentication Settings (version 4.x only)

These settings apply to SSH Tectia 4.x only. Settings for SSH Tectia 5.1-6.x are configured under the SSH Tectia G3 tab. See PKI (Client G3) and PKI (Server G3).

General

The General tab contains the name of the object.

Name

Name of the Authentication settings object.

User Authentication

The User Authentication tab contains the server-side CA settings.

CA list

Specifies one or more certification authorities (CAs) trusted by the Secure Shell servers in user public-key authentication.

Server-side CA, CA certificate

Specifies the BER- or PEM-encoded X.509 certificate of the trusted CA (Certification Authority) used to authenticate users in public-key authentication.

Server-side CA, Enable DOD PKI

Specifies whether to require Digital Signature to be set in Key Usage in the end entity certificate. By default, this is not required.

Server-side CA, Disable CRL checking

The CRL (certificate revocation list) checking should be disabled only for testing purposes.

Server-side CA, Use expired CRLs

Set the time (in seconds) for how long an expired CRL can be used. The default is 0 (do not use expired CRLs).

Server-side CA, User Mapping File

Specifies the mapping file used to map a certificate to a user account based on the data in the certificate. The mapping file must contain one or more lines in the following format:

account-id keyword arguments

For example:

tunnel EmailRegex .*@example\.com

keyword must be one of the following: Email, EmailRegex, Subject, SerialAndIssuer, or SubjectRegex. The possible arguments are different for each keyword. The following list describes each variation:

  • Email arguments: an e-mail address in standard format. If the certificate contains the e-mail address as an alternate name, it is good for logging in as user account-id.

  • Subject arguments: a subject name in DN notation (LDAP style). If the name matches the one in the certificate, the certificate is good for logging in as user account-id.

  • SerialAndIssuer arguments: a number and an issuer name in DN notation (LDAP style), separated by a whitespace. If the issuer name and serial number match those in the certificate, the certificate is good for logging in as user account-id.

  • EmailRegex arguments: a regular expression (egrep syntax). If it matches an alternate name (of the type Email) in the certificate, the certificate is good for logging in as user account-id. As a special feature, if account-id contains the string subst, it is replaced by the first parenthesized substring of the regular expression before comparing it to the account the user is trying to log into.

  • SubjectRegex works identically to EmailRegex, except that it matches the regular expression to the canonical subject name in the received certificate.

Empty lines and lines beginning with # are ignored.

Example mapping file:

tunnel Email tunnel@example.com
guest Subject C=FI, O=Company\, Ltd., CN=Guest User
guest SerialAndIssuer 123 C=FI, O=My Company, CN=Test CA
%subst% EmailRegex ([a-z]+)@example\.com
%subst% SubjectRegex C=FI, O=My Company, CN=([a-z]+)

The example EmailRegex lets in users whose e-mail address is in the domain example.com and whose username part contains only letters; each such user is mapped to the account that corresponds to the username part of the e-mail address.

The example SubjectRegex lets in all users whose subject name contains the fields C=FI and O=Company, provided that their CN field contains only letters and is the account name they are trying to log into.
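The mapping rules above are easy to misread (for example, whether a regular expression must match the whole name, and what %subst% does). The following added example, which is not part of the SSH Tectia product or this documentation, parses the documented mapping-file format and evaluates it against constructed certificate fields. The Cert class, the fullmatch anchoring of regular expressions, and the sample certificates are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed mapping file in the documented "account-id keyword arguments" format;
# it reproduces the example entries from the text (raw string, so \, and \. are literal).
MAPPING_FILE = r"""
# account-id keyword arguments
tunnel Email tunnel@example.com
guest Subject C=FI, O=Company\, Ltd., CN=Guest User
guest SerialAndIssuer 123 C=FI, O=My Company, CN=Test CA
%subst% EmailRegex ([a-z]+)@example\.com
%subst% SubjectRegex C=FI, O=My Company, CN=([a-z]+)
"""

KEYWORDS = {"Email", "EmailRegex", "Subject", "SerialAndIssuer", "SubjectRegex"}


@dataclass
class Rule:
    account: str   # account-id column
    keyword: str   # one of KEYWORDS
    args: str      # rest of the line, keyword-specific


@dataclass
class Cert:
    """Hypothetical stand-in for the certificate fields the mapping consults (constructed)."""
    subject: str    # canonical subject name, LDAP-style DN
    serial: str
    issuer: str     # issuer DN, LDAP style
    emails: list    # alternate names of type Email


def parse_mapping(text):
    """Parse mapping-file text into Rule objects; empty lines and # lines are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # the arguments may themselves contain spaces
        if len(parts) != 3 or parts[1] not in KEYWORDS:
            raise ValueError(f"line {lineno}: expected 'account-id keyword arguments'")
        rules.append(Rule(*parts))
    return rules


def accounts_for(rules, cert):
    """Return the set of account names the certificate is good for under the rules."""
    accounts = set()
    for rule in rules:
        if rule.keyword == "Email":
            if rule.args in cert.emails:
                accounts.add(rule.account)
        elif rule.keyword == "Subject":
            if rule.args == cert.subject:
                accounts.add(rule.account)
        elif rule.keyword == "SerialAndIssuer":
            serial, _, issuer = rule.args.partition(" ")
            if serial == cert.serial and issuer.strip() == cert.issuer:
                accounts.add(rule.account)
        else:  # EmailRegex or SubjectRegex
            pattern = re.compile(rule.args)
            candidates = cert.emails if rule.keyword == "EmailRegex" else [cert.subject]
            for candidate in candidates:
                # Assumption: the whole name must match (fullmatch); that is what makes
                # "CN=([a-z]+)" mean "CN contains only letters". The page does not state
                # how the expression is anchored.
                m = pattern.fullmatch(candidate)
                if m is None:
                    continue
                account = rule.account
                if "subst" in account:
                    if not m.groups():
                        continue  # subst needs a parenthesized substring to substitute
                    account = account.replace("%subst%", m.group(1))
                accounts.add(account)
    return accounts


def may_login(rules, cert, requested_account):
    """True if the certificate is good for logging in as requested_account."""
    return requested_account in accounts_for(rules, cert)


# Constructed sample certificates.
ALICE = Cert(subject="C=FI, O=My Company, CN=alice", serial="42",
             issuer="C=FI, O=My Company, CN=Test CA", emails=["alice@example.com"])
BOB1 = Cert(subject="C=FI, O=My Company, CN=bob1", serial="43",
            issuer="C=FI, O=My Company, CN=Test CA", emails=["bob1@example.com"])
TESTCA_123 = Cert(subject="C=FI, O=Other, CN=Whoever", serial="123",
                  issuer="C=FI, O=My Company, CN=Test CA", emails=[])

if __name__ == "__main__":
    rules = parse_mapping(MAPPING_FILE)
    for cert in (ALICE, BOB1, TESTCA_123):
        print(cert.subject, "->", sorted(accounts_for(rules, cert)))
```

With these rules, ALICE maps only to the account "alice", BOB1 maps to nothing because the digit in "bob1" fails both regular expressions, and any certificate with serial 123 from the Test CA maps to "guest" regardless of its subject, which is the point to keep in mind when writing SerialAndIssuer rules.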

LDAP Server URL

Specifies a comma-separated list of LDAP Servers used to retrieve CRLs and intermediate CA certificates in case the certificate itself does not contain a valid Authority Info Access extension and/or CRL Distribution Point extension.

The LDAP Server must be in the URL format, for example:

ldap://pki.ssh.com:389

Firewall URL

Specifies the firewall settings in the URL format, used to access the LDAP, HTTP, and OCSP services during certificate validation.

Example URL (a SOCKS server with directly connected networks):

socks://fw.example.com:1080/127.0.0.0/8,192.168.0.0/16
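To make the meaning of that URL concrete, the following added example (not part of SSH Tectia or this documentation) splits it into the SOCKS server and the directly connected networks and decides, for a given destination address of an LDAP, HTTP or OCSP service, whether validation traffic goes direct or through the SOCKS server. The default port of 1080 and the interpretation of the path as comma-separated CIDR networks are assumptions based on the page's example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed value in the documented format.
FIREWALL_URL = "socks://fw.example.com:1080/127.0.0.0/8,192.168.0.0/16"


def parse_firewall_url(url):
    """Split a socks:// firewall URL into (host, port, directly-connected networks).

    Assumption: the path is a comma-separated list of CIDR networks that are reached
    directly, as in the page's example; every other destination goes via the SOCKS server.
    """
    parts = urlsplit(url)
    if parts.scheme != "socks" or not parts.hostname:
        raise ValueError(f"not a socks://host[:port]/... URL: {url!r}")
    port = parts.port if parts.port is not None else 1080  # assumed default SOCKS port
    direct = []
    for item in parts.path.lstrip("/").split(","):
        if item:
            # strict=True rejects networks with host bits set, a common typo in such lists
            direct.append(ipaddress.ip_network(item, strict=True))
    return parts.hostname, port, direct


def route_for(url, destination_ip):
    """Return 'direct' or 'socks://host:port' for a validation-service destination IP."""
    host, port, direct = parse_firewall_url(url)
    addr = ipaddress.ip_address(destination_ip)
    if any(addr in net for net in direct):
        return "direct"
    return f"socks://{host}:{port}"


if __name__ == "__main__":
    for dest in ("127.0.0.1", "192.168.5.9", "203.0.113.10"):
        print(dest, "->", route_for(FIREWALL_URL, dest))
```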

OCSP Responder URL

Specifies an OCSP (Online Certificate Status Protocol) Responder service in the URL format in case the certificate itself does not contain a valid Authority Info Access extension with the OCSP Responder URL, and OCSP should be used instead of CRLs.

Note that in order for the OCSP validation to succeed, both the end entity certificate and OCSP Responder certificate must be issued by the same CA.

Cache file

Specifies the name of the file where the certificates and CRLs are cached by the certificate validation server upon service shutdown. The certificate validation server reads the cache when started.

An empty value disables certificate caching.

CRL Auto Update

Enables auto update for CRLs.

CRL Prefetch

Specifies the CRL Distribution Point used to retrieve the CRL when the certificate validation service is started. Also specifies the prefetch interval in seconds.

The CRL DP must be in a specific URL format.

If an LDAP server is used, the complete URL to the CRL has to be defined. The issuer name is specified in the URL as follows:

ldap://pki.ssh.com:389/CN=SSH%20Test%20CA%203%20No%20Liabilities,O=SSH%20Communications%20Security%20Corp,C=FI?certificaterevocationlist

An HTTP CRL can also be prefetched. In SSH Tectia Certifier, the URL is specific to the CA installation and contains a unique ID. For example:

http://pki.ssh.com:8080/crl-as-der/currentcrl-509.crl?id=509

Server Authentication

The Server Authentication tab contains the client-side CA settings.

CA list

Specifies one or more certification authorities (CAs) trusted by the Secure Shell clients in server authentication.

Client-side CA, CA certificate

Specifies the BER- or PEM-encoded X.509 certificate of the trusted CA (certification authority) used to authenticate the remote host in server authentication.

Disable CRL checking

The CRL (certificate revocation list) checking should be disabled only for testing purposes.

Endpoint identity check

Specifies whether to check the hostname or IP address used for connecting against the Subject Name and the Subject Alternative Name DNS or IP fields in the server's certificate.

Caution

If identity checking is disabled, any certificate issued by a trusted CA is acceptable in server authentication and the validation relies solely on the CRL check.
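The following added example, which is not SSH Tectia code, shows what the endpoint identity check decides and what the caution above means in practice: with the check disabled, a certificate for a different host from the same trusted CA is accepted. The ServerCert class, the exact case-insensitive DNS comparison (no wildcard rules, since the page gives none), and the sample certificates are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Hypothetical stand-in for the identity fields of a server certificate (constructed)."""
    subject_cn: str                               # CN from the Subject Name
    san_dns: list = field(default_factory=list)   # Subject Alternative Name DNS entries
    san_ip: list = field(default_factory=list)    # Subject Alternative Name IP entries
    issued_by_trusted_ca: bool = True             # outcome of chain and CRL validation


def _norm_dns(name):
    # Trailing dot and letter case do not change a DNS identity.
    return name.rstrip(".").lower()


def endpoint_identity_ok(target, cert):
    """Compare the name or IP used to connect with the certificate's DNS/IP fields.

    Assumption: exact, case-insensitive DNS matching against the SAN DNS entries and the
    subject CN; an IP target is matched only against SAN IP entries.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # Compare parsed addresses so that "::1" and "0:0:0:0:0:0:0:1" agree.
        return any(addr == ipaddress.ip_address(ip) for ip in cert.san_ip)
    wanted = _norm_dns(target)
    names = [_norm_dns(n) for n in cert.san_dns] + [_norm_dns(cert.subject_cn)]
    return wanted in names


def server_accepted(target, cert, endpoint_check_enabled=True):
    """Server authentication decision: CA/CRL validation first, then the identity check."""
    if not cert.issued_by_trusted_ca:
        return False
    if not endpoint_check_enabled:
        return True   # the caution above: any certificate from a trusted CA is accepted
    return endpoint_identity_ok(target, cert)


# Constructed certificates: the intended host and another host from the same trusted CA.
SSH_HOST = ServerCert(subject_cn="ssh.example.com",
                      san_dns=["ssh.example.com"], san_ip=["192.0.2.10"])
OTHER_HOST = ServerCert(subject_cn="mail.example.com", san_dns=["mail.example.com"])

if __name__ == "__main__":
    for enabled in (True, False):
        print("check enabled:", enabled,
              "| right host:", server_accepted("ssh.example.com", SSH_HOST, enabled),
              "| other host:", server_accepted("ssh.example.com", OTHER_HOST, enabled))
```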

Enable DOD PKI

Specifies whether to require Digital Signature to be set in Key Usage in the end entity certificate. By default, this is not required.

LDAP Server URL

Specifies a comma-separated list of LDAP Servers used to retrieve CRLs and intermediate CA certificates in case the certificate itself does not contain a valid Authority Info Access extension and/or CRL Distribution Point extension.

The LDAP Server must be in the URL format, for example:

ldap://pki.ssh.com:389

OCSP Responder URL

Specifies an OCSP (Online Certificate Status Protocol) Responder service in the URL format in case the certificate itself does not contain a valid Authority Info Access extension with the OCSP Responder URL, and OCSP should be used instead of CRLs.

Note that in order for the OCSP validation to succeed, both the end entity certificate and OCSP Responder certificate must be issued by the same CA.