

Configuring Extended Admin Authentication

By default, admin users are authenticated using passwords stored internally by the Management Server. To modify the administrator authentication settings, select Settings → Admin Authentication. This page shows three configurable categories:

Figure 4.8. Administrator authentication settings

LDAP authentication parameters

LDAP authentication parameters, such as the LDAP server address and search scope.

Certificate authentication parameters

Certificate authentication parameters, such as the trusted CA certificate and the mappings from certificates to admin accounts.

Authentication settings

Authentication settings are assigned to users. Each authentication setting specifies which password and certificate authentication parameters to use (or None for either).

There are two default authentication settings: Default superuser authentication settings and Default user authentication settings.

When an administrator logs in, the authentication process goes through the following steps:

  1. If certificate authentication is configured, any TLS client certificate is verified using the certificate parameters. If verification succeeds, the TLS client certificate is displayed in the login screen.

  2. The account is identified by the account name entered in the login screen. If the given account name is not valid, access is denied.

  3. The account's authentication settings are applied as follows:

    1. If the account has password authentication configured, then the password is verified. If verification fails, access is denied.

    2. If the account has certificate authentication configured, then the TLS client certificate is verified using the certificate parameters. If verification fails, access is denied.

    3. If neither password nor certificate authentication is defined, access is denied (for example, selecting None for both the password and certificate parameters denies access).
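The following is an added, constructed model of the decision flow in steps 2 and 3 above; it is not the Management Server's own code, and the account names, parameter set names and credentials are assumptions chosen to exercise each branch (both factors required, one factor, and the None/None case).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the administrator login flow (steps 2 and 3 above).
# All names, data structures and sample credentials are assumptions for
# illustration, not the Management Server's own code or data.

@dataclass(frozen=True)
class AuthSettings:
    password_source: Optional[str]  # "internal" or an LDAP parameter set; None = "None" selected
    cert_params: Optional[str]      # a certificate parameter set name; None = "None" selected

# Constructed stand-ins for the internal password database / LDAP directory
# and for the certificate-to-admin-account mappings of each parameter set.
PASSWORDS = {"internal": {"alice": "s3cret"}, "ldap-corp": {"bob": "ldap-pw"}}
CERT_MAPPINGS = {"corp-ca": {"alice": "CN=alice,O=Example", "carol": "CN=carol,O=Example"}}

ACCOUNTS = {
    "alice": AuthSettings("internal", "corp-ca"),  # password AND certificate both required
    "bob":   AuthSettings("ldap-corp", None),      # password only; a presented cert is ignored
    "carol": AuthSettings(None, "corp-ca"),        # certificate only
    "dave":  AuthSettings(None, None),             # None/None: can never log in
}

def verify_password(source: str, account: str, password: Optional[str]) -> bool:
    return password is not None and PASSWORDS.get(source, {}).get(account) == password

def verify_certificate(params: str, account: str, cert_subject: Optional[str]) -> bool:
    # The certificate must map to this very account in the parameter set's
    # mappings, not merely to some admin account (CA chain check assumed done by TLS).
    return cert_subject is not None and CERT_MAPPINGS.get(params, {}).get(account) == cert_subject

def authenticate(account_name: str, password: Optional[str] = None,
                 cert_subject: Optional[str] = None) -> tuple[bool, str]:
    # Step 2: identify the account; an unknown name is denied before any factor is checked.
    settings = ACCOUNTS.get(account_name)
    if settings is None:
        return False, "unknown account"
    # Step 3.1: password is verified only when a password source is configured.
    if settings.password_source is not None and not verify_password(
            settings.password_source, account_name, password):
        return False, "password verification failed"
    # Step 3.2: certificate is verified only when certificate parameters are configured.
    if settings.cert_params is not None and not verify_certificate(
            settings.cert_params, account_name, cert_subject):
        return False, "certificate verification failed"
    # Step 3.3: with neither factor configured, nothing was verified, so access is denied.
    if settings.password_source is None and settings.cert_params is None:
        return False, "no authentication method configured"
    return True, "access granted"
```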

It is possible to create and edit sets of password and certificate authentication parameters, which can in turn be assigned to authentication settings. The management system itself also defines one password authentication source (Internal password database), which cannot be edited or removed by a superuser.

