
SSH

Server

The settings for Tectia Server can be edited under Configurations → Edit configurations → Tectia → Server.

For more information on the configuration options, see Tectia Server Administrator Manual.

General

The General page contains general settings for Tectia Server.

Configuration name

Name of the configuration.

Description

Describes the configuration.

Crypto library mode

Define the cryptographic library mode to be used. Either the standard version or the FIPS 140-2 certified version of the crypto library can be used.

Hash algorithms

Define whether all or only the SHA2-compliant algorithms are accepted by the server. When the SHA2 option is selected, all non-SHA2 algorithms will be omitted. This option affects the settings of macs, kexs and host key algorithms in the configuration, because they include hash algorithms.

Note

The Only SHA2-compliant hash algorithms option is not supported with 6.1.x or earlier Tectia configurations.

Maximum connections

Define the maximum number of client connections allowed per servant. The value range is 1-256. The default value is 256.

This setting together with Maximum processes is useful in systems with low resources. The server has to be restarted to use the changed setting.

Maximum processes

Define the maximum number of servant processes the master server will launch. The value range is 1-40. The default value is 40.

This setting together with Maximum connections is useful in systems with low resources. The server has to be restarted to use the changed setting.

Login grace time

Specify a time after which the server disconnects if the user has not successfully logged in. If the value is set to 0, there is no time limit. The default is 600 (seconds).

User configuration directory

Specify a directory where user-specific public-key configuration data is found. With this, the administrator can control those options that are usually controlled by the user. The directory path can include a pattern string which is expanded by Tectia Server.

The following pattern strings can be used:

  • %D or %homedir% is the user's home directory

  • %U or %username% is the user's login name

    For Windows domain users, these strings are substituted differently:

    • %U is expanded to domain.username

    • %username% is expanded to domain\username

  • %IU or %userid% is the user's user ID (uid)

  • %IG or %groupid% is the user's group ID (gid)

Note that user ID and group ID are only supported on Unix, not on Windows.

The default is "%D/.ssh2".

Listener list

This setting is used to specify where the server listens to connections. Click Add to add a new listener. Click Edit to edit or click Delete to delete a listener.

Each listener entry has three fields: ID, IP address, and Port.

The ID must be given and it must be unique within a configuration. The IP address and port are optional. The default port for listeners is 22.

Several listeners can be created for the same IP address on different ports. Each listener must have a unique ID.

Proxy scheme

Define rules for HTTP or SOCKS proxy servers that Tectia Server will use when a client forwards a connection (local tunnel).

For a description of the proxy scheme format, see Tectia Server Administrator Manual.

XAuth path (Unix only)

Contains a path to a supplementary XAuth binary used with X11 forwarding on Unix platforms.

x11 listen address (Unix only)

Select the type for the x11 listener address (used in X11 forwarding). Value localhost (default) binds the x11 listener to the loopback address; value Any binds the X11 listener to the 0.0.0.0 (wildcard) interface thereby allowing connections to the proxy from other hosts.

Terminate user processes

Select the Terminate on session close check box to have all processes started by the user on the SSH terminal session terminated when the user logs off from the session. By default this is not enabled.

Record PTY-less sessions (Unix only)

This setting controls whether sessions without PTYs are recorded as user logins in the operating system. Sessions without PTYs are for example remote commands and SFTP sessions. By default, all sessions are recorded. However, some system utilities (such as finger on Solaris) do not allow sessions without PTYs to be recorded because these sessions do not have a valid TTY name. On these systems, only real shell logins should be recorded and others turned off by clearing the check box.

Ignore AIX login policy (AIX only)

If the check box is selected, the server ignores the local login restriction on AIX. Remote login permission is still honored.

Ignore AIX rlogin policy (AIX only)

If the check box is selected, the server ignores the remote login restriction on AIX. Local login permission is still honored.

Ignore NIS+ no permission (Linux and Solaris only)

If the check box is selected, the server ignores the fact that NIS+ gives no permission to the user during authentication. That is, the server ignores it if NIS+ returns *NP* when queried for the shadow password of a non-root user. *NP* indicates no permission to read the password information.

When NIS+ returns *NP*, the user will NOT be able to use password authentication or the keyboard-interactive with password authentication to authenticate the session. However, the keyboard-interactive with PAM is possible.

Default PATH

On Unix, you can define the default PATH value for the user environment. This path will be applied after connection to a server unless anything else is defined in the system settings. Alternatively, the default environment can be set by using the environment variable PATH.

PAM service name

Defines the service that PAM account and session management should use. When defined, this setting will override the factory setting which is ssh-server-g3.

PAM DLL path

Defines the location of the PAM library, if the library is not in the default library path of the operating system.

PAM calls with commands

Select this option to enable PAM Account Management and PAM Session Management when the user executes shells, remote commands and subsystems. This setting has no effect on platforms which do not support PAM.

Enabling PAM calls with commands will enforce the PAM restrictions on session and account management regardless of the authentication method that is used to connect to the server. Note that this requires either a PAM configuration file for the service ssh-server-g3 or defining the PAM service name.

PAM account checking only (Unix only)

Select this option to define that only PAM will be used to check if the user is allowed to login (for example, the account is not locked). With this setting active, Tectia Server will not try to independently verify whether the account has been locked or otherwise disabled, if either PAM authentication has succeeded or if PAM calls with commands is set on for PAM Account or Session Management.

Resolve client's hostname

Deselect this option to define that Tectia Server should NOT try to use DNS lookups to resolve the client host name during connection setup. Instead, the IP address is used as the returned client host name. This option is useful when you know that the DNS cannot be reached and the query would only add delay to logging in.

Note that this attribute does not affect the resolution of TCP tunnel endpoints and Tectia Server will try to resolve the client host name when creating a TCP tunnel.

Windows logon type

On Windows, you can define what kind of user logon methods for the local host are accepted by Tectia Server. The defined logon type affects password authentication.

Windows domain list

On Windows, you can define a comma-separated list of trusted domains which will be tried when looking for a match for a user name that is missing the prefix (indicating local or domain user status). The list will be read in order, and the first domain that has an account for the user name will be used to log in the user and the rest will be ignored. If the user name is not found in any of the specified domains, the user account is assumed not to exist.

In addition to domain names, you can define the special values %local% and %default%. If %local% matches, a user without a specified prefix will be treated as a local user (username becomes local_machine_name\username). If %default% matches, the user will be treated as a domain user, and the domain name is expected to be the default domain of the local machine (username becomes default_domain_name\username).

If this setting is not defined in the Tectia Server configuration, and a user logs in without specifying the prefix, Tectia Server first checks if the given user name is valid in the default domain where the local machine exists. If no match is found, for example because the machine is standalone, the user will be treated as a local user.

Banner message

Specify the message that is sent to the client before authentication. Note, however, that the client is not obliged to show this message.

PKI

The PKI page contains the certificate validation settings used for user authentication.

CA list

Specify one or more certification authorities (CAs) trusted by Tectia Server in user public-key authentication.

To add a trusted CA, click Add.

To edit a trusted CA, click Edit next to the CA.

To delete a trusted CA, click Delete next to the CA.

CA certificate

Specify the BER- or PEM-encoded X.509 certificate of the trusted CA (Certification Authority).

Disable CRL checking

The CRL (certificate revocation list) checking should be disabled only for testing purposes.

Use expired CRLs

Set a number of seconds an expired CRL is used. The default is 0 (do not use expired CRLs).

Socks server URL

Specify the firewall settings used to access the LDAP, HTTP, and OCSP services during certificate validation. The settings are specified in URL format, first the SOCKS server address, and after that the networks that are connected directly, separated by commas.

Example URL (a SOCKS server with directly connected networks):

socks://fw.example.com:1080/127.0.0.0/8,192.168.0.0/16

HTTP proxy URL

Specify the proxy settings used to access the LDAP, HTTP, and OCSP services during certificate validation. The settings are specified in URL format, first the HTTP proxy server address, and after that the networks that are connected directly, separated by commas.

LDAP Server URL

Specify a comma-separated list of LDAP Servers used to retrieve CRLs and intermediate CA certificates in case the certificate itself does not contain a valid Authority Info Access extension and/or CRL Distribution Point extension.

The LDAP server address must be in the URL format, for example:

ldap://pki.example.com:389

OCSP Responder URL

Specify an OCSP (Online Certificate Status Protocol) Responder service in the URL format in case the certificate itself does not contain a valid Authority Info Access extension with the OCSP Responder URL, and OCSP should be used instead of CRLs.

Note that in order for the OCSP validation to succeed, both the end entity certificate and OCSP Responder certificate must be issued by the same CA.

Cache file

Specify the name of the file where the certificates and CRLs are cached by the certificate validation server upon service shutdown. The certificate validation server reads the cache when started.

An empty value disables certificate caching.

Enable DOD PKI compliance mode

Specify whether to require Digital Signature to be set in Key Usage in the end entity certificate. By default, this is not required.

CRL Auto Update

Enables auto update for CRLs.

CRL Prefetch

Specify the CRL Distribution Point used to retrieve the CRL when the certificate validation service is started. Specify also a prefetch interval in seconds.

The CRL DP must be in a specific URL format.

If an LDAP server is used, the complete URL to the CRL has to be defined. The issuer name is specified in the URL as follows:

ldap://pki.example.com:389/CN=Test%20CA,O=SSH,C=FI?certificaterevocationlist

Also an HTTP CRL can be prefetched. For example:

http://pki.example.com:8080/crl-as-der/currentcrl-509.crl?id=509

Maximum certificate and CRL memory cache

Specify the maximum size (in megabytes) of in-memory cache for the certificates and CRLs. The value range is 1-512 MB; and the default is 35 MB.

Maximum CRL size

Specify the maximum size for CRLs (in megabytes). Processing large CRLs can consume a considerable amount of memory and processing power, so in some environments it is advisable to limit their size. The value range is 1-512 MB; and the default is 11 MB.

External search time limit

Specify the time limit (in seconds) for external HTTP and LDAP searches for CRLs and certificates. The value range is 1-3600 seconds; and the default is 60 seconds.

Maximum LDAP response length

Specify the maximum size (in megabytes) of LDAP responses accepted. The value range is 1-512 MB; and the default is 11 MB.

LDAP idle timeout

Specify an idle timeout for LDAP connections. The validation engine retains LDAP connections and reuses them in forthcoming searches. The connection is closed only after the LDAP idle timeout has been reached. The value range is 1-3600 seconds; and the default idle timeout is 30 seconds.

Logging

On the Logging page, you can set the severity and facility of different logging events. The events have reasonable default values, which are used if no explicit logging settings are made.

To add customized values for events:

  1. Click Add. A list of log events is shown.

    When you click Add, the events that already have customized values are not shown on the list. When you click Replace, all events are shown on the list.

  2. Select the event(s) you want to customize from the list, and select whether to log the event(s) and select the Facility and Severity for the event(s).

  3. Click Add event(s) when finished.

    The customized events are now shown on the Logging page.

To delete a log event from the customized events, click Delete. The event will revert to using the default values.

For more information on the events and their default values, see Tectia Server Administrator Manual, Appendix: Audit Messages.

Connections

The Connections page contains the settings for rekey intervals, and the ciphers and MACs that the server allows.

Rekey time interval

Specify the number of seconds after which the key exchange is done again.

The default is 3600 seconds (1 hour). Value 0 (zero) turns rekey requests off. This does not prevent the client from requesting rekeys.

Rekey data interval

Specify the number of megabytes after which the key exchange is done again.

The default is 1000 MB. The value 0 (zero) turns rekey requests off. This does not prevent the client from requesting rekeys.

If a value for both Rekey time interval and Rekey data interval is specified, rekeying is done whenever one of the values is reached, after which the counters are reset.

Ciphers

Define ciphers allowed by the server for data encryption. Select a cipher from the list, and use the arrow buttons (<< and >>) to move the cipher to the used (enabled) list or to the available (disabled) list.

MACs

Define MACs allowed by the server for data integrity verification. Select a MAC from the list and use the arrow buttons (<< and >>) to move the MAC to the used (enabled) list or to the available (disabled) list.

KEXs

Define the key exchange methods that the server will accept from the client. The first method proposed by the Client that is included also in the Server's list will be selected. Use the Up and Down buttons to change the order of the KEXs.

Due to issues in OpenSSL, the following KEXs cannot operate in the FIPS mode: diffie-hellman-group15-sha256@ssh.com and diffie-hellman-group15-sha384@ssh.com.

By default, the server allows diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1.

Host key algorithms

Define the host key signature algorithms that the server accepts for host-based authentication. The first method proposed by the Client that is included also in the Server's list will be selected. Use the Up and Down buttons to change the order of the algorithms.

The following host key signature algorithms are available: ssh-dss, ssh-dss-sha224@ssh.com, ssh-dss-sha256@ssh.com, ssh-dss-sha384@ssh.com, ssh-dss-sha512@ssh.com, ssh-rsa, ssh-rsa-sha224@ssh.com, ssh-rsa-sha256@ssh.com, ssh-rsa-sha384@ssh.com, ssh-rsa-sha512@ssh.com, x509v3-sign-dss, x509v3-sign-dss-sha224@ssh.com, x509v3-sign-dss-sha256@ssh.com, x509v3-sign-dss-sha384@ssh.com, x509v3-sign-dss-sha512@ssh.com, x509v3-sign-rsa, x509v3-sign-rsa-sha224@ssh.com, x509v3-sign-rsa-sha256@ssh.com, x509v3-sign-rsa-sha384@ssh.com, and x509v3-sign-rsa-sha512@ssh.com.

When setting Only SHA2 hash algorithm allowed is selected in the General section, the following algorithms are accepted: ssh-dss-sha224@ssh.com, ssh-dss-sha256@ssh.com, ssh-dss-sha384@ssh.com, ssh-dss-sha512@ssh.com, ssh-rsa-sha224@ssh.com, ssh-rsa-sha256@ssh.com, ssh-rsa-sha384@ssh.com, ssh-rsa-sha512@ssh.com, x509v3-sign-dss-sha224@ssh.com, x509v3-sign-dss-sha256@ssh.com, x509v3-sign-dss-sha384@ssh.com, x509v3-sign-dss-sha512@ssh.com, x509v3-sign-rsa-sha224@ssh.com, x509v3-sign-rsa-sha256@ssh.com, x509v3-sign-rsa-sha384@ssh.com, and x509v3-sign-rsa-sha512@ssh.com.

Public key algorithms

Define the public key signature algorithms that the server accepts. The first method proposed by the Client that is included also in the Server's list will be selected. Use the Up and Down buttons to change the order of the algorithms.

When setting Only SHA2 hash algorithm allowed is selected in the General section, only the SHA2 algorithms are accepted.

Rules

Rules are used to define connection, authentication, and service policies for connections to the server. The rules are evaluated in top-down order. Every incoming connection will match one and only one rule; after that, the selected rule will determine the authentication and allowed services for the connection.

To add a new rule, click Add. After you fill in the Rule name and click OK, a new rule object will appear in the tree view.

To edit a rule, click Edit next to the rule. You can also edit a rule directly on its subpages. See Selectors, Authentication, Certificate Authentication, Basic Services, SFTP, and Tunnels for the available settings in the rule.

To delete a rule, click Delete next to the rule.

To move a rule up or down, use the Up and Down buttons. When a client attempts to connect to the server, the rules are evaluated in order, and the first matching rule is used for the connection.

Rule name

Name of the configuration rule object.

Allow or deny connections

Define whether this rule will allow or deny connections.

Enable password cache

Select the Enable Password Cache check box to enable server password cache. When enabled, the password cache stores users' passwords every time they log on to the Tectia SSH Server on Windows using password or keyboard-interactive password authentication.

Selectors

Selectors are used to define to which incoming connections a rule applies. A rule can have multiple selectors. The selectors are processed in order, and each selector is compared to the connection. If a matching selector is found, the processing stops and the rule is selected for the connection.

Each selector can contain multiple Fields. Inside a selector, every field must match the connection. If there is a mismatch in any field, the whole selector will fail to match. Exception: if many fields of the same type are defined in a selector, only one of those fields is required to match.

On the Selectors page, click Add to add selectors. Click Edit to edit or click Delete to delete a selector.

On the selector Fields page, click Add to add fields to the selector. Click Edit to edit or click Delete to delete a field from the selector.

The following selectors are available:

Listener address

The Listener selector matches the listener interface Address and/or Port. Either field may be left empty.

IP address

The IP selector matches an IP Address of the client.

The IP address can be in one of the following formats:

  • a single IP address x.x.x.x

  • an IP address range of the form x.x.x.x-y.y.y.y

  • an IP sub-network mask of the form x.x.x.x/y
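The rule and selector evaluation described above (first matching rule wins; inside a selector, different field types are ANDed while fields of the same type are alternatives), together with the three IP selector formats, as an added example that is not Tectia's own code. The field type names, the dict layout and the assumption that a rule with no selectors matches every connection are this example's own.

```python
import ipaddress

# Added model of the Rules / Selectors semantics described on this page.
# Field types ("ip", "user", "group", "privileged") and the rule layout are
# constructed for the example; they are not Tectia configuration syntax.


def parse_ip_selector(spec):
    """Return a predicate for one IP selector value: a single address x.x.x.x,
    a range x.x.x.x-y.y.y.y, or a sub-network x.x.x.x/y."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above its end: {spec}")
        return lambda addr: lo <= addr <= hi
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda addr: addr in net
    single = ipaddress.ip_address(spec)
    return lambda addr: addr == single


def ip_matches(spec, ip):
    """Does the client IP (as a string) match the selector value?"""
    return parse_ip_selector(spec)(ipaddress.ip_address(ip))


def field_matches(ftype, value, conn):
    """Compare one selector field with the connection attributes."""
    if ftype == "ip":
        return ip_matches(value, conn["ip"])
    if ftype == "user":            # names match case-insensitively by default
        return conn["user"].lower() == value.lower()
    if ftype == "group":
        return value.lower() in {g.lower() for g in conn["groups"]}
    if ftype == "privileged":      # the Privileged? check box
        return conn["privileged"] == value
    raise ValueError(f"unknown field type: {ftype}")


def selector_matches(selector, conn):
    """Every field type in a selector must match (AND); several fields of the
    same type are alternatives (OR), which is the exception the page states."""
    by_type = {}
    for ftype, value in selector:
        by_type.setdefault(ftype, []).append(value)
    return all(any(field_matches(t, v, conn) for v in values)
               for t, values in by_type.items())


def select_rule(rules, conn):
    """Rules are evaluated top-down; the first rule with a matching selector
    decides the connection. Assumption: a rule with no selectors matches every
    connection, which is how the final catch-all rule below is expressed."""
    for rule in rules:
        if not rule["selectors"] or any(selector_matches(s, conn)
                                        for s in rule["selectors"]):
            return rule["name"], rule["action"]
    raise RuntimeError("no rule matched; the rule list needs a catch-all rule")


# Constructed rule list: admins only from the management network, privileged
# logins denied everywhere else, named staff from two address ranges, deny all.
RULES = [
    {"name": "admins-from-mgmt-net", "action": "allow",
     "selectors": [[("ip", "10.0.5.0/24"), ("group", "sshadmins")]]},
    {"name": "no-privileged-elsewhere", "action": "deny",
     "selectors": [[("user", "root")], [("privileged", True)]]},
    {"name": "staff", "action": "allow",
     "selectors": [[("ip", "192.168.1.10-192.168.1.20"), ("ip", "192.168.2.7"),
                    ("user", "alice"), ("user", "bob")]]},
    {"name": "default-deny", "action": "deny", "selectors": []},
]


def connection(ip, user, groups=(), privileged=False):
    """Constructed connection attributes, as the selectors would see them."""
    return {"ip": ip, "user": user, "groups": list(groups),
            "privileged": privileged}


if __name__ == "__main__":
    for conn in (connection("10.0.5.9", "root", ["sshadmins"], True),
                 connection("192.168.1.15", "root", [], True),
                 connection("192.168.1.15", "Alice"),
                 connection("192.168.3.1", "alice")):
        print(conn["user"], conn["ip"], "->", select_rule(RULES, conn))
```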

FQDN

The FQDN selector matches a fully qualified domain name (FQDN) of the client.

The fully qualified domain name matches an FQDN pattern (case-insensitive). The attribute can include a comma-separated list of allowed FQDN patterns. These patterns may also contain "*" and "?" globbing characters. The form of the pattern is not checked.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

User name

This selector matches a User name. A list of usernames can be given as a comma-separated list.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

Names are normally matched case-insensitively. Select the Case-sensitive? check box to match the name case-sensitively.

Note

In Windows domain environment, the User name and Group name selectors have a length limitation. For more information, see Tectia Server Administrator Manual.

User ID

This selector matches a User ID. A list of user IDs can be given as a comma-separated list.

Group name

This selector matches a user Group name. A list of user-group names can be given as a comma-separated list.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

Names are normally matched case-insensitively. Select the Case-sensitive? check box to match the name case-sensitively.

Note

In Windows domain environment, the User name and Group name selectors have a length limitation. For more information, see Tectia Server Administrator Manual.

Group ID

This selector matches a Group ID. A list of group IDs can be given as a comma-separated list.

Privileged user

This selector matches a privileged user (administrator) or a non-privileged user.

Select the Privileged? check box to match a privileged user or clear it to match a normal user.

For more information on selectors, see Tectia Server Administrator Manual.

Authentication

The Authentication page contains settings on the user authentication methods that the server allows.

Require any or all selected methods

Select whether the user has to pass any one of the enabled authentication methods (selected by the Secure Shell client) or whether the user has to pass all of the enabled methods.

Enable password authentication

Select the check box to enable password authentication.

Password failure delay

Set the delay between failed attempts in seconds. The default delay is 2 seconds.

Password maximum tries

Set the maximum number of password guesses. The default maximum is 3 tries.

Enable public-key authentication

Select the check box to enable public-key authentication.

Authorization file path

Specify a path to the file that lists the user public keys that are authorized for login. The path can contain a pattern string that is expanded by Tectia Server.

The following pattern strings can be used:

  • %D or %homedir% is the user's home directory

  • %U or %username% is the user's login name

    For Windows domain users, these strings are substituted differently:

    • %U is expanded to domain.username

    • %username% is expanded to domain\username

  • %username-without-domain% is the user's login name without the domain part.

The default is %D/.ssh2/authorization.

For more information on the syntax of the authorization file, see the ssh-server-g3(8) man page.
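The pattern-string expansion used by both the User configuration directory setting (General page) and the Authorization file path setting above, as an added example that is not Tectia's own code. The user-record layout and the handling of a Windows user without a domain are this example's own assumptions.

```python
import re

# Added example: expands the pattern strings listed for User configuration
# directory and Authorization file path. The user-record fields below are
# constructed for this example, not taken from Tectia.

UNIX_USER = {"platform": "unix", "login": "alice", "home": "/home/alice",
             "uid": 1001, "gid": 100}
WIN_DOMAIN_USER = {"platform": "windows", "login": "alice", "domain": "CORP",
                   "home": r"C:\Users\alice"}
WIN_LOCAL_USER = {"platform": "windows", "login": "bob", "domain": None,
                  "home": r"C:\Users\bob"}

# Long keywords are wrapped in two % signs, short ones take a single leading %.
# Longer alternatives come first so %username-without-domain% is not cut at
# %username%, and %IU / %IG are not cut at %U.
TOKEN = re.compile(r"%(homedir|username-without-domain|username|userid|groupid)%"
                   r"|%(IU|IG|D|U)")


def expand_pattern(pattern, user):
    """Expand every pattern string in `pattern` for the given user record."""
    domain = user.get("domain")

    def replace(match):
        name = match.group(1) or match.group(2)
        if name in ("D", "homedir"):
            return user["home"]
        if name in ("IU", "userid", "IG", "groupid"):
            # uid/gid patterns are only supported on Unix, not on Windows
            if user["platform"] != "unix":
                raise ValueError(f"%{name} is only supported on Unix")
            return str(user["uid"] if name in ("IU", "userid") else user["gid"])
        if name == "username-without-domain":
            return user["login"]
        if name == "U":              # Windows domain user: domain.username
            return f"{domain}.{user['login']}" if domain else user["login"]
        # name == "username"         # Windows domain user: domain\username
        return f"{domain}\\{user['login']}" if domain else user["login"]

    return TOKEN.sub(replace, pattern)


if __name__ == "__main__":
    # The defaults from the page, plus an administrator-controlled location
    # outside the home directory (constructed path).
    for pat in ("%D/.ssh2", "%D/.ssh2/authorization", "/etc/ssh2/users/%U/authorization"):
        print(pat, "->", expand_pattern(pat, UNIX_USER))
    for pat in ("%U", "%username%", "%username-without-domain%"):
        print(pat, "->", expand_pattern(pat, WIN_DOMAIN_USER))
```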

Authorized-keys directory path

Specify a path to the directory that contains the user public keys that are authorized for login. As above, the path can contain a pattern string that is expanded by Tectia Server. The default is %D/.ssh2/authorized_keys.

OpenSSH authorized-keys file path

Optionally specify a path to an OpenSSH-style authorized_keys file that contains the user public keys that are authorized for login. As above, the path can contain a pattern string that is expanded by Tectia Server.

Note

These settings override the User configuration directory setting on the General page.

Require DNS match

Select the check box to require that the hostname given by the client matches the one found in DNS. If the hostname does not match, the authentication fails.

Enable GSSAPI authentication

Select the check box to enable GSSAPI authentication.

Enable GSSAPI ticket forwarding

Select the check box to allow forwarding the Kerberos ticket over several connections.

GSSAPI DLL path (Unix only)

The GSSAPI DLL path can be given. This specifies where the necessary GSSAPI libraries are located. If this attribute is not specified, the libraries are searched for in a number of common locations. The full path to the libraries should be given, for example, "/usr/lib/libkrb5.so,/usr/lib/libgssapi_krb5.so".

On AIX, the DLL path should include the archive file, if applicable, for example, "<path>/libgssapi_krb5.a(libgssapi_krb5.a.so)". The archive(shared_object) syntax is not necessary if the library is a shared object or has been extracted from the shared object.

On Windows, the GSSAPI DLL path attribute is ignored. Tectia Server locates the correct DLL automatically.

Enable host-based authentication

Select the check box to enable host-based authentication.

Require DNS match

If this check box is selected, host-based authentication will require the hostname given by the client to match the one found in DNS. If the hostname does not match, the authentication will fail. By default, exact match is not required.

Enable keyboard-interactive authentication

Select the check box to enable keyboard-interactive authentication.

Keyboard-interactive submethod configurations

Click Add to add a new submethod. Click Edit to edit or click Delete to delete a submethod.

If no submethods are configured, all available submethods are allowed by default (however, the server may not be able to find the necessary libraries for SecurID and PAM, for example). If some of the submethods are configured, the rest of the submethods are implicitly disabled.

  • For the PAM submethod, you can define the library path with the PAM DLL path option, and the PAM service name option can be used to define the service to be used instead of the default ssh-server-g3. The library path needs to be defined only when the DLL is read from a non-default location.

  • Set the delay between failed attempts in seconds. The default delay is 2 seconds.

For detailed information on the submethods, see Tectia Server Administrator Manual.

Keyboard-interactive failure delay

Set the delay between failed attempts in seconds. The default delay is 2 seconds.

Keyboard-interactive maximum tries

Set the maximum number of keyboard-interactive authentication attempts. The default maximum is 3 tries.

Certificate Authentication

Certificate authentication is controlled by lists of certificate selectors. The lists are used to tie certificates and user names together; they are analogous to mapping files used by Tectia Server prior to 5.0.

When Tectia Client has presented a certificate to Tectia Server and it has been successfully validated against a configured CA, Tectia Server tries to match it using the certificate selector lists. If there is a match, the authentication succeeds, and if none of the selectors match with the certificate given by the user, the authentication is rejected.

Caution

When creating selector lists for the public-key method, make sure that every selector ties the user name to the certificate in some way, either by including a User name field, or putting the special substitution string %username% or %username-without-domain% to a field used to match some field in the certificate. Failing to do this may cause unintended consequences, for example authentication succeeding with many different user names with a single certificate.

Similarly, when creating selector lists for the host-based method, make sure that some field in every selector ties the certificate to the client host, using the %hostname% special substitution string.

User Certificate Selectors

Define the selectors to match the user certificates applied in public-key authentication.

Note

Enabling certificate authentication via the public-key method requires that public-key authentication is allowed on the Authentication page.

The following selectors are available:

User name

This selector is matched to a User name. A list of usernames can be given as a comma-separated list.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

Names are normally matched case-insensitively. Select the Case-sensitive? check box to match the name case-sensitively.

Note

In Windows domain environment, the User name and Group name selectors have a length limitation. For more information, see Tectia Server Administrator Manual.

CA

The CA selector is matched to the certification authority (CA) that has issued the user certificate used in public-key authentication (or the client host certificate used in host-based authentication).

The list shows the CAs that have been defined under the PKI page. Use the arrow buttons (<< and >>) to move a certificate to the allowed list or to the available (disallowed) list.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

Issuer name

The Issuer name selector is matched to the distinguished name of the certification authority (CA) that has issued the certificate.

The pattern may also contain "*" and "?" globbing characters.

Patterns are normally matched case-insensitively. Select the Case-sensitive? check box to match the pattern case-sensitively.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

Subject name

The Subject name selector is matched to the distinguished name in the user certificate used in public-key authentication (or the client host certificate used in host-based authentication).

The selector may contain the %username% keyword which is replaced with the user's login name before comparing with the actual certificate data. For Windows domain accounts, the %username-without-domain% keyword can be used and it is replaced by the user's login name without the domain part. The %hostname% keyword can be used in the same way and it is replaced by the client's FQDN. The pattern may also contain "*" and "?" globbing characters.

Patterns are normally matched case-insensitively. Select the Case-sensitive? check box to match the pattern case-sensitively.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.
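The Subject name matching just described (keyword substitution, "*" and "?" globbing, case-insensitive by default, optional regular expression) together with a check for the Caution given at the top of this section, as an added example that is not Tectia's own code. The selector layout, the field type names and the use of Python's re module in place of egrep syntax are this example's own assumptions.

```python
import re

# Added example: certificate selector field matching as described for the
# Subject name and altname selectors, plus a lint for the Caution that every
# user certificate selector must tie the user name to the certificate.
# Selector layout (list of (field_type, pattern) tuples) is constructed here.


def glob_to_regex(pattern):
    """Translate a pattern with only '*' and '?' globbing (the two characters
    the page allows) into an anchored regular expression."""
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"


def substitute(pattern, login, domain=None, client_fqdn=None):
    """Replace the %username%, %username-without-domain% and %hostname%
    keywords before comparing with the certificate data. A domain user's
    %username% is written as domain\\login here (assumption for the example)."""
    full = f"{domain}\\{login}" if domain else login
    out = pattern.replace("%username-without-domain%", login)
    out = out.replace("%username%", full)
    if client_fqdn is not None:
        out = out.replace("%hostname%", client_fqdn)
    return out


def field_matches(pattern, cert_value, login, case_sensitive=False,
                  is_regex=False, domain=None, client_fqdn=None):
    """Does one selector field match the value taken from the certificate?
    Python's re stands in for egrep syntax when is_regex is set."""
    expanded = substitute(pattern, login, domain, client_fqdn)
    regex = expanded if is_regex else glob_to_regex(expanded)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, cert_value, flags) is not None


def unbound_selectors(selectors, method):
    """Return the indexes of selectors that violate the Caution: for the
    public-key method each selector needs a User name field or a %username% /
    %username-without-domain% keyword; for host-based, a %hostname% keyword."""
    bad = []
    for i, fields in enumerate(selectors):
        if method == "public-key":
            ok = any(t == "user-name" for t, _ in fields) or any(
                "%username%" in p or "%username-without-domain%" in p
                for _, p in fields)
        elif method == "host-based":
            ok = any("%hostname%" in p for _, p in fields)
        else:
            raise ValueError(f"unknown method: {method}")
        if not ok:
            bad.append(i)
    return bad


# Constructed selectors. WILDCARD is the mistake the Caution warns about: it
# accepts any CN, so one certificate could authenticate as many user names.
GOOD = [("subject-name", "CN=%username%,OU=Staff,O=Example,C=FI")]
WILDCARD = [("subject-name", "CN=*,OU=Staff,O=Example,C=FI")]
BY_NAME = [("user-name", "alice"), ("ca", "Example CA")]
HOST_GOOD = [("fqdn-altname", "%hostname%")]
HOST_BAD = [("issuer-name", "CN=Example CA,O=Example")]

if __name__ == "__main__":
    print("unbound public-key selectors:",
          unbound_selectors([GOOD, WILDCARD, BY_NAME], "public-key"))
    print("unbound host-based selectors:",
          unbound_selectors([HOST_GOOD, HOST_BAD], "host-based"))
    subj = "CN=mallory,OU=Staff,O=Example,C=FI"
    print("GOOD matches mallory's cert for alice:",
          field_matches(GOOD[0][1], subj, "alice"))
    print("WILDCARD matches mallory's cert for alice:",
          field_matches(WILDCARD[0][1], subj, "alice"))
```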

Serial number

The Serial number selector is matched to the serial number of the certificate.

To match several numbers, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

Email altname

The Email altname selector is matched to the Email subject alternative name in the user certificate used in public-key authentication.

The selector may contain the %username% keyword which is replaced with the user's login name before comparing with the actual certificate data. For Windows domain accounts, the %username-without-domain% keyword can be used and it is replaced by the user's login name without the domain part. The pattern may also contain "*" and "?" globbing characters.

Patterns are normally matched case-insensitively. Select the Case-sensitive? check box to match the pattern case-sensitively.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

UPN altname

The UPN altname selector is matched to the UPN (User Principal Name) subject alternative name in the user certificate used in public-key authentication.

The selector may contain the %username% keyword which is replaced with the user's login name before comparing with the actual certificate data. For Windows domain accounts, the %username-without-domain% keyword can be used and it is replaced by the user's login name without the domain part. The pattern may also contain "*" and "?" globbing characters.

Patterns are normally matched case-insensitively. Select the Case-sensitive? check box to match the pattern case-sensitively.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

FQDN altname

The FQDN altname selector is matched to the FQDN subject alternative name in the client host certificate used in host-based authentication.

The selector may contain the %hostname% keyword which is replaced with the client's FQDN before comparing with the actual certificate data. The pattern may also contain "*" and "?" globbing characters.

Patterns are normally matched case-insensitively. Select the Case-sensitive? check box to match the pattern case-sensitively.

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.
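The name selectors above (Issuer name, Subject name, Email altname, UPN altname and FQDN altname) all share the same matching rules: keyword substitution, "*" and "?" globbing, case-insensitive matching unless Case-sensitive? is selected, and an optional egrep-style regular expression. The following Python snippet is an added illustration of those rules, not Tectia Server code; the helper names, the sample distinguished names and the DOMAIN\user and user@domain forms assumed for Windows domain accounts are all constructed for the example.

```python
import re

def expand_keywords(pattern, username="", hostname=""):
    """Replace the selector keywords with the values of the current login.

    Hypothetical helper: the page lists the keywords, the domain-stripping
    rule for %username-without-domain% is an assumption (DOMAIN\\user or
    user@domain forms are handled).
    """
    if "\\" in username:
        short = username.split("\\", 1)[1]
    elif "@" in username:
        short = username.split("@", 1)[0]
    else:
        short = username
    return (pattern
            .replace("%username-without-domain%", short)
            .replace("%username%", username)
            .replace("%hostname%", hostname))

def glob_to_regex(pattern):
    """Translate a selector glob: '*' matches any run, '?' one character.

    Everything else is escaped so that DN punctuation ('=', ',', '.') is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)

def selector_matches(pattern, value, *, username="", hostname="",
                     case_sensitive=False, is_regex=False):
    """Evaluate one name selector against the corresponding certificate field.

    Glob mode must match the whole field.  Regex mode is evaluated egrep-style
    (an unanchored search); this is an assumption about the server's semantics
    and is exactly why regex selectors should be anchored with ^ and $.
    """
    expanded = expand_keywords(pattern, username, hostname)
    flags = 0 if case_sensitive else re.IGNORECASE
    if is_regex:
        return re.search(expanded, value, flags) is not None
    return re.fullmatch(glob_to_regex(expanded), value, flags) is not None

if __name__ == "__main__":
    # Constructed sample subject DN of a user certificate.
    dn = "CN=alice,OU=Staff,O=Example"
    print(selector_matches("CN=%username%,OU=*,O=Example", dn, username="alice"))
    print(selector_matches("cn=alice,*", dn))                        # case-insensitive
    print(selector_matches("cn=alice,*", dn, case_sensitive=True))   # now fails
    # Unanchored regex also accepts a DN that merely starts with the same text.
    print(selector_matches("CN=alice", "CN=alice-evil,O=Example", is_regex=True))
```

The last call shows the practical caveat: a regular-expression selector such as `CN=alice` is a substring match, so it also accepts `CN=alice-evil,O=Example`; write `^CN=alice,` (or a full anchored expression) when a selector is meant to identify exactly one subject. Globs do not have this problem because the whole field must match.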

IP altname

The IP altname selector is matched to the IP subject alternative name in the client host certificate used in host-based authentication.

The IP address can be in one of the following formats:

  • a single IP address x.x.x.x

  • an IP address range of the form x.x.x.x-y.y.y.y

  • an IP sub-network mask of the form x.x.x.x/y

Alternatively, you can define a regular expression (with egrep syntax), and select the Is a regular expression option.

Extended key usage

The Extended key usage selector is matched to the standard name or numerical OID that specifies the key purpose of the certificate. The main purpose of this option is to prevent authentication with wrong certificate types, for example a user certificate should not be accepted for host-based authentication. Move the relevant key usage bits to the Accepted Key Usage Bits field.

Select the Require explicit key usage bits option to require that the certificate includes a key purpose ID specified in the list. If this option is not selected, certificates containing no key purpose ID or containing the anyExtendedKeyUsage definition will also be accepted.
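The IP altname selector forms listed above and the Extended key usage logic (with and without the explicit key usage requirement) are shown together in this added Python illustration. It is not Tectia Server code: the function names are constructed, the addresses are documentation ranges, and the OIDs are the standard RFC 5280 values for anyExtendedKeyUsage, id-kp-clientAuth and id-kp-serverAuth.

```python
import ipaddress

# Standard key purpose OIDs from RFC 5280 (not page-specific values).
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

def ip_altname_matches(selector, ip):
    """Match an IP altname selector written in one of the three listed forms:

    - a single address        x.x.x.x
    - an address range        x.x.x.x-y.y.y.y
    - a sub-network mask      x.x.x.x/y
    """
    addr = ipaddress.ip_address(ip)
    if "-" in selector:
        low, high = (ipaddress.ip_address(p.strip()) for p in selector.split("-", 1))
        return low <= addr <= high
    if "/" in selector:
        # strict=False lets a selector written as 192.0.2.5/24 mean the 192.0.2.0/24 network.
        return addr in ipaddress.ip_network(selector, strict=False)
    return addr == ipaddress.ip_address(selector)

def eku_accepted(cert_ekus, accepted_bits, require_explicit):
    """Apply the Extended key usage selector.

    cert_ekus:        key purpose OIDs present in the certificate ([] if the
                      extension is absent)
    accepted_bits:    the Accepted Key Usage Bits list from the configuration
    require_explicit: the "Require explicit key usage bits" option
    """
    if any(oid in accepted_bits for oid in cert_ekus):
        return True                      # explicitly carries an accepted purpose
    if require_explicit:
        return False                     # nothing else is good enough
    # Without the explicit requirement, a certificate with no key purpose ID
    # or with anyExtendedKeyUsage is accepted as well.
    return not cert_ekus or ANY_EXTENDED_KEY_USAGE in cert_ekus

if __name__ == "__main__":
    print(ip_altname_matches("192.0.2.0/24", "192.0.2.200"))        # True
    print(ip_altname_matches("192.0.2.1-192.0.2.20", "192.0.2.21"))  # False
    # A certificate with no EKU extension: accepted only while the
    # explicit requirement is off.
    print(eku_accepted([], [CLIENT_AUTH], require_explicit=False))  # True
    print(eku_accepted([], [CLIENT_AUTH], require_explicit=True))   # False
```

The EKU function makes the page's warning concrete: a certificate issued for a different purpose (for example serverAuth only) is rejected either way, but a certificate with no key purpose at all, or with anyExtendedKeyUsage, slips through unless Require explicit key usage bits is selected. Selecting it is the setting that actually enforces the "right certificate type" intent described above.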

For detailed information on selectors, see Tectia Server Administrator Manual.

Host Certificate Selectors

Note

Enabling certificate authentication via the host-based method requires that host-based authentication is allowed on the Authentication page.

Define the selectors to be matched with the host certificates used in host-based authentication.

For a description of the selectors, see User Certificate Selectors above.

Basic Services

The Basic Services page contains settings on the basic services that the server allows, for example, terminal and remote command execution.

Idle timeout

Set the idle timeout limit in seconds. If the connection (all channels) has been idle this long, the connection is closed. The default is 0 (zero), which disables idle timeouts.

Print MOTD (Unix only)

Define whether the message of the day (/etc/motd) is printed when a user logs in interactively to a Unix server.

Allowed environment variables

Define the environment variables the user group can set. By default, the user can set the TERM, PATH, TZ, LANG, and LC_* variables. The allowed variables are normally matched case-insensitively.

Allowed environment variables are case-sensitive

Select this option to match the allowed environment variable names case-sensitively.

Terminal

Define whether terminal access is allowed or denied for the user group.

If terminal access is denied, shell commands are also denied, unless some or all commands are specifically allowed by the Commands setting.

Chroot to directory (Unix only)

On Unix systems, the user can be optionally chrooted to a specified directory during the terminal session.

Subsystems

Click Add to add a new subsystem definition. Click Edit to edit or click Delete to delete a subsystem definition.

  • Type: required

  • Action: Allow or Deny

  • Application: optional

  • Chroot: can be optionally used to define a directory where the user is chrooted when running the subsystem.

  • Attributes: Define a name and a value.

Commands

Define shell commands as allowed, denied, or forced. Click Add to add a new command rule. Click Edit to edit or click Delete to delete a command rule. There can be several of these rules. When a user attempts to run a remote command, the rules are read in order and the first matching rule is used. Use the Up and Down buttons to change the order of the rules.

  • Action: Allow, Deny or Forced

  • Application path: for the Allow and Forced actions, the application must be given as an attribute. If the application is not given for the Allow action, all commands are allowed. If the Forced action is set, the specified application is run automatically when the user logs in.

  • Chroot: can be optionally used to define a directory where the user is chrooted when running the command.

  • Application path is case-sensitive: matches the application path case-sensitively.

SFTP

On the SFTP page, you can allow and deny SFTP for users and set limitations on the folders accessible via SFTP and SCP2.

SFTP

Define whether secure file transfer access is allowed or denied for the user group.

Chroot to directory (Unix only)

On Unix systems, the user can be optionally chrooted to a specified directory during the SFTP session.

User home directory (Windows only)

Define the directory where the user's SFTP session starts and which is the default target for the SCP2 operations (by default %USERPROFILE%). The location of the home directory must be under one of the defined virtual folders.

Use default virtual folders (Windows only)

Virtual folders can be used to restrict the folders the user is able to access via SFTP and SCP2.

If the Use default virtual folders check box is selected, all local drive letters are used as defaults. This means that the user can access all drives via SFTP and SCP2.

If any virtual folders are explicitly defined in the configuration, the default drive letters are not used. If you still want to use the drive letters, they need to be defined separately as virtual folders.

Virtual folders (Windows only)

To add a custom virtual folder:

  1. Clear the Use default virtual folders check box.

  2. Click Add. The Server SFTP Virtual Folder view opens.

  3. Enter the Virtual Folder name.

  4. Enter the Destination path.

  5. Click OK.

To edit a virtual folder, click Edit. To delete a virtual folder, click Delete.

Tunnels

On the Tunnels page, you can define rules for agent and X11 forwarding, and local and remote tunnels (port forwarding).

Agent Tunneling (Unix only)

Define whether agent tunneling (forwarding) is allowed or denied by the server.

X11 Tunneling (Unix only)

Define whether X11 tunneling (forwarding) is allowed or denied by the server.

Local TCP Tunnels

Define rules for local TCP tunnels (port forwarding). Click Add to add a new tunneling rule. Click Edit to edit or click Delete to delete a tunneling rule. There can be several of these rules. When a user attempts tunneling, the rules are read in order and the first matching rule is used. Use the Up and Down buttons to change the order of the rules.

  • Action: Allow or Deny. By default, local tunnels are allowed.

  • Source: Defines allowed source address(es) for local tunnels.

  • Destination: Defines allowed destination address(es) and/or port(s) for local tunnels.

If the Source or Destination is not defined, the rule applies to all sources or destinations, respectively.

Remote TCP Tunnels

Define rules for remote TCP tunnels (port forwarding). Click Add to add a new tunneling rule. Click Edit to edit or click Delete to delete a tunneling rule. There can be several of these rules. When a user attempts tunneling, the rules are read in order and the first matching rule is used. Use the Up and Down buttons to change the order of the rules.

  • Action: Allow or Deny. By default, remote tunnels are allowed.

  • Source: Defines allowed source address(es) for remote tunnels.

  • Listen: Defines allowed listen address(es) and/or port(s) for remote TCP tunnels.
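Both the Commands rules and the Local/Remote TCP Tunnels rules are evaluated the same way: the rules are read in order and the first matching rule decides. The following Python illustration is added here to show what that means for rule ordering, for the "not defined means all" behaviour of Source and Destination, and for the case-sensitivity and Forced options of command rules. It is not Tectia Server code; the class and function names, the sample addresses and paths, and the fall-through defaults (Allow for tunnels, following "By default, local tunnels are allowed"; Deny for commands, which the page does not state) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class TunnelRule:
    """One Local TCP Tunnels rule. A field left as None applies to all values."""
    action: str                       # "Allow" or "Deny"
    source: Optional[str] = None      # client address the tunnel is requested from
    dst_host: Optional[str] = None    # tunnel destination host
    dst_port: Optional[int] = None    # tunnel destination port

    def matches(self, source: str, dst_host: str, dst_port: int) -> bool:
        return ((self.source is None or self.source == source)
                and (self.dst_host is None or self.dst_host == dst_host)
                and (self.dst_port is None or self.dst_port == dst_port))

def local_tunnel_decision(rules: List[TunnelRule], source: str,
                          dst_host: str, dst_port: int) -> str:
    """First matching rule wins; with no match the assumed default is Allow."""
    for rule in rules:
        if rule.matches(source, dst_host, dst_port):
            return rule.action
    return "Allow"

@dataclass
class CommandRule:
    """One Commands rule. application=None on an Allow rule allows every command."""
    action: str                         # "Allow", "Deny" or "Forced"
    application: Optional[str] = None   # required for Forced
    case_sensitive: bool = False        # "Application path is case-sensitive"

    def matches(self, requested: str) -> bool:
        if self.application is None:
            return True
        a, r = self.application, requested
        if not self.case_sensitive:
            a, r = a.lower(), r.lower()
        return a == r

def command_decision(rules: List[CommandRule], requested: str,
                     default: str = "Deny") -> Tuple[str, Optional[str]]:
    """Return (action, command that will actually run).

    A Forced rule applies regardless of what was requested: the configured
    application runs instead. The default for no match is an assumption.
    """
    for rule in rules:
        if rule.action == "Forced":
            return ("Forced", rule.application)
        if rule.matches(requested):
            return (rule.action, requested if rule.action == "Allow" else None)
    return (default, None)

if __name__ == "__main__":
    # Constructed sample: the Deny rule is meant to block RDP to one host.
    misordered = [TunnelRule("Allow"),
                  TunnelRule("Deny", dst_host="10.0.0.5", dst_port=3389)]
    ordered = list(reversed(misordered))
    # Allow-all comes first, so the Deny rule is never reached.
    print(local_tunnel_decision(misordered, "198.51.100.7", "10.0.0.5", 3389))  # Allow
    print(local_tunnel_decision(ordered, "198.51.100.7", "10.0.0.5", 3389))     # Deny
    # Case-insensitive matching accepts a differently cased path.
    print(command_decision([CommandRule("Allow", "/usr/bin/rsync")], "/usr/bin/RSYNC"))
```

Two points worth checking in a real configuration follow from the sample: a Deny rule placed below an Allow rule without Source or Destination never fires, so specific Deny rules belong above broad Allow rules (the Up and Down buttons exist for exactly this); and an Allow command rule without Application path is case-sensitive accepts any casing of the path, which only matters on case-insensitive file systems but is worth setting deliberately.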
