SSH Tectia

User Authentication Settings

SSH Tectia Servers need to perform the following actions for strong user authentication:

  • Validate the user certificate signature. For this, the CA certificate is needed.

  • Verify that the user certificate has not been revoked. In this case, the check is performed against a CRL retrieved from the LDAP directory configured in LDAP Server URL.

  • Authorize the login using rules that map certain fields of the user certificate to existing user accounts on the server host. The Certificate selectors are defined in Server configuration Authentication Settings.

Depending on the security policy and PKI environment of the end-user organization, other settings may be required in actual deployments (for example, certificate caching in case of large CRLs).
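The revocation and authorization steps listed above, modelled as an added example (not SSH Tectia's own code): the certificate fields, the `%username%` placeholder in selector patterns and the CRL layout are assumptions, and signature validation against the CA certificate is taken as already done.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed sample data, not taken from any real deployment.
# A user certificate reduced to the fields that the selector rules examine.
USER_CERT = {
    "subject-name": "C=FI, O=Example Org, OU=Staff, CN=alice",
    "issuer-name": "C=FI, O=Example Org, CN=Example CA",
    "serial-number": 4711,
}
# The CRL as the server holds it after fetching it from the LDAP directory:
# the issuer, the revoked serial numbers and the time the next CRL is due.
CRL = {
    "issuer-name": "C=FI, O=Example Org, CN=Example CA",
    "revoked": {1200, 4712},
    "next-update": datetime(2099, 1, 1, tzinfo=timezone.utc),
}
# Accounts that exist on the server host; a selector may only map to one of these.
ACCOUNTS = {"alice", "bob"}
# Certificate selectors: every (field, pattern) pair of a rule must match, and
# %username% stands for the account the client asked to log in as (assumed syntax).
SELECTORS = [
    [("issuer-name", "C=FI, O=Example Org, CN=Example CA"),
     ("subject-name", "C=FI, O=Example Org, OU=Staff, CN=%username%")],
]

def not_revoked(cert, crl, now):
    """Step 2: the certificate must be absent from a fresh CRL of its own issuer."""
    if crl["issuer-name"] != cert["issuer-name"] or now > crl["next-update"]:
        return False  # wrong or stale CRL: fail closed rather than skip the check
    return cert["serial-number"] not in crl["revoked"]

def selector_matches(rule, cert, username):
    """Step 3: substitute the requested account name literally, then glob-match."""
    # Escape glob metacharacters so a login name like "*" cannot widen the rule.
    literal = "".join(f"[{c}]" if c in "*?[" else c for c in username)
    return all(
        fnmatch.fnmatchcase(str(cert.get(field, "")), pattern.replace("%username%", literal))
        for field, pattern in rule
    )

def authorize(cert, username, crl=CRL, selectors=SELECTORS, accounts=ACCOUNTS, now=None):
    """True only if the cert is unrevoked, username is a real account on this host,
    and at least one selector maps the certificate to that account."""
    now = now or datetime.now(timezone.utc)
    if username not in accounts or not not_revoked(cert, crl, now):
        return False
    return any(selector_matches(rule, cert, username) for rule in selectors)
```

A stale CRL (past its next-update time) is treated as a failed check rather than as "nothing revoked", which is the reason caching and timely CRL refresh matter for large CRLs.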

The CA certificate is imported into the Management Server prior to deploying the configuration to the hosts. Other PKI-related settings are entered via the SSH Tectia Manager administration interface and stored on the Management Server, in a manner similar to other SSH Tectia Server settings.

For SSH Tectia G3, the settings are made on the Configurations → Edit Configurations → SSH Tectia G3 tab, under the Server configuration PKI view.

For SSH Tectia 4.x products, the settings are made on the Configurations → Edit Configurations → PKI tab.

For examples of the user authentication settings on SSH Tectia Server version G3, see Figure 5.20 and Figure 5.21.

Figure 5.20. User authentication settings

Figure 5.21. Adding a CA certificate for User authentication