Tectia

Strong Authentication

Tectia MFT Events offers several methods for user and server authentication, including true strong authentication using either public keys or public-key certificates. For user authentication, non-interactive methods are used.

Server Authentication with Public Keys or Certificates

Tectia MFT Events authenticates the Secure Shell server in order to verify that it is connecting to the correct server. Likewise, the Secure Shell server authenticates the Tectia MFT Events user. The server can be authenticated either with (plain) public-key authentication or with certificate authentication. When certificate authentication is used, the public key is included in the certificate that the server sends to the client.

In (plain) public-key authentication, the server sends its public key to Tectia MFT Events at the beginning of the first connection; once the user has verified and accepted the key, it is used in all future connections to that server.

In certificate authentication, Tectia MFT Events relies on a trusted third party, a certification authority (CA), to verify the server's identity. The signature of the certification authority in the server certificate guarantees the authenticity of the server certificate.

Secure Non-interactive User Authentication

Automating file transfer functions requires that authentication be done without user interaction. For non-interactive authentication, the following possibilities exist:

  • X.509 certificates

    Tectia MFT Events supports X.509v3 certificates for advanced security and scalability in large and dynamic network environments. Comprehensive support for IETF PKIX and PKCS standards ensures seamless interoperability with third-party PKI products.

  • public keys with null passphrase

    Public-key authentication (without certificates) provides an easy-to-deploy and secure means of authenticating the users without the need to deploy and maintain a public-key infrastructure (PKI). Tectia MFT Events provides a Public-key Authentication Wizard that helps the user to create key pairs and to upload the public keys to remote servers.

    The keys can be stored with empty passphrases, so they do not require user attendance after creation.

Certificate lifecycle management

Tectia MFT Events supports IETF PKIX standards (CMPv2) and Cisco Systems' Simple Certificate Enrollment Protocol (SCEP) for online certificate enrollment. Certificates can also be imported by using the PKCS#12 envelope format supported by most Certification Authorities (CAs). Tectia MFT Events has been integrated with Entrust PKI for transparent certificate lifecycle management in Entrust environments. Entrust support is available on Windows platforms.

Flexible certificate revocation

Tectia supports both Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) for centralized revocation of user credentials. CRLs are automatically fetched from a local file or by using HTTP or LDAP, depending on the local settings and the CRL Distribution Point extension in the certificate. CRLs can also be imported offline in legacy environments.

Host-based authentication on Unix

Host-based authentication is a form of delegated trust authentication, where the Secure Shell server trusts the Secure Shell client host to authenticate the user. The user is verified by a suid binary (ssh-signer) on the client host which then confirms the user identity to the server in a communication signed with a root-owned host key. The client host is authenticated strongly with public key cryptography, thus the authentication does not rely solely on a host IP address or domain name. The Secure Shell host-based authentication utilizes strong cryptography for host identity verification.

LDAP integration

Tectia MFT Events can utilize standards-based third-party LDAP directories as centralized user repositories. The keyboard-interactive method and third-party PAM modules for LDAP can be used for integrating Tectia Server on Unix with LDAP directories.

GSSAPI authentication (Kerberos)

Kerberos/GSSAPI authentication enables transparent, single-sign-on-like authentication of Tectia MFT Events users. Once the user has logged on to the network and received the logon credentials, there is no need to type in the authentication credentials again through the Tectia MFT Events user interface when accessing Secure Shell servers. Specifically, Kerberos/GSSAPI authentication enables the use of Windows domain authentication and Active Directory accounts with Tectia (SSPI API in Windows).

OpenSSH key support

Tectia MFT Events supports the legacy OpenSSH public-key format, eliminating the need for manual key conversions in multi-vendor Secure Shell environments. The key-compatibility feature also allows easy migration of OpenSSH environments to Tectia.
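As an added example (not Tectia code), the following Python illustrates two points from this page together: parsing an OpenSSH-format public key line, and the trust-on-first-use server authentication described under Server Authentication, where a key accepted on first contact must be presented unchanged on every later connection. The host name, key bytes and comments are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

def _wire_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire string: u32 length + bytes

def make_ed25519_line(pub32: bytes, comment: str) -> str:
    """Build an OpenSSH-format public key line from 32 raw Ed25519 key bytes."""
    blob = _wire_string(b"ssh-ed25519") + _wire_string(pub32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_openssh_pubkey(line: str):
    """Parse '<type> <base64-blob> [comment]' into (type, blob), checking
    that the blob's first wire string repeats the declared key type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match the key blob")
    return key_type, blob

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the base64 form OpenSSH prints (no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class HostKeyStore:
    """Trust-on-first-use: remember a host's key once, then require that exact key."""
    def __init__(self):
        self._known = {}  # host -> (key_type, fingerprint)

    def verify(self, host: str, offered_line: str) -> str:
        key_type, blob = parse_openssh_pubkey(offered_line)
        entry = (key_type, fingerprint(blob))
        if host not in self._known:
            self._known[host] = entry
            return "new"  # first contact: confirm the fingerprint out of band
        return "match" if self._known[host] == entry else "mismatch"  # refuse on mismatch

# Constructed sample keys (placeholder bytes, not real keys).
SERVER_KEY = make_ed25519_line(bytes(range(32)), "mft-server")
CHANGED_KEY = make_ed25519_line(bytes(range(32, 64)), "other-key")

def demo():
    store, host = HostKeyStore(), "mft.example.com"
    return (store.verify(host, SERVER_KEY), store.verify(host, SERVER_KEY),
            store.verify(host, CHANGED_KEY))
```

A "new" result is the point at which the fingerprint must be confirmed through a separate channel; a "mismatch" on a host that was previously accepted means the connection should be refused until the key change is explained.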