SSH Tectia 
Client Configuration

The client must be configured to trust the CA certificate and must be able to access the certificate revocation list (CRL). For more information on client-side configuration, see the documentation for SSH Tectia Client and Connector.

X.509 Certificates

To configure the client to trust the server's certificate, perform the following tasks:

  1. Copy the CA certificate(s) to the client machine. You can either copy the X.509 certificate(s) as such, or you can copy a PKCS #7 package including the CA certificate(s).

    Certificates can be extracted from a PKCS #7 package by specifying the -7 flag with ssh-keygen2.

  2. Define the CA certificate(s) to be used in host authentication in the ssh2_config file:
    HostCA                   <ca-certificate>
    Only one CA certificate can be defined per HostCA keyword. The client will only accept certificates issued by the defined CA.

    You can disable the use of CRLs by using the HostCANoCrls keyword instead of HostCA:

    HostCANoCrls             <ca-certificate>

    Note: CRL usage should only be disabled for testing purposes. Otherwise it is highly recommended to always use CRLs.

  3. Also define the LDAP server(s) used for CRL checks in the ssh2_config file:

    LDAPServers    ldap://server1.domain1:port1

    Defining the LDAP server is not necessary if the CA certificate contains a CRL distribution point extension.

  4. If the CA services (OCSP, CRLs) are located behind a firewall, also define the SOCKS server in the ssh2_config file:

    SocksServer    socks://socks_server:port/network/netmask,network/netmask
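As an added example (not part of the SSH Tectia documentation or product), the following Python script audits an ssh2_config fragment for the keywords described in steps 2 to 4 above, reporting CAs with CRL checking disabled, HostCA lines that name more than one certificate, a HostCA without any LDAPServers entry, and a malformed SocksServer value. The sample configuration and file paths are constructed.

```python
"""Audit the host-certificate settings of an SSH Tectia ssh2_config fragment.

Added example, not SSH Tectia's own code. Only the keywords covered above
(HostCA, HostCANoCrls, LDAPServers, SocksServer) are inspected; the sample
configuration and the paths in it are constructed.
"""
import re

# Constructed sample: one production CA with CRLs, one test CA with CRLs
# disabled, a SOCKS server for reaching CA services, and no LDAPServers.
SAMPLE_CONFIG = """\
# ssh2_config (constructed sample)
HostCA                   /etc/ssh2/ca/corp-root-ca.crt
HostCANoCrls             /etc/ssh2/ca/lab-test-ca.crt
SocksServer    socks://socks.example.net:1080/10.0.0.0/255.0.0.0
"""

# socks://host:port optionally followed by one or more /network/netmask pairs
SOCKS_RE = re.compile(r"^socks://[^/\s]+:\d+(/\S+/\S+(,\S+/\S+)*)?$")


def parse_config(text):
    """Return (keyword, value) pairs, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def audit_host_ca(text):
    """Return a list of findings about CA trust and CRL checking."""
    entries = parse_config(text)
    keywords = {kw for kw, _ in entries}
    findings = []
    for kw, value in entries:
        if kw in ("HostCA", "HostCANoCrls") and len(value.split()) != 1:
            findings.append(f"{kw} must name exactly one CA certificate: {value}")
        if kw == "HostCANoCrls":
            findings.append(f"CRL checking disabled for {value}; use HostCA outside testing")
        if kw == "SocksServer" and not SOCKS_RE.match(value):
            findings.append(f"SocksServer has unexpected form: {value}")
    if not keywords & {"HostCA", "HostCANoCrls"}:
        findings.append("no host CA defined; server certificates cannot be trusted")
    if "HostCA" in keywords and "LDAPServers" not in keywords:
        findings.append("HostCA set without LDAPServers; CRL retrieval relies on a "
                        "CRL distribution point in the CA certificate")
    return findings
```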

Entrust Certificates

The client is configured to trust an Entrust certificate in the same way as a standard X.509 certificate. See the instructions above.

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.