Your browser does not support HTML5 local storage or you have disabled it. Some functionality on this site, including saving your privacy settings and offering you special discounts, uses local storage and may not work with local storage disabled. We recommend allowing the use of local storage in your browser. In some browsers, it is the same setting used for disabling cookies.
By using this site you consent to us using cookies for improving user experience, identifying returning visitors, providing special offers, and marketing to our visitors. See Privacy Policy for details and how to disable cookies.

SSH Tectia
Home Prev Up Next

Using Certificates

It is possible to use a certificate instead of the traditional public-key pair to authenticate the client host.

The endpoint identity check, where the server verifies that the certificate actually belongs to the client that is attempting host-based authentication, is performed according to the following rules:

  1. One of the DNS subject alternative names in the client certificate must match the client's fully qualified domain name obtained by doing a reverse lookup on the client's IP address. The alternative names may have an asterisk (*) as the first component, in which case only the domain part is checked.

  2. If the client's IP address cannot be reverse-mapped, the IP address is compared to the certificate's IP subject alternative names.

  3. If the above checks do not produce a positive result, the certificate's subject name is checked. If it has a CN component that matches the client's reverse-mapped fully qualified domain name or IP address, the certificate is accepted.

Client Configuration

To enable host-based authentication with certificates on Client, do the following as ClientUser:

  1. Add the following line in the ssh-broker-config.xml file:

    <authentication-methods>
  <authentication-method name="hostbased" />
  ...
</authentication-methods>

    Also other authentication methods can be listed. Place the least interactive method first (this means usually the host-based method).

  2. Enroll a certificate for Client. See User Authentication with Certificates for more information.

    The certificate must contain a dns extension which contains the fully qualified domain name (FQDN) of Client.

    Note that the private key associated with the certificate needs to be stored with an empty passphrase.

  3. Define the private key and certificate in ssh-server-config.xml on Client:

    <params>
  <hostkey>      
    <private file="/etc/ssh2/hostcert" />
    <x509-certificate file="/etc/ssh2/hostcert.crt" />
  </hostkey>
...
</params>

    If SSH Tectia Server is not installed on Client, create the configuration file manually and save it in the /etc/ssh2 directory.

Server Configuration

Do the following as the server administrator:

  1. Specify the CA certificate in the ssh-server-config.xml file:

    <cert-validation>
  <ca-certificate name="myca" file="/etc/ssh2/ca-certificate.crt" />
  ...
</cert-validation>

  2. In the ssh-server-config.xml file, under the authentication-methods element, add an auth-hostbased element:

    <authentication-methods>
  <authentication name="hostbased-block">
    <auth-hostbased require-dns-match="no" />
    <authentication action="allow" name="hostbased-cert-allow">
      <selector>
         <host-certificate field="ca-list" pattern="exa-ca1" />
      </selector>
    </authentication>
    <authentication action="deny" />
  </authentication>
</authentication-methods>

    In addition to being signed by the required CA, the certificate must pass the endpoint identity check, described in detail in Using Certificates .

    On Windows, using the SSH Tectia Server Configuration tool, host-based authentication can be configured on the Authentication page. See Authentication.

  3. Run ssh-server-config-tool to take the new configuration in use. See ssh-server-config-tool(8).

    On Windows, click Apply to take the new settings in use.

Home Prev Up Next

Copyright 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Contact Information

===AUTO_SCHEMA_MARKUP===