To configure the server to allow user authentication with X.509 certificates, perform the following tasks:
Acquire the CA certificate and copy it to the server machine. You can either copy the X.509 certificate(s) as such or you can copy a PKCS #7 package including the CA certificate(s).
Certificates can be extracted from a PKCS #7 package by specifying the
Specify the CA certificate and the CRL and OCSP settings in the
ssh-server-config.xmlfile. An example is shown below:
<params> ... <cert-validation socks-server-url="socks://fw.example.com:1080"> <ldap-server address="ldap.example.com" port="389" /> <ocsp-responder validity-period="60" url="https://ca.example.com/ocsp-1" /> <cert-cache-file file="/var/cert-cache.dat" /> <crl-auto-update update-before="30" minimum-interval="600" /> <crl-prefetch interval="1800" url="http://ca.example.com/default.crl" /> <dod-pki enable="no" /> <ca-certificate name="exa-ca1" file="/etc/ssh2/exa-ca1.crt" /> </cert-validation> </params>
You can define several CA certificates by using several
ca-certificateelements. The server will accept only certificates issued by defined CA(s). Only the ca-certificates are mandatory, all other configuration items featured above are just examples that may be used as needed.
The SOCKS server must be defined if the OCSP and CRL (LDAP) services are located behind a firewall.
On Windows, using the SSH Tectia Server Configuration tool, the corresponding settings can be made on the Certificate Validation page. See Certificate Validation.
Certificate authentication is a part of the
publickeyauthentication method. Enable public-key authentication in the
ssh-server-config.xmlfile and create rules that specify which certificates authorize logging into which accounts.
The following is an example of certificate authentication rules in the
<authentication-methods> <authentication action="allow" repeat-block="yes"> <auth-publickey /> <authentication action="allow"> <selector> <certificate field="ca-list" pattern="exa-ca1,exa-ca2" /> <certificate field="issuer-name" pattern="C=FI, O=SSH, CN=*" /> <certificate field="subject-name" pattern="C=FI, O=SSH, CN=%username%" /> <certificate field="serial-number" pattern="123456" /> <certificate field="altname-email" pattern="%email@example.com" /> <certificate field="altname-fqdn" pattern="client.ssh.com" /> <certificate field="altname-upn" pattern="%username-without-domain%@ssh" /> <certificate field="altname-ip" pattern="10.2.3.5" /> </selector> </authentication> <authentication action="deny" /> </authentication> </authentication-methods>
In this example, the
repeat-blockattribute is set to
yes. This causes SSH Tectia Server to try to match all certificates offered by the client against the
certificateselectors. If the attribute is omitted, SSH Tectia Server will try only the first certificate, and if it does not match, the authentication ends in failure.
In this example, as the last action, access is denied for all users whose certificates were not explicitly allowed. This is not strictly needed, since the server automatically inserts a authentication block named
implicit-certificate-denyafter other blocks to catch all certificate authentications that do not match anything else.
In the example, users with normal public keys will cause the authentication to end in error because the
allow-undefinedattribute is not set. See also the section called “Authentication Examples”.
Certificate authentication can be restricted using the following
ca-list: The pattern is a comma-separated list of CA names. The names that are defined in the
ca-certificateelement are used.
issuer-name: The pattern is the required certificate issuer name in LDAP DN (distinguished name) string format. The issuer name may contain glob patterns ('*' and '?') but only in the component values, not names. For example,
"C=FI, O=SSH, CN=*"is a legal pattern, but
"C=FI, *=SSH, CN=TestCA"is not).
subject-name: The pattern is the required subject name in LDAP DN (distinguished name) string format. Matching is done in similar manner as with the issuer name described above.
serial-number: The pattern is the required serial number of the certificate. A combination of issuer name and serial number can be used to uniquely identify a certificate.
altname-email: The pattern is the e-mail address that must be present in the certificate as a subject alternative name.
altname-upn: The pattern is the principal name that must be present in the certificate as a subject alternative name.
altname-ip: The pattern is the IP address that must be present in the certificate as a subject alternative name. Also a range of addresses can be given (for example,
altname-fqdn: The pattern is a list of fully qualified domain names (FQDN) that may contain glob patterns ('*' and '?'). One of the listed domain names must match with a subject alternative name of type FQDN in the certificate.
The patterns of type
altname-upncan also contain special strings which are processed before comparing the pattern with the user's certificate. These strings are
%username%(user's login name),
%username-without-domain%(Windows only, user's login name without the domain part),
%homedir%(user's home directory), and
%hostname%(the name of the host the user is logging from, reverse mapped from the IP).
When creating the certificate selectors, make sure that every
selectorelement ties the user name to the certificate, either by including a
usersub-element, or putting the special substitution string
%username-without-domain%to a field used to match the corresponding field in the certificate.
Failing to do this may cause unintended consequences, for example authentication succeeding with many different user names with a single certificate.
On Windows, using the SSH Tectia Server Configuration tool, certificate authentication rules can be configured on the Authentication page. See Authentication.
ssh-server-config-toolto take the new configuration in use. See ssh-server-config-tool(8).
On Windows, click Apply to take the new settings in use.