Your browser does not allow storing cookies. We recommend enabling them.


Tectia® Server 6.3

Administrator Manual

SSH Communications Security Corporation

This software and documentation are protected by international copyright laws and treaties. All rights reserved.

ssh® and Tectia® are registered trademarks of SSH Communications Security Corporation in the United States and in certain other jurisdictions.

SSH and Tectia logos and names of products and services are trademarks of SSH Communications Security Corporation. Logos and names of products may be registered in certain jurisdictions.

All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corporation.


For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the User Manual.

30 March 2016

Table of Contents

1. About This Document
Documentation Conventions
Operating System Names
Directory Paths
Customer Support
Component Terminology
2. Installing Tectia Server
Preparing for Installation
System Requirements
Hardware and Disk Space Requirements
Installation Packages
Upgrading Previously Installed Tectia Server Software
Downloading Tectia Releases
Installing the Tectia Server Software
Installing on AIX
Installing on HP-UX
Installing on Linux
Installing on Solaris
Installing on Windows
Installing on VMware ESX
Installing on Linux on IBM System z
Removing the Tectia Server Software
Removing from AIX
Removing from HP-UX
Removing from Linux
Removing from Solaris
Removing from Windows
Removing from VMware ESX
Removing from Linux on IBM System z
Files Related to Tectia Server
File Locations and Permissions on Unix
File Locations on Windows
Registry Keys on Windows
3. Getting Started
Starting and Stopping the Server
Starting and Stopping on AIX
Starting and Stopping on Other Unix Platforms
Starting and Stopping on Windows
4. Configuring Tectia Server
Tectia Server Configuration Tool
Tectia Server
Proxy Rules
Domain Policy
Password Cache
Certificate Validation
Defining Access Rules Using Selectors (Advanced Mode)
Connections and Encryption
Configuration File for Tectia Server
Dividing the Configuration into Several Files
Using Selectors in Configuration File
5. Authentication
Supported User Authentication Methods
Compatibility with OpenSSH Keys
Server Authentication with Public Keys
Generating the Host Key
Notifying the Users of Host Key Changes
Server Authentication with Certificates
Certificate Enrollment Using ssh-cmpclient-g3
Server Authentication using External Host Keys
User Authentication with Passwords
User Logon Rights on Windows
User Authentication with Public Keys
Using the Authorization File
Using Keys Generated with OpenSSH
Special Considerations on Windows
User Authentication with Certificates
Configuring Certificates
Configuring User Authentication with Certificates on Windows
Host-Based User Authentication
Using Conventional Public Keys
Using Certificates
User Authentication with Keyboard-Interactive
Password Submethod
Pluggable Authentication Module (PAM) Submethod
RSA SecurID Submethod
RADIUS Submethod
LAM Submethod on AIX
User Authentication with GSSAPI
Configuring User Authentication Chains
Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action
Forwarding User Authentication
Forwarding User Authentication to a Kerberos Realm
Reporting User Login Failures
User Name Handling on Windows
Requirements for Trusted Domain Authentication on Windows
Accessing Resources on Windows Network from Logon Sessions Created by Tectia Server
Network Resource Access from Terminal Session
Network Resource Access from SFTP Subsystem
Accessing Network Shares Using Another User's Account
Accessing Shares on a Computer That Is Not a Member of a Domain
Access to DFS Shares
Accessing Files Stored on EFS on Windows from Logon Sessions Created by Tectia Server
6. System Administration
Tectia Client Privileged User
Disabling Root Login (Unix)
Restricting Connections
Chrooting (Unix)
Forced Commands
Customizing Logging
Auditing with Solaris BSM
7. File Transfer
Tectia Client File Transfer User
Encryption and Authentication Methods
Restricting Services
Settings on the Client Side
Automated File Transfer Script
8. Tunneling
Transparent TCP Tunneling from Server Perspective
Using a Shared Account
Restricting Services
Local Tunnels
Local Tunneling Rule Examples
Remote Tunnels
Remote Tunneling Rule Examples
X11 Forwarding (Unix)
Agent Forwarding (Unix)
9. Troubleshooting Tectia Server
Starting Tectia Server in Debug Mode
Starting Tectia Server in Debug Mode on Unix
Starting Tectia Server in Debug Mode on Windows
Debugging Secure File Transfer
Collecting System Information for Troubleshooting
Solving Problem Situations
CPU Overload on Tectia Server on HP-UX
Invalid Host Key Permissions on Windows
Authentication Fails for Domain Account on Tectia Server on Windows
Last Login Time is Incorrect on Windows
Virtual Folders Defined on Windows Network Shared Folders Are Not Available on Tectia Server on Windows
A. Server Configuration File Syntax
B. Command-Line Tools and Man Pages
ssh-server-g3 - Secure Shell server - Generation 3
ssh-server-ctl - Tectia Server control utility.
ssh-troubleshoot - tool for collecting system information
ssh-keygen-g3 - authentication key pair generator
ssh-keyfetch - Host key tool for the Secure Shell client
ssh-cmpclient-g3 - CMP enrollment client
ssh-scepclient-g3 - SCEP enrollment client
ssh-certview-g3 - certificate viewer
ssh-ekview-g3 - external key viewer
C. Audit Messages
D. Removing OpenSSL from Tectia Server
Background Information
OpenSSL in Tectia
Should I Remove the OpenSSL Library?
What Happens If I Remove the OpenSSL Library?
Removing the OpenSSL Cryptographic Library
E. Open Source Software License Acknowledgements




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now