
Chapter 5 Authentication

Table of Contents

Supported User Authentication Methods
Compatibility with OpenSSH Keys
Server Authentication with Public Keys
Generating the Host Key
Notifying the Users of Host Key Changes
Server Authentication with Certificates
Certificate Enrollment Using ssh-cmpclient-g3
Server Authentication using External Host Keys
User Authentication with Passwords
User Logon Rights on Windows
User Authentication with Public Keys
Using the Authorization File
Using Keys Generated with OpenSSH
Special Considerations on Windows
User Authentication with Certificates
Configuring Certificates
Configuring User Authentication with Certificates on Windows
Host-Based User Authentication
Using Conventional Public Keys
Using Certificates
User Authentication with Keyboard-Interactive
Password Submethod
Pluggable Authentication Module (PAM) Submethod
RSA SecurID Submethod
RADIUS Submethod
LAM Submethod on AIX
User Authentication with GSSAPI
Configuring User Authentication Chains
Basic Example
Example with Selectors
Authentication Chain Example
Example of Using the Deny Action
Forwarding User Authentication
Forwarding User Authentication to a Kerberos Realm
Reporting User Login Failures
User Name Handling on Windows
Requirements for Trusted Domain Authentication on Windows
Accessing Resources on Windows Network from Logon Sessions Created by Tectia Server
Network Resource Access from Terminal Session
Network Resource Access from SFTP Subsystem
Accessing Network Shares Using Another User's Account
Accessing Shares on a Computer That Is Not a Member of a Domain
Access to DFS Shares
Accessing Files Stored on EFS on Windows from Logon Sessions Created by Tectia Server

The Secure Shell protocol used by the Tectia Client/Server solution provides mutual authentication – the client authenticates the server and the server authenticates the client users. Both parties are assured of the identity of the other party.

The Tectia Server host can authenticate itself to the client using either public-key authentication or certificate authentication.

Different methods can be used to authenticate Secure Shell client users. These authentication methods can be used separately or combined, depending on the level of functionality and security you want. The server defines which methods are allowed, and the client defines the order in which they are tried. The least interactive methods should be tried first. If several interactive authentication methods are defined for user authentication, the client side alternates between the methods on each failed authentication attempt.

Figure 5.1. User authentication methods

By default, Tectia Server allows the GSSAPI, public-key, keyboard-interactive, and password methods for user authentication.

For general information on the user authentication methods, see the technical note Tectia Client/Server User Authentication Methods at http://www.ssh.com/services/online-resources.


 

 