SSH

Authentication

On the Authentication page you can configure the allowed and required user authentication methods.

Authentication options are specified as chains of authentication rules. In the Simple GUI mode, there is only one authentication rule that is used for all connections. In the Advanced GUI mode, the view always contains the Default-Authentication rule, but the administrator can define more rules according to need.

An authentication rule can include one or more selectors and different authentication methods. The selectors define to which users an authentication rule applies. If no selectors (or only empty selectors) are specified in an authentication rule, the rule matches all users.

An authentication rule may also include other authentication rules, forming an authentication chain. When authentication rules are nested within each other, the child rules are interpreted as required (all must be passed for the authentication to succeed). You can set multiple authentication methods in the same authentication rule, and the methods are interpreted as optional (one of the methods must be passed for the authentication to succeed).

The order of the rules is important. Out of the rules on the same level, the first matching rule is used and the remaining rules are ignored. If the rule has nested child rules, they are matched next using the same procedure.

For more information on authentication chains, see Configuring User Authentication Chains.

To add a new authentication rule, click the Add button below the tree view. Each rule will have a sub-page with two tabs. On the Selectors tab, you can edit the selectors of the rule and define whether the authentication is allowed or denied, and on the Parameters tab, you can configure the settings for the rule.

To edit an authentication rule, select an authentication item on the tree view. For more information, see Editing Authentication Items.

To change the order of the rules, select an authentication item on the tree view and use the Up and Down buttons.

To add a child authentication rule, select an authentication item on the tree view and click the Add Child button.

To delete an authentication rule, select an authentication item and click Delete.

Editing Authentication Items

Each item under Authentication has two tabs, Selectors and Parameters. The Selectors tab is shown only in the advanced GUI mode.

Selectors (Advanced Mode)

On the Selectors tab, you can configure the selectors that apply to the authentication rule and define whether the result of the rule is allow or deny.

Tectia Server Configuration - Authentication page - Selectors tab

Figure 4.30. Tectia Server Configuration - Authentication page - Selectors tab

Name

Enter a name for the authentication rule.

Selector list view

The selector list view shows the selectors that apply to the rule.

To add a new selector to the rule, click Add Selector. The new selector will contain automatically at least one attribute. The Add Selector dialog box opens allowing you to specify the selector type. For more information on the different selector attributes, see Editing Selectors.

To remove a selector, choose the selector from the list view on the Selectors tab and click Delete Selector. This will delete the selector and all its attributes.

To add a new attribute to a selector, choose a selector from the list and click Add Attribute. The Add Selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.

To edit a selector attribute, choose the attribute from the list and click Edit Attribute. The relevant selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.

To remove a selector attribute, choose the attribute from the list and click Delete Attribute. Note that a selector with no attributes will match everything.

General

Select whether authentication is allowed or denied.

If an authentication chain ends in a deny action, or if the user does not match any selectors in the authentication rules, the user is not allowed to log in.

In a nested chain of authentication rules, it is possible, for example, to set the parent rule to deny authentication and a child rule with a selector to allow authentication. If the user name matches the selector and successfully completes the authentication method(s), login is allowed.

For more information on the authentication chains, see Configuring User Authentication Chains .

Set Services group

You can optionally select a group name in the Set Services group field. This sets a group for the users that pass the particular authentication chain. The group definition is later used when defining the allowed services for the user.

If the group is set here, it overrides any group selectors on the Services page. See Services.

Parameters

On the Parameters tab, you can configure which authentication methods are allowed, and how they are used.

Tectia Server Configuration - Authentication page - Parameters tab

Figure 4.31. Tectia Server Configuration - Authentication page - Parameters tab

Password Authentication

Select the Allow password authentication check box if you want to allow password authentication. For more information, see User Authentication with Passwords.

Failure delay

Set a delay (in seconds) between a failed attempt and a retry. The default delay is 2 seconds.

Max tries

Set the maximum number of authentication attempts. By default, 3 attempts are allowed.

Public-Key Authentication

Select the Allow public-key authentication check box when you want to allow public-key authentication. For more information, see User Authentication with Public Keys and User Authentication with Certificates.

Try all offered public keys

This option can be used when the authentication rule contains a child rule with certificate selectors.

Select the Try all offered public keys check box when you expect the user to have several certificates of which only some allow logon (that is, match the selectors in the child authentication rule).

If the check box is not selected, Tectia Server will try to match only the first certificate offered by the client. If the check box is selected, Tectia Server will try all offered certificates until a match is found.

Require DNS match

Select the check box to require that the host name given by the client matches the one found in DNS. If the host name does not match, the authentication fails. This corresponds to the require-dns-match attribute in the server configuration file, see auth-publickey.

Authorized-keys directory

Specify a path to the directory that contains the user public keys that are authorized for login. As with the Authorization file, the path can contain a pattern string that is expanded by Tectia Server. See the options below. The default is %D/.ssh2/authorized_keys.

Authorization file

Specify a path to the file that lists the user public keys that are authorized for login. The path can contain a pattern string that is expanded by Tectia Server.

The following pattern strings can be used:

  • %D or %homedir% is the user's home directory

  • %U or %username% is the user's login name

    For Windows domain users, these strings are substituted differently:

    • %U is expanded to domain.username

    • %username% is expanded to domain\username

  • %username-without-domain% is the user's login name without the domain part.

The default is %D/.ssh2/authorization.

For more information on the syntax of the authorization file, see the section called “Authorization File Options”.

OpenSSH authorized-keys file

Optionally specify a path to an OpenSSH-style authorized_keys file that contains the user public keys that are authorized for login. As above, the path can contain a pattern string that is expanded by Tectia Server.

Signature algorithms

Select the public-key signature algorithms used for user authentication. To deselect an already selected algorithm, click on it again.

The supported and default public-key signature algorithms are the same as those listed for host key algorithms. See Host key algorithms.

These authorization file and public-key directory settings will override the User configuration directory setting made in the General view.

Tectia Server looks for a matching public-key in the following order:

  1. In the file defined in Authorization file

  2. In the directory defined in Authorized-keys directory, if no authorization file is available or reading it fails.

  3. In the filed defined in OpenSSH authorized-keys file, if no matching key was found in the Tectia-related authorization file or key directory.

  4. In the User configuration directory defined in the General view, if none of the above locations produced a matching key.

  5. In the default public-key storage location, if no setting was made in User configuration directory in the General view.

GSSAPI

Select the Allow GSSAPI check box to allow GSSAPI authentication. See User Authentication with GSSAPI for more information.

Allow ticket forwarding

Select the check box to allow forwarding the Kerberos ticket over several connections.

[Note]Note
On Microsoft Windows version 5.2 (Server 2003) and newer the possibility to allow Kerberos ticket forwarding is determined by the domain's Kerberos policy. For more information, see "How the Kerberos Version 5 Authentication Protocol Works".
Host-Based Authentication

Select the Allow host-based authentication check box to allow host-based authentication. For more information, see Host-Based User Authentication.

Require DNS match

Select the check box to require that the host name given by the client matches the one found in DNS. If the host name does not match, the authentication fails.

Keyboard-Interactive Authentication

Select the Allow keyboard-interactive authentication check box to allow keyboard-interactive authentication. For more information, see User Authentication with Keyboard-Interactive.

Failure delay / Max tries

Set the delay between failed attempts in seconds (Failure delay) and the maximum number of attempts (Max tries). The default delay is 2 seconds and default maximum is 3 attempts.

Submethods

For keyboard-interactive authentication, several submethods can be specified.

To edit the submethods, click the Submethods button. The Keyboard-Interactive Submethods dialog box opens (Figure 4.32).

Password Cache

Select the Enable Password Cache check box to enable server password cache. For more information, see Password Cache.

Keyboard-Interactive Submethods

In the Keyboard-Interactive Submethods dialog box you can configure the allowed submethods. On Windows, the password, RSA SecurID, RADIUS, and generic submethods are available.

Keyboard-interactive submethods

Figure 4.32. Keyboard-interactive submethods

Password

Select the Allow password over keyboard-interactive to allow the password submethod. For more information, see Password Submethod.

SecurID

Select the Allow SecurID over keyboard-interactive to allow the RSA SecurID submethod. For more information, see RSA SecurID Submethod.

DLL Path

Enter the path to the SecurID DLL.

RADIUS

Select the Allow RADIUS over keyboard-interactive to allow the RADIUS submethod. For more information, see RADIUS Submethod.

Servers

Click Add to add a new RADIUS server. The RADIUS Submethod dialog box opens.

For each RADIUS server, define a Shared secret file, server IP Address, Port, Timeout, and Client NAS identifier.

To change the order of the RADIUS servers, select a server from the list, and click Up and Down to move it. The servers are tried in the specified order.

To edit a RADIUS server, select the server from the list and click Edit.

To remove a RADIUS server, select the server from the list and click Delete.

Generic

Click Add to add a new generic submethod. The Generic Submethod dialog box opens.

Enter the Name of the method and the initialization Parameters.