SSH Tectia Server can use either X.509 certificates or Entrust certificates for authenticating itself.
To configure SSH Tectia Server to authenticate itself using X.509 certificates, perform the following tasks:
- Enroll a certificate for the server. This can be done with the ssh-cmpclient command-line tool. Note that the DNS address parameter (dns) needs to correspond to the fully qualified domain name of the server.

Example: Enrollment using ssh-cmpclient:
$ ssh-cmpclient INITIALIZE \
-P generate://ssh2@rsa:1024/testserv-rsa \
-o /etc/ssh2/testserv-rsa \
-p 62154:ssh \
-s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
'C=FI, O=SSH Communications Security Corp, CN=Secure Shell Test CA'
Remember to also define the SOCKS server (-S) before the CA URL, if required. For more information on the ssh-cmpclient syntax, see the ssh-cmpclient man page.
- Define the private key and the server certificate in the server configuration:
HostKeyFile <private key>
- Restart the server as instructed in Section Starting the Server.
SSH Tectia Server also supports the use of Entrust keys and certificates for authentication. Entrust keys are handled as external keys.
The Entrust external key provider described in this section is a component designed by SSH Communications Security Corp. Entrust Entelligence and the *.epf files are components designed by Entrust, Inc.
The server is configured to use the Entrust key and certificate with the following
The initialization string for the Entrust provider has the following components:
- dll: This defines the name of the shared Entrust FileToolkit object. This setting has reasonable defaults, so authentication should work without it, but you can override the defaults if needed. For example, on Solaris, this would be
(On one line, without the '\' character.)
- Password query method: This defines how the password is queried from the user. If the value is entrust, only the Entrust dialogs are used to query the password. If the value is native, the password is queried using the native authentication callback. If the field contains anything else (e.g. both), both methods are used.
- ini-file: The location of the initialization file. If it is not set, the file is searched for first as $HOME/entrust.ini (the user's home directory) and, if it is not found there, as /etc/entrust.ini. On Windows, the default location is entrust.ini in the Windows directory.
- Profile location: The location of the user's profile. If it is not set, it is searched for as $HOME/profile.epf on Unix, and as the user's My Documents\Entrust Profile\profile.epf on Windows.
- password: This can be used to set the password (for host-key profiles, for example).
An example of an initialization string:
dll(entapi32.dll) password(foobar) ini-file(solo.ini)
Environment variables are substituted when the initialization string is parsed.
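As an added illustration (not part of the manual or the Tectia product), a small Python parser for the initialization-string format described above: it expands environment variables before tokenizing, as the text states, and applies the documented search order for entrust.ini. The $VAR/${VAR} substitution syntax, the absence of any escaping for ')' inside values, and the function names are assumptions.

```python
import ntpath
import os
import re
from typing import Callable, Dict, Optional

# One "name(value)" token. The manual does not document escaping, so this
# assumed grammar does not allow ')' inside a value.
_TOKEN = re.compile(r"([A-Za-z][\w-]*)\(([^)]*)\)")
# Shell-style $VAR / ${VAR} references (the substitution syntax is an assumption).
_ENV_REF = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def parse_init_string(init: str, env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Parse 'dll(entapi32.dll) password(foobar) ini-file(solo.ini)' into a dict.
    Environment variables are expanded before tokenizing, matching the manual's
    statement that substitution happens when the string is parsed."""
    env = dict(os.environ) if env is None else env
    expanded = _ENV_REF.sub(lambda m: env.get(m.group(1) or m.group(2), ""), init)
    fields: Dict[str, str] = {}
    for m in _TOKEN.finditer(expanded):
        name, value = m.group(1), m.group(2).strip()
        if name in fields:
            raise ValueError(f"duplicate field {name!r}")
        fields[name] = value
    leftover = _TOKEN.sub("", expanded).strip()
    if leftover:
        raise ValueError(f"unparsed text in initialization string: {leftover!r}")
    # password(...) places the profile secret in the server configuration, so
    # that file needs the same protection as the host key itself.
    return fields


def resolve_ini_file(fields: Dict[str, str], home: str,
                     exists: Callable[[str], bool],
                     windows_dir: Optional[str] = None) -> str:
    """Apply the documented search order for entrust.ini: an explicit
    ini-file(...) wins; otherwise $HOME/entrust.ini, then /etc/entrust.ini on
    Unix, or entrust.ini in the Windows directory when windows_dir is given."""
    if fields.get("ini-file"):
        return fields["ini-file"]
    if windows_dir is not None:
        return ntpath.join(windows_dir, "entrust.ini")
    for candidate in (os.path.join(home, "entrust.ini"), "/etc/entrust.ini"):
        if exists(candidate):
            return candidate
    raise FileNotFoundError("no entrust.ini found in $HOME or /etc")


if __name__ == "__main__":
    sample = "dll(entapi32.dll) password($ENTRUST_PW) ini-file(solo.ini)"  # constructed
    fields = parse_init_string(sample, env={"ENTRUST_PW": "foobar"})
    print({k: ("<redacted>" if k == "password" else v) for k, v in fields.items()})
    print(resolve_ini_file({}, "/home/alice", exists=lambda p: p == "/etc/entrust.ini"))
```

Passing the password through an environment reference rather than a literal keeps the secret out of the configuration text itself, although the process environment then needs equivalent protection.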