![]() ![]() |
To configure the server to allow user authentication with certificates, perform the following tasks:
Acquire the CA certificate and copy it to the server machine. You can either copy the X.509 certificate(s) as such or you can copy a PKCS #7 package including the CA certificate(s). Certificates can be extracted from a PKCS #7 package by specifying the
-7
flag withssh-keygen-g3
.Certificate authentication is a part of the
publickey
authentication method. Make sure that you have enabled it in the/opt/tectia/etc/sshd2_config
file:AllowedAuthentications publickey AuthPublicKey.Cert.Required no
Setting the
AuthPublicKey.Cert.Required
option toyes
defines that the user must authenticate with a certificate or else the authentication will fail.Specify the trusted CA certificate and the mapping file(s) in the
ssh_certd_config
file:Pki <ca-cert-path> MapFile <map-file-path>
You can define several CA certificates by using several
Pki
keywords.Pki test-ca1.crt MapFile cert-user-mapping1.txt Pki test-ca2.crt MapFile cert-user-mapping2a.txt MapFile cert-user-mapping2b.txt
Note that multiple
MapFile
keywords are permitted perPki
keyword. Also, if no mapping file is defined, all connections are denied even if user certificates can be verified using the defined CA certificate. The server will accept only certificates issued by defined CA(s).Also define the LDAP server(s) used for CRL checks in the
ssh_certd_config
file. If the CA services (OCSP, CRLs) are located behind a firewall, define also the SOCKS server.LdapServers ldap://ldap.example.com:389 SocksServer socks://fw.example.com:1080
Defining the LDAP server is not necessary if the CA certificate contains a
CRL Distribution Point
or anAuthority Info Access
extension.Create the certificate user mapping file as described in Certificate User Mapping File.
Restart
ssh-certd
as instructed in Restarting and Stoppingssh-certd
.
For more information on the configuration file options, see sshd2_config
and ssh_certd_config
.