
SSH

Certificates Stored in File

To configure the server to allow user authentication with certificates, perform the following tasks:

  1. Acquire the CA certificate and copy it to the server machine. You can either copy the X.509 certificate(s) as such or you can copy a PKCS #7 package including the CA certificate(s). Certificates can be extracted from a PKCS #7 package by specifying the -7 option with ssh-keygen-g3.

  2. Certificate authentication is a part of the publickey authentication method. Make sure that you have enabled it in the /opt/tectia/etc/sshd2_config file:

    AllowedAuthentications        publickey
    AuthPublicKey.Cert.Required   no 
    

    Setting the AuthPublicKey.Cert.Required option to yes requires the user to authenticate with a certificate; a plain public key without a certificate is then rejected and the authentication fails.

  3. Specify the trusted CA certificate and the mapping file(s) in the ssh_certd_config file:

    Pki                           <ca-cert-path>
    MapFile                       <map-file-path>
    

    You can define several CA certificates by using several Pki keywords.

    Pki                           test-ca1.crt
    MapFile                       cert-user-mapping1.txt
    Pki                           test-ca2.crt
    MapFile                       cert-user-mapping2a.txt
    MapFile                       cert-user-mapping2b.txt
    

    Note that multiple MapFile keywords are permitted per Pki keyword. Also, if no mapping file is defined, all connections are denied even if user certificates can be verified using the defined CA certificate. The server will accept only certificates issued by defined CA(s).

  4. Also define the LDAP server(s) used for CRL checks in the ssh_certd_config file. If the CA services (OCSP, CRLs) are located behind a firewall, define also the SOCKS server.

    LdapServers                   ldap://ldap.example.com:389
    SocksServer                   socks://fw.example.com:1080
    

    Defining the LDAP server is not necessary if the CA certificate contains a CRL Distribution Point or an Authority Info Access extension, because ssh-certd can then fetch the CRL (or reach the OCSP responder) from the URL given in the extension.

  5. Create the certificate user mapping file as described in Certificate User Mapping File.

  6. Restart ssh-certd as instructed in Restarting the Certificate Validator.

For more information on the configuration file options, see sshd2_config(5) and ssh_certd_config(5).
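The procedure above has two silent failure modes: a Pki keyword that is not followed by any MapFile (certificates verify, but every login through that CA is denied), and a certificate or mapping file path that does not resolve on the server. The following script is an added example, not Tectia's own tooling, that lints an ssh_certd_config and an sshd2_config for exactly those mistakes. It assumes the simple "keyword value" line layout shown on this page, that "#" starts a comment, and that a relative Pki or MapFile path is resolved against the directory holding the config file; the server's real path search rules and keyword precedence are not modelled. The configuration and certificate files it creates under a temporary directory are constructed placeholders for the demonstration.

```shell
#!/bin/sh
# Added example (not part of Tectia SSH): lint ssh_certd_config / sshd2_config
# for the pitfalls named in the procedure. Assumptions: one "keyword value"
# per line, '#' starts a comment, relative paths resolve against the config
# file's own directory.

# Usage: check_certd_config FILE  -> exit 0 when no problem was found
check_certd_config() {
    cfg=$1
    dir=$(dirname "$cfg")
    errors=0
    pki=""      # CA certificate named by the Pki keyword currently open
    maps=0      # number of MapFile keywords seen for that Pki

    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # strip comments
        set -- $line                         # split into keyword / value
        [ $# -ge 2 ] || continue             # blank or keyword-only line
        kw=$1; val=$2
        case $val in /*) path=$val ;; *) path=$dir/$val ;; esac
        case $kw in
            Pki)
                # A Pki with no MapFile after it: certificates verify,
                # but every login through this CA is denied.
                if [ -n "$pki" ] && [ "$maps" -eq 0 ]; then
                    echo "ERROR: Pki $pki has no MapFile; all logins via it are denied" >&2
                    errors=$((errors + 1))
                fi
                pki=$val; maps=0
                [ -r "$path" ] || { echo "ERROR: CA certificate $path is not readable" >&2; errors=$((errors + 1)); }
                ;;
            MapFile)
                if [ -z "$pki" ]; then
                    echo "ERROR: MapFile $val appears before any Pki keyword" >&2
                    errors=$((errors + 1))
                fi
                [ -s "$path" ] || { echo "ERROR: mapping file $path is missing or empty" >&2; errors=$((errors + 1)); }
                maps=$((maps + 1))
                ;;
        esac
    done < "$cfg"

    if [ -z "$pki" ]; then
        echo "ERROR: no Pki keyword; no CA certificate is trusted" >&2
        errors=$((errors + 1))
    elif [ "$maps" -eq 0 ]; then
        echo "ERROR: Pki $pki has no MapFile; all logins via it are denied" >&2
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Usage: check_publickey_enabled FILE -> exit 0 when an uncommented
# AllowedAuthentications line lists publickey (comma-separated list)
check_publickey_enabled() {
    cfg=$1
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ $# -ge 2 ] && [ "$1" = AllowedAuthentications ] || continue
        shift
        vals=$(printf '%s' "$*" | tr -d ' ')    # tolerate "a, b" spacing
        case ",$vals," in *,publickey,*) found=0 ;; esac
    done < "$cfg"
    return $found
}

# Constructed demonstration input (placeholders, not real certificates).
demo=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' > "$demo/test-ca1.crt"
cp "$demo/test-ca1.crt" "$demo/test-ca2.crt"
for m in cert-user-mapping1.txt cert-user-mapping2a.txt cert-user-mapping2b.txt; do
    printf '# mapping rules as described in Certificate User Mapping File\n' > "$demo/$m"
done
cat > "$demo/good.conf" <<'EOF'
Pki           test-ca1.crt
MapFile       cert-user-mapping1.txt
Pki           test-ca2.crt
MapFile       cert-user-mapping2a.txt
MapFile       cert-user-mapping2b.txt
LdapServers   ldap://ldap.example.com:389
EOF
cat > "$demo/bad.conf" <<'EOF'
Pki           test-ca1.crt          # no MapFile follows: logins denied
Pki           missing-ca.crt        # file does not exist
MapFile       cert-user-mapping1.txt
EOF
printf 'AllowedAuthentications   publickey,password\n' > "$demo/sshd2_good"
printf 'AllowedAuthentications   password\n'           > "$demo/sshd2_bad"

for f in good bad; do
    if check_certd_config "$demo/$f.conf"; then echo "$f.conf: OK"; else echo "$f.conf: problems found"; fi
done
```

Run it before restarting ssh-certd; the bad.conf case prints one error for the first Pki (no MapFile) and one for the unreadable CA certificate, and exits non-zero. The check only reports what the procedure itself says will go wrong; it does not validate certificate contents or the mapping-file syntax.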
