SSH Tectia Server (A/F/T) 5.0

Contents

1. Server Configuration File Syntax (DTD excerpt): authentication methods

    <!-- Authentication methods element -->
    <!ELEMENT authentication-methods (banner-message?, auth-file-modes?, authentication*)>
    <!ATTLIST authentication-methods
      login-grace-time CDATA "&default-login-grace-time-seconds;">

    <!-- Banner message element -->
    <!ELEMENT banner-message (#PCDATA)>
    <!ATTLIST banner-message
      file CDATA #IMPLIED>

    <!-- Authentication file permission checks -->
    <!ELEMENT auth-file-modes EMPTY>
    <!ATTLIST auth-file-modes
      strict (yes|no) "&default-strict-modes;"
      mask-bits CDATA "&default-file-mask-bits;">

    <!-- Authentication element. In an authentication element, different ... -->
    <!ELEMENT authentication (selector*,
                              (auth-publickey | auth-hostbased | auth-password |
                               auth-keyboard-interactive | auth-gssapi)*,
                              authentication*)>
    <!ATTLIST authentication
      name ID #IMPLIED
      action (allow|deny) "&default-authentication-action;"
      set-group CDATA #IMPLIED>

    <!-- Publickey authentication -->
    <!ELEMENT auth-publickey EMPTY>

    <!-- Hostbased authentication -->
    <!ELEMENT auth-hostbased EMPTY>
    <!ATTLIST auth-hostbased
      require-dns-match (yes|no) "&default-auth-hostbased-require-dns-match;">

    <!-- Password authentication -->
    <!ELEMENT auth-password EMPTY>

(c) 1995-2005 SSH Communications Security Corp, SSH Tectia Server (A/F/T) 5.0 Administrator Manual
2. [Figure 4.4: SSH Tectia Server Configuration, Network page. The dialog shows the listener ID list with Add and Delete buttons, and the Listener Settings fields Port (22) and Listen address.]

The ID list shows the interfaces SSH Tectia Server is listening to. You can specify several listeners to different addresses. Also multiple ports at the same address can be listened to.

To add a new network listener, click the Add button and give the ID in the text box below. The ID must be unique. Give also the Port and Listen address (see below). To remove a listener, select an ID from the list and click Delete.

Port: Specify the port number that the server listens on; allowed values are 1-65535. The server has to be restarted in order to use the changed setting. The default port is 22.

Listen address: Specify the IP address of the network interface card where the Secure Shell server socket is bound. The server has to be restarted to use the changed setting.

4.1.5 Logging

The Logging page of the SSH Tectia Server Configuration tool
3. Several authentication methods can be set as required by nesting the authentication elements inside each other. If the authentication-methods element does not exist, the server allows by default GSSAPI, public-key, keyboard-interactive and password authentication (one of them must succeed).

However, if you put an empty authentication-methods element in the ssh-server-config.xml file, all users will be allowed to log in without authentication. Likewise, if you leave empty authentication elements inside authentication-methods, the matching users (everyone if no selectors are used) will be allowed to log in without authentication.

Caution: Do not leave the authentication-methods element empty in the ssh-server-config.xml file, or else all users are allowed to log in without authentication. Either remove the element completely to use the default authentication methods, or add authentication elements with authentication methods of your choice.

banner-message

This element specifies the path to the message that is sent to the client before authentication. The path is given as a value of the file attribute. Alternatively, the banner message can be given as the contents of the banner-message element. Note, however, that the client is not obliged to show this message.

    <banner-message file=
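As an added defender-side check (not part of the manual), the following Python script parses an ssh-server-config.xml and reports the two misconfigurations the caution above describes: an empty authentication-methods element, and an allowing authentication element that names no authentication method. It assumes the hyphenated element names of the Tectia DTD (authentication-methods, auth-publickey, and so on), a secsh-server root element, and that a missing action attribute means allow; the sample configurations are constructed for the example.

```python
"""Audit an SSH Tectia ssh-server-config.xml for the two misconfigurations the
manual warns about: an empty authentication-methods element, and an allowing
authentication element that names no authentication method."""
import xml.etree.ElementTree as ET

# Assumption: the hyphenated element names of the Tectia DTD (the extracted
# manual text drops the hyphens) and a secsh-server root element.
AUTH_METHOD_TAGS = {
    "auth-publickey",
    "auth-hostbased",
    "auth-password",
    "auth-keyboard-interactive",
    "auth-gssapi",
}


def _has_method(auth):
    """True if any auth-* element appears anywhere under this authentication
    element, including inside nested (required) authentication elements."""
    return any(el.tag in AUTH_METHOD_TAGS for el in auth.iter())


def _scope(auth):
    """Describe who the element matches: with no selector it matches everyone."""
    if auth.find("selector") is None:
        return "no selector, matches everyone"
    return "selector present"


def audit_config(xml_text):
    """Return a list of finding strings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    for am in root.iter("authentication-methods"):
        top_level = am.findall("authentication")
        if not top_level:
            findings.append(
                "authentication-methods is empty: all users can log in without "
                "authentication; remove the element to get the defaults back or "
                "add authentication elements with methods")
            continue
        for auth in top_level:
            # Assumption: a missing action attribute defaults to allow.
            if auth.get("action", "allow") != "allow":
                continue  # a deny element without methods is a deny, not a hole
            if not _has_method(auth):
                findings.append(
                    "authentication %r allows login with no method (%s)"
                    % (auth.get("name", "<unnamed>"), _scope(auth)))
    return findings


# Constructed sample configurations (not from the manual).
SAFE_CONFIG = """<secsh-server>
  <authentication-methods>
    <authentication action="allow">
      <auth-publickey />
      <auth-password />
    </authentication>
  </authentication-methods>
</secsh-server>"""

EMPTY_METHODS_CONFIG = """<secsh-server>
  <authentication-methods />
</secsh-server>"""

EMPTY_AUTH_CONFIG = """<secsh-server>
  <authentication-methods>
    <authentication name="admins" action="allow">
      <selector><user name="admin" /></selector>
      <auth-publickey />
    </authentication>
    <authentication name="everyone" action="allow" />
    <authentication name="blocked" action="deny" />
  </authentication-methods>
</secsh-server>"""


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG),
                       ("empty-methods", EMPTY_METHODS_CONFIG),
                       ("empty-auth", EMPTY_AUTH_CONFIG)):
        print(label, audit_config(cfg) or ["ok"])
```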
4. 5.9 User Authentication with GSSAPI

GSSAPI (Generic Security Service Application Programming Interface) is a function interface that provides security services for applications in a mechanism-independent way. This allows different security mechanisms to be used via one standardized API. GSSAPI is often linked with Kerberos, which is the most common mechanism of GSSAPI.

For Windows, GSSAPI offers integrated authentication for both old NT4 networks with NTLM authentication and for new Windows 2000/2003 networks with Kerberos. This method utilizes domain accounts, since local accounts are not transferable across machine boundaries.

To enable GSSAPI authentication on the server, the authentication-methods element of the ssh-server-config.xml file must contain an auth-gssapi element. For example:

    <authentication-methods>
      <authentication action="allow">
        <auth-gssapi dll-path="path/to/gssapi.dll" />
      </authentication>
    </authentication-methods>

Also other authentication methods can be listed. Place the least interactive method first.

On Windows, using the SSH Tectia Server Configuration tool, GSSAPI authentication can be configured on the Authentication page. See Section 4.1.9.

Note: SSH Communications Security does not provide technical support on how to configure Kerberos. Our support only covers SSH
5. For each RADIUS server, define a Shared secret file, server IP Address, Port, Timeout and Client NAS identifier. To change the order of the RADIUS servers, select a server from the list and click Up and Down to move it. The servers are tried in the specified order. To remove a RADIUS server, select a server from the list and click Delete.

4.1.10 Services

On the Services page you can set restrictions on the services (e.g. terminal, tunneling, SFTP) that the server provides.

Selectors can be used to define groups for users, and different services can be allowed to each group. The order of the groups is important. The user is put into the first matching group and the remaining groups are ignored.

If no selectors or only empty selectors are specified in a group element, the group matches all users. However, creating a group like this is not sensible. If the user was already put into a group during authentication (using Set group), the group definitions on the Services page are ignored.

The order of rules is also important. Rules for specified groups can be in any order because they must match exactly to the group names, but the last rule should be a general rule with no group definition. This rule is used for all users that do not have a group.
6. Server Configuration File Syntax (DTD excerpt, continued): external keys, certificate validation, listener

    <!ATTLIST externalkey
      type CDATA #REQUIRED
      init-info CDATA #IMPLIED>

    <!-- CA certificate -->
    <!ELEMENT ca-certificate (#PCDATA)>
    <!ATTLIST ca-certificate
      file CDATA #IMPLIED
      name CDATA #REQUIRED
      disable-crls (yes|no) "&default-disable-crls;"
      use-expired-crls CDATA "&default-use-expired-crls;">

    <!-- Certificate cache file -->
    <!ELEMENT cert-cache-file EMPTY>
    <!ATTLIST cert-cache-file
      file CDATA #REQUIRED>

    <!-- CRL auto update -->
    <!ELEMENT crl-auto-update EMPTY>
    <!ATTLIST crl-auto-update
      update-before CDATA #IMPLIED
      minimum-interval CDATA #IMPLIED>

    <!-- CRL prefetch -->
    <!ELEMENT crl-prefetch EMPTY>
    <!ATTLIST crl-prefetch
      interval CDATA "&default-crl-prefetch-interval;"
      url CDATA #REQUIRED>

    <!-- LDAP servers -->
    <!ELEMENT ldap-server EMPTY>
    <!ATTLIST ldap-server
      address CDATA #REQUIRED
      port CDATA "&default-ldap-server-port;">

    <!-- OCSP responders -->
    <!ELEMENT ocsp-responder EMPTY>
    <!ATTLIST ocsp-responder
      validity-period CDATA #IMPLIED
      url CDATA #REQUIRED>

    <!-- DoD PKI -->
    <!ELEMENT dod-pki EMPTY>
    <!ATTLIST dod-pki
      enable (yes|no) "&default-dod-pki;">

    <!-- Listener -->
    <!ELEMENT listener EMPTY>
    <!ATTLIST listener
      id ID #REQUIRED
      port CDATA ...
      address CDATA #IMPLIED>
7. ... local2, local3, local4, local5, local6, local7 or discard. Setting the facility to discard causes the server to ignore the specified log events. On Windows, only the normal and discard facilities are used.

The severity can be informational, notice, warning, error, critical, security-success or security-failure.

Any events that are not specifically defined in the configuration file use the default values. The defaults can be overridden for all remaining events by giving an empty log-events element after all other definitions and setting a severity value for it. For a complete list of log events, see Appendix D.

The following example sets the facility of the connect, login and logout events to daemon and the severity to notice. It also sets the facility of the filexfer_start and filexfer_end events to discard (the events will not be logged). All other events use the default settings.

    <logging>
      <log-events facility="daemon" severity="notice">
        connect login logout
      </log-events>
      <log-events facility="discard">
        filexfer_start filexfer_end
      </log-events>
    </logging>

limits

This element sets the maximum number of connections and processes the server will handle. SSH Tectia Server uses a distributed architecture where the master server process launches several servant server processes that handle the actual connections. The max-processes attribute defines the maximum number of servant processes the
8. ssh-keygen-g3 options (continued)

    passphrase     Specifies the passphrase used.
                   Specifies that the key will be saved with an empty passphrase.
                   Displays help and exits.
                   Hides the progress indicator.
    file           Converts a key from the SSH1 format to the SSH2 format.
    file           Loads and displays information on file.
    file           Derives the public key from the private key file.
    number         Specifies the number base for displaying key information (default: 10).
                   Displays version string and exits.
    -r file        Adds entropy from file to the random pool. If file contains relatively
                   random data, i.e. data unpredictable by a potential attacker, the
                   randomness of the pool is increased. Good randomness is essential for
                   the security of the generated keys.
    --overwrite=yes|no
                   Overwrite files with the same filenames. The default is to overwrite.
    -x file        Converts a private key from the X.509 format to the SSH2 format.
    -k file        Converts a PKCS #12 file to an SSH2 format certificate and private key.
    -7 file        Extracts certificates from a PKCS #7 file.
    -F file        Dumps the fingerprint of the given public key. The fingerprint is given
                   in the Bubble Babble format, which makes the fingerprint look like a
                   string of real words, making it easier to pronounce.
    -H, --hostkey  Generates a Secure Shell host key pair and stores the key pair in the
9. (hostkey element, continued)

        <private file="/etc/ssh2/hostcert_rsa" />
        <x509-certificate file="/etc/ssh2/hostcert_rsa.crt" />
      </hostkey>

listener

This element is used to specify where the server listens for connections. The element has three attributes: id, address and port. The id must be given as an attribute and it must be unique. Also the port and address can be given. The default port for listeners is 22. Several listeners can be created to the same IP address to different ports. Each must have a unique ID. Sample listener elements are shown below:

    <listener id="internet" address="172.56.34.1" />
    <listener id="intranet" address="10.0.0.1" />
    <listener id="admin-private" port="222" />

logging

This element changes the logging settings that define the log event severities and logging facilities. The element contains one or more log-events elements.

log-events

This element sets the severity and facility of different logging events. The events have reasonable default values, which are used if no explicit logging settings are made. This setting allows customizing the default values. For the events, facility and severity can be set as attributes. The events themselves should be listed inside the log-events element.

The facility can be normal, daemon, user, auth, local0, local
10. SSH Tectia Server (A/F/T) 5.0 Administrator Manual, 19 September 2005

Copyright (c) 1995-2005 SSH Communications Security Corp. This software is protected by international copyright laws. All rights reserved. ssh is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH logo and Tectia are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database or transmitted in any form or by any means, electronic, mechanical, recording or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corp.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

SSH Communications Security Corp, Valimotie 17, FIN-00380 Helsinki, Finland

Table of Contents

1 About This Document
  1.1 Component Terminology
  1.2 Documentation Conventions
  1.3 Customer Support
2 Installing SSH Tectia Server
13. (Table of Contents, continued)

2 Installing SSH Tectia Server
  2.1 Planning the Installation
    2.1.1 System Requirements
    2.1.2 Packaging
    2.1.3 Licensing
    2.1.4 Upgrading from Version 4.x to 5.0
    2.1.5 Upgrading from Version 5.0
  2.2 Installing the SSH Tectia Server Software
    2.2.1 Installing on AIX
    2.2.2 Installing on HP-UX
    2.2.3 Installing on Linux
    2.2.4 Installing on Solaris
    2.2.5 Installing on Windows
  2.3 Removing the SSH Tectia Server Software
    2.3.1 Removing from AIX
    2.3.2 Removing from HP-UX
    2.3.3 Removing from Linux
    2.3.4 Removing from Solaris
    2.3.5 Removing from Windows
3 Getting Started
  3.1 Location of Installed Files
    3.1.1 File Locations on Unix
    3.1.2 File Locations on Windows
  3.2 Starting and Stopping the Server
14. ssh-cmpclient-g3 options (continued)

The possible type values are ip, email, dn, dns, uri and rid.

-u key-usage-name[,key-usage-name...]
    Requested key usage purpose code. The following codes are recognized: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly and help. The special keyword help lists the supported key usages, which are defined in RFC 3280.

-U extended-key-usage-name[,extended-key-usage-name...]
    Requested extended key usage code. The following codes, in addition to user-specified dotted OID values, are recognized: serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, ikeIntermediate and smartCardLogon.

access
    Specifies the CA address in URL format. Possible access methods are HTTP (http://host:port/path) or plain TCP (tcp://host:port/path). If the host address is an IPv6 address, it must be enclosed in square brackets (http://[IPv6-address]:port).

name
    Optionally specifies the destination CA name for the operation, in case a CA certificate was not given using the option -c.

Examples

Initial Certificate Enrollment

This example provides commands for enrolling an initial certificate for digital signature use. It generates a private key into a PKCS #8 plaintext file named initial.prv and stores the enrolled certificate into file initial-0.crt. The user is authenticated to the CA with the key identifier (refnum) 62154 and the key ssh. The subject name and alter
15. You only need to regenerate it if you want to change your host key pair. The command-line tool ssh-keygen-g3 can be used to generate the host key pair. It can be used for creating the user key pairs as well.

On Unix, to regenerate the host key, give the following command with root privileges:

    ssh-keygen-g3 -P -H hostkey

On Windows, to regenerate the host key, give the following command (the command is not legible in the source):

    ...

This will generate a 2048-bit DSA key pair without a passphrase and save it in the default host key directory (/etc/ssh2 on Unix, C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server on Windows) with the names hostkey and hostkey.pub. For more information on the key generation options, see ssh-keygen-g3(1).

After the new key pair has been created, run ssh-server-config-tool to reconfigure the server. See ssh-server-config-tool(8).

Note: It is of utmost importance that the private key is never readable by anyone but the server itself. Store the private key of the server in a safe directory where access is denied for all users.

5.1.2 Notifying the Users of the Host Key Change

Administrators that have other users connecting to their server should notify the users of the host key change. If you do not, the users will receive a warning the next time they connect, because the host key the users have saved on their disk for your server does not match the host key now being actually provided.
16. (2.1.1 System Requirements, continued)

- SUSE LINUX Enterprise Server 9 (x86, POWER, zSeries)
- Sun Solaris 2.6, 7, 8, 9 and 10 (SPARC)
- Microsoft Windows 2000 with SP4, XP with SP1/SP2, and Server 2003 with SP1 (x86) (SSH Tectia Server T only)

The following minimum hardware is required:

SSH Tectia Server A and SSH Tectia Server F
- Any standard hardware
- 100 MB free disk space
- CD-ROM drive (optional if installed from network)
- TCP/IP connection

SSH Tectia Server T
- 1 GB RAM for hundreds of simultaneous tunnels
- 100 MB free disk space
- CD-ROM drive (optional if installed from network)
- TCP/IP connection

2.1.2 Packaging

On Unix and Linux platforms, SSH Tectia Server comes in two installation packages. The first package contains the common components of SSH Tectia Client and Server. The second contains the specific components of SSH Tectia Server.

On Windows, SSH Tectia Server comes in a single MSI installation package.

SSH Tectia Server A, Server F and Server T use the same installation package. The functionality of the server is controlled by the license file. See Section 2.1.3.

Table 2.1 summarizes the required SSH Tectia Server packages on different platforms.

Table 2.1: The SSH Tectia Server installation packages

    SSH Tectia Server A/F/T on Unix and Linux | SSH Tectia Server A/F/T
17. Server Configuration File Syntax (DTD excerpt): logging, certificate validation, limits, connections

    <!ELEMENT logging (log-events*)>

    <!-- Log events -->
    <!ELEMENT log-events (#PCDATA)>
    <!ATTLIST log-events
      facility (normal|daemon|user|auth|local0|local1|local2|local3|local4|local5|local6|local7|discard)
               "&default-log-event-facility;"
      severity (informational|notice|warning|error|critical|security-success|security-failure)
               "&default-log-event-severity;">

    <!-- Certificate validation -->
    <!ELEMENT cert-validation (ldap-server*, ocsp-responder*, cert-cache-file?, crl-auto-update?,
                               crl-prefetch*, dod-pki?, ca-certificate*)>
    <!ATTLIST cert-validation
      http-proxy-url CDATA #IMPLIED
      socks-server-url CDATA #IMPLIED>

    <!-- Limits -->
    <!ELEMENT limits EMPTY>
    <!ATTLIST limits
      max-connections CDATA #IMPLIED
      max-processes CDATA #IMPLIED>

    <!-- Connections -->
    <!ELEMENT connections (connection+)>
    <!ELEMENT connection (selector*, rekey?, cipher*, mac*)>
    <!ATTLIST connection
      name ID #IMPLIED
      action (allow|deny) "&default-connection-action;"
      tcp-keepalive (yes|no) "&default-tcp-keepalive;">

    <!-- Rekey -->
    <!ELEMENT rekey EMPTY>
    <!ATTLIST rekey
      seconds CDATA "&default-rekey-interval-seconds;"
      bytes CDATA "&default-rekey-interval-bytes;">

    <!-- Cipher -->
    <!ELEMENT cipher EMPTY>
    <!ATTLIST cipher
      name CDATA #R
18. (Table 2.1, continued: column "on Windows"; rows: Common, Server | Server)

2.1.3 Licensing

SSH Tectia Server requires a license file to function. Each Server type (A, F and T) uses a license file of its own. Depending on the platform and the Server type you have purchased, you have one of the following files:

- On Unix: tectia-server-A-50.lic, tectia-server-F-50.lic or tectia-server-T-50.lic
- On Windows: sts50.dat (the contents of the file is different with each SSH Tectia Server type)

On the CD-ROM, the license files can be found in the install/<platform> directory.

After installation, the license file should be located in /etc/ssh2/licenses on Unix and in <INSTALLDIR>\SSH Tectia AUX\licenses on Windows (the default installation directory is C:\Program Files\SSH Communications Security\SSH Tectia).

On Windows, when installing from the CD-ROM, the license file is automatically copied to the right directory. In other cases, the license file has to be copied manually.

2.1.4 Upgrading from Version 4.x to 5.0

On Unix and Linux platforms, earlier versions of SSH Tectia Server should be removed before installing SSH Tectia Server 5.0. When installing via SSH Tectia Manager, this is handled automatically.

On Windows, SSH Tectia Server 4.1 and later can be upgraded by installing a newer ver
20. (2.3.3 Removing from Linux, continued)

<ver> is the package version of SSH Tectia Server to be removed, for example 5.0.0.777.

3. If you want to remove also the components that are common with SSH Tectia Client, give the following command:

    rpm -e ssh-tectia-common-<ver>

Note: The uninstallation procedure removes only the files that were created when installing the software. Any configuration files and host keys have to be removed manually.

2.3.4 Removing from Solaris

To remove SSH Tectia Server from a Solaris environment, do the following:

1. Stop SSH Tectia Server with the following command:

    /etc/init.d/ssh-server-g3 stop

2. Remove the installation by issuing the following command with root privileges:

    pkgrm SSHG3srvr

3. If you want to remove also the components that are common with SSH Tectia Client, give the following command:

    pkgrm SSHG3cmmn

Note: The uninstallation procedure removes only the files that were created when installing the software. Any configuration files and host keys have to be removed manually.

2.3.5 Removing from Windows

To remove SSH Tectia Server from a Windows environment, do the following:

1. From the Start menu, open the Windows Control Panel and double-click Add or Remove Programs.
2. From the program list, select SSH Tectia Server and click Remove.
3. Click Yes t
21. (Audit messages, continued)

(tail of the preceding entry) Argument Ctx: Context pointer that identifies the search.

1112 CM_cert_not_in_search_interval
Level: informational. Origin: SSH Tectia Server, Connection Broker. Default log facility: normal.
The certificate is not valid during the required time period.
Arguments: SubjectName (subject name of the certificate); Text (error description); Ctx (search context).

1113 CM_certificate_revoked
Level: informational. Origin: SSH Tectia Server, Connection Broker. Default log facility: normal.
A certificate was found to be revoked.
Arguments: SubjectName (subject name of the certificate); Ctx (the context pointer of the search).

1114 CM_cert_search_constraint_mismatch
Level: informational. Origin: SSH Tectia Server, Connection Broker. Default log facility: normal.
The certificate did not satisfy the constraints set for the search.
Arguments: SubjectName (subject name of the certificate); Text (description of the mismatch); Ctx (search context).

1115 CM_ldap_search_started
Level: informational. Origin: SSH Tectia Server, Connection Broker. Default log facility: normal.
An LDAP search for a CRL or a sub-CA is being started.
Arguments: Text (search details).

1116 CM_ldap_search_success
Level: informational. Origin: SSH Tectia Server, Conne
23. (Audit messages, continued)

(tail of the preceding entry) Arguments: ..., Dst Port, Text. Descriptions (column spilled in extraction): Remote port; Local port; Reason for disconnect; Remote hostname; Remote IP address; Local interface ID; Local IP address; Remote port; Local port; Textual description of the disconnect reason.

410 Login_success
Level: security-success. Origin: SSH Tectia Server. Default log facility: normal.
The user has logged in after successful authentication, account validity and other checks.
Arguments: Username (the user's login name); Src (remote hostname); Src IP (remote IP address); Dst IFace (local interface ID); Dst IP (local IP address); Src Port (remote port); Dst Port (local port); Ver (client's version string); Session Id (session identifier).

411 Login_failure
Level: security-failure. Origin: SSH Tectia Server. Default log facility: normal.
An unsuccessful login attempt was made to the server.
Arguments: Username, Reason, Src, Src IP, Dst IFace, Dst IP, Src Port, Dst Port, Text, Session Id.

412 Logout
Level: informational. Origin: SSH Tectia Server. Default log facility: normal.
The user has logged out.
Arguments: Username, Reason, Src, Src IP, Dst IFace, Dst IP, Src Port, Dst Port, Text, Session Id.

420 Session_channel_open
Level: informational. Origin: SSH Tectia Server.
Descriptions (column spilled in extraction): The user's login name; Reason for disconnect; Remote hostnam
24. ... Java APIs for customization.

This chapter gives the typical SSH Tectia Server settings when it is used for secure file transfer and gives an example of an SSH Tectia Server F configuration.

[Figure 7.1: Secure file transfer. The diagram shows SSH Tectia Client F (SFTP API, business application) and SSH Tectia Server F, a database server with SSH Tectia Server, a Windows client transferring files using SFTP, daily data update using SCP/SFTP, and automated database backup using SCP to a backup server running SSH Tectia Server.]

For more information on the advanced file transfer features available with SSH Tectia Server F and SSH Tectia Client F, see SSH Tectia Client/Server Product Description and the documentation for the C and Java APIs on the CD-ROM.

7.1 SSH Tectia Client File Transfer User

When SSH Tectia Server is used for automated file transfer, separate user accounts can be created for the file transfer users. Non-interactive authentication with public keys and scripted commands can be set for these accounts.

7.1.1 Encryption and Authentication Methods

The CryptiCore algorithm and public-key authentication should be enabled on the server.

Enabling CryptiCore

The CryptiCore algorithm is supported
25. (Table of Contents, continued)

    3.2.1 Starting and Stopping on Unix
    3.2.2 Starting and Stopping on Windows
  3.3 Examples of Use
4 Configuring SSH Tectia Server
  ssh-server-config.xml
  4.1 Configuration Tool (Windows)
    4.1.1 SSH Tectia Server
    4.1.2 General
    4.1.3 Identity
    4.1.4 Network
    4.1.5 Logging
    4.1.6 Certificate Validation
    4.1.7 Editing Selectors
    4.1.8 Connections and Encryption
    4.1.9 Authentication
    4.1.10 Services
5 Authentication
  5.1 Server Authentication with Public Keys
    5.1.1 Generating the Host Key
    5.1.2 Notifying the Users of the Host Key Change
  5.2 Server Authentication with Certificates
    5.2.1 Certificate Enrollment Using ssh-cmpclient
  5.3 Server Authentication using External Host Keys
26. -P generate://ssh2:rsa:1024/hostcert_rsa -o /etc/ssh2/hostcert_rsa -p 62154:ssh -s 'C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com' http://pki.ssh.com:8080/pkix/ 'C=FI,O=SSH Communications Security Corp,CN=Secure Shell Test CA'

Note that the DNS address parameter (dns) needs to correspond to the fully qualified domain name of the server. Remember to define also the SOCKS server(s) before the CA URL, if required. For more information on the ssh-cmpclient syntax, see ssh-cmpclient-g3(1).

2. Define the private key and the server certificate in the ssh-server-config.xml file:

  <params>
    <hostkey>
      <private file="/etc/ssh2/hostcert_rsa" />
      <x509-certificate file="/etc/ssh2/hostcert_rsa.crt" />
    </hostkey>
  </params>

Alternatively, on Windows, when using the SSH Tectia Server Configuration tool, enter the private key and certificate filenames on the Identity page. See Section 4.1.3.

3. Run ssh-server-config-tool to take the new configuration in use. See ssh-server-config-tool(8). On Windows, click Save to take the new settings in use.

5.3 Server Authentication using External Host Keys

In addition to conventional keys and certificates stored as files on disk, several external key providers are available for accessing keys and certificates stored in hardware tokens or ext
27. SSH Tectia Server. A TCP forwarding channel has closed. Default log facility: normal.
  Arguments:
    Username: User's login name
    Sub ID: Channel number
    Session Id: Session identifier
  (Description-column entries of the preceding event, whose argument names are not on this page: Success or error description; Server to client; Receiving listener address; Receiving listener port; Channel number; Session identifier; Error message.)

424 Auth channel open
  Level: informational. Origin: SSH Tectia Server.
  An authorization agent forwarding channel opening has completed successfully or unsuccessfully. Default log facility: normal.
  Arguments:
    Username: User's login name
    Sub ID: Channel number
    File name: Path to the listener
    Success/Error: Success or error description
    Session Id: Session identifier

425 Auth channel close
  Level: informational. Origin: SSH Tectia Server.
  An authorization agent forwarding channel has closed. Default log facility: normal.
  Arguments:
    Username: User's login name
    Sub ID: Channel number
    File name: Path to the listener
    Session Id: Session identifier

426 Forwarding listener open
  Level: informational. Origin: SSH Tectia Server.
  A TCP forwarding listener opening has completed successfully or unsuccessfully. Default log facility: normal.
  Arguments: Username, Success/Error, Listener IP, Listener Po
28. Man Pages and Help Files

Appendix D Audit Messages

This appendix lists the audit messages generated by the server.

100 Server starting
  Level: notice. Origin: SSH Tectia Server.
  The server is starting. Default log facility: daemon.

101 Server start failed
  Level: error. Origin: SSH Tectia Server.
  The server has encountered a fatal error condition and cannot proceed. Default log facility: daemon.
  Arguments:
    Success/Error: Error code
    Text: Description of the error

102 Server running
  Level: notice. Origin: SSH Tectia Server.
  The server has started and is running normally. Default log facility: daemon.

103 Server stopping
  Level: notice. Origin: SSH Tectia Server.
  The server is shutting down. Default log facility: daemon.

104 Server exiting
  Level: notice. Origin: SSH Tectia Server.
  The server is exiting. Default log facility: daemon.

105 Server reconfig started
  Level: informational. Origin: SSH Tectia Server.
  The server is starting the reconfiguration operation. Default log facility: daemon.
  Arguments: File name

106 Server reconfig finished
  Level: notice. Origin: SSH Tectia Ser
29. </secsh-server>

Note: It is not mandatory to include all elements in the configuration file. If an element is missing, the default values shown in the ssh-server-config-default.xml file are used. However, the configuration file should always contain the DOCTYPE declaration. If the Document Type Declaration is omitted, the server will not be able to parse the configuration properly.

The params Element

The params element defines the general server parameters, such as the location of the host key file, the listen address, logging, connection limits, and certificate validation settings.

crypto-lib

This element selects the cryptographic library mode to be used. Either the standard version (standard) or the FIPS 140-2 certified version (fips) of the crypto library can be used. The library name is given as a value of the mode attribute. By default, standard crypto libraries are used.

  <crypto-lib mode="standard" />

settings

This element contains miscellaneous settings. It has four attributes: proxy-scheme, xauth-path, ignore-aix-rlogin, and user-config-dir.

The proxy-scheme attribute defines rules for HTTP or SOCKS proxy servers that SSH Tectia Server uses when a client forwards a connection (local tunnel). The format of the attribute value is a sequence of rules delimited by semicolons. Each rule has a format that resembles the URL format. In
30. Tectia Server configuration. Any other exec and shell requests will be denied for the users. This includes forced commands with public keys (described in Section 6.1.3) and the legacy-style password changing when performed as a forced command.

Defining Virtual Directories on Windows

If virtual folders are not defined, %HOME% and drive letters are used as defaults. If the Home attribute is defined, its value is used; otherwise %USERPROFILE% is used in %HOME%. If any virtual folders are defined, none of the defaults (drive letters, %HOME%) are used. If you still want to use %HOME% and the drive letters, they need to be defined as virtual folders.

Virtual directories for SFTP can be defined as follows:

  <subsystem type="sftp" application="sft-server-g3" action="allow">
    <!-- ... (comment partly unreadable in the source) ... These are the defaults when no
         virtual folders are set in the configuration. If you set ANY virtual folders,
         none of the following will be set. -->
    <attribute name="home" value="%USERPROFILE%" />
    <attribute name="virtual-folder" value="C=C:\" />
    <attribute name="virtual-folder" value="D=D:\" />
    <attribute name="virtual-folder" value="E=E:\" />
    <!-- ... all available drives -->
  </subsystem>

7.1.3 Settings on the Client Side

For example, the following configuration can be used in the ssh-broker-config.xml file:

  <profile name="sftexa" ... host="sftexa.ssh.com" port="123
31. Tectia applications.

Chapter 6 System Administration

Secure system administration is the most common use case for Secure Shell. This chapter describes typical system administration settings and available auditing options of SSH Tectia Server, and gives an example of an SSH Tectia Server A configuration.

[Figure 6.1: Secure system administration. SSH Tectia Client and SSH Tectia Server A connected by encrypted and authenticated communications (secure remote administration).]

6.1 SSH Tectia Client Privileged User

The configuration of SSH Tectia Server A typically sets limitations on secure system administration. SSH Tectia Server A often resides in the DMZ. Strong two-factor authentication is often required from privileged users, and connections are allowed only from certain hosts.

6.1.1 Disabling Root Login

Restrictions on Secure Shell services, as described for non-privileged users in Section 7.1.2 and Section 8.1.2, do not prevent users with shell access to the system from setting up the equivalent services. It is also possible to limit users with administrative privileges to predefined commands if shell access is not needed. Shell access is often desired for remote administration of the
32. This element specifies the number of seconds or transferred bytes after which the key exchange is done again. If a value for both seconds and bytes is specified, rekeying is done whenever one of the values is reached, after which the counters are reset. The defaults are 3600 seconds (1 hour) and 1000000000 bytes (1 GB). The value 0 (zero) turns rekey requests off. This does not prevent the client from requesting rekeys.

cipher

This element selects a cipher name allowed by the server for data encryption. The supported ciphers are 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, arcfour, blowfish-cbc, twofish-cbc, twofish128-cbc, twofish192-cbc, twofish256-cbc, crypticore128@ssh.com, seed-cbc@ssh.com, and none (no encryption). In the FIPS mode, the supported ciphers are 3des-cbc, aes128-cbc, aes192-cbc, and aes256-cbc.

Multiple ciphers can be specified by using multiple cipher elements. The server allows 3des-cbc, aes128-cbc and crypticore128@ssh.com by default.

mac

This element selects a MAC name allowed by the server for data integrity verification. The supported MAC algorithms are hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, crypticore-mac@ssh.com, and none (no data integrity verification). In the FIPS mode, only hmac-sha1 is supported. Multiple MACs can be specified by using multiple
33. To change the order of the logging rules, select a rule from the list and click Up or Down to move the log event. If several rules match the same log event, the first matching rule on the list is used. Click Delete to delete a logging rule.

4.1.6 Certificate Validation

On the Certificate Validation page, you can configure certification authorities (CA) that are trusted in user authentication.

[Figure 4.6: SSH Tectia Server Configuration, Certificate Validation page. Fields shown: Generic Settings (HTTP proxy URL; SOCKS server URL, e.g. socks://fw.example.com:1080; CRL auto update with Update before (seconds) 30 and Minimum interval (seconds)); Enable DoD PKI; Servers (OCSP Responders, CRL Prefetch); CA Certificates (Name test-ca2, File test-ca2.crt, Disable CRLs, Use expired CRLs (seconds)).]

Generic Settings

Generic settings apply to all CA certificates and CRL fetching.

HTTP proxy URL

Define an HTTP proxy address if such is required for making LDAP
34. a rule, the connection type is given first. The type can be direct, socks, socks4, socks5, or http-connect (socks is a synonym for socks4). This is followed by the server address and port. If the port is not given, the default ports 1080 for SOCKS and 80 for HTTP are used. After the address, zero or more conditions delimited by commas are given:

  direct:///[cond[,cond]...]
  socks://server[:port]/[cond[,cond]...]
  socks4://server[:port]/[cond[,cond]...]
  socks5://server[:port]/[cond[,cond]...]
  http-connect://server[:port]/[cond[,cond]...]

The IP address/port conditions have an address pattern and an optional port range: ip_pattern[:port_range]. The ip_pattern may have one of the following forms:

  IP: a single IP address
  FROM-TO: an IP address range from FROM to TO
  IP/MASK: a sub-network with a network mask with MASK significant bits

DNS name conditions consist of a hostname, which may be a regular expression containing the characters * and ?, and a port range: name_pattern[:port_range].

An example proxy-scheme is shown below. It causes the server to access the callback address and the ssh.com domain directly, access *.example with HTTP CONNECT, and all other destinations with SOCKS4:

  direct:///127.0.0.0/8,*.ssh.com;http-connect://http-proxy.ssh.com:8080/*.example;socks://fw.ssh.com:1080/

The xauth-path attri
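The rule format above is easy to get wrong in a way that silently sends a tunnel through the wrong proxy, so the following added example (not code from the manual or the product) parses a proxy-scheme value and reports which rule a given destination would hit. It assumes our reading of the format: rules are URL-style "type://server[:port]/[cond[,cond]...]" (direct uses "direct:///"), conditions are "ip_pattern[:port_range]" or "name_pattern[:port_range]" with IPv4 patterns only, and the first rule with an empty or matching condition list wins.

```python
import ipaddress
import re
from fnmatch import fnmatchcase  # * and ? globbing for DNS name patterns

# Default proxy ports the manual gives when a rule omits the port.
DEFAULT_PORTS = {"socks4": 1080, "socks5": 1080, "http-connect": 80}
RULE_RE = re.compile(r"^(direct|socks|socks4|socks5|http-connect)://([^/]*)/(.*)$")
# IP, FROM-TO or IP/MASK (IPv4 only; an IPv6 pattern would clash with the ':' port separator)
IP_PATTERN_RE = re.compile(r"^[0-9.]+(?:-[0-9.]+|/\d+)?$")

# The manual's own example scheme (assumed exact spelling of the example).
EXAMPLE_SCHEME = ("direct:///127.0.0.0/8,*.ssh.com;"
                  "http-connect://http-proxy.ssh.com:8080/*.example;"
                  "socks://fw.ssh.com:1080/")


def parse_port_range(text):
    """'443' -> (443, 443); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    return (int(lo), int(hi or lo))


def parse_condition(cond):
    """Split 'pattern[:port_range]' into (pattern, port range or None)."""
    if ":" in cond:
        pattern, port_text = cond.rsplit(":", 1)
        return pattern, parse_port_range(port_text)
    return cond, None


def parse_scheme(scheme):
    """Turn the semicolon-delimited rule list into a list of rule dicts, in order."""
    rules = []
    for raw in filter(None, (r.strip() for r in scheme.split(";"))):
        m = RULE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed proxy-scheme rule: {raw!r}")
        kind, server, cond_text = m.groups()
        kind = "socks4" if kind == "socks" else kind  # socks is a synonym for socks4
        host = port = None
        if kind != "direct":
            host, _, port_text = server.partition(":")
            port = int(port_text) if port_text else DEFAULT_PORTS[kind]
        conds = [parse_condition(c) for c in cond_text.split(",") if c]
        rules.append({"type": kind, "server": host, "port": port, "conditions": conds})
    return rules


def address_matches(pattern, addr):
    """Match an IPv4 address against the IP, FROM-TO or IP/MASK pattern forms."""
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p) for p in pattern.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(pattern)


def condition_matches(cond, dest, port):
    """True when the destination host/port satisfies one condition."""
    pattern, ports = cond
    if ports and not (ports[0] <= port <= ports[1]):
        return False
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # destination given as a DNS name
    if IP_PATTERN_RE.match(pattern):
        # An address pattern never matches a destination given by name.
        return addr is not None and address_matches(pattern, addr)
    # A name pattern never matches a destination given as an IP literal.
    return addr is None and fnmatchcase(dest.lower(), pattern.lower())


def select_proxy(scheme, dest, port):
    """(type, server, port) of the first rule matching dest:port, or None if no rule matches."""
    for rule in parse_scheme(scheme):
        if not rule["conditions"] or any(condition_matches(c, dest, port)
                                         for c in rule["conditions"]):
            return (rule["type"], rule["server"], rule["port"])
    return None


if __name__ == "__main__":
    for dest, port in [("127.0.0.1", 22), ("www.ssh.com", 443),
                       ("host.example", 80), ("10.1.2.3", 25)]:
        print(f"{dest}:{port} -> {select_proxy(EXAMPLE_SCHEME, dest, port)}")
```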
35. abnormal happened during the Keyboard-interactive PAM authentication method, but the method may still complete successfully. Default log facility: auth.
  Arguments:
    Username: User's login name
    Algorithm: Authentication method name
    Text: Warning description
    Session Id: Session identifier

719 Keyboard-interactive radius auth success
  Level: informational. Origin: SSH Tectia Server.
  The user successfully completed the Keyboard-interactive Radius authentication method. Default log facility: auth.
  Arguments:
    Username: User's login name
    Algorithm: Keyboard-interactive Radius
    Text: Acceptance description
    Session Id: Session identifier

720 Keyboard-interactive radius auth error
  Level: warning. Origin: SSH Tectia Server.
  Error in the Keyboard-interactive Radius authentication method. This means that the current user authentication attempt with the Keyboard-interactive Radius method has failed. Default log facility: auth.
  Arguments:
    Username: User's login name
    Algorithm: Authentication method name
    Text: Error description
    Session Id: Session identifier

721 Keyboard-interactive radius auth warning
  Level: informational. Origin: SSH Tectia Server.
  Warning during the Keyboard-interactive Radius authentication method. This means that something abnormal happened during
36. and altname-upn (the principal name). The altname-fqdn, altname-upn, altname-email, subject-name, and issuer-name selectors may contain the %username% keyword, which is replaced with the user's name before comparing with the actual certificate data. The %hostname% keyword can be used in the same way, and it is replaced by the client's FQDN. These patterns may also contain * and ? globbing characters. Patterns are normally matched case-insensitively. Alternatively, the pattern can be specified using the pattern-case-sensitive attribute.

host-certificate

This selector matches a pattern in a specified field of the client host certificate. The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn. Patterns are normally matched case-insensitively. Alternatively, the pattern can be specified using the pattern-case-sensitive attribute.

interface

This selector matches the listener interface id or address and/or port.

ip

This selector matches an IP address or FQDN (fully qualified domain name) of the client.

user

This selector matches a user name or id. A list of usernames or IDs can be given as a comma-separated list. Names are normally matched case-insensitively. Alternatively, the names can be specified using the name-case-sensitive attribute.

user-group

This selector matches a user group name or id. A list of user group names or IDs
37. banner message 102
server certificate 33, 57, 82
server configuration file 23, 27
server host key 23
server settings 52
server status 53
server versions 7
services
  restricting 47, 75, 107, 112
setting users to a group 41, 46, 71, 74
settings, default 53
SFT subsystem 107
shared user account 112
shell access 99
socket 59
SOCKS server URL 35, 62
Solaris
  installation 18
  uninstallation 22
SSH Tectia Client 9
SSH Tectia Client F 9
SSH Tectia Connector 9
SSH Tectia Server 9
  starting 24
  stopping 24
SSH Tectia Server A 9
SSH Tectia Server F 10
SSH Tectia Server M 10
SSH Tectia Server T 10
SSH Tectia Server Configuration tool 52
SSH Tectia Server versions 7
ssh-certview-g3.exe 125
ssh-cmpclient-g3.exe 128
ssh-ekview-g3.exe 135
ssh-keygen-g3.exe 81, 122
ssh-server-config-tool.exe 121
ssh-server-config.xml 23, 27
ssh-server-g3.exe 119
starting the server 24
status 53
stopping the server 24
subsystems 48, 76
Sun Solaris 18
supported platforms 13
SUSE LINUX 18
system configuration 27
system log 34, 53, 60, 101
system requirements 13

T
technical support 10
terminal access 48, 78, 99
terminology 8
ticket forwarding 45, 72
trusted CA 87
tunnel
  agent 49, 118
  incoming 116
  local 49, 114
  outgoing 114
  remote 50, 116
  X11 49, 117
38. by your server. The users may not know how to respond to this error. SSH Tectia Manager (available separately) provides an automatic mechanism for distributing the host keys.

You can run ssh-keygen-g3 to generate a fingerprint for your new public host key, which you can provide to your users via some unalterable method, for example by a digitally signed e-mail or by displaying the fingerprint on a secured bulletin board.

On Unix, the command for generating the fingerprint is:

  ssh-keygen-g3 -F hostkey.pub

On Windows, the command is:

  ssh-keygen-g3.exe -F hostkey.pub

When the users connect and receive the error message about the host key having changed, they can compare the fingerprint of the new key with the fingerprint you have provided in your e-mail and ensure that they are connecting to the correct SSH Tectia Server. Inform your users to notify you if the fingerprints do not match, or if they receive a message about a host key change and do not receive a corresponding message from you notifying them of the change.

This procedure can help ensure that you do not become a victim of a man-in-the-middle attack, as your users will notify you if the host key fingerprints do not match. You will also be aware if the users encounter host key change messages when you have not regenerated your host key pair. It is also p
39. checks do not produce a positive result, the certificate's subject name is checked. If it has a CN component that matches the client's reverse-mapped fully qualified domain name or IP address, the certificate is accepted.

Client Configuration

To enable host-based authentication with certificates on Client, do the following as ClientUser:

1. Add the following lines in the ssh-broker-config.xml file:

  <authentication-methods>
    <authentication-method name="hostbased" />
  </authentication-methods>

2. Enroll a certificate for Client. See Section 5.6 for more information. The certificate must contain a dns extension which contains the fully qualified domain name (FQDN) of Client. Note that the private key associated with the certificate needs to be stored with an empty passphrase.

3. Define the private key and certificate in ssh-server-config.xml on Client:

  <params>
    <hostkey>
      <private file="/etc/ssh2/hostcert" />
      <x509-certificate file="/etc/ssh2/hostcert.crt" />
    </hostkey>
  </params>

If SSH Tectia Server is not installed on Client, create the configuration file manually and save it in the /etc/ssh2 directory.

Server Configuration

Do the following as the server administrator:

1. Specify the CA certificate in the ssh-server-config.xml file: cer
40. directory:

  /opt/tectia/sbin: system binaries, such as ssh-server-g3
  /opt/tectia/bin: user binaries, such as ssh-keygen-g3
  /opt/tectia/libexec: library binaries
  /opt/tectia/lib/sshsecsh: library binaries

3.1.2 File Locations on Windows

On Windows, the default installation directory for SSH Tectia products is C:\Program Files\SSH Communications Security\SSH Tectia.

On Windows, the SSH Tectia Server files are located in the following directories:

  <INSTALLDIR>\SSH Tectia Server: system binaries, such as ssh-server-g3.exe
  <INSTALLDIR>\SSH Tectia Server\ssh-server-config.xml: server configuration file, see ssh-server-config(5)
  <INSTALLDIR>\SSH Tectia Server\hostkey: default server host private key file
  <INSTALLDIR>\SSH Tectia Server\hostkey.pub: default server host public key file (not required)
  <INSTALLDIR>\SSH Tectia AUX: auxiliary binaries, such as ssh-keygen.exe
  <INSTALLDIR>\SSH Tectia AUX\ssh-server-ng: server configuration file DTD directory
  <INSTALLDIR>\SSH Tectia AUX\licenses: license file directory, see Section 2.1.3

Figure 3.1 shows the SSH Tectia directory structure when also SSH Tectia Client and SSH Tectia Connector have been installed on the same machine.

[Figure 3.1: directory structure; the tree residue begins with C:\Program Files\SSH
41.       <dst fqdn="example.com" port="443" />
      </tunnel-local>
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>
  </services>

Note that the fqdn pattern does not match if the tunneled application uses IP addresses instead of DNS names for connections. The address pattern will match both.

Disabling Terminal Access

The following configuration options of SSH Tectia Server will deny the user tunnel terminal access:

  <services>
    <group name="tunnel">
      <selector>
        <user name="tunnel" />
      </selector>
    </group>
    <rule group="tunnel">
      <terminal action="deny" />
      <command action="forced" application="/bin/no-shell" />
    </rule>
  </services>

Denying terminal denies also X11 and agent forwarding and shell commands, unless some commands are explicitly allowed. The command action in this example provides an alternative method of informing the user of denied shell access, using the /bin/no-shell script introduced in Section 8.1.1.

This method can be used if the risk of gaining access via other means than Secure Shell can be eliminated. This way, each user's shell does not have to be set separately, and the setting can be easily scaled to several users.

Disabling File Transfers

To deny all users the access to the SFTP server, change the
42. /etc/ssh2/banner-message">This is the server banner message. If the file attribute is set, this inlined text is ignored and the file is read instead, like in this example.</banner-message>

auth-file-modes

This element specifies whether SSH Tectia Server on Unix platforms should check permissions and ownership of the user's key files used for public key authentication. The word yes or no is given as a value of the strict attribute.

If set to yes, the permissions and ownership of the .ssh2 directory, the .ssh2/authorization file (if used), the .ssh2/authorized_keys directory (if used), and the keys listed in the authorization file or present in the authorized_keys directory are checked. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable, in which case anyone can edit the authorization and key files. The default is yes.

The mask-bits attribute can be used to specify the forbidden permission bits in octal format. The default is 022 (group and others must not have the write permission). The ownership of the checked files and directories must be either root or the user.

  <auth-file-modes strict="yes" mask-bits="022" />

authentication

Each authentication element specifies a chain of authentication methods. It can include one or more selectors and different authentication methods. It may also include other authentication elements.
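To see exactly which files strict="yes" with the default mask-bits would reject, the following added example (not code from the manual or the product) re-implements the described check as an audit script an administrator can run over a user's home before enabling strict mode. It assumes the checked set is the .ssh2 directory, .ssh2/authorization, the .ssh2/authorized_keys directory and the key files those name, that the authorization file references keys with "Key <file>" lines, and that the sample tree built by build_demo_home is constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_MASK_BITS = 0o022  # the manual's default: no write bit for group or others


def check_path(path, uid, mask_bits):
    """Problems found for one file or directory (an empty list means it passes)."""
    problems = []
    try:
        st = path.lstat()
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_uid not in (0, uid):  # owner must be root or the user
        problems.append(f"{path}: owned by uid {st.st_uid}, expected 0 or {uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & mask_bits:  # any forbidden bit set is a violation
        problems.append(f"{path}: mode {mode:04o} has forbidden bits {mode & mask_bits:04o}")
    return problems


def keys_from_authorization(auth_file):
    """Key file names from 'Key <file>' lines of an authorization file (assumed syntax)."""
    names = []
    for line in auth_file.read_text(encoding="utf-8", errors="replace").splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "key":
            names.append(parts[1].strip())
    return names


def strict_modes_check(home, uid, mask_bits=DEFAULT_MASK_BITS):
    """Apply the auth-file-modes rules to one user's home; returns every problem found."""
    ssh2 = Path(home) / ".ssh2"
    problems = check_path(ssh2, uid, mask_bits)
    if not ssh2.is_dir():
        return problems
    authorization = ssh2 / "authorization"
    if authorization.is_file():
        problems += check_path(authorization, uid, mask_bits)
        for name in keys_from_authorization(authorization):
            key = Path(name) if os.path.isabs(name) else ssh2 / name
            problems += check_path(key, uid, mask_bits)
    authorized_keys = ssh2 / "authorized_keys"
    if authorized_keys.is_dir():
        problems += check_path(authorized_keys, uid, mask_bits)
        for key in sorted(authorized_keys.iterdir()):
            problems += check_path(key, uid, mask_bits)
    return problems


def build_demo_home(root):
    """Constructed sample tree: two compliant key files and two that strict mode rejects."""
    home = Path(root) / "alice"
    ssh2 = home / ".ssh2"
    keys = ssh2 / "authorized_keys"
    keys.mkdir(parents=True)
    ssh2.chmod(0o700)
    keys.chmod(0o755)
    (ssh2 / "authorization").write_text("Key id_rsa_ok.pub\nKey id_rsa_bad.pub\n")
    (ssh2 / "authorization").chmod(0o600)
    (ssh2 / "id_rsa_ok.pub").write_text("constructed key material\n")
    (ssh2 / "id_rsa_ok.pub").chmod(0o644)
    (ssh2 / "id_rsa_bad.pub").write_text("constructed key material\n")
    (ssh2 / "id_rsa_bad.pub").chmod(0o666)  # world-writable: strict mode rejects it
    (keys / "bob.pub").write_text("constructed key material\n")
    (keys / "bob.pub").chmod(0o664)         # group-writable: strict mode rejects it
    return home


def run_demo(mask_bits=DEFAULT_MASK_BITS):
    """Build the sample tree in a temporary directory and return the check's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return strict_modes_check(build_demo_home(tmp), os.getuid(), mask_bits)


if __name__ == "__main__":
    for problem in run_demo() or ["no problems found"]:
        print(problem)
```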
43.   file="/var/cert-cache.dat" />
    <crl-auto-update update-before="30" minimum-interval="600" />
    <crl-prefetch interval="1800" url="http://ca.example.com/default.crl" />
    <dod-pki enable="no" />
    <ca-certificate name="exa-ca1" file="/etc/ssh2/exa-ca1.crt" />
    <ca-certificate name="exa-ca2" file="/etc/ssh2/exa-ca2.crt" use-expired-crls="3600" />
    <ca-certificate name="testonly-ca" file="/etc/ssh2/testonly-ca.crt" disable-crls="yes" />
  </cert-validation>

The connections Element

The connections element defines the basic rules for allowing and denying connections. The connections element includes one or more connection elements.

connection

Each connection element specifies either an allow or deny rule for connections. The element can have three attributes: name, action, and tcp-keepalive.

The word allow or deny is given as a value of the action attribute. By default, if the action attribute is omitted, the connection is allowed.

The name attribute can be used to give an identifier to the connection rule. This can be used, for example, in auditing.

The tcp-keepalive attribute defines whether the system should send keepalive messages to the other side. If they are sent, a broken connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and this can be annoying in some situations. On the other hand, if keepalive mes
44. has returned a failure. Default log facility: normal.
  Arguments:
    Username: User's login name
    Sub ID: Channel number
    Failure code: Error code from the other end
    Text: Textual description of the error from the other end
    Session Id: Session identifier

431 X11 listener open
  Level: informational. Origin: SSH Tectia Server.
  An X11 forwarding listener opening has completed successfully or unsuccessfully. Default log facility: normal.
  Arguments:
    Username: User's login name
    Display: Display name
    Success/Error: Success or error description
    Text: Textual description of the error (optional)
    Session Id: Session identifier

432 X11 listener close
  Level: informational. Origin: SSH Tectia Server.
  An X11 forwarding listener has closed. Default log facility: normal.
  Arguments:
    Username: User's login name
    Display: Display name
    Session Id: Session identifier

433 X11 channel open
  Level: informational. Origin: SSH Tectia Server.
  An X11 forwarding channel opening has completed successfully or unsuccessfully. Default log facility: normal.
  Arguments:
    Username: User's login name
    Sub ID, Display, Success/E
45. install-windows directory.

Note: You must have administrator rights to install SSH Tectia Server on Windows.

To install SSH Tectia Server on Windows, do the following:

1. Locate the installation file ssh-tectia-server-<ver>.msi, where <ver> corresponds to the version and build number (for example, 5.0.0.777). Double-click the installation file, and the installation wizard will start.

2. Follow the wizard through the installation steps and fill in information as requested. The server host key is generated during the installation. Key generation may take several minutes on slower machines.

3. When the installation has finished, click Finish to exit the wizard.

4. The installation should (re)start the server automatically. If the server does not start (because of a missing license, for example), you can start it after correcting the problem from the Windows Services console. See Section 3.2.2.

2.3 Removing the SSH Tectia Server Software

This section gives instructions on removing SSH Tectia Server from the supported operating systems.

2.3.1 Removing from AIX

To remove SSH Tectia Server from an AIX environment, do the following:

1. Stop SSH Tectia Server with the following command:

  /opt/tectia/sbin/rc.ssh-server-g3 stop

2. Remove the installation by issuing the following comman
46. installation packages to a suitable place. The standard place is /var/spool/pkg in a Solaris environment:

  uncompress ssh-tectia-common-<ver>-sparc-solaris2.6-10.pkg.Z
  uncompress ssh-tectia-server-<ver>-sparc-solaris2.6-10.pkg.Z

In the command, <ver> is the current package version of SSH Tectia Server (for example, 5.0.0.777).

3. Then install the packages with the pkgadd tool with root privileges:

  pkgadd -d ssh-tectia-common-<ver>-sparc-solaris2.6-10.pkg all
  pkgadd -d ssh-tectia-server-<ver>-sparc-solaris2.6-10.pkg all

The server host key is generated during the installation. Key generation may take several minutes on slower machines.

4. The installation should (re)start the server automatically. If the server does not start (because of a missing license, for example), you can start it after correcting the problem by issuing the command:

  /etc/init.d/ssh-server-g3 start

2.2.5 Installing on Windows

The Windows installation packages are provided in the MSI (Microsoft Installer) format. SSH Tectia Server includes support for Entrust certificates on Windows. The necessary libraries are automatically included in the installation.

The installation is carried out by a standard installation wizard. The wizard will prompt you for information and will copy the program files, install the services, and generate the host key pair for the server.

On the CD-ROM, the installation package for Windows is located in the
47. interactive methods (such as SecurID or RADIUS), public key authentication with certificates on smart cards, and GSSAPI (if the SSH Tectia Server and SSH Tectia Connector computers are part of the same Windows domain, or SSH Tectia Server can perform the initial login to an MIT Kerberos realm on behalf of the SSH Tectia Connector user). User interaction is required for the keyboard-interactive authentication methods, and typically at least the first time the private key stored on a smart card is accessed in public key authentication. Please see Chapter 5 for details of the user authentication methods.

8.1.1 Using a Shared Account

In case the tunneled applications provide sufficient user authentication, it is possible to use a shared user account, for example with a shared password not requiring user interaction. Note that the shared account and password must only be used for tunneling, as the account is common to several users and the shared password is stored as plaintext in the SSH Tectia Connector configuration file.

See the operating system documentation for instructions on how to create a new user account (for example, tunnel) with minimal privileges. It is very important that the shared user account is properly configured on the operating system level. The user should be denied at least shell access, and the file system permissions should be restricted. This is done as a precaution in case the user is able to access the system using some o
48. is required. To display, for example, the following text to the users before login, you can define a banner-message element in the ssh-server-config.xml file. See the section called The authentication-methods Element.

  Unauthorized use of this system is prohibited. All actions are logged.

6.2.2 Customizing Logging

SSH Tectia Server allows customizing the severity and facility of different logging events. The events have reasonable default values, which are used if no explicit logging settings are made. The logging settings are made in the logging element of the ssh-server-config.xml file. On Windows, the settings can be made with the SSH Tectia Server Configuration tool. See the section called The params Element and Section 4.1.5 for more information.

The default logging setting of SSH Tectia Server in the ssh-server-config.xml file is shown below:

  <logging>
    <log-events facility="auth" severity="informational">
      Auth_method_success Auth_method_failure Auth_methods_completed
      Auth_methods_available Hostbased_auth_warning Publickey_auth_warning
      Publickey_auth_success GSSAPI_auth_warning
      Keyboard_interactive_pam_auth_warning
      Keyboard_interactive_radius_auth_warning
      Keyboard_interactive_password_auth_warning
      Keyboard_interactive_securid_auth_warning GSSAPI_auth_success
      Keyboard_interactive_pam_auth_success
      Keyboard_interactive_radius_auth_success
      Keyboard_interactive_password_auth_success Keyboard_interactive_
49. localhost kukkuu kukkuu

6.2 Auditing

SSH Tectia Server logs events in the syslog on Unix and in the Windows Event Log on Windows.

Logging (auditing) is very important for security. You should check your logs often, or use tools to analyze them. From the logs you can see, for example, whether unauthorized access has been attempted, and take further action if needed. For example, you could set the hosts from which the attempts have been made as denied, or drop the packets from the domain completely at your firewall. The logs also provide troubleshooting information.

The log events are classified in seven levels, in decreasing order of importance:

  Security failure (Windows only): A user tried to log on but failed.
  Security success (Windows only): A user logged on successfully.
  Critical (Unix only): A critical problem has occurred. By default this is not used by SSH Tectia Server.
  Error: A serious problem has occurred, preventing the intended operation from completing successfully.
  Warning: A problem has occurred, but the operation can continue.
  Notice (Unix only): An action has been done.
  Informational: Extra troubleshooting information.

6.2.1 Notification

It is recommended to notify the users, before they decide to log in, that their actions are logged. In some jurisdictions this
mac elements. The server allows hmac-md5 and hmac-sha1 by default. A sample connection element that allows connections from a specified IP address range is shown below:

    <connection name="conn1" action="allow" tcp-keepalive="yes">
      <selector>
        <ip address="192.…"/>
      </selector>
      <rekey seconds="600" bytes="500000000"/>
      <cipher name="crypticore128@ssh.com"/>
      <mac name="crypticore-mac@ssh.com"/>
    </connection>

A sample connection element that denies all connections is shown below. As the element does not contain any selectors, it always matches. This can be used as the last element in the connections element to deny all connections that were not explicitly allowed by the previous elements. By default, non-matching connections would be allowed.

    <connection action="deny"/>

The authentication-methods Element

The authentication-methods element defines the authentication methods that are allowed and required by the server. It can have one attribute, login-grace-time. It can contain a banner-message and an auth-file-modes element, and multiple authentication elements.

The login-grace-time attribute is used to specify a time after which the server disconnects if the user has not successfully logged in. If the value is set to 0, there is no time limit. The default is 600 seconds.

The authentication elements that are on the same level are considered allowed; one of them must succeed
name
Algorithm: Keyboard-interactive SecurID
Text: Acceptance description
Session-Id: Session identifier

726 Keyboard_interactive_securid_auth_error
Level: warning
Origin: SSH Tectia Server
Error in the Keyboard-interactive SecurID authentication method. This means that the current user authentication attempt with the Keyboard-interactive SecurID method has failed.
Default log facility: auth
Argument: Description
Username: User's login name
Algorithm: Authentication method name
Text: Error description
Session-Id: Session identifier

727 Keyboard_interactive_securid_auth_warning
Level: informational
Origin: SSH Tectia Server
Warning during the Keyboard-interactive SecurID authentication method. This means that something abnormal happened during the Keyboard-interactive SecurID authentication method, but the method may still complete successfully.
Default log facility: auth
Argument: Description
Username: User's login name
Algorithm: Authentication method name
Text: Warning description
Session-Id: Session identifier

728 GSSAPI_auth_success
Level: informational
Origin: SSH Tectia Server
The user successfully completed the GSSAPI authentication method.
Default log facility: auth
Argument: Description
Username: User's login name
Algorithm: GSSAPI
Text: Acceptance description
Session-Id: Session i
next input file type is auto-detected (default).
-cert: The next input file is a certificate.
-certpair: The next input file is a cross-certificate pair.
-crmf: The next input file is a CRMF certification request.
-req: The next input file is a PKCS #10 certification request.
-crl: The next input file is a CRL.
-prv: The next input file is a private key.
-pkcs12: The next input file is a PKCS #12 package.
-ssh2: The next input file is an SSH2 public key.
-spkac: The next input file is a Netscape-generated SPKAC request.
-noverify: Does not check the validity of the signature on the input certificate.
-autoenc: Determines PEM/DER automatically (default).
-pem: Assumes that the input file is in PEM (ASCII base-64) format. This option allows both actual PEM (with headers and footers) and plain base-64 without headers and footers. An example of PEM header and footer is shown below.
-der: Assumes that the input file is in DER format.
-hexl: Assumes that the input file is in Hexl format. Hexl is a common Unix tool for outputting binary files in a certain hexadecimal representation.
-skip number: Skips number bytes from the beginning of input before trying to decode. This is useful if the file contains some garbage before the actual contents.
-ldap: Prints names i
or OCSP queries for certificate validity.

SOCKS server URL: Define a SOCKS server address, if such is required for making LDAP or OCSP queries for certificate validity.

Certificate cache file: Select the check box to enable certificate caching. Click the ellipsis button to select the cache file where the certificates and CRLs are stored when the SSH Tectia Server service is stopped, and read back in when the service is restarted. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly in the text field.

CRL auto update: Select the check box to enable CRL auto-update. When auto-update is on, SSH Tectia Server periodically tries to download the new CRL before the old one has expired. The Update before field specifies how many seconds before the expiration the update takes place. The Minimum interval field sets a limit for the maximum update frequency.

Enable DOD PKI: Select this check box if the certificates are required to be compliant with the DoD PKI (US Department of Defense Public Key Infrastructure).

LDAP Servers

On the LDAP Servers tab you can define LDAP servers that are used for fetching certificate revocation lists (CRLs). If a CRL distribution point is defined in the certificate, the CRL is automatically retrieved from that address. Otherwi
rule, click Add. To delete a tunnel rule, select a rule from the list and click Delete. To change the order of the rules, select a rule from the list and click Up and Down to move it. The rules are read in order and the first matching rule is used. The tunneling Action can be Allow or Deny. For more information on tunneling, see Section 8.2.

Definitions

Under Definitions you can fine-tune the tunneling settings by adding source and destination restrictions. To add a source address definition, click Add and select Source. To add a destination address definition, click Add and select Destination. The IP Address or the FQDN (not both) and the Port can be given for the Source and Destination definitions. To delete a tunnel rule, select a rule from the list and click Delete.

Remote Tunnels

On the Remote Tunnels tab you can define rules for remote TCP tunnels (port forwarding). To add a tunnel rule, click Add. To delete a tunnel rule, select a rule from the list and click Delete. To change the order of the rules, select a rule from the list and click Up and Down to move it. The rules are read in order and the first matching rule is used. The tunneling Action can be Allow or Deny. For more information on tunneling, see Section 8.3.

Definitions

Under Definitions you can fine-tune the tunnelin
the hostname and the key type (ssh-dss or ssh-rsa), and compares the received public key to the key on the disk. If the public key matches, and the user's login name in the remote end matches the name the user is trying to log in on the server, the user is let in after the signature check.

2. To enable host-based authentication on the server, in the ssh-server-config.xml file under the authentication-methods element, add an auth-hostbased element:

    <authentication-methods>
      <authentication action="allow">
        <auth-hostbased require-dns-match="no"/>
      </authentication>
    </authentication-methods>

If you want to allow multiple authentication methods, place the least interactive method first; this usually means the host-based method.

To force an exact match between the hostname that the client sends to the server and the client's reverse-mapped DNS entry, set the require-dns-match attribute to yes. In this case, make sure the /etc/hosts file has the fully qualified domain name listed before the short hostname, for example:

    <client-ip-address>   client.example.com client

Even if you are not using /etc/hosts as your primary resolver, you may need to add entries to it for the client and the server to allow them to resolve each other's fully qualified domain names, if they are not able to do so otherwise.

Please note that when exact DNS matching is set as required, host-based authentication through NAT (Network Addr
the server. The word allow or deny can be given as the value of the action attribute. By default, X11 forwarding is allowed. For more information, see Section 8.4.

tunnel-local: This element defines a rule for local TCP tunnels (port forwarding). The word allow or deny can be given as the value of the action attribute. By default, local tunnels are allowed. Tunneling settings can be further defined with the src and dst elements. For more information on tunneling, see Section 8.2.

src: This element defines a source address for local and remote TCP tunnels. The address or the fqdn (not both) can be given as an attribute. Also the port can be given.

dst: This element defines a destination address for local TCP tunnels. The address or the fqdn (not both) can be given as an attribute. Also the port can be given.

tunnel-remote: This element defines a rule for remote TCP tunnels (port forwarding). The word allow or deny can be given as the value of the action attribute. By default, remote tunnels are allowed. Tunneling settings can be further defined with the src and listen elements. For more information on tunneling, see Section 8.3.

src: This element defines a source address for local and remote TCP tunnels. The address or the fqdn (not both) can be given as an attribute. Also the po
the user's input can be performed with keyboard-interactive. Currently the following keyboard-interactive submethods are supported:

- password
- PAM (Unix only, see note below)
- RSA SecurID
- RADIUS

Methods that require passing some binary information, such as public-key authentication, cannot be used as submethods of keyboard-interactive. But public-key authentication, for example, can be used as an additional method alongside keyboard-interactive authentication.

Note: PAM has support for binary messages and client-side agents, and those cannot be supported with keyboard-interactive.

The client cannot request any specific keyboard-interactive submethod if the server allows several optional submethods. The order in which the submethods are offered depends on the server configuration. However, if the server allows, for example, the two optional submethods SecurID and password, the user can skip SecurID by pressing Enter when SecurID is offered by the server. The user will then be prompted for a password.

5.8.1 Password Submethod

Password authentication can also be used over keyboard-interactive. The following example shows settings for keyboard-interactive authentication using the password submethod in the ssh-server-config.xml file:

    <authentication-methods>
      <authentication action="allow">
which comes to port 1234 on the server will be forwarded to port 23 on the client. See Figure 8.3.

    sshg3 -R 1234:localhost:23 username@sshserver

The forwarding address in the command is resolved at the local end point of the tunnel. In this case, localhost refers to the client host.

(Figure 8.3 Remote (incoming) tunnel: SSH Tectia Client, Internet, SSH Tectia Server)

By default, remote tunnels are allowed from all addresses for all users. The default setting equals the following in the ssh-server-config.xml file:

    <services>
      <rule>
        <tunnel-remote action="allow"/>
      </rule>
    </services>

The connections can be restricted by specifying allowed addresses with the src and listen elements. If any addresses are specified as allowed, remote tunnels to all other addresses are implicitly denied.

In the SSH Tectia Server Configuration GUI on Windows, tunneling settings are made on the Services page under Rules. See Section 4.1.10.

8.4 X11 Forwarding (Unix)

X11 forwarding is a special case of remote tunneling. SSH Tectia Server supports X11 forwarding on Unix platforms. SSH Tectia Client supports X11 forwarding on both Unix and Windows platforms.

(Figure: SSH Tectia Client with 3rd-party X Server, Internet, SSH Tectia Server (Unix) with X client applications) Figure 8.4 X1
workstation from which the Secure Shell connection is initiated.

host key: A public-key pair used as the identification of the Secure Shell server.

remote host: Refers to the other party of the connection, client computer or server computer depending on the viewpoint.

Secure Shell client: A client-side application that uses the Secure Shell version 2 protocol, for example sshg3, sftpg3 or scpg3 of SSH Tectia Client or SSH Tectia Connector.

Secure Shell server: A server-side application that uses the Secure Shell version 2 protocol.

server computer: The computer (typically a server) on which the Secure Shell service is running and to which the Secure Shell client is connected.

SFTP server: A server-side application that provides a secure file transfer service as a subsystem of the Secure Shell server.

SSH Tectia Client: A software component installed on a workstation. SSH Tectia Client provides secure interactive file transfer and terminal client functionality for remote users and system administrators to access and manage servers running SSH Tectia Server or other applications using the Secure Shell protocol. It also supports non-transparent static and dynamic tunneling of TCP-b

SSH Tectia Client F
SSH Tectia client/server solution
SSH Tectia Connector
SSH Tectia Server
SSH Tectia Server A
Argument: Description
Session-Id: Session identifier

117 Servant_client_debug
Level: informational
Origin: SSH Tectia Server
The client sent a low-priority debug message.
Default log facility: daemon
Argument: Description
Text: Client debug message
Session-Id: Session identifier

400 Connect
Level: security success
Origin: SSH Tectia Server
The server initially accepted an incoming connection.
Default log facility: normal
Argument: Description
Policy name: Symbolic name for the connection policy definition in the server configuration (optional)
Src: Remote hostname
Src IP: Remote IP address
Dst IFace: Local interface ID
Dst IP: Local IP address
Src Port: Remote port
Dst Port: Local port
Ver: Client's version string

401 Connection_denied
Level: security failure
Origin: SSH Tectia Server
Connection was denied because the maximum number of connections was reached.
Default log facility: normal
Argument: Description
Success/Error: Reason for the connection being denied
Src IP: Remote IP address
Dst IFace: Local interface ID
Dst IP: Local IP address
Src Port
Dst Port

402 Disconnect
Level: informational
Origin: SSH Tectia Server
The connection has closed.
Default log facility: normal
Argument: Reason, Src, Src IP, Dst IFace, Dst IP, Src Port
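The following Python script is an added example and is not part of the SSH Tectia manual. It reads syslog lines carrying the audit events documented above (Auth_method_failure, Auth_method_success, Connect and Connection_denied, with the argument names listed for them) and produces the kind of summary Section 6.2 recommends: failed attempts per username and connection attempts per source IP, so that a host can be reviewed and, if warranted, denied in the connections element or at the firewall. The syslog line layout (program name ssh-server-g3, comma-separated "Key: value" arguments) and every sample line are constructed assumptions; only the event and argument names come from the manual.

```python
"""Summarise SSH Tectia Server audit events from syslog lines (added example)."""
import re
from collections import Counter

# Constructed sample lines. Event and argument names follow the audit message
# descriptions in the manual; the line layout itself is an assumption.
SAMPLE_LOG = """\
Jun  1 09:01:02 sshserver ssh-server-g3: Connect: Policy name: conn1, Src: client.example.com, Src IP: 10.1.60.44, Dst IFace: intranet, Dst IP: 10.1.60.25, Src Port: 40122, Dst Port: 22, Ver: SSH-2.0-client
Jun  1 09:01:03 sshserver ssh-server-g3: Auth_method_failure: Username: root, Algorithm: password, Text: wrong password, Session-Id: 7
Jun  1 09:01:05 sshserver ssh-server-g3: Auth_method_failure: Username: root, Algorithm: password, Text: wrong password, Session-Id: 7
Jun  1 09:01:07 sshserver ssh-server-g3: Auth_method_failure: Username: root, Algorithm: password, Text: wrong password, Session-Id: 7
Jun  1 09:02:00 sshserver ssh-server-g3: Connect: Policy name: conn1, Src: ws12.example.com, Src IP: 10.1.60.12, Dst IFace: intranet, Dst IP: 10.1.60.25, Src Port: 51000, Dst Port: 22, Ver: SSH-2.0-client
Jun  1 09:02:01 sshserver ssh-server-g3: Auth_method_success: Username: alice, Algorithm: publickey, Text: ok, Session-Id: 8
Jun  1 09:03:10 sshserver ssh-server-g3: Connection_denied: Src IP: 10.1.60.44, Dst IFace: intranet, Dst IP: 10.1.60.25, Src Port: 40130, Dst Port: 22
"""

# Assumed line shape: "<timestamp> <host> ssh-server-g3: <Event>: <Key: value, ...>"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ssh-server-g3: "
    r"(?P<event>\w+): (?P<args>.*)$"
)


def parse_line(line):
    """Return {"stamp", "host", "event", "args"} or None for a foreign line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = {}
    for part in m.group("args").split(", "):
        key, sep, value = part.partition(": ")
        if sep:  # keys may contain spaces, e.g. "Src IP", "Policy name"
            args[key] = value
    return {"stamp": m.group("stamp"), "host": m.group("host"),
            "event": m.group("event"), "args": args}


def summarise(log_text, failure_threshold=3):
    """Count failed logins per user and connection attempts per source IP.

    Users reaching failure_threshold are listed as suspects; Connection_denied
    events (the server's own limit being hit) are counted separately."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = Counter(e["args"].get("Username")
                       for e in events if e["event"] == "Auth_method_failure")
    connections = Counter(e["args"].get("Src IP")
                          for e in events
                          if e["event"] in ("Connect", "Connection_denied"))
    return {
        "failures_per_user": dict(failures),
        "connections_per_ip": dict(connections),
        "suspect_users": sorted(u for u, n in failures.items()
                                if n >= failure_threshold),
        "denied": sum(1 for e in events if e["event"] == "Connection_denied"),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real syslog the regex needs to be adjusted to the actual line prefix of the host; the per-user and per-IP counters and the threshold logic stay the same.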
1 forwarding. By default, X11 forwarding is enabled for all users. To enable X11 forwarding only for the specified users, include an entry similar to the following in your ssh-server-config.xml file:

    <services>
      <rule group="admins">
        <tunnel-x11 action="allow"/>
      </rule>
      <rule>
        <tunnel-x11 action="deny"/>
      </rule>
    </services>

8.5 Agent Forwarding (Unix)

Agent forwarding is a special case of remote tunneling. In agent forwarding, Secure Shell connections and public-key authentication data are forwarded from one server to another without the user having to authenticate separately for each server. Authentication data does not have to be stored on any other machine than the local machine, and authentication passphrases or private keys never go over the network.

SSH Tectia Client and Server support agent forwarding on Unix platforms. The servers in the middle of the forwarding chain must also have a Secure Shell client component installed.

(Figure 8.5 Agent forwarding: SSH Tectia Client, Internet, agent tunnel, SSH Tectia Server (Unix), Internet, agent tunnel, SSH Tectia Server (Unix) with SSH Tectia Client (Unix))

By default, agent forwarding is enabled for all users. To enable agent forwarding only for the specified users, include an entry similar to the following in your ssh-server
2.0

    <!-- Policy elements -->

    <!-- Top-level element -->
    <!ELEMENT secsh-server (params?, connections?, authentication-methods?, services?)>

    <!-- Parameter element -->
    <!ELEMENT params (crypto-lib?, settings?, hostkey*, listener*, logging?, limits?, cert-validation?)>

    <!-- Crypto library -->
    <!ELEMENT crypto-lib EMPTY>
    <!ATTLIST crypto-lib mode (fips|standard) "&default-crypto-lib-mode;">

    <!-- ... own element in the params block -->
    <!ELEMENT settings EMPTY>
    <!ATTLIST settings
      proxy-scheme CDATA #IMPLIED
      xauth-path CDATA #IMPLIED
      ignore-aix-rlogin (yes|no) "&default-aix-ignore-rlogin;"
      user-config-dir CDATA #IMPLIED>

    <!-- Hostkey specification -->
    <!ELEMENT hostkey (private?, public?, x509-certificate?, externalkey?)>

    <!-- Private key specification -->
    <!ELEMENT private (#PCDATA)>
    <!ATTLIST private file CDATA #IMPLIED>

    <!-- Public key -->
    <!ELEMENT public (#PCDATA)>
    <!ATTLIST public file CDATA #IMPLIED>

    <!-- X.509 certificate -->
    <!ELEMENT x509-certificate (#PCDATA)>
    <!ATTLIST x509-certificate file CDATA #IMPLIED>

    <!-- External key -->
    <!ELEMENT externalkey EMPTY>
45 connect-on-startup="no"
      <ciphers>
        <cipher name="crypticore128@ssh.com"/>
      </ciphers>
      <macs>
        <mac name="crypticore-mac@ssh.com"/>
      </macs>
      <transport-distribution num-transports="4"/>
      <authentication-methods>
        <authentication-method name="publickey"/>
      </authentication-methods>
      <compression name="none"/>
      <server-banners visible="no"/>
    </profile>

To enable non-interactive authentication, the private key on the Client is stored with a NULL passphrase. It is important that the key directory and the key file have the correct permissions (for example 700). For more information, see Section 5.5.

7.2 Automated File Transfer

This section gives an example of setting up automated file transfer between SSH Tectia Client and Server hosts using scripts.

The following example script first transfers a file from SSH Tectia Client to SSH Tectia Server, and then transfers the file back. The script logs the command and the return values to a file.

    #!/bin/bash
    # Timestamp used to name the log file of this run
    DATE=`date +%d.%m.%Y-%H.%M`
    # Target server (an ssh-broker profile or host name)
    SRV=sftexa

    # scpg3 put: log the command, run it, then log its exit status
    echo "/opt/tectia/bin/scpg3 -B -q testfile.dat $SRV:test" >> scpg3_put_$DATE
    /opt/tectia/bin/scpg3 -B -q testfile.dat $SRV:test
    echo $? >> scpg3_put_$DATE

    # scpg3 get
However, selector items in the same selector element matching the same blackboard field are in an OR relation to each other. The following three examples produce the same result (either the username exa or mple matches):

    <selector>
      <user name="exa"/>
      <user name="mple"/>
    </selector>

    <selector>
      <user name="exa"/>
    </selector>
    <selector>
      <user name="mple"/>
    </selector>

    <selector>
      <user name="exa,mple"/>
    </selector>

An empty selector always matches:

    <selector/>

Also, typically, if an element accepts selectors but none are given, the element is assumed to have an empty selector, which will then always match.

Document Type Declaration and the Root Element

The server configuration file is a valid XML file and starts with the Document Type Declaration. The root element in the configuration file is secsh-server. It can include params, connections, authentication-methods, and services elements. An example of an empty configuration file is shown below:

    <!DOCTYPE secsh-server SYSTEM "/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd">
    <secsh-server>
      <params/>
      <connections>
        <connection/>
      </connections>
      <authentication-methods/>
      <services>
        <rule/>
      </services>
    </secsh-server>
60.25, using the Secure Shell default port 22:

    <params>
      <listener id="intranet" address="10.1.60.25"/>
    </params>

6.1.3 Forced Commands

If you have maintenance jobs requiring non-interactive access to your server, use public-key authentication and forced commands. This way, if the private key is compromised, the public key cannot be used to perform anything other than the predetermined command on the server. This is of course also bad, but it would be worse if the malicious attacker had unrestricted access to the machine.

Do not use the root account for jobs where it is not absolutely necessary.

You can set up a forced command in the ssh-server-config.xml file:

    <services>
      <rule group="backup">
        <terminal action="deny"/>
        <!-- This account is only used to backup the disk drive -->
        <command application="dd if=/dev/hda" action="forced"/>
        <tunnel-local action="deny"/>
        <tunnel-remote action="deny"/>
      </rule>
    </services>

This would, on a successful login as the group backup, force a backup job to start.

You can also use the command that was given on the sshg3 command line:

    <services>
      <rule group="admin">
        <command application="echo $SSH2_ORIGINAL_COMMAND" action="forced"/>
      </rule>
    </services>

Running sshg3:

    sshg3
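Added example, not taken from the manual or from SSH Tectia itself: a small Python evaluator that applies the selector and rule semantics documented in the selector section and the forced-command section above (selector items on the same blackboard field are OR'ed, separate selector elements are OR'ed, an empty selector always matches, the user is put into the first matching group, and the first matching rule wins) to a constructed services block modelled on the backup/admin forced-command rules. The AND relation between items on different fields within one selector element, the default action for services a rule leaves unmentioned, and the restriction to user and user-group selectors are assumptions of this example.

```python
"""Resolve the effective services rule for a user (added example)."""
import xml.etree.ElementTree as ET

# Constructed services block modelled on the forced-command example above.
SAMPLE_CONFIG = """<secsh-server>
  <services>
    <group name="backup">
      <selector>
        <user name="backup"/>
        <user-group name="operators"/>
      </selector>
    </group>
    <group name="admin">
      <selector>
        <user name="alice,bob"/>
      </selector>
      <selector>
        <user-group name="wheel"/>
      </selector>
    </group>
    <rule group="backup">
      <terminal action="deny"/>
      <command application="dd if=/dev/hda" action="forced"/>
      <tunnel-local action="deny"/>
      <tunnel-remote action="deny"/>
    </rule>
    <rule group="admin">
      <command application="echo $SSH2_ORIGINAL_COMMAND" action="forced"/>
    </rule>
    <rule>
      <terminal action="allow"/>
    </rule>
  </services>
</secsh-server>
"""

# Assumed defaults for services a rule does not mention (the manual says the
# default unnamed rule allows all services and that tunnels are allowed).
DEFAULT_ACTIONS = {"terminal": "allow", "command": "allow",
                   "tunnel-local": "allow", "tunnel-remote": "allow"}

# The three selector spellings given in the manual; they must behave identically.
SELECTOR_FORMS = [
    '<group name="g"><selector><user name="exa"/><user name="mple"/></selector></group>',
    '<group name="g"><selector><user name="exa"/></selector>'
    '<selector><user name="mple"/></selector></group>',
    '<group name="g"><selector><user name="exa,mple"/></selector></group>',
]


def _item_matches(item, blackboard):
    """One selector item against the blackboard. A comma-separated name
    attribute lists alternatives, as in <user name="exa,mple"/>."""
    wanted = {n.strip() for n in item.get("name", "").split(",") if n.strip()}
    if item.tag == "user":
        return blackboard.get("user") in wanted
    if item.tag == "user-group":
        return bool(wanted & set(blackboard.get("user-group", ())))
    return False  # selector types not modelled here (ip, certificate, ...)


def selector_matches(selector, blackboard):
    """Items on the same field are OR'ed; different fields are AND'ed
    (assumption); an empty selector always matches."""
    by_field = {}
    for item in selector:
        by_field.setdefault(item.tag, []).append(item)
    return all(any(_item_matches(i, blackboard) for i in items)
               for items in by_field.values())


def element_matches(elem, blackboard):
    """An element without selectors is treated as having an empty selector."""
    selectors = elem.findall("selector")
    return not selectors or any(selector_matches(s, blackboard) for s in selectors)


def selector_forms_results(user):
    """Evaluate the three equivalent spellings against one username."""
    return [element_matches(ET.fromstring(x), {"user": user}) for x in SELECTOR_FORMS]


def resolve_group(services, blackboard):
    """Groups are read in order; the user gets the first matching one, else None."""
    for group in services.findall("group"):
        if element_matches(group, blackboard):
            return group.get("name")
    return None


def resolve_rule(config_xml, blackboard):
    """Return (group, {service: (action, application)}) from the first matching rule."""
    services = ET.fromstring(config_xml).find("services")
    group = resolve_group(services, blackboard)
    for rule in services.findall("rule"):
        if rule.get("group") is not None and rule.get("group") != group:
            continue
        effective = {}
        for name, default in DEFAULT_ACTIONS.items():
            child = rule.find(name)
            action = child.get("action", default) if child is not None else default
            application = child.get("application") if child is not None else None
            effective[name] = (action, application)
        return group, effective
    return group, None


if __name__ == "__main__":
    for bb in ({"user": "backup", "user-group": ["operators"]},
               {"user": "carol", "user-group": ["wheel"]},
               {"user": "dave"}):
        print(bb, "->", resolve_rule(SAMPLE_CONFIG, bb))
```

Note that the backup group selector requires both the username and the operators group, so a user named backup who is not in operators falls through to the unnamed rule; with the real server, check the actual selector semantics against the DTD before relying on that reading.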
Note: SSH Communications Security does not provide technical support on how to configure RSA ACE/Server. Our support only covers SSH Tectia applications.

5.8.4 RADIUS Submethod

RADIUS (Remote Authentication Dial-In User Service) is a protocol for checking a user's authentication and authorization information from a remote server. It was originally intended for authenticating dial-in users, but is also suitable for use with Secure Shell.

In SSH Tectia, RADIUS is implemented as a submethod of keyboard-interactive authentication. The following example shows settings for keyboard-interactive authentication using the RADIUS submethod in the ssh-server-config.xml file:

    <authentication-methods>
      <authentication action="allow">
        <auth-keyboard-interactive max-tries="3" failure-delay="2">
          <submethod-radius>
            <radius-server address="10.1.61.128" port="1812" client-nas-identifier="nasid">
              <radius-shared-secret file="&configdir;/radius-secret-file"/>
            </radius-server>
          </submethod-radius>
        </auth-keyboard-interactive>
      </authentication>
    </authentication-methods>

On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Section 4.1.9.

Note: SSH Communications Security does not provide technical support on how to configure RADIUS. Our support only covers SSH Tectia applications.
Click OK to create the selector item.

To edit selector attributes, choose a selector item from the lowermost list and click Edit. The Edit Selector dialog box opens (Figure 4.8).

To remove a selector item, choose a selector item from the list and click the lowermost Delete button. To remove a selector, choose a selector from the topmost list and click the topmost Delete button.

Click OK to accept the changes and return to the main SSH Tectia Server Configuration page.

4.1.8 Connections and Encryption

On the Connections and Encryption page you can create connection rules that restrict connections based on various selectors, and set ciphers and MACs used for the connections.

The selectors define which connections a connection rule applies to. The order of the rules is important. The first matching rule is used and the remaining rules are ignored. If no selectors, or only empty selectors, are specified in a connection rule, the rule matches all connections.

(Figure: SSH Tectia Server Configuration, Connections and Encryption page: list of connection rules (connection, connection2) with Add, Down and Delete buttons)
Chapter 1 About This Document

SSH Tectia Server (formerly SSH Secure Shell) is a server-side component for SSH Tectia Connector and Client. There are four separate versions of the product available:

- SSH Tectia Server A, designed especially for system administration
- SSH Tectia Server F, designed especially for file transfer
- SSH Tectia Server T, designed especially for application tunneling
- SSH Tectia Server M, for IBM mainframes

Table 1.1 shows the main features of the different SSH Tectia Server versions.

Table 1.1 SSH Tectia Server versions and features (columns: Server A, Server F, Server T, Server M)

Functionality: Server A | Server F | Server T | Server M
System administration functionality (1): D D D D
Client-side tools and functionality: X D D
SFTP API: D X D
Checkpoint/restart mechanism: D D D
Streaming for high-speed transfers: D D D
CryptiCore encryption (Intel only): X X
Transparent tunneling (requires SSH Tectia Connector): X D
Support for centralized management (requires SSH Tectia Manager): D D D
Supported platforms:
Windows: X X X
Unix/Linux: X X X
IBM Linux on POWER and zSeries: X
IBM z/OS: X

(1) Includes secure terminal, SFTP server and non-transparent tunneling server.

Thi
(Figure 3.1 The SSH Tectia directory structure on Windows: C:\Program Files\SSH Communications Security\SSH Tectia, containing the folders SSH Tectia Broker, SSH Tectia Client, SSH Tectia Connector and SSH Tectia Server)

3.2 Starting and Stopping the Server

SSH Tectia Server is started automatically after installation and at boot time.

3.2.1 Starting and Stopping on Unix

If the server needs to be started, stopped or restarted manually, the ssh-server-g3 script can be used. The command has the following syntax:

    ssh-server-g3 <command>

The command can be either start, stop, restart, or reload:

start: Start the server.
stop: Stop the server. Existing connections stay open until closed from the client side.
restart: Start a new server process. Existing connections stay open using the old server process. The old process is closed after the last old connection is closed from the client side.
reload: Reload the configuration file. Existing connections stay open.

The path to the ssh-server-g3 scri
(Figure 4.13 SSH Tectia Server Configuration, Services page: Groups list (admin) with Add, Edit, Up, Down and Delete buttons; Rules list with Add, Edit, Up, Down and Delete buttons; OK, Cancel, Apply)

Groups

To add a new group, click Add next to the Groups list. The Selector dialog box opens (Figure 4.7).

To change the order of the group elements, select an element from the list and click Up and Down to move it. The groups are read in order and the user is put to the first matching group. If none of the groups match, the user will not have a group set.

To edit the selectors of a group element, select an element from the list and click Edit. The Edit Selector dialog box opens. See Section 4.1.7.

To delete a group element, select an element from the list and click Delete.

Rules

A default unnamed rule allows all users access to all services. The unnamed rule should be kept as the last rule so it will apply to users that are not set in any group, but you should edit the rule according to your security policy.

To add a new rule, click Add next to the Rules list. The Rule dialog box opens (Figure 4.14).

To change the order of the ru
#REQUIRED>

    <!-- MAC -->
    <!ELEMENT mac EMPTY>
    <!ATTLIST mac name CDATA #REQUIRED>

    <!-- Selector element -->
    <!ELEMENT selector (interface | certificate | host-certificate | ip | user | user-group | user-privileged | blackboard | publickey-passed | user-password-change-needed)*>

    <!-- Interface selector. If id is set, the others MUST NOT be set.
         If id is not set, either or both of address and port may be defined. -->
    <!ELEMENT interface EMPTY>
    <!ATTLIST interface
      id IDREF #IMPLIED
      address CDATA #IMPLIED
      port CDATA #IMPLIED>

    <!-- Publickey (plain) passed selector -->
    <!ELEMENT publickey-passed EMPTY>
    <!ATTLIST publickey-passed length CDATA #IMPLIED>

    <!-- Certificate selector -->
    <!ELEMENT certificate EMPTY>
    <!ATTLIST certificate
      field (ca-list | issuer-name | subject-name | serial-number | altname-email | altname-upn | altname-ip | altname-fqdn) #REQUIRED
      pattern CDATA #IMPLIED
      pattern-case-sensitive CDATA #IMPLIED>

    <!-- Host certificate selector -->
    <!ELEMENT host-certificate EMPTY>
    <!ATTLIST host-certificate
      field (ca-list | issuer-name | subject-name | serial-number | altname-email | altname-upn | altname-ip | altname-fqdn) #REQUIRED
      pattern CDATA #IMPLIED
      pattern-case-sensitive CDATA #IMPLIED>

    <!-- IP access selector -->
62744258451983124575595926849551

    Extensions
      Available: authority key identifier, subject key identifier, key usage (critical), basic constraints (critical), authority information access
      KeyUsage: DigitalSignature KeyEncipherment KeyCertSign CRLSign [CRITICAL]
      BasicConstraints: PathLength = 0, cA = TRUE [CRITICAL]
      AuthorityKeyID: KeyId = Sos EOS dolls sis 3 tee 4712353953009 37 eccl e Gel e lei glo ee 1 8 LO g vile 079
      SubjectKeyID: KeyId = SOCIO SACS EEE ee CAES SES SERRES Ted ER dE celo pToy2 Bre do TUS e O
      AuthorityInfoAccess: AccessMethod = ed 3o 5 5E t
        AccessLocation: Following names detected = URI (uniform resource indicator)
          Viewing specific name types: URI = http://pki.ssh.com:8090/ocsp-1
    Fingerprints
      MD5: MBSR cya le EI Oe Eege o street ORI SIR 9
      SHA-1: DUCTS ULGSAT STC EOE SOs diera 2 7 A DOS O SISI SIG TOS SO BAG IONS

Authors: SSH Communications Security Corp. For more information, see http://www.ssh.com/.

ssh-cmpclient-g3

ssh-cmpclient-g3: CMP enrollment client

Synopsis

    ssh-cmpclient-g3 command [options] access [name]

Where command is one of the following:

    INITIALIZE psk|racerts keypair template
    ENROLL certs|racerts keypair template
    UPDATE certs keypair
    POLL psk|certs|racerts id
INITIALIZE: Requests the user's initial certificate. The request is authenticated using the reference number and the corresponding key (PSK) received from the CA or RA using some out-of-band mechanism. The user must specify the PSK, the asymmetric key pair, and a subject name.

ENROLL: Requests a new certificate when the user already has a valid certificate for the key. This request is similar to INITIALIZE, except that it is authenticated using public-key methods.

POLL: Polls for a certificate when a request was not immediately accepted.

UPDATE: Requests an update of an existing certificate (replacement). The issued certificate will be similar to the existing certificate (names, flags, and other extensions). The user can change the key, and the validity times are updated by the CA. This request is authenticated by a valid existing key pair and a certificate.

RECOVER: Requests recovery of a backed-up key. This request is authenticated either by PSK-based or certificate-based authentication. The template describes the certificate whose private key has already been backed up and should be recovered. Users can only recover keys they have backed up themselves.

REVOKE: Requests revocation for a key specified in the template. Authentication of the request is made using a PSK or a certificate belonging to the same user as the subject of revocation.
                              #REQUIRED
                              CDATA #IMPLIED>
    (name, params ... PCDATA)>

<!-- GSSAPI authentication -->
<!ELEMENT auth-gssapi EMPTY>
<!ATTLIST auth-gssapi dll-path                CDATA    #IMPLIED
                      allow-ticket-forwarding (yes|no) "&default-gssapi-ticket-forwarding-policy;">

<!-- Services element -->
<!ELEMENT services (group*, rule*)>

<!-- Group element -->
<!ELEMENT group (selector*)>
<!ATTLIST group name ID #REQUIRED>

<!-- Rule element -->
<!ELEMENT rule (environment?, terminal?, subsystem*, command?,
                tunnel-agent?, tunnel-x11?, tunnel-local*, tunnel-remote*)>
<!-- group, if defined, will be used to match the rule -->
<!ATTLIST rule group        CDATA    #IMPLIED
               idle-timeout CDATA    "&default-idle-timeout;"
               print-motd   (yes|no) "&default-print-motd;">

<!-- Environment -->
<!-- The default allowed environment variables are:
       allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"
     If neither allowed nor allowed-case-sensitive is set, the defaults above are used. -->
<!ELEMENT environment EMPTY>
<!ATTLIST environment allowed                CDATA #IMPLIED
                      allowed-case-sensitive CDATA #IMPLIED>

<!-- Terminal -->
<!ELEMENT terminal EMPTY>
<!ATTLIST terminal action (allow|deny) "&default-te
                   #IMPLIED
                   #IMPLIED>

<!ELEMENT dst EMPTY>
<!ATTLIST dst address CDATA #IMPLIED
              fqdn    CDATA #IMPLIED
              port    CDATA #IMPLIED>

<!-- Listener -->
<!ELEMENT listen EMPTY>
<!ATTLIST listen address CDATA #IMPLIED
                 port    CDATA #IMPLIED>

<!-- Command -->
<!ELEMENT command EMPTY>
<!ATTLIST command action                     (allow|deny|forced) "&default-command-action;"
                  application                CDATA #IMPLIED
                  application-case-sensitive CDATA #IMPLIED
                  chroot                     CDATA #IMPLIED>

Appendix C  Man Pages and Help Files

On Unix, the following manual pages are included in the SSH Tectia Server distribution:

  - ssh-server-g3(8): Secure Shell server - Generation 3
  - ssh-server-config(5): Secure Shell server configuration file format
  - ssh-server-config-tool(8): Secure Shell server configuration updater
  - ssh-keygen-g3(1): authentication key pair generator
  - ssh-cmpclient-g3(1): certificate enrollment client
  - ssh-certview-g3(1): certificate viewer
  - ssh-ekview-g3(1): external key viewer

On Windows, the SSH Tectia Server program group includes links to SSH Tectia user documentation in PDF format. The documents can be found in the <INSTALLDIR>\SSH Tectia AUX\documents directory. SSH Tectia
  --allowed-macs LIST
      Sets a list of allowed MACs.

  --fips-mode yes|no
      Sets the FIPS mode for the cryptographic library in use or not in use. The default is no.

Authors: SSH Communications Security Corp. For more information, see http://www.ssh.com/.

See Also: ssh-server-config-tool(8), ssh-server-config(5)

ssh-server-config-tool

ssh-server-config-tool -- SSH Tectia Server configuration tool

Synopsis

  ssh-server-config-tool [-D, --debug LEVEL] [-h, --help] [-p, --port PORT] [-V, --version]

Description

ssh-server-config-tool is a tool for initiating reconfiguration of SSH Tectia Server (ssh-server-g3). It reads the configuration from the ssh-server-config.xml file. Existing connections stay open using the old configuration, and new connections use the new configuration.

ssh-server-config-tool returns 0 on success and a positive integer on failure.

Options

  -D, --debug LEVEL
      Sets the debug level.

  -h, --help
      Prints a short summary of command-line options and exits.

  -p, --port PORT
      Specifies the port number of the server process being controlled.

  -V, --version
      Prints the program version string and exits.

Authors: SSH Communications Security Corp. For more information, see http://www.ssh.com/.

See Also: ssh-server-g3(8), ssh-server-config(5)

ssh-keygen-g3

ssh-keygen-g3 -- authentication key pair
<!ENTITY default-gssapi-ticket-forwarding-policy "no">

<!-- Certificate validation defaults -->
<!ENTITY default-use-expired-crls "0">
<!ENTITY default-disable-crls "no">
<!ENTITY default-dod-pki "no">
<!ENTITY default-ldap-server-port "389">

<!-- Default interval for CRL prefetching -->
<!ENTITY default-crl-prefetch-interval "3600">

<!-- Default crypto library mode -->
<!ENTITY default-crypto-lib-mode "standard">

<!-- Default log event facility and severity -->
<!ENTITY default-log-event-facility "normal">
<!ENTITY default-log-event-severity "informational">

<!ENTITY default-aix-ignore-rlogin "no">
<!ENTITY default-tcp-keepalive "no">

<!-- Default connection idle timeout in seconds. The value zero disables the timeout. -->
<!ENTITY default-idle-timeout "0">

<!-- Should the message of the day (MOTD) be printed on login -->
<!ENTITY default-print-motd "yes">

<!-- Should authentication file permissions be checked -->
<!ENTITY default-strict-modes "yes">

<!-- Default authentication file permission mask bits (octal) -->
1100 Certificate validation failure
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  A received certificate failed to validate correctly under any of the configured CAs.
  Default log facility: normal
  Arguments:
    Username     User's login name (not present for first KEX)
    Text         Resulting search states for all configured CAs
    Session-Id   Session identifier (not present for first KEX)

1101 Certificate validation success
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  A received certificate validated correctly under one or more configured CAs.
  Default log facility: normal
  Arguments:
    Username     User's login name
    CA List      A list of CAs under which the user's certificate validated correctly
    Session-Id   Session identifier

1110 CM_find_started
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  A low-level search was started in the certificate validation subsystem.
  Default log facility: normal
  Arguments:
    Ctx                 Search context
    Search constraints  Search constraints

1111 CM_find_finished
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  A low-level find operation has finished in the certificate validation subsystem.
  Default log facility: normal
a key pair from the list and click Delete.

Key Type
  Select a key type for the key pair. This can be plain Public key, Certificate, or External key.

Host Key or Certificate
  This setting is different depending on whether you have selected Public key or Certificate as the key type.

Private key file
  Click the ellipsis button on the right-hand side of the text field to change the private host key file. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and filename directly in the text field.

  The default file is hostkey, located in the installation directory (by default C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server). The key file should be readable only by the server itself; a private host key that other accounts can read lets them impersonate the server.

  Click the Generate button to generate a new host key pair. This launches the ssh-keygen-g3.exe command-line tool and generates a 2048-bit DSA key pair. If you want to generate some other type of key, see ssh-keygen-g3(1) in the appendix for instructions on how to manually generate the key pair.

Public key file
  This setting is active if you have selected plain Public key as the key type. Click the ellipsis button on the right-hand side of the text field to change the public host key file. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and filename directly in the text field. If the public key is not specified, it will be deriv
Package Manager (RPM) binary packages. The RPMs are available for Red Hat and SUSE Linux running on Intel x86 (i386), on IBM POWER (ppc64pseries), and on IBM S/390 or zSeries (s390x) platforms. The package for the x86 architecture is also compatible with the 64-bit versions of Red Hat and SUSE Linux running on x86-64 platforms. The IBM Linux packages are only available with SSH Tectia Server T.

On the installation CD-ROM, the installation packages for Linux are located in the install/linux directory. Two packages are required: one for the common components of SSH Tectia Client and Server, and another for the specific components of SSH Tectia Server.

To install SSH Tectia Server on Linux, do the following:

1. (Not necessary in third-digit maintenance updates.) Copy the license file to the /etc/ssh2/licenses directory. See Section 2.1.3. If this is the initial installation of SSH Tectia Server 5.x, the directory does not yet exist. You can either create it manually or copy the license after the installation. In the latter case, you have to start the server manually after copying the license file.

2. Install the packages with root privileges:

     # rpm -Uvh ssh-tectia-common-<ver>-<arch>.rpm
     # rpm -Uvh ssh-tectia-server-<ver>-<arch>.rpm

   In the commands, <ver> is the current package version of SSH Tectia Server (for example, 5.0.0.777) and <arch> is the platform architecture (i386, ppc64pseries, or s390x).

The server host key is ge
(Index, continued)

  agent 118
  local 114
  remote 116
  X11 117
fully qualified domain name (FQDN) 66, 83, 91

G
generating host key 57, 81
Generic Security Service API (GSSAPI) 96
getting started with SSH Tectia Server 23
getting support 10
group 41, 46, 71, 74, 85
GSSAPI authentication 45, 72, 96

H
help files 149
hexl 126
host certificate 33, 57
  enrolling 83
host key 23, 32, 56
  changing 81
  external 33, 58, 84
  multiple 80
  private 32, 57
  public 33, 57
host key generation 57, 81
host-based authentication 43, 72, 89
host-based authentication with certificates 92
HP-UX
  installation 17
  uninstallation 21
HTTP proxy URL 35, 62
HTTP repository 82, 87

I
IBM AIX 16
IBM Linux 18
identity 56
ignoring AIX rlogin restriction 32
incoming tunnel 111, 116
installation
  planning 13
  upgrading 15
installation packages 14
installed files 23
installing on AIX 16
installing on HP-UX 17
installing on Linux 18
installing on Solaris 18
installing on Windows 19

K
keepalive 37, 69
Kerberos authentication 96
key
  host 32, 56
key exchange 82
key fingerprint 81, 124
key generation 81
keyboard-interactive authentication 43, 72, 93, 96

L
LDAP servers 35, 63, 87
legal disclaimer 102
library
  cryptographic 31, 55
library certification, FIPS 140-2 31, 55
license file 14, 23
licensing
airly slow operation.

private
  This element gives the path to the private key file as the value of the file attribute. The key file should be located on a local drive. Network or mapped drives should not be used, as the server program may not have proper access rights for them. The default is hostkey in the directory /etc/ssh2 on Unix and C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server on Windows. The key file should be readable only by the server itself.

public
  This element gives the path to the public key file as the value of the file attribute. The key file should be located on a local drive. Network or mapped drives should not be used, as the server program may not have proper access rights for them. Alternatively, the public key can be specified as a base64-encoded ASCII element.

x509-certificate
  This element gives the path to the X.509 user certificate file as the value of the file attribute. Alternatively, the certificate can be specified as a base64-encoded ASCII element.

externalkey
  This element defines an external host key. The type must be given as an attribute. The init-info can also be given.

Sample hostkey elements are shown below:

    <hostkey>
      <private file="/etc/ssh2/hostkey_dsa"/>
      <public file="/etc/ssh2/hostkey_dsa.pub"/>
    </hostkey>
    <hostkey>
allows you to specify what kind of information is logged in the event log.

Figure 4.5 SSH Tectia Server Configuration - Logging page. (The page lists log events with their Facility and Severity; all log events have a default type, and these settings are used only to override the defaults.)

You can set the type of different logging events. The events have reasonable default values, which are used if no explicit logging settings are made. This page allows customizing the default values.

Click Add to add a new logging rule. Enter the name of the log event in the text box, and select the Facility and Severity from the drop-down lists. See Appendix D for a full list of the log event names.

On Windows, only the Normal and Discard facilities are used. Setting the facility to Discard causes the server to ignore the specified log events.

On Windows, the following event severities are used:

  - Information
  - Warning
  - Error
  - Security success
  - Security failure
  - Ignore: the event is not logged

See Section 6.2 for more information on the event types.
an authentication element applies to. The order of the elements is important. For methods on the same level, the first matching method is used and the remaining methods are ignored. If the method has nested child methods, they are matched next using the same procedure. If no selectors (or only empty selectors) are specified in an authentication element, the element matches all users.

Figure 4.10 SSH Tectia Server Configuration - Authentication page. (The page shows the Authentication Chains tree with Add, Add Child, Up, Down, Edit, and Delete buttons. For the selected element, the General section offers Allow authentication, Deny authentication, and Set group; the Authentication Methods list shows the configured methods, for example GSSAPI, Public key, and Keyboard-interactive, with Failure delay (seconds) 2, Max tries 3, and the configured submethods.)

Authentication Chains

To add a new authentication chain, click Add next to the Authentication Chains list. The Selector dialog box opens (Figure 4.7). To change the order of the authentication elements, select an ele
ased applications. A software component installed on a workstation or a server, SSH Tectia Client F is especially designed for secure file transfer in both interactive and automatic modes.

The SSH Tectia client/server solution consists of three products: SSH Tectia Server, SSH Tectia Client, and SSH Tectia Connector.

SSH Tectia Connector is a transparent end-user desktop client that provides dynamic tunneling of client/server connections without the need to reconfigure the tunneled applications. It enables corporate end users to connect to business applications securely and automatically when an IP connection is established, while being fully transparent to the user. SSH Tectia Connector connects to SSH Tectia Server T and SSH Tectia Server M.

SSH Tectia Server is a server-side component for SSH Tectia Connector and Client. There are four separate versions of the product available: SSH Tectia Server A for secure remote administration, SSH Tectia Server F for secure file transfer, SSH Tectia Server T for secure application connectivity, and SSH Tectia Server M for IBM mainframes.

The administration (A) server is available for Linux, Unix, and Windows platforms. It is a Secure Shell server for SSH Tectia Client.

(Product comparison table: SSH Tectia Server F, SSH Tectia Server M, SSH Tectia Server T; tunne
ated during installation, and you can skip this step. Otherwise, give the following command:

     # ssh-keygen-g3 -P /etc/ssh2/hostkey

   (The -P option creates the key without a passphrase, which a host key must be so the server can start unattended.)

   Optionally, you can define a custom location or name for the host key in the ssh-server-config.xml file. If SSH Tectia Server is not installed on the client host, you can create the configuration file manually and save it in the /etc/ssh2 directory.

2. Add the following lines in the ssh-broker-config.xml file:

     <authentication-methods>
       <authentication-method name="hostbased"/>
     </authentication-methods>

   Also other authentication methods can be listed.

Server Configuration

Do the following as the server administrator:

1. Copy the client's /etc/ssh2/hostkey.pub file over to the server. Note that this requires root permissions on the client, and optionally on the server as well.

   SSH Tectia Server looks for the host keys to use for host-based authentication in the /etc/ssh2/trusted_hosts directory on Unix and in the C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server\trusted_hosts directory on Windows. You have to name the client's public key as follows on the server:

     client.example.com.ssh-dss.pub

   In the example, client.example.com is the hostname the client is sending to the server. When the server receives the client's public key, it forms a path based on
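The naming rule above (hostname as sent by the client, then the key type, then .pub) and the require-dns-match check described for the auth-hostbased element are easy to get wrong by hand. The following script is an added example, not code from the SSH Tectia distribution: it reads an RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----") public key, takes the key type from the decoded blob, builds the trusted_hosts file name, and checks offline whether a claimed hostname resolves to the peer address. The sample key material is constructed and not a real DSA key; the resolver map is constructed too, and which key types the server accepts is an assumption.

```python
# Added example, not part of the SSH Tectia manual: derive the trusted_hosts file
# name for a client host key and apply the require-dns-match check offline.
import base64
import textwrap

TRUSTED_HOSTS_DIR = "/etc/ssh2/trusted_hosts"   # Unix location named in the manual
ALLOWED_KEY_TYPES = {"ssh-dss", "ssh-rsa"}       # assumption: key types the server accepts


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


def parse_rfc4716(text: str):
    """Return (key_type, blob) from an RFC 4716 SSH2 public key file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("not an SSH2 public key file")
    body, continued = [], False
    for line in lines[1:]:
        if line.strip() == "---- END SSH2 PUBLIC KEY ----":
            break
        if continued:                  # header value continued by a trailing backslash
            continued = line.endswith("\\")
            continue
        if ":" in line:                # header line (Comment:, Subject:, ...); base64 has no ':'
            continued = line.endswith("\\")
            continue
        body.append(line.strip())
    else:
        raise ValueError("missing END marker")
    blob = base64.b64decode("".join(body), validate=True)
    n = int.from_bytes(blob[:4], "big")
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii"), blob   # first string of the blob is the key type


def trusted_hosts_path(client_hostname: str, key_text: str,
                       base_dir: str = TRUSTED_HOSTS_DIR) -> str:
    """Path the server looks up: <hostname as sent by the client>.<key type>.pub"""
    key_type, _ = parse_rfc4716(key_text)
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type}")
    hostname = client_hostname.strip()
    if not hostname or "/" in hostname or "\\" in hostname or hostname.startswith("."):
        raise ValueError("hostname must not contain path separators")
    return f"{base_dir}/{hostname}.{key_type}.pub"


def hostname_matches_dns(claimed_hostname: str, peer_ip: str, resolve) -> bool:
    """require-dns-match="yes": the name the client sent must resolve to the peer address.
    'resolve' is injected (socket.gethostbyname_ex in production) so this runs offline."""
    try:
        addresses = resolve(claimed_hostname)
    except Exception:
        return False
    return peer_ip in addresses


# Constructed sample key: genuine type string, dummy key material (not a usable DSA key).
CONSTRUCTED_DSS_KEY = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    'Comment: "constructed example, \\\n'
    ' continued header line"\n'
    + textwrap.fill(base64.b64encode(
        _ssh_string(b"ssh-dss") + _ssh_string(b"\x00\x01\x02")).decode(), 70)
    + "\n---- END SSH2 PUBLIC KEY ----\n"
)

# Constructed resolver standing in for DNS.
CONSTRUCTED_DNS = {"client.example.com": ["192.0.2.10"]}


def constructed_resolve(name: str):
    return CONSTRUCTED_DNS[name]


if __name__ == "__main__":
    print(trusted_hosts_path("client.example.com", CONSTRUCTED_DSS_KEY))
    print(hostname_matches_dns("client.example.com", "192.0.2.10", constructed_resolve))
```

The key type comes from the decoded blob rather than from the file's Comment header, because the header is free text and is not what the server matches on. The DNS check only protects against a client claiming a name that does not resolve to its address; with require-dns-match left at its default of no, the file name alone is trusted.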
ation
  Default log facility: normal
  Arguments:
    Username     The user's login name
    Policy name  A symbolic name for the authentication block
    Session-Id   Session identifier

802 Authentication block allow
  Level: informational
  Origin: SSH Tectia Server
  The authentication chain terminated in an authentication block with an allow action.
  Default log facility: normal
  Arguments:
    Username     The user's login name
    Policy name  A symbolic name for the authentication block
    Session-Id   Session identifier

803 Authentication block deny
  Level: informational
  Origin: SSH Tectia Server
  The authentication chain terminated in an authentication block with a deny action.
  Default log facility: normal
  Arguments:
    Username     The user's login name
    Policy name  A symbolic name for the authentication block
    Session-Id   Session identifier

804 Group selected
  Level: informational
  Origin: SSH Tectia Server
  The connection matched a group in the configuration.
  Default log facility: normal
  Arguments:
    Username     The user's login name
    Policy name  A symbolic name for the group
    Session-Id   Session identifier

805 Rule selected
  Level: informational
  Origin: SSH Tectia Server
  The server selected a rule in the configuration.
  Default log facility: normal
If you have three hosts, for example sshclient, sshserver, and imapserver, and you forward the traffic coming to the sshclient port 143 to the imapserver port 143, only the connection between sshclient and sshserver will be secured. The command you use would be similar to the following:

    $ sshg3 -L 143:imapserver:143 username@sshserver

Figure 8.2 shows an example where the Secure Shell server resides in the DMZ network. The connection is encrypted from the Secure Shell client to the Secure Shell server and continues unencrypted in the corporate network to the IMAP server.

Figure 8.2 Local (outgoing) tunnel to an IMAP server. (The figure shows SSH Tectia Client or SSH Tectia Connector on the Internet side, the outgoing tunnel to SSH Tectia Server, and the corporate network behind it.)

With SSH Tectia Connector, there is no need to separately configure application software to use local ports to set up the tunnels. The applications to be tunneled are defined in the Connection Broker configuration (Filter Rules). SSH Tectia Connector automatically captures the defined applications, and the Connection Broker creates Secure Shell tunnels to the defined SSH Tectia Server T.

By default, local tunnels are allowed to all addresses for all users. The default setting equals the following in the ssh-server-config.xml file:

    <services>
      <rule>
        <tunnel-local action="allow"/>
      </rule>
    </services>

The connections can be restricted by specif
    </authentication-methods>

Also other authentication methods can be allowed. Place the least interactive method first; password is usually the last one.

By using selectors, it is possible to allow or require password authentication only for a specified group of users. See the section called Selectors for more information.

On Windows, using the SSH Tectia Server Configuration tool, password authentication can be allowed on the Authentication page. See Section 4.1.9.

Note: With passwords, it is also possible to use keyboard-interactive authentication. See Section 5.8.1 for more information.

5.4.1 Special Considerations on Windows

Please note that if domain user accounts are used, entering the password is always required. Non-interactive login is possible only for local accounts when public-key authentication is used.

SSH Tectia Server does not need a user management program of its own; the user accounts are created with the standard Windows User Manager. SSH Tectia Server can use either local or domain user accounts. However, for domain user accounts, the password authentication method is always required. If a user attempts a public-key login with a domain account, an error is displayed. Domain accounts should be specified using the domain\user notation.

Note: Use
bute contains a path to a supplementary XAuth binary used with X11 forwarding on Unix platforms.

The ignore-aix-rlogin attribute defines whether the server should ignore the remote login restriction on AIX. Local login permission is still honored. The value must be yes or no. The default is no.

The user-config-dir attribute can be used to specify where user-specific configuration data is found. With this, the administrator can control those options that are usually controlled by the user. This is given as a pattern string which is expanded by SSH Tectia Server. In the string, %D is the user's home directory, %U is the user's login name, %IU is the user's user ID (uid), and %IG is the user's group ID (gid).

    <settings proxy-scheme="direct:///10.0.0.0/8,localhost;socks5://fw.example.com:1080/"
              xauth-path="XAUTH_PATH"
              ignore-aix-rlogin="no"
              user-config-dir="%D/.ssh2"/>

hostkey

The hostkey element defines the location of the private host key and optionally the location of the public key and/or certificate. The elements inside the element must be given in the right order: private key before public. Inside one hostkey element, either the public key or the certificate can be given, not both.

Giving the public key in the configuration file is not mandatory. It will be derived from the private key if it is not found otherwise. However, specifying the public key will decrease the start-up time for the software, as deriving the public key is a f
c-key authentication method.

auth-hostbased
  This element sets the host-based authentication method. The element can have one attribute, require-dns-match. If the require-dns-match attribute is set to yes, host-based authentication will require the hostname given by the client to match the one found in DNS. If the hostname does not match, the authentication will fail. The default is no (exact match not required).

auth-password
  This element sets the password authentication method. The delay between failed attempts in seconds (failure-delay) and the maximum number of attempts (max-tries) can be given as attributes. The default delay is 2 seconds and the default maximum is 3 attempts.

auth-keyboard-interactive
  This element sets the keyboard-interactive authentication method. The delay between failed attempts in seconds (failure-delay) and the maximum number of attempts (max-tries) can be given as attributes. The default delay is 2 seconds and the default maximum is 3 attempts. The keyboard-interactive submethods are given as child elements. The supported methods are submethod-password, submethod-pam, submethod-securid, submethod-radius, and submethod-generic.

submethod-pam
  This element sets the keyboard-interactive PAM submethod in use. PAM is supported on Unix platforms. The dll-path
can be given as a comma-separated list. Names are normally matched case-insensitively. Alternatively, the names can be specified using the name-case-sensitive attribute.

user-privileged
  This selector matches a privileged user (administrator or root) or a non-privileged user. The value can be yes (match a privileged user) or no (match a normal user).

blackboard
  This selector matches a pattern in a specified blackboard field. Patterns are normally matched case-insensitively. Alternatively, the pattern can be specified using the pattern-case-sensitive attribute.

publickey-passed
  This selector matches if authentication is passed using a normal public key (without a certificate). Using this selector requires that the authentication chain contains an auth-publickey element. Optionally, the length range of the public key can be given as an attribute, for example 1024-2048 (keys from 1024 to 2048 bits match). The range can also be left open, for example 1536- (keys over 1536 bits match).

user-password-change-needed
  This selector matches on Unix platforms if the user password has expired and should be changed. The actual password change can be done by defining a rule with a forced passwd command. See the section called The services Element for an example.

auth-publickey
  This element sets the publi
cate element are used:

  - issuer-name: The pattern is the required certificate issuer name in LDAP DN (distinguished name) string format. The issuer name may contain glob patterns (* and ?), but only in the component values, not names. For example, "C=FI, O=SSH, CN=*" is a legal pattern, but "C=FI, *=SSH, CN=TestCA" is not.

  - subject-name: The pattern is the required subject name in LDAP DN (distinguished name) string format. Matching is done in a similar manner as with the issuer name described above.

  - serial-number: The pattern is the required serial number of the certificate. A combination of issuer-name and serial-number can be used to uniquely identify a certificate.

  - altname-email: The pattern is the e-mail address that must be present in the certificate as a subject alternative name.

  - altname-upn: The pattern is the principal name that must be present in the certificate as a subject alternative name.

  - altname-ip: The pattern is the IP address that must be present in the certificate as a subject alternative name. Also a range of addresses can be given, for example 10.1.0.11-10.1.0.61 or 10.1.0.0/8.

  - altname-fqdn: The pattern is a list of fully qualified domain names (FQDN) that may contain glob patterns (* and ?), one of which must match a subject alternative name of typ
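The DN matching rules above have one easily missed constraint: a wildcard in a component name is a configuration error, not a match-everything pattern. The following is an added example, not code from SSH Tectia, that implements the issuer-name/subject-name pattern check, component-wise DN matching, the altname-fqdn list rule, and the issuer-name plus serial-number combination. It assumes that DN components are separated by commas with no escaped commas inside values and that values are compared case-insensitively, like the other selectors; the certificate facts it matches against are constructed, not parsed from a real certificate.

```python
# Added example, not part of the SSH Tectia manual: the certificate selector's
# DN-pattern rules (wildcards only in component values) and SAN list matching.
import fnmatch

WILDCARDS = "*?"


def parse_dn(dn: str):
    """Split 'C=FI, O=SSH, CN=*' into [(attr, value), ...].
    Assumption: components are comma-separated and values contain no escaped commas."""
    components = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"bad DN component: {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip(), value.strip()
        if not attr:
            raise ValueError(f"empty attribute name in {part!r}")
        components.append((attr, value))
    return components


def is_legal_dn_pattern(pattern: str) -> bool:
    """Wildcards are legal only in component values, never in component names."""
    try:
        return not any(ch in attr for attr, _ in parse_dn(pattern) for ch in WILDCARDS)
    except ValueError:
        return False


def dn_matches(pattern: str, dn: str) -> bool:
    """Component-wise match: attribute names must agree, values are globbed.
    Assumption: values are compared case-insensitively, as with the other selectors."""
    if not is_legal_dn_pattern(pattern):
        raise ValueError(f"illegal DN pattern {pattern!r}")
    want, have = parse_dn(pattern), parse_dn(dn)
    if len(want) != len(have):
        return False
    return all(
        wa.upper() == ha.upper() and fnmatch.fnmatchcase(hv.lower(), wv.lower())
        for (wa, wv), (ha, hv) in zip(want, have)
    )


def altname_fqdn_matches(pattern_list: str, san_dns_names) -> bool:
    """altname-fqdn: comma-separated glob patterns, one of which must match a SAN dNSName."""
    patterns = [p.strip().lower() for p in pattern_list.split(",") if p.strip()]
    names = [n.lower() for n in san_dns_names]
    return any(fnmatch.fnmatchcase(n, p) for p in patterns for n in names)


def certificate_selector_matches(selector: dict, cert: dict) -> bool:
    """Evaluate a {field: pattern} selector against already-extracted certificate facts.
    serial-number is compared exactly; issuer-name + serial-number together pin one certificate."""
    for field, pattern in selector.items():
        if field in ("issuer-name", "subject-name"):
            if not dn_matches(pattern, cert[field]):
                return False
        elif field == "serial-number":
            if str(pattern) != str(cert["serial-number"]):
                return False
        elif field == "altname-fqdn":
            if not altname_fqdn_matches(pattern, cert.get("altname-fqdn", [])):
                return False
        else:
            raise ValueError(f"field {field!r} is not handled in this example")
    return True


# Constructed certificate facts (not a real certificate).
CONSTRUCTED_CERT = {
    "issuer-name": "C=FI, O=SSH, CN=TestCA",
    "subject-name": "C=FI, O=SSH, CN=jdoe",
    "serial-number": "4712",
    "altname-fqdn": ["client.example.com"],
}

if __name__ == "__main__":
    print(certificate_selector_matches(
        {"issuer-name": "C=FI, O=SSH, CN=*", "serial-number": "4712"}, CONSTRUCTED_CERT))
```

An illegal pattern raises instead of silently matching nothing (or everything), which is the behaviour you want when a selector guards an allow action. Pinning by issuer-name and serial-number, as the text suggests, is the only combination here that identifies exactly one certificate; a subject-name glob alone can match any certificate the CA issued with a matching name.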
child elements, but the first one has an empty selector (or no selectors at all), that connection element always matches and the remaining are never used.

Wild Cards in Selectors

Simple wild cards can be used inside selector values. An asterisk (*) matches any string. A question mark (?) matches any character. A dash (-) can be used to specify a range.

For example, the following selector matches the usernames jdoe and jdox, but not jdoel:

    <selector>
      <user name="jdo?"/>
    </selector>

For example, the following selector matches IP addresses between 192.168.0.42 and 192.168.0.82:

    <selector>
      <ip address="192.168.0.42-192.168.0.82"/>
    </selector>

Selector Handling Rules

Selector elements are in an OR relation: one of the selectors must match for the parent element to match. For example, the following block matches if either the IP address is 192.168.0.3 or the user ID is 11001001:

    <selector>
      <ip address="192.168.0.3"/>
    </selector>
    <selector>
      <user id="11001001"/>
    </selector>

Selector items in the same selector element are normally in an AND relation: both selectors must match for the element to match. For example, the following element matches if both the IP address is 192.168.0.3 and the user ID is 11001001:

    <selector>
      <ip address="192.168.0.3"/>
      <user id="11001001"/>
    </selector>
config.xml file:

    <services>
      <rule group="admins">
        <tunnel-agent action="allow"/>
      </rule>
      <rule>
        <tunnel-agent action="deny"/>
      </rule>
    </services>

Appendix A  Command Line Tools

The functionality of the command-line tools included in SSH Tectia Server is briefly explained in the following appendices.

ssh-server-g3

ssh-server-g3 -- Secure Shell server - Generation 3

Synopsis

  ssh-server-g3 [-D, --debug LEVEL] [-f, --config-file FILE] [-h, --help]
                [-H, --hostkey FILE] [-l, --listen ADDRESS:PORT]
                [-n, --num-processes NUM] [-V, --version]
                [--plugin-path PATH] [--auxdata-path PATH] [--libexec-path PATH]
                [--allowed-ciphers LIST] [--allowed-macs LIST] [--fips-mode yes|no]

Description

ssh-server-g3 is the Secure Shell server program for SSH Tectia Server. The ssh-server-g3 command should not be used directly, except for debugging purposes. Use instead the startup script with the same name, ssh-server-g3. The path to the ssh-server-g3 startup script is different on each operating system:

  - On AIX: /opt/tectia/sbin/rc.ssh-server-g3 command
  - On Linux and Solaris: /etc/init.d/ssh-server-g3 command
  - On HP-UX: /sbin/init.d/ssh-server-g3 command
ction Broker
  An LDAP search for a CRL or a sub-CA completed successfully.
  Default log facility: normal
  Arguments:
    Text   Search details

1117 CM_ldap_search_failure
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  The attempt to contact an LDAP server was unsuccessful.
  Default log facility: normal
  Arguments:
    Text   Error details

1118 CM_http_search_started
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  The certificate validation subsystem is initiating a search for a CRL or a sub-CA through the HTTP protocol.
  Default log facility: normal
  Arguments:
    Text   Search target

1119 CM_http_search_success
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  An HTTP request for a CRL or a sub-CA completed successfully.
  Default log facility: normal
  Arguments:
    Text   Status message detailing what was being retrieved

1120 CM_http_search_failure
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  An HTTP request for a CRL or a sub-CA failed.
  Default log facility: normal
  Arguments:
    Text   Error details

1121 CM_crl_added
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  A new CRL was successfully added to the certificate validation subsystem.
  Default log facility: normal
  Argum
Nesting authentication elements within each other sets the child methods as required: all must be passed for the authentication to be successful. Setting multiple authentication elements at the same level sets them as optional: one of the methods must be passed for the authentication to be successful.

The methods are read in order. For methods on the same level, the first matching method is used and the remaining methods are ignored. If the method has nested child methods, they are matched next using the same procedure.

The word allow or deny can be given as the value of the action attribute of the authentication element. By default, authentication is allowed. If an authentication chain ends in a deny action, the user is not allowed to log in.

In a nested chain of authentication elements it is possible, for example, to set the parent method to deny authentication and a child element with a selector to allow authentication. If the user matches the selector and successfully completes the authentication methods, login is allowed.

The authentication element can additionally take a set-group attribute, which sets a group for the users that pass the particular authentication chain. The group definition can be later used in the services element. If set-group is used here, it overrides any group definitions in the services element. See the section called The services E
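The first-match, nested-required and allow/deny rules above, together with the selector wildcard and OR/AND rules described under Wild Cards in Selectors and Selector Handling Rules, decide who gets in, so it is worth being able to dry-run a chain against a connection before deploying it. The following evaluator is an added example, not code from SSH Tectia, and it simplifies: it handles the user, ip and user-privileged selector items only (assuming the privileged flag lives in a value attribute), treats the methods listed in one element as alternatives the client must pass one of, uses the parent's own action when none of its children matches, denies when no top-level element matches, and assumes IPv4 addresses. The configuration it evaluates is constructed for the example.

```python
# Added example, not part of the SSH Tectia manual: dry-run an <authentication-methods>
# tree with the selector wildcard rules and the first-match / nested / allow-deny rules.
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET


def ip_matches(pattern: str, address: str) -> bool:
    """ip address="...": exact address, glob, CIDR block, or lo-hi range (IPv4 assumed)."""
    ip = ipaddress.ip_address(address)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return lo <= ip <= hi
    return fnmatch.fnmatchcase(address, pattern)


def user_matches(item, ctx) -> bool:
    """<user name="a,b" id="..."/>: comma-separated names, case-insensitive unless
    name-case-sensitive is used; id must match exactly when given."""
    if "id" in item.attrib and str(ctx.get("user_id")) != item.get("id"):
        return False
    if "name-case-sensitive" in item.attrib:
        names, subject = item.get("name-case-sensitive"), ctx["user_name"]
    elif "name" in item.attrib:
        names, subject = item.get("name").lower(), ctx["user_name"].lower()
    else:
        return True
    return any(fnmatch.fnmatchcase(subject, n.strip()) for n in names.split(",") if n.strip())


def item_matches(item, ctx) -> bool:
    if item.tag == "user":
        return user_matches(item, ctx)
    if item.tag == "ip":
        return ip_matches(item.get("address"), ctx["ip"])
    if item.tag == "user-privileged":          # assumption: <user-privileged value="yes|no"/>
        return (item.get("value") == "yes") == bool(ctx.get("privileged"))
    raise ValueError(f"selector item {item.tag!r} is not handled in this example")


def selectors_match(element, ctx) -> bool:
    """Selector elements are OR-ed; items inside one selector are AND-ed;
    no selector (or an empty one) matches every connection."""
    selectors = element.findall("selector")
    if not selectors:
        return True
    return any(all(item_matches(i, ctx) for i in sel) for sel in selectors)


def evaluate(root, ctx) -> str:
    """Walk <authentication-methods>; returns 'allow' or 'deny'."""
    return _evaluate_siblings(root.findall("authentication"), ctx, default="deny")


def _evaluate_siblings(siblings, ctx, default):
    for auth in siblings:
        if not selectors_match(auth, ctx):
            continue                                      # first matching element wins
        methods = {c.tag for c in auth if c.tag.startswith("auth-")}
        if methods and not (methods & ctx["passed"]):     # pass one of the listed methods
            return "deny"
        children = auth.findall("authentication")
        if children:                                      # nested elements are required next
            return _evaluate_siblings(children, ctx, default=auth.get("action", "allow"))
        return auth.get("action", "allow")
    return default   # assumption: no matching child -> parent's action; none at top -> deny


# Constructed configuration: the deny-parent / allow-child pattern described in the text.
CONSTRUCTED_CONFIG = """
<authentication-methods>
  <authentication action="deny">
    <selector><ip address="192.168.0.42-192.168.0.82"/></selector>
    <authentication action="allow">
      <selector><user name="jdo?"/></selector>
      <auth-publickey/>
    </authentication>
  </authentication>
  <authentication action="allow">
    <auth-publickey/>
    <auth-password/>
  </authentication>
</authentication-methods>
"""


def decide(user_name, ip, passed, user_id=None, privileged=False, config=CONSTRUCTED_CONFIG):
    """'passed' is the set of auth-* methods the client can complete in this session."""
    ctx = {"user_name": user_name, "ip": ip, "passed": set(passed),
           "user_id": user_id, "privileged": privileged}
    return evaluate(ET.fromstring(config), ctx)


if __name__ == "__main__":
    print(decide("jdoe", "192.168.0.50", ["auth-publickey"]))   # allow
    print(decide("jdoel", "192.168.0.50", ["auth-password"]))   # deny
```

Note how the order of the top-level elements matters: a connection from the 192.168.0.42-82 range never reaches the second, permissive element, because the first element's selector already matched. Swapping the two elements would silently let every user in that range authenticate with a password.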
98. curity you want. User authentication methods used by the client by default are in the following order: GSSAPI, public key, keyboard-interactive, and password authentication (if available). Public key and certificate authentication are combined into the public key authentication method. The server allows GSSAPI, public key, keyboard-interactive, and password authentication by default.

    [Figure 5.1 User authentication methods: host-based, password (plain / Kerberos), public key, keyboard-interactive]

    5.1 Server Authentication with Public Keys

    At the beginning of the connection, the server sends its public host key to the client for validation. The key pair used for server authentication is defined on the server in the ssh-server-config.xml file with the following elements:

        <params>
          <hostkey>
            <private file="/etc/ssh2/hostkey" />
            <public file="/etc/ssh2/hostkey.pub" />
          </hostkey>
        </params>

    Giving the public key in the configuration file is not mandatory; it will be derived from the private key if it is not found otherwise. Specifying the public key will, however, decrease start-up time for the software, as deriving the public key is a somewhat time-consuming operation. During the installation process, one RSA key pair with the file names hostkey and hostkey.pub i
99. d as in the authentication-methods element. See the section called Selectors and the section called The authentication-methods Element.

    A sample group element is shown below:

        <!-- (comment text garbled in source) -->
        <group name="partner">
          <selector>
            <ip address="172.16.0.0/12" />
            <user name="sjx" id="24814" />
            <user name="mtx" id="17692" />
          </selector>
          <selector>
            <certificate field="issuer-name" pattern="C=FI, O=Friend Oyj, CN=FriendCA" />
          </selector>
        </group>
        <!-- Remote access -->
        <group name="remote-access">
          <selector>
            <interface address="63.81.17.62" />
          </selector>
        </group>
        <!-- (comment text garbled in source) -->
        <group name="passwd-change">
          <selector>
            <user-password-change-needed />
          </selector>
        </group>
        <group name="backup">
          <selector>
            <user name="backup" />
          </selector>
        </group>

    rule: This element defines a rule for the specified group of users. Rules can be used to restrict the services and commands the server allows to the users. The element can have three attributes: group, idle-timeout, and print-motd. The rules are read in order, and the first rule that matches the user's group is used. The match must be exact; no wild cards are allowed in the gr
100. d click Delete.

    CA Certificates: On the CA Certificates tab, you can define the CA certificates that are trusted for user authentication. To add a CA certificate as trusted, click Add and enter the Name of the CA and the location of the certificate File. The CA Name can be referred to in the selectors on the Authentication page. See Section 4.1.9.

    Disable CRLs: Select the check box to stop using the certificate revocation list. This option should be used for testing purposes only.

    Use expired CRLs: Specify in seconds how long expired CRLs are used.

    To remove a CA from the trusted CAs, select a CA from the list and click Delete.

    4.1.7 Editing Selectors

    On the Connections and Encryption, Authentication, and Services pages, different selectors can be used to set access rules for users based on user parameters such as username or location. Users can be divided into groups dynamically, for example based on the authentication method they used for logging in. On the Services page, each group can then be allowed or denied services such as tunneling, file transfer, and terminal access. See the section called Selectors for more information on selector handling rules.

    The Edit Selector dialog box is opened from the Connections and Encryption, Authentication, and Services pages whenever you create new items that can include selectors. See Figure 4.7.
101.     <auth-keyboard-interactive max-tries="4">
          <submethod-radius>
            <radius-server address="10.1.61.128">
              <radius-shared-secret file="&configdir;/radius-secret-file" />
            </radius-server>
          </submethod-radius>
        </auth-keyboard-interactive>
      </authentication>
      <authentication action="allow" set-group="finance-inspector">
        <selector>
          <user-group name="finance" />
        </selector>
        <auth-password />
      </authentication>
    </authentication>

    In the example above, all users are first required to authenticate using public key authentication. Based on selector matching, a second method also needs to be passed: RADIUS via keyboard-interactive, or password. A group is set based on the matched and passed authentication methods. If a user does not match either of the child authentication elements, access is denied (the parent authentication element has the action set to deny).

    A sample authentication element that sets requirements for certificate authentication is shown below:

        <authentication action="allow">
          <auth-publickey />
          <authentication action="allow" set-group="admin">
            <selector>
              <user-privileged value="yes" />
              <certificate field="ca-list" pattern="exa-ca1,exa-ca2" />
              <certificate field="subject-name" pattern="C=FI, O=SSH, CN=%username%" />
              <certificate field="altna
102. d with root privileges:

        installp -u SSHTectia.Server

    3. If you also want to remove the components that are common with SSH Tectia Client, give the following command:

        installp -u SSHTectia.Common

    Note: The uninstallation procedure removes only the files that were created when installing the software. Any configuration files and host keys have to be removed manually.

    2.3.2 Removing from HP-UX

    To remove SSH Tectia Server from an HP-UX environment, do the following:

    1. Stop SSH Tectia Server with the following command:

        /sbin/init.d/ssh-server-g3 stop

    2. Remove the installation by issuing the following command with root privileges:

        swremove SSHG3server

    3. If you also want to remove the components that are common with SSH Tectia Client, give the following command:

        swremove SSHG3common

    Note: The uninstallation procedure removes only the files that were created when installing the software. Any configuration files and host keys have to be removed manually.

    2.3.3 Removing from Linux

    To remove SSH Tectia Server from a Linux environment, do the following:

    1. Stop SSH Tectia Server with the following command:

        /etc/init.d/ssh-server-g3 stop

    2. Remove the installation by issuing the following command with root privileges:

        rpm -e ssh-tectia-server-<ver>

    In the command
103. dated according to the Federal Information Processing Standard FIPS 140-2. In this mode, the cryptographic operations are performed according to the rules of the FIPS 140-2 standard. The software uses standard libraries by default; the FIPS 140-2 validated libraries are available separately. If the FIPS-certified cryptographic library has been installed, SSH Tectia Server will detect and use it automatically. For a list of platforms on which the FIPS library has been validated or tested, see SSH Tectia Client/Server Product Description.

    Select the Enable FIPS Mode check box to use the FIPS-certified version of the SSH cryptographic library.

    Note: The system does not actually check whether the FIPS-certified version of the library has been installed.

    Banner message file: Specify the path to the message that is sent to the client before authentication. Note, however, that the client is not obliged to show this message.

    Login grace time: Specify a time after which the server disconnects if the user has not successfully logged in. If the value is set to 0, there is no time limit. The default is 600 seconds.

    Proxy scheme: Define rules for HTTP or SOCKS proxy servers that SSH Tectia Server will use when a client forwards a connection (local tunnel). For the format of the proxy scheme, see the description of the settings element in ssh-server-config(5).
104. default SFTP subsystem configuration option of SSH Tectia Server to:

        <subsystem type="sftp" action="deny" />
      </rule>

    8.2 Local Tunnels

    A local (outgoing) tunnel forwards traffic coming to a local port to a specified remote port. Setting up local tunneling allocates a listener port on the local client. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the remote server, and another connection is made from the server to a specified host and port. The connection from the server onwards will not be secure, as it is a normal TCP connection.

    For example, when you use SSH Tectia Client on the command line and issue the following command, all traffic coming to port 1234 on the client will be forwarded to port 23 on the server (see Figure 8.1):

        sshg3 -L 1234:localhost:23 username@sshserver

    The forwarding address in the command is resolved at the remote end point of the tunnel. In this case, localhost refers to the server host (sshserver).

    [Figure 8.1 Simple local outgoing tunnel: SSH Tectia Client / SSH Tectia Connector, outgoing tunnel across the Internet, SSH Tectia Server]

    To use the tunnel, the application to be tunneled is set to connect to the local listener port instead of connecting to the server directly. SSH Tectia Client forwards the connection securely to the remote server.
105. default host key directory (/etc/ssh2 on Unix; C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server on Windows).

    --import-public-key infile outfile: Attempts to import a public key from infile and store it to outfile in SSH2 native format.

    --import-private-key infile outfile: Attempts to import an unencrypted private key from infile and store it to outfile in SSH2 native private key format.

    --import-ssh1-authorized-keys infile outfile: Imports an SSH1-style authorized_keys file infile and generates an SSH2-style authorization file outfile, and stores the keys from infile to generated files in the same directory as outfile.

    Authors: SSH Communications Security Corp. For more information, see http://www.ssh.com.

    See Also: sshg3(1)

    ssh-certview-g3

    ssh-certview-g3: certificate viewer

    Synopsis: ssh-certview-g3 [options] file [[options] file ...]

    Description: The ssh-certview-g3 program (ssh-certview-g3.exe on Windows) is a simple command-line application capable of decoding and showing X.509 certificates, CRLs, and certification requests. The command output is written to the standard output.

    Options: The following options are available:

    -h: Displays a short help.
    -verbose: Gives more diagnostic output.
    -quiet: Gives no diagnostic output.
    -auto: The
106. dentifier.

    729 GSSAPI_auth_error. Level: warning. Origin: SSH Tectia Server. Error in the GSSAPI authentication method. This means that the current user authentication attempt with the GSSAPI method has failed. Default log facility: auth. Arguments: Username (user's login name), Algorithm (publickey), Text (error description), Session-Id (session identifier).

    730 GSSAPI_auth_warning. Level: informational. Origin: SSH Tectia Server. Warning during the GSSAPI authentication method. This means that something abnormal happened during the GSSAPI method, but the method may still complete successfully. Default log facility: auth. Arguments: Username (user's login name), Algorithm (publickey), Text (warning description), Session-Id (session identifier).

    800 Rule_engine_failure. Level: error. Origin: SSH Tectia Server. An internal error occurred in the rule engine. Default log facility: normal. Arguments: Username (the user's login name, if available), Policy name (current authentication or rule element's symbolic name, if available), Text (textual representation of the error), Session-Id (session id, if available).

    801 Authentication_block_selected. Level: informational. Origin: SSH Tectia Server. The server selected an authentication block in the configur
107. dius-shared-secret element.

    submethod-generic: This element sets the generic submethod in use. This element can be used to add custom submethods to keyboard-interactive authentication. The name of the method must be given in the name attribute. Optional params for the submethod can be given as well.

    auth-gssapi: This element sets the GSSAPI authentication method. The dll-path can be given as an attribute. This specifies where the necessary GSSAPI libraries are located. If this attribute is not specified, the libraries are searched for in a number of common locations. The full path to the libraries should be given, for example:

        /usr/src/krb5-1.3.5/src/lib/libkrb5.so,/usr/src/krb5-1.3.5/src/lib/libgssapi_krb5.so

    The allow-ticket-forwarding attribute defines whether the server allows forwarding the Kerberos ticket over several connections. The attribute can have a value of yes or no. The default is no.

    authentication: The authentication elements can be nested within each other. The child method(s) must be passed in addition to the parent method. A sample authentication element is shown below:

        <authentication action="deny">
          <auth-publickey />
          <authentication action="allow" set-group="local-user">
            <selector>
              <ip address="[address garbled in source]" />
              <user name="johnd" />
              <user name="janed" />
            </selector>
            <auth-keyboar
108. e (remote IP address), Local interface ID, Local IP address, Remote port, Local port, Text (textual description of the disconnect reason), Session-Id (session identifier).

    Arguments: Username (the user's login name), Reason (reason for disconnect), Remote host (remote hostname), Remote IP (remote IP address), Local interface ID, Local IP address, Remote port, Local port, Text (textual description of the disconnect reason), Session-Id (session identifier).

    A session channel opening has completed successfully or unsuccessfully. Default log facility: normal. Arguments: Username (user's login name), Success/Error (success or error description), Command (the requested command), Sub-ID (channel number), Session-Id (session identifier).

    421 Session_channel_close. Level: informational. Origin: SSH Tectia Server. A session channel has closed. Default log facility: normal. Arguments: Username (user's login name), Sub-ID (channel number), Session-Id (session identifier).

    422 Forwarding_channel_open. Level: informational. Origin: SSH Tectia Server. A TCP forwarding channel request to the client has completed successfully or unsuccessfully. Default log facility: normal. Arguments: Username, Success/Error, Tunnel type, Listener IP, Listener port, Sub-ID, Session-Id, Text.

    423 Forwarding_channel_close. Level: informational. Origin
109. e. See Section 4.1.10.

    Authentication Methods: To add an authentication method, click Add under Authentication Methods. A dialog box opens (Figure 4.11). Select the method from the list and click OK.

    [Figure 4.11 Adding an authentication method: the Add Authentication Method dialog with the "Select authentication method" list]

    The following authentication methods can be selected:

    - Password
    - Public key
    - Host-based
    - Keyboard-interactive
    - GSSAPI

    Depending on the authentication method, additional settings are available:

    Failure delay, Max tries: For Password and Keyboard-interactive authentication, you can set the delay between failed attempts in seconds (Failure delay) and the maximum number of attempts (Max tries). The default delay is 2 seconds and the default maximum is 3 attempts.

    Require DNS match: For Host-based authentication, select the check box to require the hostname given by the client to match the one found in DNS. If the hostname does not match, the authentication fails.

    Allow ticket forwarding: For GSSAPI authentication, select the check box to allow forwarding the Kerberos ticket over several connections.

    DLL path: For GSSAPI authentication, DLL path specifies the location of the necessary GSSAPI libraries. If this is not specified, the libraries are searched for in a numbe
110. (table of contents)

    7 File Transfer ... 105
    7.1 SSH Tectia Client File Transfer User ... 106
    7.1.1 Encryption and Authentication Methods ... 106
    7.1.2 Restricting Services ... 107
    7.1.3 Settings on the Client Side ... 108
    7.2 Automated File Transfer ... 109
    8 (chapter title garbled in source) ... 111
    8.1 SSH Tectia Connector Tunneling User ... 111
    8.1.1 Using a Shared Account ... 112
    8.1.2 Restricting Services ... 112
    8.2 Local Tunnels ... 114
    8.3 Remote Tunnels ... 116
    8.4 X11 Forwarding (Unix) ... 117
    8.5 Agent Forwarding ... 118
    A Command-Line Tools ... 119
    ssh-server-g3 ... 119
    ssh-server-config-tool ... 121
    ssh-keygen-g3 ... 122
    ssh-certview-g3 ... 125
    ssh-cmpclient-g3 ... 128
    ssh-ekview-g3 ... 135
    B Server Configuration File Syntax ... 137
    C Man Pages and Help ... 149
    D Audit Messages ... 151
    Index ... 181
111. e FQDN in the certificate.

    The patterns of type subject-name, issuer-name, altname-email, and altname-upn can also contain special strings which are processed before comparing the pattern with the user's certificate. These strings are %username% (user's login name), %homedir% (user's home directory), and %hostname% (the name of the host the user is logging from, reverse-mapped from the IP).

    On Windows, using the SSH Tectia Server Configuration tool, certificate authentication rules can be configured on the Authentication page. See Section 4.1.9.

    4. Run ssh-server-config-tool to take the new configuration into use. See ssh-server-config-tool(8). On Windows, click Save to take the new settings into use.

    5.7 Host-Based User Authentication

    Host-based authentication uses a public host key of the client machine to authenticate a user to the remote server. Host-based authentication can be used with SSH Tectia Client on Unix. The SSH Tectia Server can be either a Unix or Windows server. Usually, SSH Tectia Server is also installed on the client machine.

    This provides a non-interactive form of authentication and is best used in scripts and automated processes, such as cron jobs. Host-based authentication can be used to automate backups and file transfers, or in other situations where a user will not be present to input authentication information.

    The nature of any non-interactive login is inherently insecure. Whenever authentication without user chall
112. ectia Server (A/F/T) 5.0 Administrator Manual, p. 129.

    [ssh-cmpclient-g3 command and option table; most of this table is garbled in the source. Recoverable entries:]

    Commands mentioned: RECOVER, REVOKE (with psk, certs, racerts, and template variants), TUNNEL.
    Most of the following commands can accept the following options:
    -o prefix; -O filename; -C file; -T template (the remaining option letters are garbled).
    Perform key backup for subject keys.
    Use this SOCKS server to access the CA.
    Use this HTTP proxy to access the CA.
    Protocol version (1 or 2) of the CA platform. Default is 2.
    Non-interactive mode. All questions answered with "y".
    Key identifiers: key reference number and pre-shared key; file containing refnum and key; iteration count (default 1024).
    Private key URL; polling ID; certificate template; subject LDAP type/value; key usage name; extended key usage name; access URL where the CA listens for requests.

    Key URLs are either valid external key paths or in the format genera
113. ed from the private key. However, specifying the public key will decrease the start-up time for the software, as deriving the public key is a fairly slow operation.

    Certificate file: This setting is active if you have selected Certificate as the key type. Click the ellipsis button to select the host certificate file. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and file name directly in the text field. Click the View button to display the current certificate. Click the Import button to import a private key stored in the Personal Information Exchange (PFX) format. The Select File dialog appears, allowing you to specify the desired file.

    External Key: This setting is active only if you have selected External key as the key type. Enter the Type of the external key (for example, entrust) in the text box. Enter the Initialization info of the external key.

    Please note that all key and certificate files should be located on a local drive. Network or mapped drives should not be used, as the server program may not have proper access rights to them.

    See also Section 5.1, Section 5.2, and Section 5.3.

    4.1.4 Network

    The Network page of the SSH Tectia Server Configuration tool allows you to specify the basic network settings to be used
114. ee http://www.ssh.com.

    See Also: ssh-server-g3(8), ssh-server-config-tool(8), ssh-broker-config(5)

    4.1 Configuration Tool (Windows)

    On Windows, the easiest way to configure the server is to use the SSH Tectia Server Configuration tool. Start the program by clicking the SSH Tectia Server Configuration icon in the SSH Tectia Server program group, or by running the ssh-server-gui.exe program located in the installation directory.

    The SSH Tectia Server Configuration tool displays the settings in a tree structure. Select the desired configuration page by clicking the list displayed on the left.

    4.1.1 SSH Tectia Server

    The SSH Tectia Server page of the Configuration tool allows you to start and stop the server, view the event log, and restore the settings to their default values.

    [Figure: SSH Tectia Server Configuration, SSH Tectia Server page. Pages listed: General, Identity, Network, Logging, Certificate Validation, Connections and Encryption, Authentication, Services. Server Information: Version 5.0.0.538, Type SSH Tectia Server. Server Status: Stopped (Start Server button). Event Log: the server reports important events in the system event log; view event log contents with the View Event Log button. Default Settings: restore factory default settings with the Restore Default Sett
115. element defines whether the certificates are required to be compliant with the DoD PKI (US Department of Defense Public Key Infrastructure). In practice, this means that the Digital Signature bit must be set in the Key Usage of the certificate. The enable attribute can have a value of yes or no. The default is no.

    ca-certificate: This element enables user authentication using certificates. It can have four attributes: name, file, disable-crls, and use-expired-crls. The name attribute must contain the name of the CA. The element must either contain the path to the X.509 CA certificate file as a value of the file attribute, or include the certificate as a base64-encoded ASCII element. CRL checking can be disabled by setting the disable-crls attribute to yes. The default is no.

    Note: CRL usage should only be disabled for testing purposes. Otherwise it is highly recommended to always use CRLs.

    Expired CRLs can be used by setting a numeric value (in seconds) for the use-expired-crls attribute. The default is 0 (do not use expired CRLs).

    A sample cert-validation element is shown below:

        <cert-validation http-proxy-url="http://proxy.example.com:800">
          <ldap-server address="ldap.example.com" port="389" />
          <ocsp-responder validity-period="60" url="https://ca.example.com/ocsp-1" />
          <cert-cache-file
116.      en_failure Session_channel_open Session_channel_close Forwarding_channel_open
          Forwarding_channel_close Forwarding_listener_open Forwarding_listener_close
          Auth_listener_open Auth_listener_close Auth_channel_open Auth_channel_close
        </log-events>
        <log-events facility="normal" severity="security-failure">
          Connection_denied Login_failure
        </log-events>
        <log-events facility="normal" severity="security-success">
          Connect Login_success
        </log-events>
        <log-events facility="normal" severity="warning">
          Algorithm_negotiation_failure KEX_failure Key_store_create_failed
          Key_store_add_provider_failed Key_store_decrypt_failed Key_store_sign_failed
          Key_store_sign_digest_failed
        </log-events>
      </logging>

    Chapter 7 File Transfer

    All versions of SSH Tectia Client and SSH Tectia Server provide the secure file transfer functionality. In addition to that, SSH Tectia Client F and SSH Tectia Server F provide advanced file transfer functionality, such as checkpoint/restart for the transfer of very large files, streaming for high-speed file transfers, and C and
117. enge is permitted, some level of risk must be assumed. If feasible, public key authentication is preferred. SSH Tectia Server provides host-based authentication as a form of non-interactive login that is more secure than the rhosts method used by the Berkeley r-commands, but it cannot resolve the inherent lack of security of non-interactive logins.

    This means that you should take aggressive measures to ensure that any client machine set up for host-based authentication is adequately secured, both by software and hardware, to prevent unauthorized logins to your server.

    Host-based authentication can be enabled either by using traditional public keys or by using certificates. In the following instructions, Server is the SSH Tectia Server to which you are trying to connect, ServerUser is the username on the server that you are logging into, Client is the machine running an SSH Tectia Client, and ClientUser is the username on the client machine that should be allowed to log in to Server as ServerUser.

    5.7.1 Using Traditional Public Keys

    Client Configuration: To enable host-based authentication with traditional public keys on the client, do the following as ClientUser:

    1. Generate a host key. If SSH Tectia Server has been installed on the same machine, the host key pair (/etc/ssh2/hostkey and /etc/ssh2/hostkey.pub) has been gener
118. ent: Text (CRL's issuer and validity period).

    1200 Key_store_create. Level: informational. Origin: SSH Tectia Server, Connection Broker. Key store created. Default log facility: normal.

    1201 Key_store_create_failed. Level: warning. Origin: SSH Tectia Server, Connection Broker. Key store creation failed. Default log facility: normal.

    1202 Key_store_destroy. Level: informational. Origin: SSH Tectia Server, Connection Broker. Key store destroyed. Default log facility: normal.

    1204 Key_store_add_provider. Level: informational. Origin: SSH Tectia Server, Connection Broker. Added a provider to the key store. Default log facility: normal. Arguments: Type, Init info.

    1205 Key_store_add_provider_failed. Level: warning. Origin: SSH Tectia Server, Connection Broker. Adding a provider to the key store failed. Default log facility: normal. Arguments: Type, Init info, EK error.

    1208 Key_store_decrypt. Level: informational. Origin: SSH Tectia Server, Connection Broker. A key was used successfully for decryption. Default log facility: normal. Arguments: Key path, Fwd path.

    1209 Key_store_decrypt_failed. Level: warning. Origin: SSH Tectia Server, Connection Broker. A key was used unsuccessfully for decryption. Default log facility: normal. Arguments: Key path, Fwd path, Crypto error.

    1210 Key_sto
119. eral: Allow connection / Deny connection; Keep connection alive. Rekey Interval: Seconds 3600, Bytes 1000000000. Encryption: Ciphers 3des-cbc, aes128-cbc, aes192-cbc; MACs hmac-md5, hmac-md5-96, hmac-sha1]

    Figure 4.9 SSH Tectia Server Configuration, Connections and Encryption page

    Connections: To add a new connection rule, click Add next to the Connections list. The Selector dialog box opens. See Section 4.1.7 for information on editing the selectors. Only the Interface and IP selectors are relevant for connection rules; for example, the username is not yet available when the connection rules are processed. See the section called Selectors.

    To edit a connection rule, select a connection from the list and click Edit. The Selector dialog box opens. See Section 4.1.7.

    To change the order of the connection rules, choose a connection from the list and click the Up and Down buttons. The rules are read in order, and the first matching connection rule on the list is used.

    To remove a connection rule, select a rule from the list and click Delete.

    General: Select whether the connection is allowed or denied.

    Keep connection alive: Select this check box to send keepalive messages to the other side. If they are sent, a broken connection
120. ernal software modules. The example below initializes the software external key provider, which is used to access keys and certificates on disk, and instructs it to read all keys in /etc/ssh2/hostkeys:

        <params>
          <hostkey>
            <externalkey type="software" init-info="directory(/etc/ssh2/hostkeys)" />
          </hostkey>
        </params>

    Each hostkey element can be used for setting up one external key provider. Each provider may provide any number of keys to the server. It should be noted that, due to the limitations of the SSH2 protocol, having more than one key of each type (RSA, DSA, X.509 certificate with RSA key, and X.509 certificate with DSA key) is discouraged.

    5.4 User Authentication with Passwords

    The password authentication method is the easiest to implement, as it is set up by default. Since all communication is encrypted, passwords are not available to eavesdroppers. On a Unix system, password authentication uses the /etc/passwd or /etc/shadow file, depending on how the passwords are set up. On Windows, password authentication uses the Windows password to authenticate the user at login time.

    To enable password authentication on the server, the authentication-methods element of the ssh-server-config.xml file must contain an auth-password element. For example:

        <authentication-methods>
          <authentication action="allow">
            <auth-password failure-delay="2" max-tries="3" />
          </authentication>
121. ertificate was issued by a trusted CA. In addition, certificate authentication is more convenient because no local database of user public keys is required on the server. It is also easy to deny a user's access to the system by revoking his or her certificate, although this doesn't take effect until the next CRL update, and requires that every other authentication method has been disabled.

    The status of a certificate can be checked either by using the Online Certificate Status Protocol (OCSP) or certificate revocation lists (CRLs), which can be published either in an LDAP or HTTP repository. OCSP is used if the certificate contains a valid Authority Info Access extension or if an ocsp-responder has been defined in the ssh-server-config.xml file. If OCSP fails or is not defined, CRLs are used. The certificate should contain a valid CRL Distribution Point extension, or an LDAP server for CRL fetching should be defined in the ssh-server-config.xml file.

    5.6.1 Certificate Configuration

    To configure the server to allow user authentication with X.509 certificates, perform the following tasks:

    1. Acquire the CA certificate and copy it to the server machine. You can either copy the X.509 certificate(s) as such, or you can copy a PKCS#7 package including the CA certificate(s). Certificates can be extracted from a PKCS#7 package by specifying the -7 flag with ssh-keygen-g3.

    2. Specify the CA certificate and the CRL and OCSP settings in the ssh-server-con
    ...<services>
      <rule>
        <subsystem type="sftp" application="sft-server-g3" chroot="%homedir%" />
      </rule>
    </services>

Disabling Tunneling

If you are sure you or your users do not need to create tunnels (possibly going around firewall restrictions or such), you can disable tunneling (port forwarding) altogether by adding the following to the ssh-server-config.xml file:

    <services>
      <rule>
        <tunnel-local action="deny" />
        <tunnel-remote action="deny" />
      </rule>
    </services>

If you need more fine-grained control, you can define user groups in the services block and apply the restrictions only to the specified groups. Tunneling restrictions can be further defined with the src, dst and listen elements. See Chapter 8 for more information.

Disabling Terminal Access

If you only want to enable file transfers or tunneling for users in group remote-access, you can disable terminal access by adding the following to the ssh-server-config.xml file:

    <services>
      <rule group="remote-access">
        <terminal action="deny" />
      </rule>
    </services>

SSH Tectia Server (A/F/T) 5.0 Administrator Manual, (c) 1995-2005 SSH Communications Security Corp. 108 File Transfer

This setting denies also X11 and agent forwarding and shell commands for the specified group, unless some commands are explicitly allowed. The users will be able to use SFTP and other subsystems defined in the SSH...
...es.

Key update

Before the certificate expires, a new certificate with an updated validity period should be enrolled. ssh-cmpclient-g3 supports key update, where a new private key is generated and the key update request is authenticated with the old, still valid certificate. The old certificate is also used as a template for issuing the new certificate, so the identity of the user will not be changed during the key update.

With the following command you can update the key pair which was enrolled in the previous example. (Presenting the resulting certificate has been left out.)

    $ ssh-cmpclient-g3 UPDATE V dniedeul sory Mett tee \
        -P generate://pkcs8@rsa:1024/updatedcert -o updatedcert \
        http://pki.ssh.com:8080/pkix/ \
        'C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities'

The new key pair can be found in the files with the updatedcert prefix. The policy of the issuing CA needs to also allow automatic key updates if ssh-cmpclient-g3 is used in the UPDATE mode.

Authors

SSH Communications Security Corp. For more information, see http://www.ssh.com.

ssh-ekview-g3

ssh-ekview-g3 - external key viewer

Synopsis

    ssh-ekview-g3 [options] provider

Description

The ssh-ekview-g3 program (ssh-ekview-g3.exe on Windows) allows you to export certificates from external key providers such as Ent...
...ess Translation will not work.

On Windows, using the SSH Tectia Server Configuration tool, host-based authentication can be configured on the Authentication page. See Section 4.1.9.

3. Run ssh-server-config-tool to take the new configuration into use. See ssh-server-config-tool(8). On Windows, click Save to take the new settings into use.

To test that host-based authentication works, log in to Client as ClientUser and run the following command:

    $ sshg3 ServerUser@server uptime

You should get back the results of uptime on the server.

5.7.2 Using Certificates

It is possible to use a certificate instead of the traditional public key pair to authenticate the client host. The endpoint identity check, where the server verifies that the certificate actually belongs to the client that is attempting host-based authentication, is performed according to the following rules:

1. One of the DNS subject alternative names in the client certificate must match the client's fully qualified domain name obtained by doing a reverse lookup on the client's IP address. The alternative names may have an asterisk as the first component, in which case only the domain part is checked.

2. If the client's IP address cannot be reverse-mapped, the IP address is compared to the certificate's IP subject alternative names.

3. If the above...
...fig.xml file. An example is shown below:

    <params>
      <cert-validation socks-server-url="socks://fw.example.com:1080">
        <ldap-server address="ldap.example.com" port="389" />
        <ocsp-responder validity-period="60" url="https://ca.example.com/ocsp-1" />
        <cert-cache-file file="/var/cert-cache.dat" />
        <crl-auto-update update-before="30" minimum-interval="600" />
        <crl-prefetch interval="1800" url="http://ca.example.com/default.crl" />
        <dod-pki enable="no" />
        <ca-certificate name="exa-ca1" file="/etc/ssh2/exa-ca1.crt" />
      </cert-validation>
    </params>

You can define several CA certificates by using several ca-certificate elements. The server will accept only certificates issued by the defined CAs. Only the ca-certificate elements are mandatory; all other configuration items featured above are just examples that may be used as needed.

The SOCKS server must be defined if the OCSP and CRL (LDAP) services are located behind a firewall.

On Windows, using the SSH Tectia Server Configuration tool, the corresponding settings can be made on the Certificate Validation page. See Section 4.1.6.

Certificate authentication is a part of the publickey authentication method. Enable public-key authentication in the ssh-server-config.xml file and create rules that specify which certificates authorize lo...
...g settings by adding source and listener restrictions. To add a source address definition, click Add and select Source. To add a listener address definition, click Add and select Listen. The IP Address or the FQDN (not both) and the Port can be given for the Source definition. The IP Address and the Port can be given for the Listen definition. To delete a tunnel rule, select a rule from the list and click Delete.

Terminal

The Allow terminal setting defines whether terminal access is allowed or denied for the user group. If terminal access is denied, shell commands are also denied unless the commands are specifically allowed on the Commands tab.

Click OK to accept the changes and return to the main SSH Tectia Server Configuration page.

Chapter 5 Authentication

The Secure Shell protocol used by the SSH Tectia client/server solution provides mutual authentication: the client authenticates the server and the server authenticates the client. Both parties are assured of the identity of the other party.

The remote SSH Tectia Server host can authenticate itself using either traditional public-key authentication or certificate authentication.

Different methods can be used to authenticate SSH Tectia Client users. These authentication methods can be combined or used separately, depending on the level of functionality and se...
...gging into which accounts. The following is an example of certificate authentication rules in the ssh-server-config.xml file:

    <authentication-methods>
      <authentication action="allow">
        <auth-publickey />
        <authentication action="allow">
          <selector>
            <certificate field="ca-list" pattern="exa-ca1,exa-ca2" />
            <certificate field="issuer-name" pattern="C=FI, O=SSH, CN=*" />
            <certificate field="subject-name" pattern="C=FI, O=SSH, CN=%username%" />
            <certificate field="serial-number" pattern="123456" />
            <certificate field="altname-email" pattern="%username%@ssh.com" />
            <certificate field="altname-fqdn" pattern="client*.ssh.com" />
            <certificate field="altname-upn" pattern="%username%@ssh" />
            <certificate field="altname-ip" pattern="10.2.3.5" />
          </selector>
        </authentication>
        <authentication action="deny" />
      </authentication>
    </authentication-methods>

In this example, as the last action, access is denied for all users whose certificates were not explicitly allowed. This is not strictly needed, since the server automatically inserts an authentication block named implicit-certificate-deny after the other blocks to catch all certificate authentications that do not match anything else.

Certificate authentication can be restricted using the following field attributes:

ca-list: The pattern is a comma-separated list of CA names. The names that are defined in the ca-certifi...
    >
    <!-- The address will be one of the following:
         ...
         an FQDN pattern (form not checked) -->
    <!ELEMENT ip EMPTY>
    <!ATTLIST ip address CDATA #IMPLIED
                 fqdn    CDATA #IMPLIED>

    <!-- User selector -->
    <!ELEMENT user EMPTY>
    <!ATTLIST user name                CDATA #IMPLIED
                   name-case-sensitive CDATA #IMPLIED
                   id                  CDATA #IMPLIED>

    <!-- User group selector -->
    <!ELEMENT user-group EMPTY>
    <!ATTLIST user-group name                CDATA #IMPLIED
                         name-case-sensitive CDATA #IMPLIED
                         id                  CDATA #IMPLIED>

    <!-- User privileged selector -->
    <!ELEMENT user-privileged EMPTY>
    <!ATTLIST user-privileged value (yes|no) "%default-user-privileged-value;">

    <!-- Selector for users whose password change is needed -->
    <!ELEMENT user-password-change-needed EMPTY>
    <!ATTLIST user-password-change-needed value (yes|no) "%default-user-password-change-needed-value;">

    <!-- Blackboard selector -->
    <!ELEMENT blackboard EMPTY>
    <!ATTLIST blackboard field                  CDATA #REQUIRED
                         pattern                CDATA #IMPLIED
                         pattern-case-sensitive CDATA #IMPLIED>
        >
        <auth-keyboard-interactive max-tries="3" failure-delay="2">
          <submethod-password />
        </auth-keyboard-interactive>
      </authentication>
    </authentication-methods>

On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Section 4.1.9.

5.8.2 Pluggable Authentication Module (PAM) Submethod

Pluggable Authentication Module is an authentication framework used in Unix systems. In SSH Tectia, support for PAM is enabled as a submethod of keyboard-interactive authentication.

When PAM is used, SSH Tectia Server transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells SSH Tectia Server whether or not the authentication was successful. SSH Tectia Server is not aware of the details of the actual authentication method employed by PAM. Only the final result is of interest.

The following example shows settings for keyboard-interactive authentication using the PAM submethod in the ssh-server-config.xml file:

    <authentication-methods>
      <authentication action="allow">
        <auth-keyboard-interactive max-tries="3" failure-delay="2">
          <submethod-pam dll-path="/path/to/pam/dll" />
        </auth-keyb...
...guring SSH Tectia Server

SSH Tectia Server uses an XML-based configuration file (ssh-server-config.xml) that allows flexible implementation of real-life enterprise security policies. The configuration file follows the same logic that is used in setting up a Secure Shell connection:

1. The client initiates a connection to the server.

2. The server checks whether connections from the client address are allowed. The client and server perform key exchange, where the server authenticates itself to the client, and ciphers and MACs are selected for the connection.

3. The server requests the user to authenticate itself to the server. The server may offer a selection of authentication methods, or require several authentication methods to be passed in succession.

4. The server determines the services the client is allowed to use.

The configuration file can be edited with an ASCII text editor or an XML editor; see ssh-server-config(5). On Windows, you can use the included SSH Tectia Server Configuration tool; see Section 4.1.

ssh-server-config

ssh-server-config - SSH Tectia Server configuration file format

The SSH Tectia Server configuration file, ssh-server-config.xml, is a valid XML file. On Unix, the file is stored in the /etc/ssh2 directory. The XML DTD can be found in the /etc/ssh2/ssh-tectia/auxdata/ssh-server-ng directory. On Windows, the file is stored by default in the C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tec...
...he SSH Tectia FAQ and Knowledge Base at http://support.ssh.com.

If you have purchased a maintenance agreement, you are entitled to technical support from SSH Communications Security. Review your agreement for specific terms.

Please see the following page for more information on submitting support requests, feature requests or bug reports, and on accessing the available online resources: http://www.ssh.com/support/contact

Chapter 2 Installing SSH Tectia Server

This chapter contains instructions on installing and removing SSH Tectia Server on the supported Unix, Linux and Windows platforms.

2.1 Planning the Installation

This section lists the supported platforms and gives the necessary prerequisites for the SSH Tectia Server installation.

2.1.1 System Requirements

The following operating systems are supported as SSH Tectia Server (A/F/T) platforms:

• IBM AIX 5L 5.1, 5.2 and 5.3 (POWER)
• HP-UX 11.00 and 11i v1 (11.11) (PA-RISC)
• HP-UX 11i v1.6 (11.22) and 11i v2 (11.23) (IA64)
• Red Hat Enterprise Linux 3 and 4 (x86, POWER, zSeries)
• SUSE LINUX Professional 9.1 and 9.2 (x86...
...he verification of the signature using the public key contained in the X.509 certificate (when doing certificate authentication) are done identically with conventional public keys and certificates. The major difference is in determining whether a specific user is allowed to log in with a specific public key or certificate. With conventional public keys, every server must have every user's public key, whereas with certificates the users' public keys do not have to be distributed to the servers: distributing the public key of the CA (self-signed certificate) is enough.

In brief, certificate authentication works in the following way:

1. The client sends the user certificate (which includes the user's public key) to the server. The packet also contains random data unique to the session, signed by the user's private key.

2. The server uses the CA certificate (and external resources as required) to check that the user's certificate is valid.

3. The server verifies that the user has a valid private key by checking the signature in the initial packet.

4. The server matches the user certificate against the rules in the server configuration file to decide whether login is allowed or not.

Compared to traditional public-key authentication, this method is more secure because the system checks that the user c...
    ...echo "/opt/tectia/bin/scpg3 -B -q $SRV:test test" >> scpg3.get.$DATE
    /opt/tectia/bin/scpg3 -B -q $SRV:test test
    echo >> scpg3.get.$DATE

The script can be set to run as a forced command. See Section 6.1.3.

Chapter 8 Tunneling

Tunneling is a way to forward otherwise unsecured TCP traffic through Secure Shell. Tunneling can provide secure application connectivity, for example, to POP3, SMTP and HTTP-based applications that would otherwise be unsecured.

The Secure Shell v2 connection protocol provides channels that can be used for a wide range of purposes. All of these channels are multiplexed into a single encrypted tunnel and can be used for tunneling (forwarding) arbitrary TCP/IP ports and X11 connections.

The client/server applications using the tunnel will carry out their own authentication procedures, if any, the same way they would without the encrypted tunnel.

The protocol/application might only be able to connect to a fixed port number (e.g. IMAP 143). Otherwise any available port can be chosen for tunneling. For remote (incoming) tunnels, the ports under 1024 (the well-known service ports) are not allowed for the regular users, but are available only for system administrators...
...ings button.

Figure 4.1 SSH Tectia Server Configuration, SSH Tectia Server page

Server Information

The server version, release date and server type (A, F or T) are shown at the top of the page.

Server Status

The server status is displayed on the left. The status can be either Stopped, Starting, Running, Stopping or Failure. To start or stop the server, click the Start Server / Stop Server button.

Event Log

Important events are logged in the system event log. Click the View Event Log button to launch the Event Viewer program that allows you to examine the log contents. See Section 6.2 for more information.

Default Settings

To discard any changes you have made to the configuration settings and restore the factory default values, click the Restore Default Settings button and click OK in the confirmation dialog. Note that the settings will not revert back to the previously saved values but to the initial values that are built into the program.

4.1.2 General

The General page of the SSH Tectia Server Configuration tool contains the general server settings, for example the maximum number of connections, FIPS mode and banner message.

[Figure residue: SSH Tectia Server Configuration dialog, "Configure general server settings"; Identity; Maximum number of connections 256 (0 = unli...]
...l Options

TUNNEL: Operates in RA tunnel mode. Reads requests and optionally modifies the subject name, alternative names and extensions based on the command line. Approves the request and sends it to the CA.

Options

The ssh-cmpclient-g3 command-line options are listed below. Note that when a file name is specified, an existing file with the same name will be overwritten. When subject names or other strings that contain spaces are given on the command line, they should be enclosed in double quotes.

-B
    Requests private key backup to be performed for the initialize, enroll and update commands.

-o prefix
    Saves resulting certificates and CRLs into files with the given prefix. The prefix is first appended by a number, followed by the file extension .crt or .crl depending on the type of object.

-O filename
    Saves the result into the specified absolute filename. If there is more than one result file, the remaining results are rejected.

-C file
    Specifies the file path that contains the CA certificate. If key backup is done, the file name must be given, but in most cases the LDAP name of the CA can be given instead.

-S url
    Specifies the SOCKS URL if the CA is located behind a SOCKS-enabled firewall. The format of the URL is socks://username@server:port/network/bits,network/bits.

-H url
    Uses the given HTTP proxy server to access the CA. The format of the URL is http://server:port.

    Performs encryptio...
...l
  Origin: SSH Tectia Server
  Warning during the password authentication method. This means that something abnormal happened in the password method, but the method may still complete successfully.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Algorithm    password
  Text         Warning description
  Session Id   Session identifier

716 Keyboard-interactive pam auth success
  Level: informational
  Origin: SSH Tectia Server
  The user successfully completed the Keyboard-interactive PAM authentication method.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Algorithm    Keyboard-interactive PAM
  Text         Acceptance description
  Session Id   Session identifier

717 Keyboard-interactive pam auth error
  Level: warning
  Origin: SSH Tectia Server
  Error in the Keyboard-interactive PAM authentication method. This means that the current user authentication attempt with the Keyboard-interactive PAM method has failed.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Algorithm    Authentication method name
  Text         Error description
  Session Id   Session identifier

718 Keyboard-interactive pam auth warning
  Level: informational
  Origin: SSH Tectia Server
  Warning during the Keyboard-interactive PAM authentication method. This means that something...
...led application.

The file transfer (F) server is available for Linux, Unix and Windows platforms. It is a Secure Shell server for SSH Tectia Client and Client F.

The mainframe (M) server is available for IBM z/OS platforms. It is a Secure Shell server for SSH Tectia Connector, Client F and Client.

The tunneling (T) server is available for Linux, Unix and Windows platforms. It is a Secure Shell server for SSH Tectia Connector, Client F and Client (TCP application secured by a Secure Shell connection).

1.2 Documentation Conventions

The following special conventions are used in this document.

Table 1.2 Documentation conventions

  Convention   Usage                                                      Example
  Bold         Menus, GUI elements, strong emphasis                       Click Apply or OK.
  >            Series of menu selections                                  Select File > Save
  Monospace    Filenames, commands, directories, URLs, etc.               Refer to readme.txt
  Italics      Reference to other documents or products, emphasis         See SSH Tectia Client User Manual

Note: Indicates neutral or positive information that emphasizes or supplements important points of the main text. Supplies information that may apply only in special cases (memory limitations, equipment configurations, specific versions of a program).

Caution: Advises users that failure to take or avoid a specified action could result in loss of data.

1.3 Customer Support

If the product documentation does not answer all your questions, you can find t...
...lement. The authentication name can be optionally given as an attribute. This can be used, for example, in auditing.

Caution: Do not leave an authentication element empty in the ssh-server-config.xml file. It will allow the matching users (everyone, if no selectors are used) to log in without authentication.

selector
    The selectors define to which connections this authentication method applies. All selectors can be used in the authentication-methods element. See the section called Selectors and the section called The connections Element.

certificate
    This selector matches a pattern in a specified field of the user certificate. Using this selector requires that the authentication chain contains an auth-publickey element.

    The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip or altname-fqdn. The format of the pattern depends on the type of the field. The ca-list field contains a list of CA names separated by commas. The names that are defined in the ca-certificate element are used. The issuer-name and subject-name fields contain distinguished names, serial-number a positive integer. The altname-fqdn field contains a hostname and altname-ip an IP address or a range. The altname-email field contains an email address...
...les, select a rule from the list and click Up and Down to move it. The rules are read in order, and the rule set that matches the user's group is used. The unnamed rule should be the last on the list.

To edit a rule, select a rule from the list and click Edit. The Rule dialog box opens (Figure 4.14).

To delete a rule element, select an element from the list and click Delete.

Figure 4.14 The Rule dialog box, the Local Tunnels tab (fields shown: Group Name "admin", Idle timeout; tabs Environment Variables, Subsystems, Commands, Local Tunnels, Remote Tunnels; Selections: Local tunnel 1, Up/Down, Add/Delete; Action: Allow/Deny; Definitions: Destination 1, Source/Destination, FQDN imap.example.com, Port)

Group

Enter the Name of the group to which this rule set applies.

The Idle timeout field sets the idle timeout limit in seconds. If the connection (all channels) has been idle this long, the connection is closed. Default is 0 (zero), which disables idle timeouts.

Environment Variables

On the Environment Variables tab you can define the environment variables the user group can set. The variables are given in the Allowed field as a comma-separated list. Allowed variables are normally matched ca...
...master server will launch. The max-connections attribute defines the maximum number of client connections allowed by each servant.

A value of 0 (zero) means that the number of connections or processes uses default values that depend on the operating system. By default, SSH Tectia Server will start with some number of servant processes running. This setting is useful in systems with low resources. The server has to be restarted to use the changed setting.

A sample limits element is shown below:

    <limits max-connections="256" max-processes="40" />

cert-validation

This element contains the CA certificates used in validation of the host-based and public-key authentication certificates.

The element can have two attributes: http-proxy-url and socks-server-url. The http-proxy-url attribute defines an HTTP proxy and the socks-server-url attribute defines a SOCKS proxy for making LDAP or OCSP queries for certificate validity. The address of the proxy is given as the value of the attribute. The format of the address is socks://username@socks_server:port/network/netmask,network/netmask with a SOCKS proxy, or http://username@proxy_server:port/network/netmask,network/netmask with an HTTP proxy.

For example, by setting socks-server-url to socks://mylogin@socks.ssh.com:1080/203.123.0.0/16,198.74.23.0/24, the host socks...
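As an added example (not Tectia code), the following Python parses the socks-server-url / http-proxy-url address format described above into its parts and validates them. The manual's sentence explaining what the listed networks mean is cut off on this page, so the helper via_proxy() below rests on an assumption stated in its comment: destinations inside the listed networks are contacted directly and everything else goes through the proxy. Treat that helper as illustrative of how such a list would be consulted, not as a statement of the product's behaviour.

```python
"""Parse the proxy URL format used by the cert-validation element:
  socks://username@socks_server:port/network/netmask,network/netmask
  http://username@proxy_server:port/network/netmask,network/netmask
Added example, not part of the SSH Tectia manual or product."""
import re
from ipaddress import ip_address, ip_network

# scheme, optional user, host, mandatory port, optional comma-separated network list
URL_RE = re.compile(
    r"^(?P<scheme>socks|http)://"
    r"(?:(?P<user>[^@/:]+)@)?"
    r"(?P<host>[^:/]+)"
    r":(?P<port>\d{1,5})"
    r"(?:/(?P<nets>.*))?$")


def parse_proxy_url(url):
    """Return a dict with scheme, user, host, port and the parsed network list.
    Raises ValueError on malformed input, including bad ports or networks."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not a socks://... or http://... proxy URL: " + url)
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    networks = []
    for item in filter(None, (m.group("nets") or "").split(",")):
        # accepts both prefix lengths (203.123.0.0/16) and dotted masks (203.123.0.0/255.255.0.0)
        networks.append(ip_network(item.strip(), strict=False))
    return {"scheme": m.group("scheme"), "user": m.group("user"),
            "host": m.group("host"), "port": port, "networks": networks}


def via_proxy(proxy, destination):
    """ASSUMPTION of this example: addresses inside the listed networks are
    reached directly; any other destination is sent through the proxy."""
    addr = ip_address(destination)
    return not any(addr in net for net in proxy["networks"])


if __name__ == "__main__":
    p = parse_proxy_url("socks://mylogin@socks.ssh.com:1080/203.123.0.0/16,198.74.23.0/24")
    print(p["host"], p["port"], [str(n) for n in p["networks"]])
    print(via_proxy(p, "198.74.23.17"), via_proxy(p, "10.0.0.5"))  # False True
```

The regex requires an explicit port because the manual's format always shows one; a parser that silently defaulted the port would hide a typo in the configuration.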
  ...me      User's login name
  Algorithm    publickey
  Text         Warning description
  Session Id   Session identifier

711 Hostbased auth error
  Level: warning
  Origin: SSH Tectia Server
  Error in the hostbased authentication method. This means that the current user authentication attempt with the hostbased method has failed.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Algorithm    Authentication method name
  Text         Error description
  Session Id   Session identifier

712 Hostbased auth warning
  Level: informational
  Origin: SSH Tectia Server
  Warning during the hostbased authentication method. This means that something abnormal happened during the hostbased authentication method, but the method may still complete successfully.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Algorithm    Authentication method name
  Text         Warning description
  Session Id   Session identifier

714 Password auth error
  Level: warning
  Origin: SSH Tectia Server
  Error in the password authentication method. This means that the current user authentication attempt with the password method has failed.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Algorithm    password
  Text         Error description
  Session Id   Session identifier

715 Password auth warning
  Level: informationa...
            <certificate field="altname-email" pattern="%username%@ssh.com" />
            <certificate field="altname-upn" pattern="%username%@ssh" />
          </selector>
        </authentication>
        <authentication action="allow">
          <selector>
            <publickey-passed length="1024-2048" />
          </selector>
        </authentication>
        <authentication action="deny" />
      </authentication>

In the example above, privileged users (administrators) are required to pass certificate authentication, and the certificate must contain the correct fields. Other users are allowed to log in using a plain public key of a size from 1024 to 2048 bits.

Specifying an explicit deny action last is necessary in a restrictive policy, as otherwise a non-matching connection would use the implicit default allow rule, which contains the default authentication methods. Alternatively, the action of the parent authentication element can be set to deny.

The services Element

The services element defines the policy for the various services the server offers. The services element contains one or more rules (rule) and optionally defines groups (group).

group
    Creates a group that can be used as a basis for restricting services. Groups are defined based on selectors. If the user was already put into a group during authentication (using the set-group attribute), the group definitions in the services element are ignored.

selector
    The selectors define the users that belong to the group. The same selectors can be use...
...ment from the list and click Up and Down to move it. The methods are read in order, and the first matching method on the list is used. If the method has nested child methods, they are matched next.

To add a nested authentication element, click Add Child. The Edit Selector dialog box opens. See Section 4.1.7 for information on editing the selectors.

To edit the selectors of an authentication element, select an element from the list and click Edit. The Edit Selector dialog box opens. See Section 4.1.7.

To delete an authentication element, select an element from the list and click Delete.

General

Select whether authentication is allowed or denied. If an authentication chain ends in a deny action, the user is not allowed to log in.

In a nested chain of authentication elements it is possible, for example, to set the parent method to deny authentication and a child element with a selector to allow authentication. If the user matches the selector and successfully completes the authentication methods, login is allowed.

Set group

You can optionally enter a group name in the Set group field. This sets a group for the users that pass the particular authentication chain. The group definition can be later used when defining the allowed services for the user. If the group is set here, it overrides any group definitions on the Services pag...
    ...
    <!ATTLIST auth-password failure-delay CDATA "%default-auth-password-failure-delay;"
                            max-tries     CDATA "%default-auth-password-max-tries;">

    <!-- Keyboard-interactive authentication -->
    <!ELEMENT auth-keyboard-interactive (submethod-pam | submethod-password | submethod-securid |
                                         submethod-radius | submethod-generic)*>
    <!ATTLIST auth-keyboard-interactive failure-delay CDATA "%default-auth-kbdint-failure-delay;"
                                        max-tries     CDATA "%default-auth-kbdint-max-tries;">

    <!-- Keyboard-interactive submethods -->

    <!-- PAM -->
    <!ELEMENT submethod-pam EMPTY>
    <!ATTLIST submethod-pam dll-path CDATA #IMPLIED>

    <!-- Password -->
    <!ELEMENT submethod-password EMPTY>

    <!-- SecurID -->
    <!ELEMENT submethod-securid EMPTY>
    <!ATTLIST submethod-securid dll-path CDATA #IMPLIED>

    <!-- RADIUS -->
    <!ELEMENT submethod-radius (radius-server)*>

    <!-- RADIUS server -->
    <!ELEMENT radius-server (radius-shared-secret)?>
    <!ATTLIST radius-server address               CDATA #REQUIRED
                            port                  CDATA "%default-radius-server-port;"
                            timeout               CDATA "%default-radius-server-timeout;"
                            client-nas-identifier CDATA #IMPLIED>

    <!-- Secret file has precedence over PCDATA -->
    <!ELEMENT radius-shared-secret (#PCDATA)>
    <!ATTLIST radius-shared-secret file CDATA #IMPLIED>

    <!-- Generic -->
    <!ELEMENT submethod-generic EMPTY>
    <!ATTLIST submethod-generic ... CDATA
Figure 4.2 SSH Tectia Server Configuration, General page (fields shown: Maximum number of connections, 0 = unlimited; Maximum number of processes 40, 0 = unlimited; FIPS mode: Operate in FIPS mode; Banner message file; Login grace time (seconds); Proxy scheme; User configuration directory)

Maximum number of connections / Maximum number of processes

Specify how many connections and processes at most the server program will handle simultaneously. SSH Tectia Server uses a distributed architecture where the master server process launches several servant server processes that handle the actual connections.

Maximum number of processes defines the maximum number of servant processes the server will launch. Maximum number of connections defines the maximum number of client connections allowed by each servant.

If you specify 0 (zero) as the value, the number of connections or processes uses the default values for the operating system.

Limiting the maximum number of connections is useful in systems where a high load in the server program when opening new connections may cause system overload.

FIPS mode

SSH Tectia Server can be operated in FIPS mode, using a version of the cryptographic library that has been vali...
completed.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Auth method  Authentication method's name
  Session-Id   Session identifier

701 Auth_method_failure
  Level: informational
  Origin: SSH Tectia Server
  An authentication method failed.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Auth method  Authentication method's name
  Session-Id   Session identifier

702 Auth_methods_completed
  Level: informational
  Origin: SSH Tectia Server
  Default log facility: auth
  Argument      Description
  Username      User's login name
  Auth methods  The cumulative list of completed authentication methods
  Session-Id    Session identifier

703 Auth_methods_available
  Level: informational
  Origin: SSH Tectia Server
  The list of authentication methods still available for the user.
  Default log facility: auth
  Argument      Description
  Username      User's login name
  Auth methods  A list of available authentication methods
  Session-Id    Session identifier

705 Auth_error
  Level: warning
  Origin: SSH Tectia Server
  An error occurred during authentication.
  Default log facility: auth
  Argument     Description
  Username     User's login name
  Text         Error description
  Session-Id   Session identifier

706 Auth_warning
  Level: informational
  Origin: SSH Tectia Server
  Argument     Description
  Username     User
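The messages above are the ones an operator has to correlate when an account is being guessed at. What follows is an added example, not code from the manual or from SSH Tectia: a Python parser for lines of this shape and a per-session detector that flags sessions with repeated 701 Auth_method_failure messages or any 705 Auth_error. The message IDs, names and argument names are the documented ones; the syslog prefix and the "Name, Argument: value, ..." layout of the line body, as well as the sample lines themselves, are constructed for the example. Set the threshold to the server's max-tries value so the report lines up with what the server itself enforces.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed syslog prefix and separators; the IDs,
# names and argument names follow the audit message reference).
SAMPLE_LOG = """\
Jan 12 10:00:01 fs1 ssh-server-g3[4112]: 703 Auth_methods_available, Username: alice, Auth methods: publickey,password, Session-Id: 17
Jan 12 10:00:02 fs1 ssh-server-g3[4112]: 701 Auth_method_failure, Username: alice, Auth method: publickey, Session-Id: 17
Jan 12 10:00:05 fs1 ssh-server-g3[4112]: 701 Auth_method_failure, Username: alice, Auth method: password, Session-Id: 17
Jan 12 10:00:09 fs1 ssh-server-g3[4112]: 701 Auth_method_failure, Username: alice, Auth method: password, Session-Id: 17
Jan 12 10:00:12 fs1 ssh-server-g3[4112]: 705 Auth_error, Username: alice, Text: too many failures, Session-Id: 17
Jan 12 10:00:20 fs1 ssh-server-g3[4113]: 700 Auth_method_success, Username: bob, Auth method: publickey, Session-Id: 18
Jan 12 10:00:20 fs1 ssh-server-g3[4113]: 702 Auth_methods_completed, Username: bob, Auth methods: publickey, Session-Id: 18
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[ ]+)\[\d+\]: "
    r"(?P<id>\d{3}) (?P<name>\w+)(?:, (?P<args>.*))?$"
)


def parse_line(line):
    """One audit line -> dict with ts, host, id (int), name, args; None if
    the line is not an audit message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = {}
    for field in (m.group("args") or "").split(", "):
        key, sep, value = field.partition(": ")
        if sep:
            args[key] = value
    return {"ts": m.group("ts"), "host": m.group("host"),
            "id": int(m.group("id")), "name": m.group("name"), "args": args}


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def failure_report(records, threshold=3):
    """Group messages by Session-Id and keep the sessions that saw at least
    `threshold` 701 messages or any 705. 702 marks a completed method."""
    sessions = defaultdict(lambda: {"user": None, "failures": 0, "errors": 0,
                                    "failed_methods": [], "completed": False})
    for r in records:
        s = sessions[r["args"].get("Session-Id")]
        s["user"] = r["args"].get("Username", s["user"])
        if r["id"] == 701:
            s["failures"] += 1
            s["failed_methods"].append(r["args"].get("Auth method"))
        elif r["id"] == 705:
            s["errors"] += 1
        elif r["id"] == 702:
            s["completed"] = True
    return {sid: s for sid, s in sessions.items()
            if s["failures"] >= threshold or s["errors"] > 0}


if __name__ == "__main__":
    for sid, s in failure_report(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid}: user={s['user']} failures={s['failures']} "
              f"methods={s['failed_methods']} errors={s['errors']}")
```

Grouping by Session-Id rather than by username is deliberate: a legitimate user whose public key is refused and who then types the password once produces one 701 per session, while a guessing client accumulates them within the same session until the server emits 705.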
Patterns are normally matched case-insensitively. Alternatively, the pattern can be specified using the Pattern case sensitive attribute.

User
This selector matches to a user Name or ID. A list of usernames or IDs can be given as a comma-separated list. Names are normally matched case-insensitively. Alternatively, the names can be specified using the Name case sensitive attribute.

User group
This selector matches to a user group Name or ID. A list of user group names or IDs can be given as a comma-separated list. Names are normally matched case-insensitively. Alternatively, the names can be specified using the Name case sensitive attribute.

User privileged
This selector matches to a privileged user (administrator or root) or to a non-privileged user. Select the Value check box to match to a privileged user, or clear it to match to a normal user.

Blackboard
This selector matches to a Pattern in a specified blackboard Field. Patterns are normally matched case-insensitively. Alternatively, the pattern can be specified using the Pattern case sensitive attribute.

Public key passed
This selector matches if authentication is passed using a normal public key (without a certificate). Optionally, the Length range of the public key can be given as an attribute, for example 1024-2048.
in LDAP order.

-utf8
Prints names in UTF-8.

-latin1
Prints names in ISO-8859-1.

-base10
Outputs big numbers in base 10 (default).

-base16
Outputs big numbers in base 16.

-base64
Outputs big numbers in base 64.

-width number
Sets the output width (number characters).

Example
For example, using a certificate downloaded from pki.ssh.com, when the following command is given:

$ ssh-certview-g3 -width 70 ca-certificate.cer

the following output is produced:

Certificate =
  SubjectName = <C=FI, O=SSH Communications Security Corp, CN=Secure
    Shell Test CA>
  IssuerName = <C=FI, O=SSH Communications Security Corp, CN=Secure
    Shell Test CA>
  SerialNumber= 34679408
  SignatureAlgorithm = rsa-pkcs1-sha1
  Certificate seems to be self-signed.
      * Signature verification success.
  Validity =
    NotBefore = 2003 Dec  3rd, 08:04:27 GMT
    NotAfter  = 2005 Dec  2nd, 08:04:27 GMT
  PublicKeyInfo =
    PublicKey =
      Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
      Modulus n  (1024 bits) :
        9635680922805930263476549641957998756341022541202937865240553
        9374740946079473767424224071470837728840839320521621518323377
        3593102350415987252300817926769968881159896955490274368606664
        0759644131690750532665266218696466060377799358036735475902257
        60860985629193639634709266901
proof of possession, if the CA supports it. In this method of PoP the request is not signed; instead, the PoP is established based on the ability to decrypt the certificates received from the CA. The CA encrypts the certificates with the user's public key before sending them to the user.

-v num
Selects the CMP protocol version. This is either value 1, for an RFC 2510 based protocol, or 2 (the default) for CMPv2.

-N file
Specifies a file to be used as an entropy source during key generation.

The usage line uses the following meta commands:

psk
The reference number and the corresponding key value given by the CA or RA.

-p refnum:key|file
refnum and key are character strings shared among the CA and the user. refnum identifies the secret key used to authenticate the message. The refnum string must not contain colon characters. Alternatively, a filename containing the reference number and the key can be given as the argument.

-i number
number indicates the key hashing iteration count.

certs
The user's existing key and certificate for authentication.

-k url
URL specifying the private key location. This is an external key URL whose format is specified in the section called Synopsis.

-c file
Path to the file that contains the certificate issued to the public key given in the -x op
an alternative IP address are given, as well as key usage flags. The CA address is pki.ssh.com, the port 8080, and the CA name to access is "Test CA 1".

$ ssh-cmpclient-g3 INITIALIZE \
    -P generate://pkcs8:rsa:1024/initial -o initial -p 62154:ssh \
    -s "C=FI,O=SSH,CN=Example/initial" -S ip:1.2.3.4 -u digitalsignature \
    http://pki.ssh.com:8080/pkix/ \
    "C=FI, O=SSH Communications Security Corp, CN=SSH Test CA 1 No Liabilities"

As a response, the command presents the issued certificate to the user, and the user accepts it by typing yes at the prompt.

Certificate =
  SubjectName = <C=FI, O=SSH, CN=Example/initial>
  IssuerName = <C=FI, O=SSH Communications Security Corp,
    CN=SSH Test CA 1 No Liabilities>
  SerialNumber= 8017690
  SignatureAlgorithm = rsa-pkcs1-sha1
  Validity = ...
  PublicKeyInfo = ...
  Extensions =
    Viewing specific name types:
      IP = 1.2.3.4
    KeyUsage = DigitalSignature
    CRLDistributionPoints = ...
    AuthorityKeyID =
      KeyId = ...
    SubjectKeyID =
      KeyId = 6c f4 0e ba b9 ef 44 37 db ad 1f fc 46 e0 25 9f c8 ce cb da
  Fingerprints =
    MD5 = ...
    SHA-1 = ...

Do you accept the certificate above? y
generated during the installation. Key generation may take several minutes on slower machines.

3. The installation should restart the server automatically. If the server does not start (because of a missing license, for example), you can start it after correcting the problem by issuing the command:

   /etc/init.d/ssh-server-g3 start

2.2.4 Installing on Solaris

SSH Tectia Server is available for Sun Solaris on the SPARC architecture. SSH Tectia Server includes support for Entrust certificates on Solaris 7 and 8. The necessary libraries are automatically included in the installation.

On the CD-ROM, the installation packages for Solaris are located in the install/solaris directory. Two packages are required: one for the common components of SSH Tectia Client and Server, and another for the specific components of SSH Tectia Server.

To install SSH Tectia Server on Solaris, do the following:

1. (Not necessary in third-digit maintenance updates.) Copy the license file to the /etc/ssh2/licenses directory. See Section 2.1.3. If this is the initial installation of SSH Tectia Server 5.x, the directory does not yet exist. You can either create it manually or copy the license after the installation. In the latter case, you have to start the server manually after copying the license file.

2. Unpack the
  Argument     Description
  Username     The user's login name
  Policy name  A symbolic name for the rule
  Session-Id   Session identifier

1000 KEX_failure
  Level: warning
  Origin: SSH Tectia Server, Connection Broker
  The key exchange failed.
  Default log facility: normal
  Argument     Description
  Username     User's login name (not present for first KEX)
  Algorithm    KEX algorithm name (not present if the failure happens before choosing the algorithm)
  Text         Error description
  Session-Id   Session identifier (not present for first KEX)

1001 Algorithm_negotiation_failure
  Level: warning
  Origin: SSH Tectia Server, Connection Broker
  Algorithm negotiation failed: there was no common algorithm in the client's and server's lists.
  Default log facility: normal
  Argument           Description
  Username           User's login name (not present for first KEX)
  Algorithm          Algorithm type
  Client algorithms  Client's algorithm list
  Server algorithms  Server's algorithm list
  Session-Id         Session identifier (not present for first KEX)

1002 Algorithm_negotiation_success
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  Algorithm negotiation succeeded.
  Default log facility: normal
  Argument     Description
  Username     User's login name (not present for first KEX)
  Text         Negotiated algorithms
  Session-Id   Session identifier (not present for first KEX)
This element specifies an OCSP (Online Certificate Status Protocol) responder service address in URL format (url). Several OCSP responders can be specified by using several ocsp-responder elements. If the certificate has a valid Authority Info Access extension with an OCSP Responder URL, it is used instead of this setting. Note that for the OCSP validation to succeed, both the end-entity certificate and the OCSP Responder certificate must be issued by the same CA. The validity period (in seconds) for the OCSP data can optionally be defined. During this time, new OCSP queries for the same certificate are not made; the old result is used instead. A long validity period therefore also sets how long a revoked certificate keeps being accepted after revocation.

cert-cache-file
This element specifies the name of the file where the certificates and CRLs are stored when the SSH Tectia Server service is stopped, and read back in when the service is restarted.

crl-auto-update
This element turns on the CRL auto-update feature. When it is on, SSH Tectia Server periodically tries to download the new CRL before the old one has expired. The update-before attribute can be used to specify how many seconds before the expiration the update takes place. The minimum-interval attribute sets a limit for the maximum update frequency; the default minimum interval is 30 seconds.

crl-prefetch
This element instructs SSH Tectia Server to periodically download a CRL from the specified url. The interval attribute specifies how often the CRL is downloaded. The default is 3600 seconds.

dod-pki
This
to confirm.

Note: The uninstallation procedure removes only the files that were created when installing the software. Any configuration files and host keys have to be removed manually.

Chapter 3 Getting Started

This chapter provides information on how to get started with SSH Tectia Server software after it has been successfully installed.

Before you proceed, please see the separate document SSH Tectia Client/Server Product Description for background information, such as choosing the authentication method.

The default configuration of SSH Tectia Server is aimed toward usability. Chapter 6, Chapter 7, and Chapter 8 give advice on configuring the servers for their intended use.

3.1 Location of Installed Files

This section lists the locations of the installed executables, configuration files, key files, and the license file.

3.1.1 File Locations on Unix

On Unix platforms, the SSH Tectia Server files are located in the following directories:

- /etc/ssh2/
- /etc/ssh2/ssh-server-config.xml: server configuration file, see ssh-server-config(5)
- /etc/ssh2/hostkey: default server host private key file
- /etc/ssh2/hostkey.pub: default server host public key file (not required)
- /etc/ssh2/licenses/: license file directory, see Section 2.1.3
- /etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/: server configuration file DTD
      </auth-keyboard-interactive>
    </authentication>
  </authentication-methods>

On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Section 4.1.9.

Note: SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers SSH Tectia applications.

5.8.3 RSA SecurID Submethod

RSA SecurID is a widely used two-factor authentication method based on the use of SecurID Authenticator tokens. In SSH Tectia, support for RSA SecurID is enabled as a submethod of keyboard-interactive authentication.

To use SecurID authentication, you should be familiar with the operation of RSA ACE/Server (RSA Authentication Manager).

The following example shows settings for keyboard-interactive authentication using the SecurID submethod in the ssh-server-config.xml file:

  <authentication-methods>
    <authentication action="allow">
      <auth-keyboard-interactive max-tries="3" failure-delay="2">
        <submethod-securid dll-path="/path/to/securid/dll" />
      </auth-keyboard-interactive>
    </authentication>
  </authentication-methods>

On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Section 4.1.9.
on x86-based processor architectures with SSH Tectia Server F and Server T. It allows increased file transfer speeds for large file transfers. To use CryptiCore, include the following in the ssh-server-config.xml file:

  <connections>
    <connection action="allow" tcp-keepalive="no">
      <rekey seconds="3600" bytes="1000000000" />
      <cipher name="crypticore128@ssh.com" />
      <mac name="crypticore-mac@ssh.com" />
    </connection>
  </connections>

Enabling Public Key Authentication

To enable public key authentication on the server, include the following in the ssh-server-config.xml file:

  <authentication-methods login-grace-time="600">
    <banner-message />
    <auth-file-modes strict="yes" mask-bits="022" />
    <authentication>
      <auth-publickey />
    </authentication>
  </authentication-methods>

The auth-file-modes element should be set to strict. This specifies that SSH Tectia Server (on Unix) checks the permissions and ownership of the user's key files used for public key authentication, and refuses keys kept in files or directories that other users could write to.

7.1.2 Restricting Services

If SSH Tectia Server is used for file transfer only, it is typically sensible to disable tunneling and terminal access to the server.

Enabling the SFT Subsystem

The secure file transfer subsystem can be defined in the ssh-server-config.xml file's
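What strict mode protects against is a key directory that another local user can write into: without the check, such a user could drop their own public key into authorized_keys and log in as the victim. The following is an added example, not SSH Tectia code, showing the check in Python for a Unix home directory. Each path is tested for ownership by the user and for any permission bit named in mask-bits; the set of paths examined (the home directory, .ssh2, authorized_keys and every file in it) and the rule that symbolic links are rejected are this example's assumptions about the server's algorithm, not taken from the manual. It builds a throwaway home directory with one correctly protected key and one world-writable key, so it runs stand-alone.

```python
import os
import stat
import tempfile


def mode_violates_mask(mode, mask_bits="022"):
    """True if any permission bit named in mask-bits (an octal string, as in
    <auth-file-modes mask-bits="022"/>) is set on the file mode."""
    return (stat.S_IMODE(mode) & int(mask_bits, 8)) != 0


def check_one(path, expected_uid, mask_bits="022"):
    """Problems found for one file or directory. Assumed policy (an
    illustration of the strict check, not Tectia's exact algorithm): the
    object must be owned by the user, must not be a symbolic link, and must
    not carry any permission bit from the mask."""
    st = os.lstat(path)
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: symbolic link")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if mode_violates_mask(st.st_mode, mask_bits):
        problems.append(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} sets bits from mask {mask_bits}")
    return problems


def check_user_keys(home, expected_uid, mask_bits="022"):
    """Check $HOME, $HOME/.ssh2, its authorized_keys directory and every file
    in it. Returns the list of problems; an empty list means the check passes."""
    ssh2 = os.path.join(home, ".ssh2")
    ak = os.path.join(ssh2, "authorized_keys")
    paths = [home, ssh2, ak]
    if os.path.isdir(ak):
        paths += [os.path.join(ak, name) for name in sorted(os.listdir(ak))]
    problems = []
    for path in paths:
        if os.path.lexists(path):
            problems.extend(check_one(path, expected_uid, mask_bits))
    return problems


def build_demo_home():
    """Throwaway home directory (constructed test data): one key file with
    sane permissions and one that is group- and world-writable."""
    home = tempfile.mkdtemp()
    ssh2 = os.path.join(home, ".ssh2")
    ak = os.path.join(ssh2, "authorized_keys")
    os.makedirs(ak)
    for directory, mode in ((home, 0o755), (ssh2, 0o700), (ak, 0o700)):
        os.chmod(directory, mode)
    for name, mode in (("good.pub", 0o644), ("bad.pub", 0o666)):
        path = os.path.join(ak, name)
        with open(path, "w") as f:
            f.write("---- BEGIN SSH2 PUBLIC KEY ---- (constructed placeholder)\n")
        os.chmod(path, mode)
    return home


def run_demo(mask_bits="022"):
    """Run the check over the constructed home directory as the current user."""
    return check_user_keys(build_demo_home(), os.getuid(), mask_bits)


if __name__ == "__main__":
    for problem in run_demo():
        print(problem)
```

The mask is applied with a bitwise AND, which is the point of expressing it as mask-bits: 022 forbids group and world write on every object in the chain, and a laxer mask such as 002 would still let a group-writable authorized_keys directory through.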
or crash of one of the machines will be properly noticed. This also means that connections will die if the route is down temporarily.

Rekey Interval
Specify the number of Seconds or transferred Bytes after which the key exchange is done again. If a value for both Seconds and Bytes is specified, rekeying is done whenever one of the values is reached, after which the counters are reset. The defaults are 3600 seconds (1 hour) and 1000000000 bytes (1 GB). The value 0 (zero) turns rekey requests off. This does not prevent the client from requesting rekeys.

Encryption
Under Encryption, select the Ciphers and MACs allowed for the connection from the list. To select several ciphers or MACs, hold down the Shift key while clicking.

4.1.9 Authentication

On the Authentication page, you can configure the allowed and required user authentication methods.

Authentication options are specified as chains of authentication elements. An authentication element can include one or more selectors and different authentication methods. It may also include other authentication elements, forming an authentication chain. Nesting authentication elements within each other sets the child methods as required: all must be passed for the authentication to be successful. Setting multiple authentication elements at the same level sets them as optional: one of the methods must be passed for the authentication to be successful. The selectors define to which users
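The required/optional distinction above is easy to get backwards in a real policy, and a chain that was meant to demand two factors can silently accept one. The following added example (not code from the manual or the product) evaluates a chain in Python with the rules as stated: a nested authentication element is an additional requirement, and sibling elements are alternatives. It also assumes that methods listed directly in one element are alternatives, which is how Section 5.5's "other authentication methods can be allowed" reads; selectors are ignored. The constructed policy allows a plain public-key login, or a password login that must then also pass keyboard-interactive; a second constructed policy shows an element with action="deny". available_methods returns what message 703 Auth_methods_available would list once some methods have passed.

```python
import xml.etree.ElementTree as ET

# Constructed policy for the example, in the element names of ssh-server-config.xml.
POLICY = """
<authentication-methods login-grace-time="600">
  <authentication action="allow">
    <auth-publickey />
  </authentication>
  <authentication action="allow">
    <auth-password />
    <authentication action="allow">
      <auth-keyboard-interactive />
    </authentication>
  </authentication>
</authentication-methods>
"""

# Second constructed policy: password logins are explicitly denied.
DENY_POLICY = """
<authentication-methods>
  <authentication action="deny">
    <auth-password />
  </authentication>
  <authentication action="allow">
    <auth-publickey />
  </authentication>
</authentication-methods>
"""

METHOD_PREFIX = "auth-"


def decide(elem, passed):
    """Return the action ("allow"/"deny") this element settles on, or None if
    it is not satisfied by the methods in `passed` (a set of element names).
    Assumed rules: methods directly inside the element are alternatives and
    at least one must have passed (no methods = matches unconditionally);
    nested <authentication> children are then a further requirement, and
    the first satisfied child decides."""
    methods = [c.tag for c in elem if c.tag.startswith(METHOD_PREFIX)]
    if methods and not any(m in passed for m in methods):
        return None
    children = elem.findall("authentication")
    if not children:
        return elem.get("action", "allow")
    for child in children:
        result = decide(child, passed)
        if result is not None:
            return result
    return None


def login_allowed(policy_xml, passed):
    """True only if some top-level element is satisfied and it decides allow.
    Top-level elements are alternatives, tried in document order."""
    root = ET.fromstring(policy_xml)
    for elem in root.findall("authentication"):
        result = decide(elem, passed)
        if result is not None:
            return result == "allow"
    return False


def available_methods(policy_xml, passed):
    """Methods the client may still try, given what has already passed;
    empty once the chain has reached a decision."""
    root = ET.fromstring(policy_xml)
    if any(decide(e, passed) is not None for e in root.findall("authentication")):
        return []
    out = []

    def walk(elem):
        methods = [c.tag for c in elem if c.tag.startswith(METHOD_PREFIX)]
        if methods and not any(m in passed for m in methods):
            out.extend(m for m in methods if m not in out)
            return
        for child in elem.findall("authentication"):
            walk(child)

    for elem in root.findall("authentication"):
        walk(elem)
    return out


if __name__ == "__main__":
    for passed in (set(), {"auth-publickey"}, {"auth-password"},
                   {"auth-password", "auth-keyboard-interactive"}):
        print(sorted(passed), "->", login_allowed(POLICY, passed),
              "still available:", available_methods(POLICY, passed))
```

The case worth checking against your own configuration is the third one: a password alone does not complete the chain, because the keyboard-interactive element is nested inside the password element rather than placed beside it. Flattening the two into siblings would turn the intended two-step login into "either one".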
possible to send the public host key to the users via an unalterable method. The users can save the key in the $HOME/.ssh2/hostkeys directory on Unix or in the %USERPROFILE%\Application Data\SSH\HostKeys directory on Windows as key_port_host.pub, for example key_22_banana.ssh.com.pub. In this case, a manual fingerprint check is not needed. SSH Tectia Manager can distribute the host keys to these directories automatically.

5.2 Server Authentication with Certificates

Server authentication with certificates happens similarly to server authentication with public keys, except that the possibility of a man-in-the-middle attack during the first connection to a particular server is eliminated. The signature of a certification authority in the server certificate guarantees the authenticity of the server certificate even in the first connection, provided that the client trusts only the CA that is expected to issue the server's certificate.

A short outline of the server authentication process with certificates is detailed below:

1. The server sends its certificate (which contains a public key) to the client. The packet also contains random data unique to the session, signed by the server's private key.

2. As the server certificate is signed with the private key of a certification authority (CA), the client can verify the validity of the server certificate by using the CA certificate.

3. The client checks that the certificate matches the name of the server. This check can be disabled by setting the end-point-identity-check attribute of
group attribute. If no group is specified, the rule matches to all users.

The idle-timeout attribute sets the idle timeout limit in seconds. If the connection (all channels) has been idle this long, the connection is closed. The default is 0 (zero), which disables idle timeouts.

The print-motd attribute defines whether the message of the day (/etc/motd) is printed when a user logs in interactively to a Unix server. The value must be yes or no. The default is yes.

Each rule can contain environment, terminal, subsystem, tunnel-agent, tunnel-x11, tunnel-local, tunnel-remote, and command elements. An empty rule allows the specified group to perform all actions. A default (unnamed) rule allows all users access to all services. The unnamed rule should be kept as the last rule so that it will match users who are not set in any group, but you should edit the rule according to your security policy.

environment
This element defines the environment variables the user group can set. The variables are given as a value of the allowed attribute. By default, the user can set the TERM, PATH, TZ, LANG, and LC_* variables. Allowed variables are normally matched case-insensitively. Alternatively, the variables can be specified using the allowed-case-sensitive attribute. Keep this list as short as the users' sessions need; a variable that changes how the login shell or forced commands load code (the dynamic linker's LD_* variables, for instance) should never be in it.

terminal
This element defines whe
The command can be either start, stop, restart, or reload.

start
Start the server.

stop
Stop the server. Existing connections stay open until closed from the client side.

restart
Start a new server process. Existing connections stay open using the old server process. The old process is closed after the last old connection is closed from the client side.

reload
Reload the configuration file. Existing connections stay open.

Options

When the ssh-server-g3 command is used directly, it accepts the following options:

-D, --debug LEVEL
Sets the debug level.

-f, --config-file FILE
Specifies the configuration file to be used.

-h, --help
Prints a short summary of command-line options and exits.

-H, --hostkey FILE
Specifies the host key file to be used.

-l, --listen ADDRESS:PORT
Specifies the listen address and port. If ADDRESS is unspecified, listen on any IP address.

-n, --num-processes NUM
Sets the initial number of servant processes.

-V, --version
Prints the program version string and exits.

--plugin-path PATH
Sets the path to the plugin directory.

--auxdata-path PATH
Sets the path to the auxiliary data directory.

--libexec-path PATH
Sets the path to the libexec directory.

--allowed-ciphers LIST
Sets a list of allowed ciphers.

--allowed-macs LI
For more information, see http://www.ssh.com

See Also
ssh-certview-g3(1), ssh-server-config(5)

Appendix B Server Configuration File Syntax

The DTD of the server configuration file is shown below:

<!--                                                                      -->
<!-- secsh-server.dtd                                                     -->
<!--                                                                      -->
<!-- Author: Markku Rossi <mtr@ssh.com>                                   -->
<!--         Sami Lehtinen <sjl@ssh.com>                                  -->
<!--                                                                      -->
<!-- Copyright (c) 2002-2005 SSH Communications Security Corp,            -->
<!-- Helsinki, Finland. All rights reserved.                              -->
<!--                                                                      -->
<!-- Document type definition for SecSh server XML configuration files.   -->
<!--                                                                      -->

<!-- Tunable parameters used in the policy. -->

<!-- Default connection action. -->
<!ENTITY default-connection-action "allow">

<!-- Default terminal action. -->
<!ENTITY default-terminal-action "allow">

<!-- Default subsystem action. -->
<!ENTITY default-subsystem-action "allow">

<!-- Default user privileged value. -->
<!ENTITY default-user-privileged-value "yes">

<!-- Default user password change needed value. -->
<!ENTITY default-user-password-change-needed-value "yes">

<!-- Default tunnel action. -->
<!ENTITY default-tunnel-action "allow">
pattern is not checked.

Certificate
This selector matches to a Pattern in a specified Field of the user certificate. The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqdn. The format of the pattern depends on the type of the field. The ca-list field contains a list of CA names separated by commas; the names that are defined in the ca-certificate element are used. The issuer-name and subject-name fields contain distinguished names, serial-number a positive integer. The altname-fqdn field contains a hostname and altname-ip an IP address or a range. The altname-email field contains an email address and altname-upn the principal name.

The altname-fqdn, altname-upn, altname-email, subject-name, and issuer-name selectors may contain the %username% keyword, which is replaced with the user's name before comparing with the actual certificate data. The %hostname% keyword can be used in the same way; it is replaced by the client's FQDN. These patterns may also contain the "*" and "?" globbing characters. Patterns are normally matched case-insensitively. Alternatively, the pattern can be specified using the Pattern case sensitive attribute.

When more than one CA is configured, pair a name-based selector with a ca-list selector in the same rule; a name pattern on its own is satisfied by a certificate with a matching name from any of the configured CAs.

Host certificate
This selector matches to a Pattern in a specified Field of the client host certificate. The field can be either ca-list, issuer-name, subject-name, serial-number, altname-email, altname-upn, altname-ip, or altname-fqd
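The pattern rules for the certificate selectors, and the same globbing that the environment element's allowed list uses in the services rules, as an added Python example (not code from the product). It assumes the keywords are written %username% and %hostname%, that an altname-ip pattern is a single address, a CIDR network or a low-high range (the range syntax is this example's choice), and it uses a plain dict of constructed values in place of a parsed certificate. The ca-list field is left out because the example has no CA configuration to resolve names against.

```python
import fnmatch
import ipaddress


def expand_keywords(pattern, username, hostname):
    """%username% and %hostname% are substituted before comparison."""
    return pattern.replace("%username%", username).replace("%hostname%", hostname)


def glob_match(value, pattern, case_sensitive=False):
    """'*' and '?' globbing, case-insensitive unless the case-sensitive
    attribute is set. fnmatchcase is used so that the casing rule is ours,
    not the platform's."""
    if not case_sensitive:
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)


def ip_match(addr, spec):
    """spec: one address, a CIDR network, or 'low-high' (assumed range syntax)."""
    a = ipaddress.ip_address(addr)
    if "/" in spec:
        return a in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return lo <= a <= hi
    return a == ipaddress.ip_address(spec)


GLOB_FIELDS = {"subject-name", "issuer-name", "altname-email", "altname-upn", "altname-fqdn"}


def certificate_selector(cert, field, pattern, username, hostname, case_sensitive=False):
    """Evaluate one certificate selector. `cert` maps field name -> value and
    stands in for the parsed certificate; a field the certificate lacks never
    matches."""
    value = cert.get(field)
    if value is None:
        return False
    if field in GLOB_FIELDS:
        return glob_match(value, expand_keywords(pattern, username, hostname), case_sensitive)
    if field == "altname-ip":
        return ip_match(value, pattern)
    if field == "serial-number":
        return int(value) == int(pattern)
    raise ValueError(f"unsupported field {field!r}")


def env_var_allowed(name, allowed="TERM,PATH,TZ,LANG,LC_*", case_sensitive=False):
    """The environment element's allowed list, matched with the same globbing."""
    return any(glob_match(name, p.strip(), case_sensitive) for p in allowed.split(","))


# Constructed certificate contents for the demonstration.
CERT = {
    "subject-name": "C=FI,O=Example,CN=alice",
    "issuer-name": "C=FI,O=Example,CN=Example Issuing CA",
    "altname-upn": "alice@EXAMPLE.COM",
    "altname-fqdn": "alice-pc.example.com",
    "altname-ip": "10.1.2.3",
    "serial-number": "8017690",
}

if __name__ == "__main__":
    who = dict(username="alice", hostname="alice-pc.example.com")
    print(certificate_selector(CERT, "altname-upn", "%username%@example.com", **who))
    print(certificate_selector(CERT, "subject-name", "*,CN=%username%", **who))
    print(certificate_selector(CERT, "altname-ip", "10.1.2.0/24", **who))
```

Two details matter operationally. The case-insensitive default means "alice@EXAMPLE.COM" and "alice@example.com" are the same principal to the selector, so turn on case sensitivity only where the issuing CA guarantees consistent casing. And a pattern such as "*,CN=%username%" anchors on the last RDN only; if the CA issues certificates with the CN anywhere else, the selector needs the full DN.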
script is different on each operating system:

On AIX: /opt/tectia/sbin/rc.ssh-server-g3 command
On Linux and Solaris: /etc/init.d/ssh-server-g3 command
On HP-UX: /sbin/init.d/ssh-server-g3 command

3.2.2 Starting and Stopping on Windows

To start and stop SSH Tectia Server on Windows, use the Services console:

1. From the Start menu, open the Windows Control Panel and double-click Administrative Tools.
2. Double-click Services. The Services console opens.
3. From the list, right-click SSH Tectia Server. From the shortcut menu you can now Start, Stop, Pause, Resume, or Restart the server.

If the server is paused, the existing connections will stay open but the server will not accept new connections.

Figure 3.2 Starting and stopping SSH Tectia Server from the Windows Services console

3.3 Examples of Use

For examples of using SSH Tectia Server, see the Compatibility Note documents at http://www.ssh.com/products/material/compatability/

Chapter 4 Confi
generator

Synopsis
ssh-keygen-g3 [options] [key1 key2 ...]

Description
ssh-keygen-g3 (ssh-keygen-g3.exe on Windows) is a tool that generates and manages authentication keys for Secure Shell. Each user wishing to use a Secure Shell client with public key authentication can run this tool to create authentication keys. Additionally, the system administrator can use this to generate host keys for the Secure Shell server.

By default, if no path for the key files is specified, the key pair is generated under the user's home directory ($HOME/.ssh2 on Unix, %USERPROFILE%\Application Data\SSH\UserKeys on Windows). If no filename is specified, the key pair is likewise stored under the user's home directory, with such filenames as id_dsa_1024_a and id_dsa_1024_a.pub.

Options
The following options are available:

-b bits
Specifies the length of the key in bits (default 2048).

-t dsa|rsa
Selects the type of the key. Valid options are dsa (default) and rsa.

--fips-mode yes|no
Generates the key using the FIPS mode for the cryptographic library. The default is no.

--fips-crypto-dll-path path
Specifies the location of the FIPS cryptographic DLL.

-c comment
Specifies the key's comment string.

-e file
Edits the specified key. Makes ssh-keygen-g3 interactive. You can change the key's passphrase or comment
user login requires the "log on locally" right. On domain controllers, this right is disabled by default. If SSH Tectia Server has been installed on a domain controller, the "log on locally" permission must be enabled on the domain controller for the Domain Users group. Granting that right to all of Domain Users on a domain controller is broader than most hardening baselines allow; a dedicated group containing only the accounts that need Secure Shell access is the safer choice.

5.5 User Authentication with Public Keys

Public key authentication is based on the use of dig-ital signatures and provides the best authentication security. To use public key authentication, the user must first create a key pair on the client and upload the public key to the server. The default directory for the user's public keys is $HOME/.ssh2/authorized_keys on Unix and %USERPROFILE%\.ssh2\authorized_keys on Windows.

To enable public key authentication on the server, the authentication-methods element of the ssh-server-config.xml file must contain an auth-publickey element. For example:

  <authentication-methods>
    <authentication action="allow">
      <auth-publickey />
    </authentication>
  </authentication-methods>

Also other authentication methods can be allowed. Place the least interactive method first.

By using selectors, it is possible to allow or require public key authentication only for a specified group of users. See the section called Selectors for more information.

On Windows, using the SSH Tectia Server Config
of common locations.

Submethods
For keyboard-interactive authentication, several submethods can be specified. To edit the submethods, click the Submethods button. A dialog box opens (Figure 4.12).

Figure 4.12 Keyboard-interactive submethods (dialog: submethod list with Up, Down, Add and Delete; Type: Password, SecurID, RADIUS, Generic; DLL path, shown as C:\WINDOWS\system32\ACECLNT\aceclnt.dll; RADIUS Settings: server list with Address, Port, Timeout, Client NAS identifier, and Shared secret file)

To add a submethod, click Add and select the Type of the submethod below. The following submethods can be selected:

- Password
- SecurID
- RADIUS
- Generic

Depending on the submethod, additional settings are available.

To change the order of the submethods, select a submethod from the list and click Up and Down to move it. The submethods are tried in the specified order.

To remove a submethod, select a method from the list and click Delete.

DLL Path
For the SecurID submethod, enter the path to the SecurID DLL.

Name
For the Generic submethod, enter the name of the method.

Params
For the Generic submethod, enter the initialization parameters.

RADIUS Settings
For the RADIUS submethod, click Add to add a RADIUS server
1210 Key_store_sign
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  A key was used successfully for signing.
  Default log facility: normal
  Argument     Description
  Key path     Key path
  Fwd path     Fwd path

1211 Key_store_sign_failed
  Level: warning
  Origin: SSH Tectia Server, Connection Broker
  A key was used unsuccessfully for signing.
  Default log facility: normal
  Argument      Description
  Key path      Key path
  Fwd path      Fwd path
  Crypto error  Error string

1212 Key_store_sign_digest
  Level: informational
  Origin: SSH Tectia Server, Connection Broker
  A key was used successfully for signing a digest.
  Default log facility: normal
  Argument     Description
  Key path     Key path
  Fwd path     Fwd path

1213 Key_store_sign_digest_failed
  Level: warning
  Origin: SSH Tectia Server, Connection Broker
  A key was used unsuccessfully for signing a digest.
  Default log facility: normal
  Argument      Description
  Key path      Key path
  Fwd path      Fwd path
  Crypto error  Error string
                  "&default-terminal-action;"
  chroot          CDATA  #IMPLIED>

<!-- Subsystem -->
<!ELEMENT subsystem (attribute*)>
<!ATTLIST subsystem
  type            CDATA         #REQUIRED
  action          (allow|deny)  "&default-subsystem-action;"
  application     CDATA         #IMPLIED
  chroot          CDATA         #IMPLIED>

<!ELEMENT attribute EMPTY>
<!ATTLIST attribute
  name            CDATA  #REQUIRED
  value           CDATA  #IMPLIED>

<!-- Tunnels -->
<!ELEMENT tunnel-x11 EMPTY>
<!ATTLIST tunnel-x11
  action          (allow|deny)  "&default-tunnel-action;">

<!ELEMENT tunnel-agent EMPTY>
<!ATTLIST tunnel-agent
  action          (allow|deny)  "&default-tunnel-action;">

<!ELEMENT tunnel-local (src|dst)*>
<!ATTLIST tunnel-local
  action          (allow|deny)  "&default-tunnel-action;">

<!ELEMENT tunnel-remote (src|listen)*>
<!ATTLIST tunnel-remote
  action          (allow|deny)  "&default-tunnel-action;">

<!-- Tunnel selectors. These apply only to TCP local and remote
     tunnels: src and dst are for local tcp, src and listen are for
     remote tcp. address or fqdn are not mandatory; if set, exactly
     one must be set. -->

<!-- Source -->
<!ELEMENT src EMPTY>
<!ATTLIST src
  address         CDATA  #IMPLIED
  fqdn            CDATA  #IMPLIED
  port            CDATA  #IMPLIED>

<!-- Destination -->
<!ELEMENT dst EMPTY>
<!ATTLIST dst
root privileges.

There are two basic kinds of tunnels: local and remote. They are also called outgoing and incoming tunnels, respectively. X11 forwarding and agent forwarding are special cases of a remote tunnel.

SSH Tectia Client and all versions of SSH Tectia Server provide the basic tunneling functionality. SSH Tectia Connector and SSH Tectia Server T used together provide dynamic secure application tunneling that is transparent to the end user (secure application connectivity).

This chapter gives an example of SSH Tectia Server T settings for an SSH Tectia Connector tunneling user and describes the different tunneling options available with SSH Tectia Client and SSH Tectia Server.

8.1 SSH Tectia Connector Tunneling User

SSH Tectia Connector will connect only to SSH Tectia Server T or Server M. The SSH Tectia Connector users must be able to log in to an existing user account, preferably a non-privileged user account, on the server. Users can have their own user accounts. If the Windows login name can be used also as the server-side login name, the variable %USERNAME% can be conveniently used in the configuration of SSH Tectia Connector.

Most of the authentication methods supported by SSH Tectia Server can be used with SSH Tectia Connector users. The authentication methods include password, any keyboard-
(continued from the previous message, whose beginning is not on this page)
    ...             Channel number
    ...             Display name
    Error           Success or error description
    Text            Extra textual information (optional)
    Session Id      Session identifier

434 X11 channel close
    Level: informational
    Origin: SSH Tectia Server
    An X11 forwarding channel has closed.
    Default log facility: normal
    Argument        Description
    Username        User's login name
    Sub ID          Channel number
    Session Id      Session identifier

460 Session env request failure
    Level: informational
    Origin: SSH Tectia Server
    A session channel request to set an environment variable has failed.
    Default log facility: normal
    Argument        Description
    Username        User's login name
    Success/Error   Success or error description
    Text            Description of the error
    Sub ID          Channel number
    Session Id      Session identifier

461 Session env file failure
    Level: informational
    Origin: SSH Tectia Server
    When reading the user's environment file, an illegal environment variable was encountered.
    Default log facility: normal
    Argument        Description
    Username        User's login name
    Success/Error   Success or error description
    File name       Environment file name
    Text            Description of the error
    Session Id      Session identifier

700 Auth method success
    Level: informational
    Origin: SSH Tectia Server
    An authentication method was successfully co
(continued from the previous message, whose beginning is not on this page)
    ...             User's login name
    ...             Success or error description
    ...             Listener's IP address
    Listener Port   Listener's port
    Session Id      Session identifier
    Text            Error description

427 Forwarding listener close
    Level: informational
    Origin: SSH Tectia Server
    Trying to destroy a non-existing TCP listener.
    Default log facility: normal
    Argument        Description
    Username        User's login name
    Listener IP     Listener's IP address
    Listener Port   Listener's port
    Session Id      Session identifier
    Success/Error   Error description
    Text            Error message

428 Auth listener open
    Level: informational
    Origin: SSH Tectia Server
    An authorization agent forwarding listener opening has completed, successfully or unsuccessfully.
    Default log facility: normal
    Argument        Description
    Username        User's login name
    File name       Path to the listener
    Success/Error   Success or error description
    Session Id      Session identifier

429 Auth listener close
    Level: informational
    Origin: SSH Tectia Server
    An authorization agent forwarding listener has closed.
    Default log facility: normal
    Argument        Description
    Username        User's login name
    File name       Path to the listener
    Session Id      Session identifier

430 Channel open failure
    Level: informational
    Origin: SSH Tectia Server
    Opening a channel has failed because the other end
rt can be given.

listen
    This element defines a listen address for remote TCP tunnels. The address and the port can be given as attributes.

A sample rule element is shown below.

    <!-- The finance inspector -->
    <rule group="finance-inspector" print-motd="no">
      <tunnel-local action="allow">
        <dst fqdn="finance-db.example.com" port="1433" />
        <dst fqdn="finance-db.example.com" port="1434" />
      </tunnel-local>
      <!-- Can execute commands and shells, as no overriding behavior is defined -->
    </rule>

    <!-- Administrators are allowed to do anything -->
    <rule group="admin" />

    <!-- Remote access -->
    <rule group="remote-access" idle-timeout="600">
      <!-- Denying the terminal also denies shell commands unless they are specifically allowed -->
      <terminal action="deny" />
      <subsystem type="sftp" application="sft-server-g3" chroot="%homedir%" />
      <tunnel-local action="allow">
        <dst fqdn="imap.example.com" port="143" />
        <dst fqdn="imap.example.com" port="993" />
        <dst fqdn="mail.example.com" port="109" />
        <dst fqdn="mail.example.com" port="110" />
        <dst fqdn="mail.example.com" port="995" />
      </tunnel-local>
    </rule>

    <rule group="backup">
      <terminal action="deny" />
      <!-- This accoun
rted operating systems. SSH Tectia Server can also be installed via SSH Tectia Manager. See the SSH Tectia Manager Administrator Manual for more information.

2.2.1 Installing on AIX

On the CD-ROM, the installation packages for AIX 5L platforms are located in the install/aix directory. Two packages are required: one for the common components of SSH Tectia Client and Server, and another for the specific components of SSH Tectia Server.

Note: You need GNU gzip in order to install SSH Tectia Server on AIX.

To install SSH Tectia Server on AIX, do the following:

1. (Not necessary in third-digit maintenance updates.) Copy the license file to the /etc/ssh2/licenses directory. See Section 2.1.3. If this is the initial installation of SSH Tectia Server 5.x, the directory does not yet exist. You can either create it manually or copy the license after the installation. In the latter case, you have to start the server manually after copying the license file.

2. Unpack the packages using the following commands:

       gzip -d ssh-tectia-common-<ver>-aix5.x.bff.gz
       gzip -d ssh-tectia-server-<ver>-aix5.x.bff.gz

   In the commands, <ver> is the current package version of SSH Tectia Server, for example 5.0.0.777.

3. Install the packages by running the following commands with root privileges:

       installp -d ssh-tectia-common-<ver>-aix5.x.bff SSHTectia.Common
       installp -d ssh-tectia-server-<ver>-aix5.x.bff SSHTectia.Server

   The server host key i
rust. You can further study these certificates with ssh-certview-g3. This is useful when you want to generate, for example, entries for allowing certificate authentication in the ssh-server-config.xml file: you might need to know the subject names on the certificate. With ssh-ekview-g3 you can export the certificate and then get the information you need from it with ssh-certview-g3.

Options

The following options are available:

-h
    Displays a short help.

-i info
    Uses info as the initialization string for the provider.

(option letter not legible in the source)
    Prints the key paths only.

-e keypath
    Exports certificates at keypath to files.

-a
    Exports all found certificates to files.

-b base
    Uses base when printing integers. For example, the decimal 10 is "a" in base 16.

-d debug-level
    Prints extensive debug information to stderr. debug-level is either a number from 0 to 99, where 99 specifies that all debug information should be displayed, or a comma-separated list of assignments of the format ModulePattern=debug_level, for example "10,sshd2=2". This should be the first argument on the command line.

Example

For example, the following command will dump all certificates in the entrust provider to files:

    ssh-ekview-g3 -a -i "ini-file($HOME/my.ini),profile-file($HOME/solo.ini)" entrust

Authors

SSH Communications Security Cor
s. The configuration file is read in top-down order during connection setup. If a connection is denied in one of the blocks, the connection setup phase ends immediately and the rest of the configuration file is not read.

This section describes the options available in the SSH Tectia Server configuration file. See Appendix B for more information on the syntax of the configuration file.

Selectors

The connection settings can be changed based on selectors in the configuration file. Using selectors it is possible, for example, to:

- allow or deny connections from certain IP addresses
- require different authentication methods based on username or group
- restrict access based on a certificate field

Selectors are used in the Connections, Authentication Methods and Services elements. Selectors match to blackboard fields. The most commonly used selector parameters have their own elements: interface, certificate, host-certificate, ip, user, user-group and user-privileged.

Wild Cards in Selectors

Uncommon parameters can be used with the generic blackboard element by giving the parameter as a value of the field attribute. When a parent element contains multiple child elements with selectors, the first functional child element matched is used and the rest are ignored. For example, if the connections element has multiple connection
Server Configuration File Syntax

<!-- Default command action -->
<!ENTITY default-command-action "(value not legible in the source)">

<!-- Default rekey interval in seconds -->
<!ENTITY default-rekey-interval-seconds "3600">

<!-- Default rekey interval in bytes -->
<!ENTITY default-rekey-interval-bytes "1000000000">

<!-- Default login grace time in seconds -->
<!ENTITY default-login-grace-time-seconds "(value not legible in the source)">

<!-- (one further default entity is not legible in the source) -->

<!-- Password authentication failure delay -->
<!ENTITY default-auth-password-failure-delay "2">

<!-- Password authentication maximum tries -->
<!ENTITY default-auth-password-max-tries "3">

<!-- DNS match not required by default in hostbased authentication -->
<!ENTITY default-auth-hostbased-require-dns-match "no">

<!-- Keyboard-interactive authentication failure delay -->
<!ENTITY default-auth-kbdint-failure-delay "2">

<!-- Keyboard-interactive authentication maximum tries -->
<!ENTITY default-auth-kbdint-max-tries "3">

<!-- RADIUS server default port -->
<!ENTITY default-radius-server-port "(value not legible in the source)">

<!-- RADIUS server default UDP receive timeout -->
<!ENTITY default-radius-server-timeout "(value not legible in the source)">

<!-- GSSAPI default ticket forwarding policy -->
<!ENTI
s document contains instructions on the basic administrative tasks of SSH Tectia Server A, Server F and Server T. The document is intended for system administrators responsible for the configuration of the SSH Tectia Server software. To fully use the information presented in this document, you should also be familiar with other system administration tasks. To edit the configuration files manually, without the SSH Tectia Server Windows GUI or SSH Tectia Manager, you should have basic knowledge of XML.

This document contains the following information:

- Installing SSH Tectia Server
- Getting started
- Configuring SSH Tectia Server
- Authentication settings
- System administration
- File transfer
- Application tunneling
- Troubleshooting
- Appendices, including command-line tool and audit message references

SSH Tectia Client/Server Product Description contains important background information on the SSH Tectia client/server solution, and we recommend that you read it before installing and starting SSH Tectia Server.

If you are familiar with SSH Tectia Server 4.x or older, we recommend that you read SSH Tectia Client/Server Migration Guide. It contains information on new and changed configuration options of SSH Tectia 5.0 and instructions for migrating existing installations of SSH Tectia 4.x to 5.0.

1.1 Component Terminology

The following terms are used throughout the documentation.

client computer
    The computer, typically a
s generated and stored in the /etc/ssh2 directory on Unix and in the C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server directory on Windows. By default, this key pair is used for server authentication.

Each SSH Tectia Server can have multiple host keys. You could have, for example, the following set of parameters in your ssh-server-config.xml file:

    <params>
      <hostkey>
        <private file="/etc/ssh2/hostkey_dsa" />
        <public file="/etc/ssh2/hostkey_dsa.pub" />
      </hostkey>
      <hostkey>
        <private file="/etc/ssh2/hostkey_rsa" />
        <public file="/etc/ssh2/hostkey_rsa.pub" />
      </hostkey>
    </params>

Both keys are stored in memory when the ssh-server-g3 process is started, which means that either one of them can be used to authenticate the server. We recommend that you use a maximum of one DSA and one RSA key pair. If certificates are also used in server authentication, an additional two host key pairs (DSA with certificate and RSA with certificate) can be used, for a total of four host keys.

On Windows, the host keys can be configured with the SSH Tectia Server Configuration tool on the Identity page. See Section 4.1.3.

5.1.1 Generating the Host Key

The host public key pair (1536-bit RSA) is generated during the installation of SSH Tectia Server. Note that 1536-bit RSA is below the 2048-bit minimum that current key-length guidance (for example NIST SP 800-57) requires; when you regenerate the host key, choose at least 2048 bits.
s generated during the installation. Key generation may take several minutes on slower machines.

4. The installation should restart the server automatically. If the server does not start (because of a missing license, for example), you can start it after correcting the problem by issuing the command:

       /opt/tectia/sbin/rc.ssh-server-g3 start

2.2.2 Installing on HP-UX

SSH Tectia Server is available for HP-UX 11.x on PA-RISC (11.00) and for HP-UX 11.x on Itanium (11.22). SSH Tectia Server includes support for Entrust certificates on HP-UX 11.0. The necessary libraries are automatically included in the installation.

On the CD-ROM, the installation packages for HP-UX platforms are located in the install/hp-ux directory. Two packages are required: one for the common components of SSH Tectia Client and Server, and another for the specific components of SSH Tectia Server.

To install SSH Tectia Server on HP-UX, do the following:

1. (Not necessary in third-digit maintenance updates.) Copy the license file to the /etc/ssh2/licenses directory. See Section 2.1.3. If this is the initial installation of SSH Tectia Server 5.x, the directory does not yet exist. You can either create it manually or copy the license after the installation. In the latter case, you have to start the server manually after cop
(continued from the previous message, whose argument names are not on this page)
    ...             User's login name
    ...             Textual description of the error
    ...             Session identifier

(message ID and name not on this page)
    Something abnormal happened during authentication, but authentication can still continue.
    Default log facility: auth
    Argument        Description
    Username        User's login name
    Text            Textual description of the error
    Session Id      Session identifier

707 Publickey auth success
    Level: informational
    Origin: SSH Tectia Server
    The user successfully completed the publickey authentication method.
    Default log facility: auth
    Argument        Description
    Username        User's login name
    Algorithm       publickey
    Text            Acceptance description
    Session Id      Session identifier

708 Publickey auth error
    Level: warning
    Origin: SSH Tectia Server
    Error in the publickey authentication method. This means that the current user authentication attempt with the publickey method has failed.
    Default log facility: auth
    Argument        Description
    Username        User's login name
    Algorithm       publickey
    Text            Error description
    Session Id      Session identifier

709 Publickey auth warning
    Level: informational
    Origin: SSH Tectia Server
    Warning during the publickey authentication method. This means that something abnormal happened during the publickey method, but the method may still complete successfully.
    Default log facility: auth
    Argument        Description
    Userna
sages are not sent, sessions may hang indefinitely on the server, leaving ghost users and consuming server resources. The value must be yes or no. The default is no (do not send keepalives).

The connection element can include one or more selectors, a rekey setting, and cipher and MAC definitions.

selector
    The selectors define to which connections this connection rule applies. Only the interface and ip selectors can be used in the connections element. Other blackboard fields (for example the username) are not yet available at this stage of the connection. See the section called "Selectors".

interface
    This selector matches to the listener interface id, or address and/or port. At least one attribute must be given. If the id is defined, the others MUST NOT be given. If the id is not defined, either or both of address and port may be given.

ip
    This selector matches to an IP address or fqdn (fully qualified domain name) of the client. Either address or fqdn can be given, not both. The address can be in one of the following formats:

    - an IP address range of the form x.x.x.x-y.y.y.y
    - an IP mask of the form x.x.x.x/y
    - a single IP address x.x.x.x

    The fqdn attribute matches to an FQDN pattern (case-insensitive). The attribute can include a comma-separated list of allowed FQDN patterns.

rekey
se, the LDAP servers specified here are used.

To add an LDAP server, click Add and enter the Address and Port of the server. The default port is 389. To delete an LDAP server, select a server from the list and click Delete.

OCSP Responders

On the OCSP Responders tab, you can define OCSP responder servers that are used for Online Certificate Status Protocol queries. If the certificate has a valid Authority Info Access extension with an OCSP Responder URL, it is used instead of this setting. Note that for the OCSP validation to succeed, both the end-entity certificate and the OCSP Responder certificate must be issued by the same CA.

To add an OCSP responder, click Add and enter the URL of the server. Optionally, you can also enter a Validity period (in seconds) for the OCSP data. During this time, new OCSP queries for the same certificate are not made, but the old result is used. To delete an OCSP responder, select a responder from the list and click Delete.

CRL Prefetch

On the CRL Prefetch tab, you can define addresses from which CRLs are periodically downloaded. To add a CRL prefetch address, click Add and enter the URL of the CRL distribution point and the Interval (how often the CRL is downloaded). The default interval is 3600 seconds.

To delete a CRL prefetch address, select an address from the list an
se-insensitively. Alternatively, the variables can be specified in the Allowed (case-sensitive) field.

Subsystems

On the Subsystems tab, you can define the allowed and denied subsystems.

To add a subsystem, click Add. Enter the subsystem Type and select whether the subsystem is Allowed. Define also the Application. To remove a subsystem, click Delete.

The subsystem can contain several Attributes.

Attributes

To add an attribute, click Add. Enter the Name and Value of the attribute. To remove an attribute, click Delete.

Commands

On the Commands tab, you can define shell commands as allowed, denied or forced. To add a command rule, click Add. To delete a command rule, select a rule from the list and click Delete.

- If the Deny action is set, all shell commands are denied and no further attributes should be specified.
- For the Allow and Force actions, the Application must be given. If the application is not given for the Allow action, all commands are allowed.
- If the Force action is set, the specified application is run automatically when the user logs in.

Applications are normally matched case-insensitively. Alternatively, the application can be specified using the Application (case-sensitive) field.

Local Tunnels

On the Local Tunnels tab, you can define rules for local TCP tunnels (port forwarding). To add a tunnel
        Keyboard_interactive_securid_auth_success
    </log-events>
    <log-events facility="auth" severity="warning">
        Hostbased_auth_error
        Publickey_auth_error
        GSSAPI_auth_error
        Keyboard_interactive_pam_auth_error
        Keyboard_interactive_radius_auth_error
        Keyboard_interactive_password_auth_error
        Keyboard_interactive_securid_auth_error
    </log-events>
    <log-events facility="daemon" severity="error">
        Server_start_failed
    </log-events>
    <log-events facility="daemon" severity="warning">
        Server_listener_failed
    </log-events>
    <log-events facility="daemon" severity="notice">
        Server_listener_started
        Server_listener_stopped
        Server_reconfig_finished
        Server_stopping
        Server_running
        Server_starting
    </log-events>
    <log-events facility="daemon" severity="warning">
        Servant_exited
        Servant_error
    </log-events>
    <log-events facility="daemon" severity="informational">
        Server_reconfig_started
    </log-events>
    <log-events facility="normal" severity="informational">
        Algorithm_negotiation_success
        Certificate_validation_success
        Certificate_validation_failure
        Key_store_create
        Key_store_destroy
        Key_store_add_provider
        Key_store_decrypt
        Key_store_sign
        Key_store_sign_digest
        Logout
        Disconnect
        Channel_op
server computer. It is recommended to have users log in first to their non-privileged user accounts and, once logged in, elevate their rights using sudo or su, especially if the root account is used instead of individual administrator accounts. The following configuration setup prevents logging in directly to the privileged accounts:

    <authentication-methods>
      <authentication action="deny">
        <selector>
          <user-privileged value="yes" />
        </selector>
      </authentication>
    </authentication-methods>

6.1.2 Restricting Connections

SSH Tectia Server can be configured to reject connection attempts from unknown hosts. For example, the following allows connections only from the internal network 10.1.0.0/8 IP addresses and from an external host with the IP address 195.20.116.1:

    <connections>
      <connection action="allow">
        <selector>
          <ip address="10.1.0.0/8" />
          <ip address="195.20.116.1" />
        </selector>
      </connection>
      <connection action="deny" />
    </connections>

Because the configuration is read top-down and the first matching connection element is used, the catch-all deny must stay last; placed first, it would reject every client, including those in the allow list. Please see the section called "Selectors" for information on the selectors.

On systems with several network interfaces, SSH Tectia Server can also be bound to a specific network interface so that the server can only be accessed from the intended network. For example, the following will bind the listener to address 10.1
sion of the software on top of the older version. SSH Tectia Server 4.0 and earlier use a different type of installation package and must be uninstalled before installing the new version.

The configuration file format and file locations have changed in SSH Tectia Server 5.0. The old configuration files from 4.x will not be used with 5.0, but they must be converted manually to the new format. A separate document, SSH Tectia Client/Server Migration Guide, gives detailed instructions on upgrading from SSH Tectia client/server solution 4.x to SSH Tectia client/server solution 5.0, including information on migrating the configuration files.

Note: Back up all your configuration files before starting the upgrade.

2.1.5 Upgrading from Version 5.0

SSH Tectia Server can be upgraded from a previous 5.0.x installation to a later 5.0.x simply by installing the newer version of the software on top of the older version.

If installed on the same machine, SSH Tectia Client and SSH Tectia Server 5.0 should always be upgraded at the same time, because there are dependencies between the common components.

Note: Back up all your configuration files before starting the upgrade.

2.2 Installing the SSH Tectia Server Software

This section gives instructions on installing SSH Tectia Server locally on the suppo
ssh.com and port 1080 are used as your SOCKS server for connections outside of networks 203.123.0.0 (16-bit domain) and 198.74.23.0 (8-bit domain). Those networks are connected directly.

The cert-validation element can contain multiple ldap-server and ocsp-responder elements, a cert-cache-file and crl-auto-update element, multiple crl-prefetch elements, a dod-pki element and multiple ca-certificate elements.

The validity of a received certificate is checked separately using each of the defined ca-certificate elements in turn until they are exhausted (in which case the authentication fails) or a positive result is achieved. If the certificate is valid, the connections and authentication-methods elements determine whether the certificate allows the user to log in; of course, the correct signature generated by a matching private key is always required in addition to everything else.

ldap-server
    This element specifies an LDAP server address and port used for fetching CRLs. Several LDAP servers can be specified by using several ldap-server elements. CRLs are automatically retrieved from the CRL distribution point defined in the certificate to be checked, if the point exists. Otherwise, the LDAP servers specified by these elements are used. The default value for port is 389.

ocsp-responder
    This eleme
(continued; the argument names of the preceding messages are not on this page)
    ...             Address of the listener socket
    ...             Port of the listener socket
    ...             Process ID of the servant
    ...             Success or error code
    ...             Exit value of the servant process
    ...             Process ID of the servant
    ...             Textual error message

(message ID and name not on this page)
    The crypto library FIPS status was changed in reconfiguration.
    Default log facility: daemon
    Argument        Description
    Text            Verbose description of the error

113 Server warning
    Level: warning
    Origin: SSH Tectia Server
    The server encountered a non-fatal error.
    Default log facility: daemon
    Argument        Description
    Text            Description of the error

114 Servant warning
    Level: warning
    Origin: SSH Tectia Server
    The server encountered a non-fatal error condition.
    Default log facility: daemon
    Argument        Description
    Text            Verbose warning message

115 Servant info
    Level: informational
    Origin: SSH Tectia Server
    The server encountered a non-error condition of interest.
    Default log facility: daemon
    Argument        Description
    Text            Verbose informational message

116 Servant client verbose
    Level: notice
    Origin: SSH Tectia Server
    The client sent a high-priority debug message.
    Default log facility: daemon
    Argument        Description
    Text            Client debug message
Figure 4.7 The Edit Selector dialog box (Name: connection; Selector 1: ip address="192.168.0.42-192.168.0.82")

To add a selector to the element, click the topmost Add button. The selector is initially empty. To add items to the selector, choose a selector from the list and click the lowermost Add button. The Edit dialog box opens (Figure 4.8).

Figure 4.8 Editing a selector (Edit dialog: Type IP, Address 192.168.0.42-192.168.0.82, FQDN, ID)

Edit
    Select the Type of the selector item from the drop-down list. The attributes of the selector depend on the type.

Interface
    The Interface selector matches to the listener interface ID, or Address and/or Port. At least one attribute must be given. If the ID is defined, the others MUST NOT be given. If the ID is not defined, either or both of Address and Port may be given.

IP
    The IP selector matches to an IP Address or FQDN (fully qualified domain name) of the client. Either Address or FQDN can be given, not both. The Address can be in one of the following formats:

    - an IP address range of the form x.x.x.x-y.y.y.y
    - an IP mask of the form x.x.x.x/y
    - a single IP address x.x.x.x

    The FQDN attribute matches to an FQDN pattern (case-insensitive). The form of the
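The top-down, first-match evaluation of the connections element and the three address forms of the ip selector (range, mask, single address, plus comma-separated FQDN patterns) as runnable code. This is an added example written for this page, not SSH Tectia code. It assumes that several ip elements inside one selector are alternatives (the manual's own 10.1.0.0/8 plus 195.20.116.1 example relies on this), that a connection element without a selector matches every client, that no match at all means allow, and it ignores interface selectors; SAMPLE_CONNECTIONS is a constructed input, and the function and variable names are this example's own.

```python
"""Evaluate the <connections> block of an ssh-server-config.xml file against a
client address the way the manual describes: the <connection> elements are
read top-down and the first one whose selector matches decides.

Added example, not SSH Tectia code.  Assumptions: several <ip> elements in
one <selector> are alternatives, a <connection> without a selector matches
every client, interface selectors are ignored, and the no_match outcome is
configurable because the manual does not state it."""
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: internal network plus one external host, then deny all.
SAMPLE_CONNECTIONS = """
<connections>
  <connection action="allow">
    <selector>
      <ip address="10.1.0.0/8" />
      <ip address="195.20.116.1" />
    </selector>
  </connection>
  <connection action="deny" />
</connections>
"""


def ip_matches(address_spec, client_ip):
    """Match one ip/@address in the three forms the manual lists:
    a range x.x.x.x-y.y.y.y, a mask x.x.x.x/y, or a single address."""
    ip = ipaddress.ip_address(client_ip)
    if "-" in address_spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in address_spec.split("-", 1))
        return lo <= ip <= hi
    if "/" in address_spec:
        # strict=False tolerates host bits in the prefix, e.g. 10.1.0.0/8
        return ip in ipaddress.ip_network(address_spec, strict=False)
    return ip == ipaddress.ip_address(address_spec)


def fqdn_matches(pattern_list, client_fqdn):
    """ip/@fqdn: comma-separated list of case-insensitive patterns."""
    if not client_fqdn:
        return False
    host = client_fqdn.lower()
    return any(fnmatch.fnmatchcase(host, p.strip().lower())
               for p in pattern_list.split(","))


def selector_matches(selector, client_ip, client_fqdn):
    """A selector with no <ip> children matches; otherwise any <ip> child may match."""
    ips = selector.findall("ip")
    if not ips:
        return True
    for ip in ips:
        addr, fq = ip.get("address"), ip.get("fqdn")
        if (addr is None) == (fq is None):
            raise ValueError("ip selector needs exactly one of address or fqdn")
        if addr is not None and ip_matches(addr, client_ip):
            return True
        if fq is not None and fqdn_matches(fq, client_fqdn):
            return True
    return False


def decide(connections_xml, client_ip, client_fqdn=None, no_match="allow"):
    """Return the action of the first matching <connection>."""
    root = ET.fromstring(connections_xml.strip())
    for conn in root.findall("connection"):
        selectors = conn.findall("selector")
        if not selectors or any(selector_matches(s, client_ip, client_fqdn)
                                for s in selectors):
            return conn.get("action", "allow")
    return no_match


def unreachable_rules(connections_xml):
    """Lint: every <connection> after a selector-less one can never match,
    so a catch-all deny placed first would lock everyone out."""
    conns = ET.fromstring(connections_xml.strip()).findall("connection")
    for i, conn in enumerate(conns):
        if not conn.findall("selector"):
            return list(range(i + 1, len(conns)))
    return []


if __name__ == "__main__":
    for ip in ("10.1.2.3", "195.20.116.1", "192.0.2.7"):
        print(ip, "->", decide(SAMPLE_CONNECTIONS, ip))
    print("unreachable rules:", unreachable_rules(SAMPLE_CONNECTIONS))
```

Run unreachable_rules over a candidate file before deploying it: a non-empty result means a connection element can never be reached, which is exactly the symptom of a catch-all deny placed above the allow rules.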
t is only used to back up the disk drive -->
      <command application="dd if=/dev/hda" action="forced" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>

    <!-- This rule is used to force password change -->
    <rule group="passwd-change">
      <terminal action="deny" />
      <command application="/usr/bin/passwd" action="forced" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>

    <!-- Default rule: used when none of the rules above match -->
    <rule>
      <environment allowed="TERM,PATH,TZ,LANG,LC_*" />
      <terminal action="deny" />
      <subsystem type="sftp" application="sft-server-g3" />
      <!-- Other commands will be denied -->
      <command application="date" action="allow" />
      <!-- Other local tunnels will be denied -->
      <tunnel-local action="allow">
        <dst fqdn="imap.example.com" port="143" />
        <dst fqdn="imap.example.com" port="993" />
        <dst fqdn="example.com" port="260" />
      </tunnel-local>
      <!-- Other remote tunnels will be denied -->
      <tunnel-remote action="allow">
        <listen port="6881" />
        <src fqdn="example.com" port="220" />
      </tunnel-remote>
    </rule>

Authors

SSH Communications Security Corp.

For more information, s
t-validation>
      <ca-certificate name="myca" file="/etc/ssh2/ca-certificate.crt" />
    </cert-validation>

2. In the ssh-server-config.xml file, under the authentication-methods element, add an auth-hostbased element:

    <authentication-methods>
      <authentication name="hostbased-block">
        <auth-hostbased require-dns-match="no" />
        <authentication action="allow" name="hostbased-cert-allow">
          <selector>
            <certificate field="ca-list" pattern="exa-ca1" />
          </selector>
        </authentication>
        <authentication action="deny" />
      </authentication>
    </authentication-methods>

   In addition to being signed by the required CA, the certificate must pass the endpoint identity check described in detail in Section 5.7.2.

   If you want to allow multiple authentication methods, place the least interactive method first; this usually means the host-based method.

   On Windows, using the SSH Tectia Server Configuration tool, host-based authentication can be configured on the Authentication page. See Section 4.1.9.

3. Run ssh-server-config-tool to take the new configuration into use. See ssh-server-config-tool(8). On Windows, click Save to take the new settings into use.

5.8 User Authentication with Keyboard-Interactive

Keyboard-interactive is a generic authentication method that can be used to implement different types of authentication mechanisms. Any currently supported authentication method that requires only
(continued: the key argument, whose beginning is not on this page)

    keytype(size)[,save-file-prefix]
    file:/absolute/key/file/path
    file://absolute/key/file/path
    file:relative/key/file/path

savetype can be one of:

    ssh2, secsh2, secsh   Secure Shell 2 key type
    ssh1, secsh1          legacy Secure Shell 1 key type
    pkcs1                 PKCS #1 key type
    pkcs8s                passphrase-protected PKCS #8 (shrouded PKCS #8)
    pkcs8                 plain-text PKCS #8
    x509                  SSH proprietary X.509 library key type

-h
    Prints usage message.

-F
    Prints key usage extension and keytype instructions.

-e
    Prints command-line examples.

Description

The ssh-cmpclient-g3 command-line tool (ssh-cmpclient-g3.exe on Windows) is a certificate enrollment client that uses the CMP protocol. It can generate an RSA or DSA public key pair and get certificates for their public components. CMP is specified by the IETF PKIX Working Group for certificate life-cycle management and is supported by some CA platforms, such as Entrust PKI and RSA Keon.

Commands

The ssh-cmpclient-g3 command-line command keywords are listed below. Shorthands longer than three letters can be used to identify the command. The commands are case-insensitive. The user must specify the CA address URL for each command. Here the term "user" refers to a user, program or hardware device
the Keyboard-interactive RADIUS authentication method, but the method may still complete successfully.
    Default log facility: auth
    Argument        Description
    Username        User's login name
    Algorithm       Authentication method name
    Text            Warning description
    Session Id      Session identifier

722 Keyboard interactive password auth success
    Level: informational
    Origin: SSH Tectia Server
    The user successfully completed the Keyboard-interactive Password authentication method.
    Default log facility: auth
    Argument        Description
    Username        User's login name
    Algorithm       Keyboard-interactive Password
    Text            Acceptance description
    Session Id      Session identifier

723 Keyboard interactive password auth error
    Level: warning
    Origin: SSH Tectia Server
    Error in the Keyboard-interactive password authentication method. This means that the current user authentication attempt with the Keyboard-interactive password method has failed.
    Default log facility: auth
    Argument        Description
    Username        User's login name
    Algorithm       Authentication method name
    Text            Error description
    Session Id      Session identifier

725 Keyboard interactive securid auth success
    Level: informational
    Origin: SSH Tectia Server
    The user successfully completed the Keyboard-interactive SecurID authentication method.
    Default log facility: auth
    Argument        Description
    Username        User's login
194. the cert-validation element in the client configuration file to no. 4. The client verifies that the server has a valid private key by checking the signature in the initial packet. During authentication the system checks that the certificate has not been revoked. This can be done either by using the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL), which can be published either in an LDAP or HTTP repository. OCSP is automatically used if the certificate contains a valid Authority Info Access extension or an OCSP responder has been separately configured. If no OCSP responder is available or the OCSP validation produces a negative result, the CRLs are automatically used. If LDAP is used as the CRL publishing method, the LDAP repository location can also be defined in the ssh-broker-config.xml file. See SSH Tectia Client User Manual for more information.
5.2.1 Certificate Enrollment Using ssh-cmpclient: Certificates can be enrolled using the ssh-cmpclient command-line tool (ssh-cmpclient.exe on Windows). To configure SSH Tectia Server to authenticate itself using X.509 certificates, perform the following tasks: 1. Enroll a certificate for the server. This can be done with the ssh-cmpclient command-line tool, for example: ssh-cmpclient INITIALIZE
195. other means than Secure Shell. To deny shell access on the operating system level, you can set the user's shell to /bin/false or use a script that can also inform the user of the situation. For example, you could have the following saved to /bin/no-shell:
    #!/bin/sh
    echo "Shell access to this account has been disabled."
    exit 1
8.1.2 Restricting Services: In this example the user tunnel is restricted to tunneling services while other users have terminal access. All users are denied file transfer service and X11 and agent forwarding. Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server configuration and can, for example, set up their own port forwardings. Please see Section 6.1 for more information.
Tunneling: SSH Tectia Connector will use only outgoing tunnels. The tunnels are established based on the configuration of the application being tunneled. Please see Section 8.2 for details on the tunneling principles. The following configuration options of SSH Tectia Server will deny incoming tunnels (remote port forwarding) and allow outgoing tunnels (local port forwarding) for all users, for example to http://webserver.example.com or https://webserver.example.com:
    <services>
      <rule>
        <tunnel-local action="allow">
          <dst fqdn="example.com" port="80"
196. whether terminal access is allowed or denied for the user group. The word allow or deny can be given as the value of the action attribute. By default, terminal access is allowed. On Unix systems, the chroot attribute can be optionally used to define a directory where the user is chrooted during the terminal session. If terminal access is denied, also shell commands are denied unless the commands are specifically allowed by the command element.
subsystem: This element defines a subsystem. The subsystem type must be given as an attribute. The use of the subsystem can be allowed or denied by giving the word allow or deny as the value of the action attribute. The default action is allow. Optionally, also the application can be given. This is not necessary with the SFTP subsystem if the SFTP binary is in the default location. On Unix systems, the chroot attribute can be optionally used to define a directory where the user is chrooted when running the subsystem. The element can contain multiple attribute child elements.
attribute: This element defines an attribute of a subsystem. The name must be given as an attribute. The value can be optionally given. This can be used, for example, on Windows platforms to set the user home directory and virtual folders for SFTP:
    <subsystem type="sftp" application="sft-server-g3.exe" a
197. Tectia Server directory. The XML DTD can be found in the C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\ssh-server-ng directory. If the configuration file cannot be found or some of the elements are missing, hardcoded default values are used. The default values are specified in the ssh-server-config-default.xml file in the same directory with the configuration file. However, this default configuration file is not actually read. It only shows the hardcoded system defaults. In addition, an example configuration file, ssh-server-config-example.xml, can be found in the same directory with the configuration file. This file contains useful examples of the various configuring options. The configuration file is divided in four blocks: general server parameters (params), connection rules (connections), authentication methods (authentication-methods), and allowed services (services). In the connections and authentication-methods blocks, different selectors can be used to set access rules to users based on the user parameters such as username or location. Users can be divided to groups dynamically, for example based on the authentication method they used to log in. In the services block, each group can then be allowed or denied services such as tunneling, file transfer, and terminal acces
198. option argument. racerts: In RA mode, the RA key and certificate for authentication. -K url: URL specifying the private key location. This is an external key URL whose format is specified in the section called "Synopsis". -R file: Path to the file that contains the RA certificate issued to the public key given in the -K option argument. keypair: The subject key pair to be certified. -P url: URL specifying the private key location. This is an external key URL whose format is specified in the section called "Synopsis". id: Polling ID used if the PKI action is left pending. -I number: Polling transaction ID number given by the RA or CA if the action is left pending. template: The subject name and flags to be certified. -T file: The file containing the certificate used as the template for the operation. Values used to identify the subject are read from this, but the user can overwrite the key, key usage flags, or subject names. -s subject-ldap[;type=value]: A subject name in reverse LDAP format, that is, the most general component first, and alternative subject names. The name subject-ldap will be copied into the request verbatim. A typical choice would be a DN in the format C=US, O=SSH, CN=Some Body, but in principle this can be anything that is usable for the resulting certificate.
199. to the PAM DLL can be given in an attribute. The path must point to the operating-system-specific PAM module, for example /lib/libpam.so.1 on Red Hat Linux.
submethod-password: This element sets the keyboard-interactive password submethod in use.
submethod-securid: This element sets the keyboard-interactive SecurID submethod in use. The dll-path to the SecurID DLL can be given in an attribute. The path must point to the operating-system-specific SecurID module, for example /usr/lib/libaceclnt.so on Solaris.
submethod-radius: This element sets the keyboard-interactive RADIUS submethod in use. The element can contain multiple radius-server child elements.
radius-server: This element defines a RADIUS server. The element has four attributes: address, port, timeout, and client-nas-identifier. The address is the IP address of the RADIUS server. The port is the RADIUS server port; the default port is 1812. The timeout is the time in seconds after which the RADIUS query is terminated if no response is gained; the default is 10 seconds. The client-nas-identifier defines the default NAS identifier to be used when talking to the RADIUS server. The element must contain one radius-shared-secret child element.
radius-shared-secret: This element defines the RADIUS shared secret file. The path to the secret file can be given as a value of the file attribute. Alternatively, the secret can be included as the contents of the ra
200. attribute name="home" value="%USERPROFILE%" />
      <attribute name="virtual-folder" value="C=C:\" />
    </subsystem>
command: This element defines a shell command as allowed, denied, or forced. The element can have four attributes (however, all of them are not used at the same time): action, application, application-case-sensitive, and chroot. The value of the action attribute can be either allow, deny, or forced. The default is allow. If the deny action is set, all shell commands are denied and no further attributes should be specified. For the allow and forced actions, the application must be given as an attribute. If the application is not given for the allow action, all commands are allowed. If the forced action is set, the specified application is run automatically when the user logs in. Applications are normally matched case-insensitively. Alternatively, the application can be specified using the application-case-sensitive attribute. On Unix systems, the chroot attribute can be optionally used to define a directory where the user is chrooted when running the command.
tunnel-agent: This element defines whether agent tunneling (forwarding) is allowed or denied by the server. The word allow or deny can be given as the value of the action attribute. By default, agent forwarding is allowed. For more information, see Section 8.5.
tunnel-x11: This element defines whether X11 tunneling (forwarding) is allowed or denied by
201. tunneling, 111: access control, 112; restricting, 111. U: uninstalling: from AIX, 20; from HP-UX, 21; from Linux, 21; from Solaris, 22; from Windows, 22; upgrading to 5.0: from 4.x, 15; from 5.0, 15; use cases, 23; user account: domain, 85; local, 85; shared, 112; user authentication based on host, 89, 92; user authentication methods, 39, 69, 79; user authentication with certificates, 86, 87; user authentication with GSSAPI, 96; user authentication with keyboard-interactive, 93; user authentication with password, 84; user authentication with public key, 85; user configuration directory, 32, 56; user group, 85; User Manager, 85; user profile directory, 86. V: viewing event log, 53; virtual directories, 108. W: well-known port, 111; Windows: installation, 19; uninstallation, 22; Windows Event Log, 53, 60, 101; Windows password, 84, 85; Windows user group, 85; Windows User Manager, 85. X: X.509 certificate, 83, 87; X11 forwarding, 117; XAuth path, 32; XML attribute: allow-ticket-forwarding, 45; client-nas-identifier, 44; disable-crls, 36; dll-path, 44, 45; failure-delay, 43; idle-timeout, 47; ignore-aix-rlogin, 31; login-grace-time, 39; max-connections, 34; max-processes, 34; max-tries, 43; print-motd, 47; proxy-scheme, 31; require-dns-match, 43; set-group, 41; tcp-keepalive
202. Index. A: account, local, 85; ACE Agent, 95; ACE Server, 95; address, listen, 33, 59; administrators, 99; agent forwarding, 118; AIX: installation, 16; uninstallation, 20; allowed hosts, 100; allowing commands, 49, 77; allowing subsystems, 48, 76; allowing terminal access, 48, 78; allowing tunneling, 49, 50, 77, 78; application tunneling, 111; audit message reference, 151; auditing, 101; authentication, 69, 79: certificate, 82, 86, 87; GSSAPI, 96; host-based, 89; host-based with certificates, 92; Kerberos, 96; keyboard-interactive, 93, 96; PAM, 93, 94; password, 84, 93; public key, 79, 85; RADIUS, 93, 96; SecurID, 93, 95; authentication chains, 40, 70; authentication methods, 39, 71, 79; authority info access, 82, 87; automated file transfer, 109. B: banner message, 40, 55, 102; base64, 126; basic configuration, 27. C: CA certificate, 36, 64, 87; certificate: enrolling, 83; revoked, 82; certificate authentication: server, 33, 56, 82; user, 35, 61, 86, 87; certificate cache file, 36, 62; certificate revocation list (CRL), 82, 87; certificate validation, 35, 61; certificate viewer, 125; certificates in host-based authentication, 92; certification, FIPS 140-2, 31, 55; certification authority (CA), 35, 61, 82; changing host key, 81; channel, 111; chroot, 86; ciphers, 38, 69; CMP client, 128; command-line tools, 119; commands, 49, 77; Compatibility Notes, 26; configuration file, server
203. User configuration directory: Specify a path to user-specific configuration data. With this, the administrator can control those options that are usually controlled by the user. This is given as a pattern string which is expanded by SSH Tectia Server. In the string, %D is the user's home directory, %U is the user's login name, %IU is the user's user ID (uid), and %IG is the user's group ID (gid). The server has to be restarted to use the changed setting.
4.1.3 Identity: The Identity page of the SSH Tectia Server Configuration tool is used to specify the host keys and host certificates that identify the server to the clients.
[Figure 4.3: SSH Tectia Server Configuration, Identity page. Panels: Keys (hostkey list, Add, Delete); Key Type (Public key, Certificate, External key); Host Key or Certificate (Private key, Public key file, Generate, View, Import PKCS#12); External Key (Type, Init info).]
Keys: To add a host key pair, click Add. To delete a host key pair, select
204. Configuration tool, public key authentication can be allowed on the Authentication page. See Section 4.1.9.
5.5.1 Special Considerations on Windows: On Windows, please note that public key authentication works only with local user accounts. Local accounts are unable to access the network resources (such as computers or printers) of any domain. To use public key authentication, the public key must be first created on the client and uploaded to the server. On the server, the user's public keys must be located under the user's profile directory (use the %D pattern string when specifying the user key directory). The recommended location is the %USERPROFILE%\.ssh2\authorized_keys directory. This location reflects the standard Unix usage and works with the default settings of SSH Tectia Client, and the user's profile directory has the appropriate access permissions set by the operating system during the account creation.
Note: If the root directory for SFTP has been changed (chrooted) to some other location than the user profile directory, using public key authentication will require changing the user key directory setting accordingly. Uploading the public key will not succeed if SFTP is set to use some other directory than the specified location for public keys.
5.6 User Authentication with Certificates: Certificate authentication is technically a part of the public key authentication method. The signature created with the private key and t
205. Server. The server reconfiguration has finished. Default log facility: daemon. Arguments: Success/Error (success or error code); Text (textual description of the error).
107 Server listener started. Level: notice. Origin: SSH Tectia Server. The server successfully established a listener socket. Default log facility: daemon. Arguments: Listener (address of the listener socket); Listener Port (port of the listener socket).
108 Server listener stopped. Level: notice. Origin: SSH Tectia Server. The server closed a listener socket. Default log facility: daemon. Arguments: Listener (address of the listener socket); Listener Port (port of the listener socket).
109 Server listener failed. Level: warning. Origin: SSH Tectia Server. The server failed to open a listener socket. Default log facility: daemon. Arguments: Listener (address of the listener socket); Listener Port (port of the listener socket).
110 Servant exited. Level: warning. Origin: SSH Tectia Server. A servant has exited, possibly because of an error. Default log facility: daemon. Arguments: Pid; Success/Error; Exit Value.
111 Servant error. Level: warning. Origin: SSH Tectia Server. A servant reported an unrecoverable error. Default log facility: daemon. Arguments: Pid; Text.
112 Server error. Level: warning. Origin: SSH Tectia Server.
206. External Host Keys ... 84
5.4 User Authentication with Passwords ... 84
5.4.1 Special Considerations on Windows ... 85
5.5 User Authentication with Public Keys ... 85
5.5.1 Special Considerations on Windows ... 86
5.6 User Authentication with Certificates ... 86
5.6.1 Certificate Configuration ... 87
5.7 Host-Based User Authentication ... 89
5.7.1 Using Traditional Public Keys ... 90
5.7.2 Using Certificates ... 92
5.8 User Authentication with Keyboard-Interactive ... 93
5.8.1 Password ... 94
5.8.2 Pluggable Authentication Module (PAM) Submethod ... 94
5.8.3 RSA SecurID Submethod ... 95
5.8.4 RADIUS Submethod ... 96
5.9 User Authentication with GSSAPI ... 96
6 System Administration ... 99
6.1 SSH Tectia Client Privileged User ... 99
6.1.1 Disabling Root Login ... 99
6.1.2 Restricting Connections ... 100
6.1.3 Forced Commands ... 100
6.2 ... 101
6.2.1 Notification ... 102
6.2.2 Customizing ... 102
7 File K
207. y, 86; proxy-scheme, 31, 55; proxy server, 87; public key: host, 33, 57; user, 85; public key authentication: server, 32, 56, 79; user, 43, 85. R: RADIUS authentication, 44, 72, 93, 96; Red Hat Linux, 18; rekeying interval, 38, 69; related documents, 8; remote administration, 99; remote port forwarding, 116; remote tunnel, 116; removing: from AIX, 20; from HP-UX, 21; from Linux, 21; from Solaris, 22; from Windows, 22; restoring default settings, 53; restricting services, 47, 75, 107, 112; restricting tunneling, 49, 50, 77, 78, 111, 112; revoked certificate, 82; rights, log on locally, 85; root directory, 86; RPM packages, 18; RSA ACE Agent, 95; RSA ACE Server, 95; RSA key pair, 80; RSA SecurID, 95. S: secure application connectivity, 111; secure file transfer, 105; Secure File Transfer Protocol (SFTP), 86; Secure Shell server: starting, 24; stopping, 24; secure system administration, 99; SecurID authentication, 44, 72, 93, 95; selector: blackboard, 42, 67; certificate, 41, 66; host certificate, 42, 66; interface, 38, 42, 65; IP, 38, 42, 66; public key passed, 43, 67; user, 42, 67; user group, 42, 67; user password change needed, 43; user privileged, 42, 67; selector handling rules, 29; selectors, 28, 64; server: starting, 24; stopping, 24; server authentication methods, 32, 56, 79; server authentication with certificates, 82; server authentication with external key, 84; server authentication with public key, 79; server
208. specifying allowed addresses with the src and dst elements. If any addresses are specified as allowed, local tunnels to all other addresses are implicitly denied. For example, the following setting allows tunneling to the e-mail server but denies all other tunnels:
    <services>
      <rule>
        <tunnel-local action="allow">
          <!-- IMAP -->
          <dst fqdn="imap.example.com" port="143" />
          <dst fqdn="imap.example.com" port="993" />
          <!-- POP -->
          <dst fqdn="imap.example.com" port="109" />
          <dst fqdn="imap.example.com" port="110" />
          <dst fqdn="imap.example.com" port="995" />
        </tunnel-local>
      </rule>
    </services>
In the SSH Tectia Server Configuration GUI on Windows, tunneling settings are made on the Services page under Rules. See Section 4.1.10.
8.3 Remote Tunnels: A remote (incoming) tunnel forwards traffic coming to a remote port to a specified local port. Setting up remote tunneling allocates a listener port on the remote server. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the local client and another connection is made from the client to a specified host and port. The connection from the client onwards will not be secure, as it is a normal TCP connection. For example, if you issue the following command, all traffic
209. ying the license file. 2. Unpack the packages with gunzip. In order to be installable, the created packages must have the correct long file name:
    gunzip ssh-tectia-common-<ver>-sd-<hpuxver>.depot.gz
    gunzip ssh-tectia-server-<ver>-sd-<hpuxver>.depot.gz
In the package name, <ver> is the current package version of SSH Tectia Server (for example 5.0.0.777) and <hpuxver> is the version of the HP-UX operating system (11.00 or 11.22). 3. Install the packages by running the following command with root privileges:
    swinstall -s <path>/ssh-tectia-common-<ver>-sd-<hpuxver>.depot SSHG3common
    swinstall -s <path>/ssh-tectia-server-<ver>-sd-<hpuxver>.depot SSHG3server
In the command, <path> is the full path to the installation package. HP-UX requires this even when the command is run in the same directory. The server host key is generated during the installation. Key generation may take several minutes on slower machines. 4. The installation should restart the server automatically. If the server does not start (because of a missing license, for example), you can start it after correcting the problem by issuing the command:
    /sbin/init.d/ssh-server-g3 start
2.2.3 Installing on Linux: SSH Tectia Server for Linux platforms is supplied in RPM (Red Hat Pack
