Tectia 5 Certificate Authentication - SSH



Thread: Tectia 5 Certificate Authentication

  1. Tectia 5 Certificate Authentication

    Has anyone been able to configure the tectia 5 server to accept
    password, or keyboard-interactive or certificate authentication so that a
    client could do one of the accepted three?

    So far I can only configure it to accept just certificates, or just
    password/keyboard interactive, or a combination where both password
    and certificate must be presented by the client.


  2. Re: Tectia 5 Certificate Authentication

    >>>>> "support" == support writes:

    support> Has anyone been able to configure the tectia 5 server to
    support> accept password, or keyboard-interactive or certificate
    support> authentication so as a client could do one of the accepted
    support> three?

    support> So far I can only configure it to accept just certificates,
    support> or just password/keyboard interactive, or a combination where
    support> both password and certificate must be presented by the
    support> client.

    AllowedAuthentications publickey,keyboard-interactive,password

    --
    Richard Silverman
    res@qoxp.net


  3. Re: Tectia 5 Certificate Authentication

    Richard

    Yes, I have publickey enabled, with the associated certificate
    selectors in the ssh-server-config.xml file, however I cannot get it to
    work.

    I can have:
    publickey or keyboard-interactive or password or gssapi but not or
    certificate

    or I can have

    publickey with certificate selectors

    but not

    publickey or keyboard-interactive or gssapi or certificate/with
    selectors


  4. Re: Tectia 5 Certificate Authentication

    >>>>> "support" == support writes:

    support> Richard Yes, I have publickey enabled, with the associated
    support> certificate selectors in the ssh-server-config.xml file,
    support> however I cannot get it to work.

    support> I can have: publickey or keyboard-interactive or password or
    support> gssapi but not or certificate

    support> or I can have

    support> publickey with certificate selectors

    support> but not

    support> publickey or keyboard-interactive or gssapi or
    support> certificate/with selectors


    http://www.snailbook.com/faq/general...ging.auto.html

    --
    Richard Silverman
    res@qoxp.net


  5. Re: Tectia 5 Certificate Authentication

    Duh! Have you ever used the SSH Data Communications tectia 5.x
    server/client? They cannot be placed into debug mode!
    And the server log is useless.


  6. Re: Tectia 5 Certificate Authentication

    >>>>> "support" == support writes:

    support> Duh! Have you ever used the SSH Data Communications tectia
    support> 5.x server/client ? They cannot be placed into debug mode!
    support> And the server log is useless.

    If you want free expert advice, you could try being polite.

    The link I gave you suggests you provide complete information, including
    the platform and OS on which you're running both client and server. It's
    a little difficult to answer a question when you don't say what software
    you're using.

    --
    Richard Silverman
    res@qoxp.net


  7. Re: Tectia 5 Certificate Authentication

    >>>>> "support" == support writes:

    support> Richard Yes, I have publickey enabled, with the associated
    support> certificate selectors in the ssh-server-config.xml file,
    support> however I cannot get it to work.

    support> I can have: publickey or keyboard-interactive or password or
    support> gssapi but not or certificate

    support> or I can have

    support> publickey with certificate selectors

    support> but not

    support> publickey or keyboard-interactive or gssapi or
    support> certificate/with selectors

    Since you mention an XML file, I'm going to assume you're using a Windows
    server. Your problem might be that passwords are always required for
    access to domain accounts, since Windows needs the password to
    authenticate the user to the domain controller. You can only have
    publickey-only authentication with local accounts.

    --
    Richard Silverman
    res@qoxp.net


  8. Re: Tectia 5 Certificate Authentication

    I was just hoping someone on this list had really used the Tectia 5.x
    server (not the Tectia 4.x server), and had tried using certificate
    authentication at the same time that password, keyboard-interactive and
    gssapi were also allowed, in an "OR" type relationship. That is, only
    one method has to be presented by the tectia client.

    The tectia server is running on Redhat Enterprise 3 and the tectia
    client is running on Windows XP/SP2. Both the Redhat Enterprise 3 OS
    and the Windows XP/SP2 systems are at the latest revision level. Both
    the tectia server and client are running in FIPS mode, and both are at
    the latest release, 5.0.1.79.

    As I stated, if I set up the server ssh-server-config.xml file to just
    allow the publickey/certificate combination, I can log in using the tectia
    client using either a certificate or a normal publickey. If I set up the
    server to accept just password, publickey, keyboard-interactive or
    gssapi, then I can log in using any of those methods, but the publickey
    method is limited to the normal publickey key concept, not
    certificates.

    I understand that perhaps those that desire to use certificates only
    may not have a need for this, but during a transition, it is necessary.
    So what I want to do is set up the server to allow authentication by
    one of the following methods.

    User A - password only
    User B - publickey only
    User C - keyboard interactive only
    User D - gssapi only

    User E - publickey, Certificate only, where the certificate method is
    qualified by selectors requiring a correct pattern match on the user
    certificate subject and required to have been issued by the CA
    certificate located in the ssh-server-config.xml file, and that the
    user certificate pass the normal revocation checks.

    User F - publickey, including both the normal publickey method and the
    certificate method, with the user certificate qualified the same as the
    User E criteria.

    I do not want to limit any given user to a specific method, or to
    require users to have more than one method.

    We know that the tectia client is capable of doing this, since we first
    tested that against a specially modified OpenSSH based server (gssapi
    by mechglue, and X509 support by the excellent package from Roumen
    Petrov).


  9. Re: Tectia 5 Certificate Authentication

    >>>>> "SS" == support writes:

    SS> The tectia server is running on Redhat Enterprise 3 and the tectia
    SS> client is running on Windows XP/SP2. Both the Redhat Enterprise 3
    SS> OS and the Windows XP/SP2 systems are at the latest revision
    SS> level. Both the tectia server and client are running in FIPS
    SS> mode, and both are at latest release, 5.0.1.79

    OK, this is the information you needed to provide at the outset.

    I don't have a copy of the latest release of Tectia; what you want
    certainly works in version 4. I've requested a copy of the software from
    ssh.com and will give it a try when I have a chance.

    --
    Richard Silverman
    res@qoxp.net


  10. Re: Tectia 5 Certificate Authentication

    > So what I want to do is setup the server to allow authentication by
    > one of the following methods.
    >
    > User A - password only
    > User B - publickey only
    > User C - keyboard interactive only
    > User D - gssapi only
    >
    > User E - publickey, Certificate only, where the certificate method is
    > qualified by selectors requiring a correct pattern match on the user
    > certificate subject and required to have been issued by the CA
    > certificate located in the ssh-server-config.xml file, and that the
    > user certificate pass the normal revocation checks.
    >
    > User F - publickey, including both the normal publickey method and the
    > certificate method, with the user certificate qualified the same as the
    > User E criteria.
    >
    > I do not want to limit any given user to a specific method,
    > require users to have more than one method.


    I don't understand; you have requirements which say various users be
    allowed to use specific authentication methods "only." How is that
    compatible with the last statement above?

    --
    Richard Silverman
    res@qoxp.net


  11. Re: Tectia 5 Certificate Authentication

    The "only" was an attempt to indicate that only one method is required
    for a user, and that all methods should be available. Perhaps that is
    confusing.

    We know that we can get the server to work if we require an "AND"
    condition. That is, more than one authentication method per user.
    It was also an attempt to make clear that we had no intent to use a
    selector to limit any given method to a specific user (which is
    possible in tectia 5.x).

    So perhaps saying, "we have a need for all possible authentication
    methods to be available, and that only one of those methods needs to be
    presented by a user" will clarify.

    BTW, the other alternative we thought of was to run an instance of the
    server using the normal password, publickey, keyboard-interactive and
    gssapi methods, and another instance of the server supporting
    publickey/Certificates, with a unique port for each instance. But
    alas, there is a problem in that case also. There is a bug (or perhaps
    on purpose) preventing that from being done.

    Ken
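As an added illustration of the "OR versus AND" requirement Ken spells out in posts 8 and 11 (this is not part of the thread and not Tectia's own code), the Python below parses a constructed ssh-server-config.xml fragment and reports which `<authentication>` blocks a given client satisfies. It models the semantics as I read them from the Tectia Server documentation: the methods listed inside one `<authentication>` element are alternatives (one is enough), a nested `<authentication>` element must also be passed (an AND), and a `<selector>` restricts which clients a block applies to. The element and attribute names (`auth-password`, `auth-publickey`, `auth-keyboard-interactive`, `auth-gssapi`, `selector`, `certificate field="subject-name"` / `field="ca-list"`) are recalled from that documentation and should be checked against the sample config shipped with your version; the glob matching of subject names and the client dictionary format are simplifications of mine, not Tectia behaviour.

```python
"""Model of Tectia-style <authentication-methods> evaluation (added example).

Assumptions, not verified against a live Tectia 5 server:
  * methods inside one <authentication> are alternatives (OR);
  * a nested <authentication> must also be satisfied (AND);
  * <selector> conditions all have to hold for the block to apply;
  * subject-name patterns are glob-matched here (simplification).
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample config; element names recalled from Tectia documentation.
SAMPLE_CONFIG = """
<secsh-server>
  <authentication-methods>
    <!-- Block 0: any ONE of the ordinary methods is enough (OR). -->
    <authentication action="allow">
      <auth-password />
      <auth-publickey />
      <auth-keyboard-interactive />
      <auth-gssapi />
    </authentication>
    <!-- Block 1: publickey via certificate, only for clients whose
         certificate matches the selector (issuing CA + subject pattern). -->
    <authentication action="allow">
      <selector>
        <certificate field="ca-list" pattern="corp-ca" />
        <certificate field="subject-name" pattern="C=US, O=Example, CN=*" />
      </selector>
      <auth-publickey />
    </authentication>
    <!-- Block 2: publickey AND password (nested block = second factor). -->
    <authentication action="allow">
      <auth-publickey />
      <authentication action="allow">
        <auth-password />
      </authentication>
    </authentication>
  </authentication-methods>
</secsh-server>
"""

# Map config element names to the SSH method names a client would offer.
METHOD_TAGS = {
    "auth-password": "password",
    "auth-publickey": "publickey",
    "auth-keyboard-interactive": "keyboard-interactive",
    "auth-gssapi": "gssapi",
}


def selector_matches(selector, client):
    """All <certificate> conditions must hold; a missing selector matches everyone."""
    if selector is None:
        return True
    cert = client.get("cert")  # dict with 'subject' and 'ca', or None
    for cond in selector:
        if cond.tag != "certificate":
            continue  # user/ip selectors are not modelled in this example
        if cert is None:
            return False
        field, pattern = cond.get("field"), cond.get("pattern")
        if field == "subject-name" and not fnmatch.fnmatchcase(cert["subject"], pattern):
            return False
        if field == "ca-list" and cert["ca"] not in [p.strip() for p in pattern.split(",")]:
            return False
    return True


def block_passes(auth, client):
    """One <authentication> element: selector applies, one listed method is
    available (OR), and any nested <authentication> also passes (AND)."""
    if not selector_matches(auth.find("selector"), client):
        return False
    offered = [METHOD_TAGS[c.tag] for c in auth if c.tag in METHOD_TAGS]
    if offered and not any(m in client["methods"] for m in offered):
        return False
    nested = auth.findall("authentication")
    if nested and not any(block_passes(n, client) for n in nested):
        return False
    return True


def matching_blocks(config_xml, client):
    """0-based indexes of the top-level <authentication> blocks the client satisfies."""
    root = ET.fromstring(config_xml)
    blocks = root.find("authentication-methods").findall("authentication")
    return [i for i, auth in enumerate(blocks) if block_passes(auth, client)]


def access_allowed(config_xml, client):
    """True when at least one satisfied block carries action="allow"."""
    root = ET.fromstring(config_xml)
    blocks = root.find("authentication-methods").findall("authentication")
    return any(blocks[i].get("action", "allow") == "allow"
               for i in matching_blocks(config_xml, client))


if __name__ == "__main__":
    # Constructed clients: each offers a set of methods and maybe a certificate.
    alice = {"methods": {"publickey"},
             "cert": {"subject": "C=US, O=Example, CN=alice", "ca": "corp-ca"}}
    print("alice matches blocks", matching_blocks(SAMPLE_CONFIG, alice))
```

Running the script with the constructed config shows that a password-only user is accepted by block 0 alone, a user presenting a certificate from `corp-ca` satisfies both block 0 and the selector-guarded block 1 without presenting a second method, and only a client that can offer both a key and a password satisfies the nested block 2. That is the distinction between the "OR" layout Ken wants and the "AND" layout he reports working.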

