Certificate Support

Any securely generated key can be used for identification, allowing local users to log on without entering a password. Sharing the public part of the key with the server lets the server confirm the user's identity from that key. Each user has a unique location under their %USERPROFILE% for saving public keys, so multiple keys can be kept, depending on the client used for the connection. A %USERPROFILE% is set up for the user when they first log on, either through the desktop or through an SSH session. The user receives their assigned access to the server and network, just as if they had logged on with a password. Certificate support is not available for domain users: domain users are prompted for a password if password authentication is allowed, otherwise they are rejected.

How to use a certificate to logon:

1. Generate a key using any accepted key generator. Pragma ships a command-line key generation program for generating client keys; see sshkeygen for more information. Keys can also be generated by other client software or by a secure certificate server. The key saved in the authorized keys file must be in ssh-com format. Note that some keys are formatted with linefeeds within the key; these linefeeds must be removed before the key is saved on the server.

2. Copy the key to the user's authorized keys file on the server. This file is %USERPROFILE%\Application Data\PragmaSSH\authorized_keys for ssh1 keys and %USERPROFILE%\Application Data\PragmaSSH\authorized_keys2 for ssh2 keys. If there are multiple users with the same name, meaning that domain users also have a profile on the system, copy the files to the first user listed.

3. From the client, log on to the server, choosing the appropriate identity file to use for the logon. Pragma's clients automatically try the key files defined for the appropriate protocol at connection time, so designating one is not required.
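The three steps above as an added PowerShell helper; this is not part of Pragma Fortress or its clients. It finds the first profile directory for the user name, joins a wrapped ssh-com key body into a single line, and appends the key to authorized_keys or authorized_keys2. Assumptions: profiles sit beside the current %USERPROFILE%, and "remove the linefeeds" means joining the wrapped body lines while keeping the ssh-com marker and header lines as they are.

```powershell
param(
    [Parameter(Mandatory)][string]$UserName,
    [Parameter(Mandatory)][string]$KeyFile,
    [ValidateSet(1, 2)][int]$SshVersion = 2
)

function Get-PragmaKeyFile([string]$Name, [int]$Version) {
    # Assumption: profiles sit beside the current %USERPROFILE% (e.g.
    # C:\Documents and Settings). Local and domain accounts with the same name
    # each get a profile there, and the server reads the first one listed, so
    # that is the directory the key has to go into.
    $root = Split-Path -Parent $env:USERPROFILE
    $dir = Get-ChildItem -Path $root -Directory |
        Where-Object { $_.Name -eq $Name -or $_.Name -like "$Name.*" } |
        Sort-Object Name | Select-Object -First 1
    if (-not $dir) { throw "No profile directory for '$Name' under $root" }
    $file = if ($Version -eq 1) { 'authorized_keys' } else { 'authorized_keys2' }
    return Join-Path $dir.FullName "Application Data\PragmaSSH\$file"
}

function ConvertTo-SingleLineKey([string[]]$Lines) {
    # Keep the "---- BEGIN/END ----" markers and "Header: value" lines as they
    # are; join the wrapped key body into one line so no linefeeds remain in it.
    $out = @(); $body = ''
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        if ($line -like '----*' -or $line -match '^[A-Za-z-]+:') {
            if ($body) { $out += $body; $body = '' }
            $out += $line
        } else { $body += $line }
    }
    if ($body) { $out += $body }
    return $out
}

$target = Get-PragmaKeyFile -Name $UserName -Version $SshVersion
$key = @(ConvertTo-SingleLineKey (Get-Content -Path $KeyFile))
$bodyLines = @($key | Where-Object { $_ -notlike '----*' -and $_ -notmatch '^[A-Za-z-]+:' })
if ($bodyLines.Count -eq 0) { throw "No key material found in $KeyFile" }
New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
# Do not add a duplicate: if the same key body is already present there is nothing to do.
if ((Test-Path $target) -and (Select-String -Path $target -SimpleMatch -Pattern $bodyLines -Quiet)) {
    Write-Host "Key already present in $target"
} else {
    Add-Content -Path $target -Value $key
    Write-Host "Key appended to $target"
}
```

Run it as an administrator on the server, e.g. `.\Add-PragmaKey.ps1 -UserName alice -KeyFile .\alice.pub -SshVersion 2`, then retry the logon from the client.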

Syntax for SSH & SFTP connection with certificate authentication

To connect to a Fortress server with certificate authentication using the Pragma console secure client, open a DOS command prompt and type the following:

ssh -i <key> username@host

To make an SFTP connection with certificate authentication using the Pragma console secure client, open a DOS command prompt and type the following:

sftp -oIdentityFile2=<key> username@host

NOTE: SFTP uses the SSH2 protocol only, so you must use SSH2 keys to connect; SSH1 keys will not work.

Troubleshooting tip:

If a user's certificate fails to authenticate, check the server's user profile list for another user with the same name. The authorized keys file must be in the first directory listed with that user name.