Authentication

Click on Authentication in the Pragma Fortress Manager dialog to configure Authentication settings.

Limit Authentication Attempts

Enable the check box to limit the number of times a user may try to authenticate, and enter the maximum number of attempts in the edit box. Note that this value can be overridden by the client, which may apply its own limit to the attempts it makes.

Authentication Methods Allowed:

Password: Click on this check box to allow users to connect with a valid username and password. Both the username and the password travel inside the encrypted SSH transport from the client to the server, so neither is exposed on the network.

Certificate: Click on this check box to allow login with certificate (public key) authentication. Certificate authentication uses a public/private key pair: the client proves possession of the private key matching a public key the server holds for the user, so no password is required. If certificate authentication fails and password authentication is allowed, the user is prompted for a password instead. For more information, see the topic on certificate authentication.

Automatically Store Public Keys: The first time a user connects with a key the server does not yet know, the server prompts for the user's password. The key and password are then securely cached so that later key logins run with the user's full Windows user context. The key is fully verified (the client must prove possession of the matching private key) before the password prompt, so keys that fail authentication are never saved. Because this option stores a credential on the user's behalf, enable it only where automatic enrolment of keys is wanted; otherwise add keys manually.

Store keys in registry: Turn this option on to have automatically stored keys saved in the registry.

Store keys in authorized file: Turn this option on to have automatically stored keys saved in the authorized_keys2 file in the user's profile directory.

Generic Security Service Application Programming Interface (GSSAPI)

GSSAPI is an industry-wide standard interface for using security mechanisms such as Kerberos without the application needing to know how the mechanism is implemented on a given operating system. It is the accepted standard in the SSH world for Kerberos or NTLM user authentication (the gssapi-with-mic method of RFC 4462), and lets users log in securely with the credentials they already hold instead of typing a password. All SSH related standard documents, including those on GSSAPI use in SSH, can be found at http://www.ietf.org/html.charters/secsh-charter.html

Kerberos: Click on this check box to use Kerberos authentication. Kerberos is a strong authentication method based on secret-key cryptography and a trusted third party, the Key Distribution Center (KDC). During Kerberos authentication the client proves its identity to the server and the server proves its identity to the client. An SSH user's identity is thus verified cryptographically through the Kerberos server without the user having to provide a password. An SSH client that supports GSSAPI with Kerberos must be used to connect with this authentication method.

Kerberos supports authentication across a wide variety of platforms, including Microsoft Windows, Linux, HP-UX, Solaris and AIX, using credentials obtained from the operating system. Starting with Windows 2000, Windows (2000, XP, 2003) uses Kerberos as its default domain authentication protocol, and Microsoft Active Directory is built on Kerberos and fully supports it.

Token Delegation for Kerberos: This is a Kerberos specific option. Check this box to allow a Kerberos authenticated user to reach other network resources from the server under the user's own identity. If this box is off, the session runs with an impersonation-level token, which cannot authenticate the user to other machines, so the user will generally not have access to network resources using Kerberos delegated permissions/privileges. This option must be on if a user needs to access any network resources, such as mapped drives or the ability to ssh or telnet on to another server. Note that the client must also be willing to forward its Kerberos credentials: Windows SSPI clients do this automatically for a service marked trusted for delegation, while OpenSSH clients require GSSAPIDelegateCredentials yes.

For this option to work, the system must be able to generate a delegation-level token for the user. To do this, the following conditions must be met:

  1. The user logging in must not have the Account is sensitive and cannot be delegated option set in Microsoft Active Directory.

      • Log onto the domain controller using an administrator account.

      • Go to Active Directory Users and Computers

      • Right-click the user account that is to be delegated, and click Properties.

      • Under the Account tab, within the Account options, make sure that Account is sensitive and cannot be delegated is not selected.

  2. The FortressSSH server must be marked as trusted for delegation in Active Directory. If the service logon account has been changed under the Configure InetD Service page, that account (rather than the computer) must be marked as trusted for delegation. Note that this check box grants unconstrained delegation, so the server can then obtain Kerberos tickets to any service in the user's name; on domains at Windows Server 2003 functional level or later, constrained delegation limited to the services users actually need is the safer choice.

      • If the FortressSSH service is running as a user

        • Log onto the domain controller using an administrator account.

        • Go to Active Directory Users and Computers

        • Right-click the user account the service runs as, and click Properties.

        • Under the Account tab, within the Account options, select Account is trusted for delegation.

      • If the FortressSSH service is running as LocalSystem

        • Log onto the domain controller using an administrator account.

        • Go to Active Directory Users and Computers

        • Right-click the computer on which FortressSSH is installed and click Properties.

        • Under the General tab, select Trust computer for delegation.
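
As an added example (not part of the Pragma Fortress software or its documentation), the following PowerShell script checks both conditions above without the GUI, by reading the userAccountControl bits that the Account options check boxes set. The parameter names, the assumption that the server's computer account is named after its host, and the example SPN are assumptions of the example; the flag values are the documented ADS_USER_FLAG_ENUM constants.

```powershell
# Added example; not part of Pragma Fortress. Checks the two Active Directory
# conditions that "Token Delegation for Kerberos" depends on by reading the
# userAccountControl bits directly over LDAP ([ADSISearcher]), so it needs no
# RSAT module. Run on a domain-joined Windows host as a domain user.
param(
    [Parameter(Mandatory)] [string] $UserName,        # sAMAccountName of the user who logs in over SSH
    [Parameter(Mandatory)] [string] $ServerHostName,  # NetBIOS name of the host running the SSH server (assumed to match its computer account)
    [string] $ServiceAccount                          # sAMAccountName of the service logon user; omit when the service runs as LocalSystem
)

# userAccountControl flags (ADS_USER_FLAG_ENUM); these are the bits the GUI check boxes toggle.
$UF_TRUSTED_FOR_DELEGATION = 0x80000    # "Account is trusted for delegation" / "Trust computer for delegation"
$UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

function Get-AdObjectProperties([string] $LdapFilter) {
    # Returns the properties of the single object matching the filter, or throws.
    $searcher = [ADSISearcher] $LdapFilter
    $null = $searcher.PropertiesToLoad.AddRange([string[]] @('distinguishedName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No Active Directory object matches $LdapFilter" }
    return $result.Properties
}

function Test-UacFlag([int] $Uac, [int] $Flag) { return (($Uac -band $Flag) -ne 0) }

# Condition 1: the SSH user must not be marked "sensitive and cannot be delegated".
$user    = Get-AdObjectProperties "(&(objectCategory=person)(sAMAccountName=$UserName))"
$userUac = [int] $user['userAccountControl'][0]
$userCanBeDelegated = -not (Test-UacFlag $userUac $UF_NOT_DELEGATED)

# Condition 2: the account the SSH service authenticates as must be trusted for delegation.
if ($ServiceAccount) {
    $svc      = Get-AdObjectProperties "(&(objectCategory=person)(sAMAccountName=$ServiceAccount))"
    $svcLabel = "service account '$ServiceAccount'"
} else {
    # Computer accounts carry a trailing '$' in sAMAccountName; `$ keeps it literal in the string.
    $svc      = Get-AdObjectProperties "(&(objectCategory=computer)(sAMAccountName=$ServerHostName`$))"
    $svcLabel = "computer account '$ServerHostName'"
}
$svcUac        = [int] $svc['userAccountControl'][0]
$unconstrained = Test-UacFlag $svcUac $UF_TRUSTED_FOR_DELEGATION
$constrainedTo = @()
if ($svc.Contains('msDS-AllowedToDelegateTo')) { $constrainedTo = @($svc['msDS-AllowedToDelegateTo']) }
$svcTrusted = $unconstrained -or ($constrainedTo.Count -gt 0)

"Condition 1 - user '$UserName' may be delegated:      $userCanBeDelegated"
"Condition 2 - $svcLabel trusted for delegation: $svcTrusted"
if ($unconstrained) {
    "  Note: unconstrained delegation (the GUI check box). Where the domain allows it, prefer constrained"
    "  delegation by listing only the needed SPNs in msDS-AllowedToDelegateTo, e.g. cifs/fileserver.example.com."
}
if ($constrainedTo.Count -gt 0) { "  Constrained delegation targets: $($constrainedTo -join ', ')" }
if (-not ($userCanBeDelegated -and $svcTrusted)) { exit 1 }
```

Saved as, for example, Check-SshDelegation.ps1, it is run as .\Check-SshDelegation.ps1 -UserName alice -ServerHostName SSHSRV01, adding -ServiceAccount svc_ssh when the service logon account has been changed. The script exits with code 1 when either condition fails. A failing condition is fixed with the GUI steps above or, on a host with the ActiveDirectory module, with Set-ADAccountControl -AccountNotDelegated $false for the user and Set-ADAccountControl -TrustedForDelegation $true for the service or computer account.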

 

GSSAPI NTLM: Click on this check box to use GSSAPI NTLM authentication. NTLM is an authentication protocol used in various Microsoft network protocol implementations and serves throughout Microsoft's systems as an integrated single sign-on mechanism. With either GSSAPI method (NTLM or Kerberos), the credentials of the user interactively logged on to the client are used as the remote user context: there is no username or password prompt, and GSSAPI authentication cannot be used to log on as any user other than the client's interactive user. An SSH client that supports GSSAPI with NTLM must be used to connect with this authentication method.

NTLM must be used to reach a Windows NT 4.0 server, since NT 4.0 does not support Kerberos. On Windows 2000, XP, 2003 or Vista, NTLM can also be chosen, since these platforms support both Kerberos and NTLM; Kerberos should be preferred where it is available, because NTLM does not provide mutual authentication. Note that Unix/Linux clients do not support NTLM, so the NTLM option is only usable from SSH clients on Windows platforms. NTLM is the older authentication protocol of Windows NT 4.0, 95, 98 and Me.

Authenticate without Message Integrity Check (MIC): Use this drop-down menu to control whether clients must send the MIC defined for the gssapi-with-mic method (RFC 4462). The MIC is a GSSAPI signature over the SSH session identifier and the user authentication request, which binds the GSSAPI exchange to this particular SSH connection. Selecting Allow authenticates clients with or without MIC support. Selecting Deny refuses clients that cannot send a MIC; it is the preferred setting when all clients support MIC. Selecting Force makes the server authenticate ONLY without MIC, so SSH clients will see this server as not supporting MIC; use it only for clients that cannot interoperate with MIC.

Pragma Legacy NTLM: Turn this option on to allow older versions of Pragma Fortress clients to authenticate using NTLM. This method uses a Microsoft proprietary NTLM exchange and is not compatible with the GSSAPI NTLM method. GSSAPI NTLM supersedes it, so leave this option off unless older Pragma clients still need to connect.

 

NOTE: The server tries the methods in the order GSSAPI (Kerberos/NTLM), Certificate, Password. If GSSAPI or certificate authentication fails and password authentication is enabled, the user falls back to a password prompt. Any disabled method is skipped. If password authentication is disabled and the enabled advanced methods fail, the user is disconnected.