Setting up Pragma FortressSSH for x509 certificate-based server validation and CAC/Smartcard

x509 / CAC / Smart Card Support (Server side configuration):
To support x509 certificate/CAC/SmartCard logons to the SSH server, certificate authentication needs to be enabled on the server configuration page as shown below. Other authentication methods such as password and GSSAPI can be left enabled. For x509/CAC/SmartCard authentication, Pragma SSH server validates and enforces that the fields of a public key/certificate are proper, authentic, and belong to the subject user named in the certificate. Pragma SSH server checks that the public key has not expired, checks that the certificate has not been revoked using the OCRL protocol, and validates the certificate's signature cryptographically.
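The paragraph above lists the checks the server applies to a presented certificate: validity period, revocation status, signature back to a trusted CA, and the binding of the certificate subject to the login user. The script below is an added example, not Pragma's code, that reproduces those checks with the openssl command line so an administrator can see each one accept or reject a test certificate. It assumes only the openssl CLI; the CA, the user certificates and the CRL are all constructed in a temporary directory, and revocation is demonstrated with a CRL file since the page does not describe the server's revocation transport in detail.

```shell
#!/bin/sh
# Added example (not Pragma's code): emulate the server-side certificate checks the text
# describes - validity period, signature chain, revocation - plus the subject/user binding.
# Everything here is a constructed throwaway PKI; it assumes only the openssl CLI.

# Build the demo PKI in directory $1: one CA, a valid cert for "alice", an already-expired
# cert for "bob", an empty CRL, then a CRL that revokes alice's certificate.
build_demo_pki() {
  W=$1
  mkdir -p "$W/db"; : > "$W/db/index.txt"; echo 01 > "$W/db/serial"; echo 01 > "$W/db/crlnumber"
  cat > "$W/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $W/db
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $W/ca.pem
private_key = $W/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed demo CA (constructed; the signature check below chains to it).
  openssl req -x509 -config "$W/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo CA" -keyout "$W/ca.key" -out "$W/ca.pem" >/dev/null 2>&1
  for u in alice bob; do
    openssl req -config "$W/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$u" \
      -keyout "$W/$u.key" -out "$W/$u.csr" >/dev/null 2>&1
  done
  # alice: currently valid. bob: validity window entirely in the past (expired).
  openssl ca -config "$W/ca.cnf" -batch -notext -in "$W/alice.csr" -out "$W/alice.pem" >/dev/null 2>&1
  openssl ca -config "$W/ca.cnf" -batch -notext -in "$W/bob.csr" -out "$W/bob.pem" \
    -startdate 20200101000000Z -enddate 20200102000000Z >/dev/null 2>&1
  # CRL before and after revoking alice's certificate.
  openssl ca -config "$W/ca.cnf" -gencrl -out "$W/crl-empty.pem" >/dev/null 2>&1
  openssl ca -config "$W/ca.cnf" -revoke "$W/alice.pem" >/dev/null 2>&1
  openssl ca -config "$W/ca.cnf" -gencrl -out "$W/crl-revoked.pem" >/dev/null 2>&1
}

# Decide whether one presented certificate may log in as $4.
# Returns 0 = accept, 1 = expired, 2 = signature chain failure or revoked,
# 3 = certificate subject does not name the requested login user.
validate_user_cert() {
  cert=$1; ca_bundle=$2; crl=$3; login_user=$4
  # Check 1: validity period. -checkend 0 exits non-zero once notAfter is in the past.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
  # Check 2: signature chain to the trusted CA and CRL status of the leaf certificate.
  openssl verify -CAfile "$ca_bundle" -crl_check -CRLfile "$crl" "$cert" >/dev/null 2>&1 || return 2
  # Check 3: the subject CN must be the user requesting the session.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$login_user" ] || return 3
  return 0
}

# Stand-alone demonstration: four logon attempts, one per check.
W=$(mktemp -d)
build_demo_pki "$W"
for case in "alice.pem crl-empty.pem alice" "alice.pem crl-revoked.pem alice" \
            "alice.pem crl-empty.pem bob" "bob.pem crl-empty.pem bob"; do
  set -- $case
  validate_user_cert "$W/$1" "$W/ca.pem" "$W/$2" "$3" \
    && echo "$1 as $3: accepted" || echo "$1 as $3: rejected (code $?)"
done
```

Only the first attempt is accepted; the revoked, mis-bound and expired certificates each fail on the check that the return code names. In a real deployment the CRL (or an online revocation response) must be fresh and the CA bundle must contain only the issuers the server is meant to trust; the two files are the whole trust decision.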


CAC/Smart Card Support (Client Side):
In addition to supporting the password, public key/certificate and GSSAPI authentication methods, Pragma FortressCL now also supports smart card/PKCS authentication. FortressCL's smart card support meets US Department of Defense (DOD) and CACS standards as well as Microsoft environment standards.

Support for this new FortressCL feature on Windows XP and 2003 machines requires installation of the smart card libraries supplied by the smart card vendors. All smart card vendors are required to implement provider libraries for their cards that act as an interface between the Microsoft Windows smart card support features and the smart card hardware layer. Once a smart card containing x.509 certificates is inserted in the card reader, the certificates on it are automatically made available in the certificate store of that machine, so a FortressCL user can use these certificates for x.509 validation via the FortressCL Authentication tab.


Figure 1: FortressCL Authentication Tab

Once the Public Key/Certificate authentication method is selected, the user can further specify the use of a certificate private key file or an x.509 certificate file (.pfx file). Alternatively, the user can choose x.509 certificates, either from smart cards or from any other CA sources, by clicking the radio button User Personal Certificate Store, as shown below:


Figure 2: Using X.509 Certificates

Once the radio button is clicked, all available certificates in the store are displayed. The user can select one or more of the available certificates. If more than one is chosen, they will be tried in order until one of them succeeds in obtaining login access. If none of the available certificates are chosen, all of the available certificates in the store will be tried in order until one of them succeeds or all of them fail. Please note that if a smart card x.509 certificate is PIN-protected, the PIN will be required during login authentication.

Pragma's console ssh, sftp and scp clients support x509/CAC/Smart Card based authentication: in the ssh command line parameters, specify the .pfx file and provide the fully qualified server name as shown below: