Certificate Support

Includes Public Key, Certificate, X.509, CAC

Public Key authentication uses a public/private key pair. The keys can be RSA or DSA. In this authentication scheme, the user provides the server with the public part of the key and shows that they hold the corresponding private part (by signing data with it). For authentication involving only the RSA/DSA key, a mechanism must exist to provide an authorized mapping between the key and a user. The mapping is provided by the authorized_keys file or the Pragma Fortress SSH Server registry mapping. Keys can be entered manually in a file or auto-loaded using the "Automatically store keys in registry" or "Store keys in authorized file" options. Auto-loading lets a user cache the key information in the selected authorized key stores upon successful password validation.

If the key is wrapped in an X.509v3 certificate, Pragma Fortress SSH Server may not need the authorized key mapping, since the certificate contains account information. However, public certificates can still be placed in the authorized key stores. There are two ways that certificates can be mapped to users under Windows. The first is authorized key mapping, which is just an extension of the standard public key mapping. In this scheme, the base64-encoded DER public certificate is placed in the authorized keys file or registry in the same manner as an RSA/DSA key. The second is implicit mapping. If the certificate contains a UPN alternative name that can be associated with a user's Kerberos name, that information can be used to identify the user to the computer. This option is on by default, but can be disabled on the X.509 Certificate Options page.

Public Key authentication can be problematic for users that have profiles on remote shares. The problem is that the logon token generated during the authentication does not have network credentials. In Windows, the only way to obtain network credentials is through a negotiated security context (GSSAPI, if delegation is configured by your system administrator) or by providing a password. To address this problem, Pragma Fortress SSH Server contains an option to cache the user's password. The password is encrypted twice using AES-256: the first encryption uses a proprietary key, the second uses the Local System user key. If a password is cached, it will be used automatically to provide the user with a token that has access to network shares. The option to cache passwords can be set on the Password Options page. To remove passwords from the cache, the user entry in the registry (HKLM/Software/PragmaSystems/SSHD/PAD) or the entire PAD key needs to be deleted. Permissions must be set to allow the current user to read and delete the subkeys of the PAD key. Modifying the registry manually can cause damage to the system. Please be very careful when modifying the registry. Make a backup if necessary.

How to use a certificate (public key authentication) to make an SSH connection to Pragma Fortress SSH Server.

Server Side Configuration:

1. Launch the Local Fortress SSH Configuration dialog from the Windows Start menu > Pragma Server Management shortcut.

2. On the Authentication page, deselect all GSSAPI authentication options.

3. On the Public Key Options page, the following options are checked by default:

Allow authentication from registry

Allow authentication from file

Store keys in the authorized file.

The location of the authorized_keys2 file can be specified in the field labeled File location. The default location for the file is typically the following subdirectory of the user's home directory or user profile: %APPDATA%\PragmaSSH.

The filename also needs to be configured in the same edit box. "Authorized_keys2" is the default file.

4. Select the check box labeled "Automatically store keys in the registry" to create a registry store and auto-load authentication information there. If this option is selected, Pragma Fortress SSH Server will look for authentication information in the registry first.

5. The public key of the user must be stored on the server side for proper authentication. Since keys do not have a standard format, we recommend using one of the Auto Store features to pass the key to the server in a standard format for storage. To manually store a key, the public key must be written to the filename configured on the Public Key Options page. The key will need to follow the same syntax as the public keys generated by the Pragma sshkeygen program.

6. When using X.509 certificates from the client, the public part of the key pair should be written the same as any RSA/DSA public key, or the auto-storage option should be used. The server does not require the certificate to be loaded in the Windows Certificate Store on the server.

Connect with the client:

When using a certificate to log on, the syntax, location, and proper way to pass the certificate depend on the client. Check the client documentation on how to use certificates. Since keys do not have a standard format, we recommend using one of the Auto Store features to pass the key to the server in a standard format for storage.

Logging on with a DSA/RSA key pair:

With Pragma's Console SSH client the key file is passed using the -i option. If the id_dsa key pair is found in the %APPDATA%\PragmaSSH directory of the current user, it is automatically passed to the server without additional parameters. If a different key pair should be used, or the key pair is in a different directory, the -i option should be used with the full path to the key pair.

If either of the "store keys" options (file or registry) is checked in the server-side configuration, the public part of the public/private key pair will be stored automatically. Please note that a user making a certificate connection to Pragma Fortress SSH Server for the first time will be prompted to enter a password with a "partial success" message. From the second time onwards, the user should be able to log on without having to enter a password.

Tip: If a user is prompted more than once with the "partial success" message when storing the same key, the server may be unable to authenticate the user with the cached password because a library was not loaded correctly. Reboot the server to load the library.

Logging on with an X.509 certificate:

With the Pragma Console SSH Client, the certhash option is used. The thumbprint of the certificate is passed to the server. See Console SSH Client for more information on how to get the thumbprint. The thumbprint must be passed without spaces.

SFTP connection with certificate authentication

To make an SFTP connection with certificate authentication using the Pragma console secure client, open a command prompt and type the following:

sftp -oIdentityFile2=<key> username@host

or

sftp -ocerthash=<cert thumbprint without spaces> username@host

NOTE: SFTP uses the SSH2 protocol only. Therefore, you need to use SSH2 keys to connect. SSH1 keys will not work.
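Step 5 of the server-side configuration says a manually stored key must follow the same public-key syntax as the auto-stored keys, and the note above says SSH1 keys are rejected. The following script is an added example, not Pragma's code, that audits an authorized_keys2-style file the way an administrator might before blaming the client: it rejects SSH1-format lines ("bits exponent modulus"), checks that the type token of each SSH2 line matches the type embedded in the base64 blob (RFC 4253 section 6.6 wire format), flags blobs that appear more than once (the cause of repeated "partial success" prompts when the same key is stored twice), and treats a blob that decodes to a DER SEQUENCE (first byte 0x30) as a certificate entry. The type token used for certificate lines ("x509-cert"), the file contents, and the tiny DER stand-in are constructed for the example; Pragma's actual certificate token and the exact file layout are not stated on this page.

```python
import base64
import struct
from dataclasses import dataclass, field


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an RFC 4251 'mpint' (leading zero byte if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build the binary body of an 'ssh-rsa' public key (RFC 4253 section 6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def wire_type(blob: bytes):
    """Return the key type string embedded at the start of an SSH2 key blob, or None."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or length > len(blob) - 4:
        return None
    return blob[4:4 + length].decode("ascii", "replace")


@dataclass
class Entry:
    line_no: int
    key_type: str
    blob: bytes
    comment: str
    kind: str  # "ssh2" or "x509"


@dataclass
class Audit:
    entries: list = field(default_factory=list)     # accepted Entry objects
    problems: list = field(default_factory=list)    # (line_no, message) for rejected lines
    duplicates: list = field(default_factory=list)  # line numbers whose blob was seen earlier


def audit_authorized_keys(text: str) -> Audit:
    """Audit every line of an authorized_keys2-style file."""
    result = Audit()
    seen = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            result.problems.append((line_no, "malformed: expected '<type> <base64> [comment]'"))
            continue
        if parts[0].isdigit():
            # SSH1 public keys are written as 'bits exponent modulus'; SFTP is SSH2-only.
            result.problems.append((line_no, "SSH1 key format; an SSH2 key is required"))
            continue
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError as exc:
            result.problems.append((line_no, f"base64 decode failed: {exc}"))
            continue
        if blob[:1] == b"\x30":
            # DER always opens with a SEQUENCE tag (0x30); assumed here to mark a certificate entry.
            kind = "x509"
        else:
            embedded = wire_type(blob)
            if embedded != key_type:
                result.problems.append((line_no, f"type token {key_type!r} does not match blob type {embedded!r}"))
                continue
            kind = "ssh2"
        if blob in seen:
            result.duplicates.append(line_no)
        else:
            seen[blob] = line_no
        result.entries.append(Entry(line_no, key_type, blob, comment, kind))
    return result


# Constructed sample file (not from the page). The RSA modulus is a made-up number
# so the example runs offline; real moduli are 2048 bits or more.
_SAMPLE_N = (1 << 1023) + 12345
_RSA_B64 = base64.b64encode(build_rsa_blob(65537, _SAMPLE_N)).decode("ascii")
_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")  # tiny DER SEQUENCE stand-in

SAMPLE_AUTHORIZED_KEYS2 = "\n".join([
    "# constructed authorized_keys2 sample",
    f"ssh-rsa {_RSA_B64} alice@workstation",
    f"ssh-rsa {_RSA_B64} alice@laptop",                  # same key stored twice -> duplicate
    "1024 35 1234567890123456789 alice@old-ssh1",        # SSH1 format -> rejected
    f"ssh-dss {_RSA_B64} bob@workstation",               # token/blob mismatch -> rejected
    f"x509-cert {_CERT_B64} carol (assumed type token)",  # certificate entry
])

if __name__ == "__main__":
    report = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS2)
    for e in report.entries:
        print(f"line {e.line_no}: {e.kind} {e.key_type} {e.comment}")
    for line_no, msg in report.problems:
        print(f"line {line_no}: REJECTED {msg}")
    print("duplicate lines:", report.duplicates)
```

Run against the real file with `audit_authorized_keys(open(path).read())`; a non-empty `problems` list points at the entry to fix, and a non-empty `duplicates` list explains why a key keeps being "stored" again.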

Troubleshooting tips:

If a user's certificate fails to authenticate:

1. Check the server user profile list for another user with the same name. The authorized_keys2 file should be located in the configured directory.

2. The configured directory will need to be unique to each user, since the file name is the same for stored keys.

3. Authentication of domain users using the cached password will require a reboot of Windows 2008 and later systems. A reboot is not required at the time of installation, since it is only required for certificate authentication, which may not be used by all program users.

Copyright © 2023 Pragma Systems Inc