Use the Public Key Options page to configure what kind of certificates can be used and the auto store feature of Pragma Fortress SSH Server. At least one of these options, or X.509 authentication, must be selected for public key authentication to be allowed.
For authentication just involving the RSA/DSA key, a mechanism needs to exist to provide authorized mapping between the key and a user. The mapping is provided by the authorized_keys file or registry mapping.
The two auto store features can be enabled on this page. The auto store features are designed to make storage of new keys simpler. There is no standard key format, so each client program generates keys in its own format. Even though many are compatible, they are not guaranteed to match the syntax required by Pragma Fortress SSH Server. The key negotiation by the protocol is part of the SSH standard, so formatting is not an issue there. Instead of a user sending a public key to the system administrator, they log on with the certificate, enter their password when prompted, and the server stores the key in the correct syntax and location for Pragma Fortress SSH Server.

Registry - Registry mapping uses the registry-based Pragma Fortress SSH Server PKI to associate keys and certificates with users.
An option is provided to cache the public key after the user has been verified. The key is cached in the registry in a double encrypted hash form with restrictive permissions.
Keys cannot be manually stored in the registry.
Allow authentication from registry
Use cached certificate information from the registry to authenticate a user.
Automatically store keys in registry
Allow certificate access to automatically store/load keys in the registry, after a user has been successfully authenticated.
Authorized keys file
The authorized keys file is a single file unique to each user that contains client/key pairs that identify the user. The file can be manually created by storing the client public key in the correct syntax and location for authentication.
Authentication by file, without using the password caching, has a lower level of security. For that reason only local non-administrative users can be used when authenticating by file only. The session cannot set full user context without a password, so limited access is granted.
Allow authentication from file
Use stored certificate information from the authorized_keys2 file to authenticate a user.
Store keys in authorized file
Allow certificate access to be automatically written to the authorized_key file after a user has been successfully authenticated.
Key file
Path and file name to look for authorized keys. This file can be manually created or can be created by the server when using the "Store keys in authorized file" feature.
This directory must be unique for each user, since the file name is the same for all users. For that reason, this location should include a value based on the USERNAME and/or USERDOMAIN environment variables. The default location is the PragmaSSH directory of the user's Application Data directory, defined by the %APPDATA% environment variable. The environment variable must exist on the system. It cannot be defined under the Fortress SSH Server User Environment Variables configuration.
The name configured here will be used for all users.
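The following PowerShell script is an added example, not code from Pragma Systems, that audits a configured "Key file" path the way the text above describes: it checks that the template varies per user (via %APPDATA%, %USERNAME% or %USERDOMAIN%) and, for each resolved file that exists, that broad groups have no write access. The template, user names, domain and profile layout are assumed values.

```powershell
# Added example, not Pragma's own code. All values below are constructed.
$Template = '%APPDATA%\PragmaSSH\authorized_keys'   # assumed default-style path
$Users    = @('alice', 'bob')                        # constructed sample users
$Domain   = 'CORP'                                   # constructed sample domain

function Test-KeyFileTemplate {
    param([string]$Template)
    # The path must differ per user; otherwise every user shares one key
    # file and a key stored by one user authenticates all of them.
    if ($Template -notmatch '%(APPDATA|USERNAME|USERDOMAIN)%') {
        Write-Warning "Key file path '$Template' is not per-user: it uses none of %APPDATA%, %USERNAME% or %USERDOMAIN%."
        return $false
    }
    return $true
}

function Resolve-KeyFilePath {
    param([string]$Template, [string]$User, [string]$Domain)
    # Assumption: %APPDATA% resolves to the standard roaming profile path
    # for local profiles under C:\Users.
    return ($Template -replace '%USERNAME%', $User `
                      -replace '%USERDOMAIN%', $Domain `
                      -replace '%APPDATA%', "C:\Users\$User\AppData\Roaming")
}

function Test-KeyFileAcl {
    param([string]$Path)
    # Write access for broad groups would let another account plant a key
    # for this user, so flag any Allow ACE that grants it.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $ok = $true
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $write)) {
            Write-Warning "$Path grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
            $ok = $false
        }
    }
    return $ok
}

if (Test-KeyFileTemplate $Template) {
    foreach ($u in $Users) {
        $p = Resolve-KeyFilePath $Template $u $Domain
        if (Test-Path $p) { [void](Test-KeyFileAcl $p) }
        else { "No key file yet for ${u}: $p" }
    }
}
```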