Re: Tectia 5 Certificate Authentication



I was just hoping someone on this list had really used the Tectia 5.x
server (not the Tectia 4.x server), and had tried using certificate
authentication at the same time that password, keyboard-interactive and
gssapi were also allowed, in an "OR" type relationship. That is, only
one method has to be presented by the Tectia client.

The Tectia server is running on Red Hat Enterprise 3 and the Tectia
client is running on Windows XP/SP2. Both the Red Hat Enterprise 3 OS
and the Windows XP/SP2 systems are at the latest revision level. Both
the Tectia server and client are running in FIPS mode, and both are at
the latest release, 5.0.1.79.

As I stated, if I set up the server ssh-server-config.xml file to just
allow the publickey/certificate combination, I can log in using the Tectia
client using either a certificate or normal publickey. If I set up the
server to accept just password, publickey, keyboard-interactive or
gssapi, then I can log in using any of those methods, but the publickey
method is limited to the normal publickey key concept, not
certificates.

I understand that perhaps those who desire to use certificates only
may not have a need for this, but during a transition, it is necessary.
So what I want to do is set up the server to allow authentication by
one of the following methods.

User A - password only
User B - publickey only
User C - keyboard interactive only
User D - gssapi only

User E - publickey, Certificate only, where the certificate method is
qualified by selectors requiring a correct pattern match on the user
certificate subject and required to have been issued by the CA
certificate located in the ssh-server-config.xml file, and that the
user certificate pass the normal revocation checks.

User F - publickey, including both the normal publickey method and the
certificate method, with the user certificate qualified the same as the
User E criteria.

I do not want to limit any given user to a specific method, or to
require users to have more than one method.

We know that the Tectia client is capable of doing this, since we first
tested that against a specially modified OpenSSH-based server (gssapi
by mechglue, and X509 support by the excellent package from Roumen
Petrov).
