
Technical Notes

How to Configure F-Secure SSH for Token/Smartcard Authentication
Technical Note 1913
Last Reviewed 20-Jan-2004
Applies To
F-Secure SSH Client for Windows version 5.1 through 5.4
Summary

This technical note provides steps for configuring the F-Secure SSH Client to use token/smartcard authentication.

Set Up the Certificate

Follow the steps below to set up the certificate.

  1. Create or obtain a certificate.
  2. Import and configure the certificate into the F-Secure client using the Import or Enroll features. (Edit > Settings > Global Settings > PKI > Certificates.)
  3. Create the certificate on the token/smartcard.

Configure the F-Secure SSH Client

Use one of the following methods to configure the F-Secure SSH Client for Windows to use the token/smartcard.

PKCS #11 (Public-Key Cryptography Standards)

If the token/smartcard supports PKCS #11, follow the steps below to configure F-Secure SSH Client for Windows to use PKCS #11.

  1. Open the F-Secure SSH Windows Client, and then click Edit > Settings.
  2. Expand Global settings > PKCS #11, click Configuration, and then click Add.
  3. Fill in the PKCS #11 Provider dialog box and click OK.

Microsoft Crypto API

If the token/smartcard supports Microsoft Crypto API, follow the steps below to configure the F-Secure SSH Windows Client to use the Microsoft Crypto API.

  1. Open the F-Secure SSH Client for Windows, and then click Edit > Settings.
  2. Expand Profiles > Connection, and then click Authentication.
  3. In the Public-Key Authentication Methods list-box, if System-Provided Certificates is not listed, click the new method button (to the left of the red X), select System-Provided Certificates, and then click OK.
Figure 1: Adding System-Provided Certificates

Note: The certificate must be in the system store for this option to work. To verify that the certificate is in the system store, look in Microsoft Internet Explorer > Tools > Internet Options > Content > Certificates.

Configure the UNIX SSH Server

If you are connecting to a UNIX SSH Server, follow these general steps to configure the server product to use certificates for authentication. For further details, see the F-Secure SSH manual or your host's man pages.

  1. Copy the CA certificate to the server using a binary file transfer method (PEM or BASE64 encoding).
  2. Create the map file.
  3. Edit the sshd2_config file and add an entry for the CA certificate, CRL checking, and the map file.
  4. Verify that Public Key is the allowed authentication method.

Note: If you want to use the e-mail address as the identifier in the map file, then the e-mail address must be in the Subject Alternative Name field of the Distinguished Name of the certificate.
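
The following check is an added example, not part of the original technical note or of F-Secure's documentation. It reads an sshd2_config and reports which of the entries from steps 3 and 4 are missing or weakened. The keyword names (Pki, MapFile, PkiDisableCRLs, AllowedAuthentications) are assumptions based on ssh2-style servers and the file paths are constructed; confirm both against your server's manual.

```python
# Added example. Keyword names (Pki, MapFile, PkiDisableCRLs,
# AllowedAuthentications) are assumptions based on ssh2-style servers;
# confirm them in your server's sshd2_config man page.

def parse_sshd2_config(text):
    """Map lower-cased keyword -> list of values from 'Keyword value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings

def audit(text):
    """Return findings for steps 3 and 4 of the server procedure."""
    cfg = parse_sshd2_config(text)
    findings = []
    if not any(cfg.get("pki", [])):
        findings.append("missing CA certificate entry (Pki)")
    if not any(cfg.get("mapfile", [])):
        findings.append("missing map file entry (MapFile)")
    if any(v.lower() == "yes" for v in cfg.get("pkidisablecrls", [])):
        findings.append("CRL checking disabled (PkiDisableCRLs yes)")
    methods = {m.strip().lower()
               for v in cfg.get("allowedauthentications", [])
               for m in v.split(",") if m.strip()}
    if "publickey" not in methods:
        findings.append("publickey not listed in AllowedAuthentications")
    # Any other method left enabled lets a user bypass the token/smartcard.
    extra = sorted(methods - {"publickey"})
    if extra:
        findings.append("other methods still allowed: " + ", ".join(extra))
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# sshd2_config (constructed)
AllowedAuthentications  publickey,password
Pki                     /etc/ssh2/pki/ca.crt
PkiDisableCRLs          yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

An empty result means all four entries are present and only public-key authentication is listed; it does not validate the certificate or the map file contents.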
