Summary

BoKS' sshd allows logins that authenticate with certificates. One option is to use certificates issued by BoKS' internal CA, but certificates from an external CA can also be used; this article describes how to set that up from the command line.

Note: You need to use BoKS SSH Client for Windows for certificate login.

Procedure

1. Transfer the external CA certificate chain files to the Master and register them one by one using the command cacreds set.

cacreds set -f CAfile.cer -c VERIFY

2. Transfer the user certificate file to the Master.

3. To connect the certificate with a user you need a string that is unique to this certificate; it can be obtained with the command mapcert keys:

mapcert keys -c usercert.cer

Example output:

MD5 mapkey = "g0WiZAN/8aBoOol/4EPcyw=="
uuid = "foo@suppad.support.top"

4. Now the certificate can be mapped to a BoKS user using either the MD5 mapkey or the uuid.

For example:

mapcert set -u HOSTGROUP:user -k "g0WiZAN/8aBoOol/4EPcyw=="

or

mapcert set -u HOSTGROUP:user -K "foo@suppad.support.top"

Mappings can be listed using:

mapcert list

Notes:

  • mapcert can also take a certificate file directly when mapping to a user; in that case the MD5 key is always used. See the mapcert manual page.
  • User Access Routes must have either the ssh_cert, hard_ssh_cert or optional_ssh_cert modifier. See the routeadm manual page for more information.
    • Example: routeadm -a -u userclass -z 'SSH,SSH_SH:WINHOSTS/*->HOSTGROUP' -b0 -e0 -w1234567 -m ssh_cert
  • Each user must have an ssh authenticator set up in BoKS. See the authadm manual page for more information.
    • Example: authadm set -u user -t ssh_cert
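
The script below is added here as a worked example and is not taken from the BoKS documentation. It drives the four steps above, plus the authenticator and access route from the notes, from a shell on the Master. It assumes that cacreds, mapcert, authadm and routeadm are on PATH and accept exactly the options shown in this article; that the MD5 mapkey is always a 24-character base64 string as in the example output; and that mapping on the uuid (shown in the example as an e-mail-style identity) ties the account to that identity rather than to one specific certificate file. File names such as rootCA.cer and the route string are placeholders. With DRY_RUN=1, the default, the commands are printed for review instead of executed; only the read-only mapcert keys lookup runs for real.

```shell
#!/bin/sh
# Added example, not part of the BoKS article. Assumes cacreds, mapcert, authadm
# and routeadm are on PATH with the options the article shows. DRY_RUN=1 (default)
# prints each modifying command instead of executing it.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Execute a BoKS command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: register every file of the external CA chain, one cacreds call each.
register_ca_chain() {
    for ca_file in "$@"; do
        [ -r "$ca_file" ] || { echo "cannot read CA file: $ca_file" >&2; return 1; }
        run cacreds set -f "$ca_file" -c VERIFY
    done
}

# Step 3: pull the two identifiers out of 'mapcert keys -c cert' output (stdin).
parse_mapkey() { sed -n 's/^MD5 mapkey = "\([^"]*\)".*/\1/p'; }
parse_uuid()   { sed -n 's/^uuid = "\([^"]*\)".*/\1/p'; }

# Sanity check: the article's example mapkey is 24 base64 characters ending in
# "==", i.e. a 16-byte digest, which is what an MD5 value looks like. Assumed
# here to hold for every mapkey; anything else is treated as a parse failure.
is_md5_mapkey() {
    case "$1" in
        ??????????????????????==) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 4: decide how the certificate is tied to the BoKS account. Reads
# 'mapcert keys' output on stdin and prints two lines: the mapcert flag, then its value.
#   md5  -> -k MAPKEY : this exact certificate only (a renewed cert needs a new mapping)
#   uuid -> -K UUID   : the identity string in the certificate (assumed to survive
#                       renewal, so it relies entirely on the registered CAs)
choose_mapping() {
    mode="$1"
    keys_output="$(cat)"
    case "$mode" in
        md5)
            mapkey="$(printf '%s\n' "$keys_output" | parse_mapkey)"
            is_md5_mapkey "$mapkey" || { echo "no usable MD5 mapkey in mapcert output" >&2; return 1; }
            printf '%s\n%s\n' -k "$mapkey" ;;
        uuid)
            uuid="$(printf '%s\n' "$keys_output" | parse_uuid)"
            [ -n "$uuid" ] || { echo "certificate has no uuid; use md5 mode" >&2; return 1; }
            printf '%s\n%s\n' -K "$uuid" ;;
        *)  echo "mode must be md5 or uuid, got '$mode'" >&2; return 1 ;;
    esac
}

# Steps 3+4 for one user certificate. mapcert keys only reads the file, so it
# runs even in DRY_RUN mode; the mapcert set call goes through run().
map_user_cert() {
    cert_file="$1"; boks_user="$2"; mode="${3:-md5}"
    case "$boks_user" in
        ?*:?*) ;;
        *) echo "user must be given as HOSTGROUP:user, got '$boks_user'" >&2; return 1 ;;
    esac
    mapping="$(mapcert keys -c "$cert_file" | choose_mapping "$mode")" || return 1
    flag="$(printf '%s\n' "$mapping" | sed -n 1p)"
    value="$(printf '%s\n' "$mapping" | sed -n 2p)"
    run mapcert set -u "$boks_user" "$flag" "$value"
}

# Notes: the ssh_cert authenticator and an access route carrying one of the
# three certificate modifiers; anything else is rejected before routeadm runs.
valid_cert_modifier() {
    case "$1" in
        ssh_cert|hard_ssh_cert|optional_ssh_cert) return 0 ;;
        *) return 1 ;;
    esac
}

enable_cert_login() {
    user="$1"; userclass="$2"; route="$3"; modifier="${4:-ssh_cert}"
    valid_cert_modifier "$modifier" || { echo "modifier must be ssh_cert, hard_ssh_cert or optional_ssh_cert" >&2; return 1; }
    run authadm set -u "$user" -t ssh_cert
    # -b0 -e0 -w1234567 are the time-window options from the article's example route.
    run routeadm -a -u "$userclass" -z "$route" -b0 -e0 -w1234567 -m "$modifier"
}

# Demo run on the Master (placeholder file names, user and route): sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    register_ca_chain rootCA.cer intermediateCA.cer
    map_user_cert usercert.cer HOSTGROUP:user md5
    enable_cert_login user userclass 'SSH,SSH_SH:WINHOSTS/*->HOSTGROUP' ssh_cert
fi
```

Review the printed plan first, then rerun with DRY_RUN=0 to apply it. Choosing md5 mode keeps the mapping bound to the one certificate file you inspected; uuid mode is more convenient across renewals but makes the set of registered CA chain files the only thing standing between an identity string and the account.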



Last Modified On: May 25, 2018