
Ssh Tectia Client: How to Achieve Zero Trust Security with Role-Based Access and Keyless Authenticat



The Tectia SSH service allows users to log on remotely using an SSH client. It supports authentication with a Windows account and its password. Users can log on with a local user account or a domain account. Access to data is controlled by NTFS permissions set on files and folders. To migrate between two Windows systems running the Tectia SSH service, the users, groups and data must be migrated. Additionally, you may also want to migrate the user profiles, just as you would with an RDP application server, so that the user environments move to the target server.


Before the migration, users can remotely log on with an SSH client by providing their local or domain user account along with their password. A DNS record "ssh.domaine.com" is defined that points to the source server.




Ssh Tectia Client



The BMC Discovery appliance can be configured to use Tectia SSH and X.509 certificates. You cannot configure the BMC Discovery Outpost to use the Tectia SSH client, because SSH connections from the BMC Discovery Outpost are API-based rather than client-based.


After you have installed and configured the client for the tideway user, you should be able to access remote servers using sshg3 from the command line, though you might need to add /opt/tectia/bin to the PATH. You should test servers that require X.509 certificates and those that do not, if possible.


First, let's understand how publickey user authentication works in general. In the SSH protocol, a client may make two different requests with regard to publickey authentication. The first is a probe request: it simply asks whether a given public key is authorized to access a given account. The second is an actual authentication attempt: it includes a digital signature generated by the client, which should convince the server that the client possesses the private component of the given public key. The first form exists because generating a digital signature is a computationally expensive operation, so if a client has several different keys available, it is better to test them first and only attempt authentication for those keys which are authorized for login on the server.


From this description, we can see that the client needs the private key, while the server needs the corresponding public key. While the public and private keys are usually written to a pair of files when generating a key, these files need not always be copied as a pair together, and in fact often should not be. For instance, there is no need to have a copy of your private key on a remote host, and you may not want it exposed there if that host is less trusted than the local one.


This generates a new RSA private key and places it in the default location, ~/.ssh/id_rsa. ssh-keygen saves the corresponding public key in ~/.ssh/id_rsa.pub; you can recover this at any time from the private key with ssh-keygen -y -f private-key-file. OpenSSH tries keys in this and the other default location (~/.ssh/id_dsa) automatically during client authentication. You can change this using the IdentityFile option in ~/.ssh/config.


One source of occasional confusion is that two different kinds of authentication take place with each SSH connection: server and client. Here we are dealing with client (or user) authentication, but the client also authenticates the server first, and this usually also entails some keys called the server's hostkeys. In client authentication we have seen that the private key is on the client and the public key on the server. With server authentication, then, the roles are reversed: the server's private hostkeys are on the server (usually in /etc/ssh/), and the user needs copies of the public hostkeys in order to authenticate the server; these are kept in ~/.ssh/known_hosts. Be careful to distinguish between these: the hostkeys and known_hosts file have nothing to do with publickey client authentication.


If you don't have an SSH client program installed on your home computer yet, you may download a free non-commercial version by following the instructions below. It has limited functionality, but that is sufficient in this case.


Customers who have Kerberos available on their client machine and can obtain a valid ECE ticket can use that ticket to authenticate for a secure FTP session, provided that their client supports this method.


The newly announced SSH Tectia client/server solution 5.0 and SSH Tectia Manager 2.0 will work in UNIX, Linux, Windows and IBM mainframe environments and enable secure file transfer, application connectivity and system administration capabilities.


SSH Tectia client/server solution 5.0 is based on the latest SSH G3 protocol, which is the third generation of SSH and boasts faster encryption throughput than its predecessors. SSH G3 is actually a rewrite of the SSH Tectia codebase and is intended to reduce latency and put less load on the overall system. SSH Tectia with G3 technology has incorporated the Cryptico Crypicore algorithm based on the Rabbit stream cipher. Overall, SSH Tectia claims the speed is two to eight times faster than its predecessors, depending on the OS and file size, when using SFTP.


The solution is the software framework called GSSAPI (Generic Security Services Application Programming Interface). The idea is that you authenticate on the client, typically the machine you are sitting at, and then SSH (or SFTP, SCP, SMB mount or another GSSAPI-enabled service) will pass your credential to the remote system, where it is checked and then used to log you in. Two features must be enabled in any client program; depending on the software, these may be command-line options, configuration file settings or preference menu settings. They usually have the same names as the directives used in OpenSSH, described below.


Note that if a client private key exists, it will be checked first, before considering GSSAPI or prompting for a password. It may be necessary to use SSH client options to prevent use of keys with servers which cannot use them, while retaining them for other servers.


Remote servers must also be prepared to use GSSAPI, by registering with the authentication server and storing a key which can be used to validate the credentials passed to them. For services using Active Directory tickets (Dartmouth NetID), the common term for this is 'joining to the domain'. For Windows clients to work, an Active Directory property must also be set for the server.


The SSH client supplied with MacOS (at least through MacOS 12.6) strips the 'renewable' property from your credential before passing it to the remote server. This means that it will expire at the same time as the original credential on your Mac, and cannot be extended by running krenew. This limits the usefulness to short jobs, and in particular it cannot be used to submit jobs to the Discovery scheduler.


In several cases below, the terms "Linux" and "BSD" (two Unix variations) are used interchangeably; please consult the individual vendor's literature for the exact list of platforms supported. Likewise, "Windows" generally covers Microsoft's 32-bit operating systems from Windows 98 through Windows 7, but the exact list of supported operating systems should be obtained from the individual client vendor.


Note: ISD recommends the use of an FTP SSH client such as FileZilla, or an FTP SSL client from Ipswitch such as WS_FTP LE. Ipswitch also offers two free, scriptable command-line clients, MOVEit Freely (FTP) and MOVEit Xfer (HTTPS), both of which support file integrity checking. Ipswitch also offers WS_FTP Professional, a Windows file transfer client with a robust feature set, which also supports file integrity checking.


Note: Two of the clients above (OpenSSH for Windows and SSH Communications) are capable of uploading files using multiple independent threads, which may send blocks of data non-sequentially. This mode is not supported by FTP SSH and should be disabled using the "-R1" command-line option.


A Managed File Transfer solution we deployed with full auditing capabilities meant we could give the client full control and visibility of their data. Meanwhile, our comprehensive training package enabled our client to get the most from their new solution.

