Creation and Management of SSH Key Authentication and Mapping Definitions
An SSH key authentication and mapping definition specifies how Sterling External Authentication Server authenticates an SSH user when a client application sends a request for authentication.
A client application such as Sterling Secure Proxy sends a request to Sterling External Authentication Server. The request contains a profile name, user ID, and SSH public key. Sterling External Authentication Server uses information in the profile to bind to an LDAP directory, look up the SSH keys assigned to the user, and perform an attribute assertion to match the key provided by the user to the list of keys stored at the LDAP server. Sterling External Authentication Server notifies the client if the key sent by the client matches a key stored in the LDAP server.
- The credentials of the principal used to bind to the directory are defined in the SSH key authentication definition. Unlike regular user authentication requests, the user ID from the SSH key authentication request cannot be used to bind to the directory, because the user's password is not available in a key authentication request. The credentials used to bind to the directory are those of the directory administrator and are configured in a global LDAP connection definition.
- The query to look up SSH keys assigned to a user is defined in the profile according to your directory layout. If you use the openssh schema provided with Sterling External Authentication Server, the query returns all sshPublicKey attributes for the user. If you use a customized schema, be sure to modify the query to ensure that the query returns the attributes associated with the customized schema.
- An assertion definition matches the public key from the request against the keys returned by the SSH public key lookup query. A pre-configured assertion is included with Sterling External Authentication Server. It uses the openssh schema to store the public keys. If you do not use this schema, edit the assertion definition to use the appropriate schema.
- To use SSH key mapping, define another query to return a reference to the mapped key. The existing MapSSHCredentials query provided with Sterling External Authentication Server returns the new routingKeyName attribute of the loginCredentials record, and assigns it to the mappedRoutingKeyName application output. The application uses the value of the mappedRoutingKeyName output to locate a public/private key pair to use as the mapped key for the user.
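The following is an added example that is not part of this page or of Sterling External Authentication Server; it models the exchange described above (key lookup with the administrator bind, attribute assertion against the returned keys, then the routing-key mapping) with an in-memory stand-in for the LDAP directory. The attribute names `sshPublicKey` and `routingKeyName` and the output name `mappedRoutingKeyName` come from the page; the user entries, the `DIRECTORY` dictionary, the function names and the synthetic key blobs built by `make_ed25519_blob` are constructed for the example and are not real keys or a real SEAS API.

```python
import base64
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 key blob from a seed (constructed test data, not a real key)."""
    point = hashlib.sha256(seed).digest()  # 32 bytes standing in for a real public key point
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()


# Constructed stand-in for the LDAP directory that the server binds to with the
# administrator credentials. Attribute names follow the openssh schema and the mapping
# attribute named on the page; the users and keys are invented for the example.
DIRECTORY = {
    "alice": {
        "sshPublicKey": [
            "ssh-ed25519 " + make_ed25519_blob(b"alice-laptop") + " alice@laptop",
            "ssh-ed25519 " + make_ed25519_blob(b"alice-ci") + " ci-runner",
        ],
        "routingKeyName": "alice-partner-key",
    },
    "bob": {
        "sshPublicKey": ["ssh-ed25519 " + make_ed25519_blob(b"bob-desktop") + " bob@desktop"],
        "routingKeyName": "bob-partner-key",
    },
}


def parse_openssh_public_key(line: str) -> tuple[str, bytes]:
    """Split an OpenSSH public key line into (declared type, raw blob).

    The trailing comment is ignored, so the same key with a different comment still
    matches; a blob whose embedded type differs from the declared type is rejected.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"invalid base64 key blob: {exc}") from None
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, suitable for audit logs instead of the full key."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def lookup_ssh_keys(directory: dict, user_id: str) -> list[str]:
    """Stand-in for the sshPublicKey lookup query; an unknown user yields no keys."""
    entry = directory.get(user_id)
    return list(entry["sshPublicKey"]) if entry else []


def key_matches_user(directory: dict, user_id: str, presented: str) -> bool:
    """Attribute assertion: is the presented key equal to any key stored for the user?"""
    _, presented_blob = parse_openssh_public_key(presented)
    matched = False
    for stored in lookup_ssh_keys(directory, user_id):
        try:
            _, stored_blob = parse_openssh_public_key(stored)
        except ValueError:
            continue  # a malformed directory entry is skipped, never treated as a match
        if hmac.compare_digest(stored_blob, presented_blob):
            matched = True  # keep scanning so timing does not reveal which entry matched
    return matched


def authenticate(directory: dict, user_id: str, presented: str) -> dict:
    """Whole exchange: parse the request key, assert it against the directory, then map it."""
    try:
        _, blob = parse_openssh_public_key(presented)
    except ValueError as exc:
        return {"authenticated": False, "reason": f"malformed key: {exc}",
                "fingerprint": None, "mappedRoutingKeyName": None}
    if not key_matches_user(directory, user_id, presented):
        return {"authenticated": False, "reason": "no matching sshPublicKey for user",
                "fingerprint": fingerprint(blob), "mappedRoutingKeyName": None}
    # Mapping step, modelled on the MapSSHCredentials query described on the page.
    return {"authenticated": True, "reason": "key matched",
            "fingerprint": fingerprint(blob),
            "mappedRoutingKeyName": directory[user_id].get("routingKeyName")}


if __name__ == "__main__":
    request_key = "ssh-ed25519 " + make_ed25519_blob(b"alice-laptop") + " re-imported-on-new-host"
    print(authenticate(DIRECTORY, "alice", request_key))
    print(authenticate(DIRECTORY, "alice", DIRECTORY["bob"]["sshPublicKey"][0]))
```

The match is made on the decoded key blob rather than on the raw text line, which is the point a practitioner wants to check when a customized schema is in play: a stored key that differs only in its comment or trailing whitespace still matches, while a key presented under another user's ID, or a line whose declared type disagrees with the encoded type, does not.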