Authentication Category


The Authentication category allows you to configure your authentication options.

Note: Only valid users created by an administrator using Windows User Manager or User Manager for Domains will be able to log on to your system through VShell.

Authentication group

Limit failed attempts to [n]

Enter the number of times that a client can attempt to connect to a port and fail before VShell disconnects the client. The default value is five (5) attempts.

Timeout authentication after [n] seconds

Set the number of seconds that you want VShell to wait for authentication to take place before disconnecting. You can set the timeout value from a minimum of 30 seconds to the maximum (and default value) of 600 seconds. If you leave this box unchecked, VShell will not time out the authentication.

Method window

VShell allows you to choose between public-key, password, GSSAPI, or RADIUS (keyboard-interactive) authentication to establish a connection. In this window, you can set which of the available authentication methods are allowed for making connections and which methods are required. If you set a method as required, it will also automatically be set as allowed. If no boxes are checked, no users will be able to connect. The available methods are as follows:

Password

This method uses the user's Windows, domain, or local password.

Public key

This method allows user authentication with a public key or X.509 certificate. If this method is checked, the Public key folder group below will be active. VShell supports the standard public-key file format (used by VanDyke Software products) and the OpenSSH public-key file format.

The options below can be specified in the header of a public key to restrict the user of that public key to a specific command or subsystem.

To restrict the user to the specified subsystem, use the following:

X-Subsystem: <subsystem name>

To restrict the user to the specified command, use the following:

X-Command: <command name>

GSSAPI

This enables users to authenticate using the Generic Security Services Application Program Interface, a generic API for performing client/server authentication.

For information on GSSAPI/Kerberos authentication, see Integrate with Windows Domain Authentication.

RADIUS (keyboard-interactive)

This enables users to authenticate via a RADIUS server.

Public key folder group

Enter the folder in which you want to store your public key file. This edit box must contain the variable %user%, as in the default value:

C:\Program Files\VShell\PublicKey\%User%

Another example would be the following:

C:\Users\%User%\SSH2

When you create or change the public key folder, the following permissions are recommended for the new folder:

• Administrators -- Full Control

• Authenticated Users -- Create Folders/Append Data (for this folder only) in Windows 2000 and XP

Note: This setting allows Authenticated Users to create new folders within this folder, but they will not have access to folders owned by other users.

• Creator Owner -- Full Control (for subfolders and files only in Windows 2000 and XP)

• System -- Full Control

Note: To find an acceptable public key match, the VShell server for Windows will look at all files in the Publickey directory regardless of their extension. The only exception is that VShell will not check those files with names that begin with a period (.). For example, file.pub, key.exe, and xx.cer would be checked to see if they contain a valid key; however, .x.pub would not.
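The following audit sketch is an added example, not VanDyke code. It applies the file-matching rule from the note above and the X-Subsystem/X-Command header options described under Public key, reporting for each file in one user's folder whether VShell would check it and whether it carries a restriction. It assumes the standard public-key file format is the RFC 4716 layout (BEGIN/END marker lines, case-insensitive header tags, backslash line continuation); the function names and the sample key text are hypothetical, and the script does not validate the key material itself.

```python
import os
import tempfile

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
# Constructed sample: placeholder body, not a real key.
SAMPLE = f'{BEGIN}\nComment: "constructed sample"\nX-Subsystem: sftp\nAAAAB3NzaC1yc2E=\n{END}\n'

def parse_headers(text):
    """Return {lowercased tag: value} from the first key's header block (assumed RFC 4716 layout)."""
    headers, in_key = {}, False
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not in_key:
            in_key = line == BEGIN
            continue
        if line == END or ":" not in line:  # key body or end marker: headers are over
            break
        while line.endswith("\\"):  # a trailing backslash continues the header
            line = line[:-1] + next(lines, "").strip()
        tag, value = line.split(":", 1)
        headers[tag.strip().lower()] = value.strip().strip('"')
    return headers

def audit_user_folder(folder):
    """Return (filename, status) for each file in one user's public key folder."""
    report = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if name.startswith("."):  # per the note: names beginning with a period are not checked
            report.append((name, "not checked (leading period)"))
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            hdrs = parse_headers(fh.read())
        limits = [f"{t}={hdrs[t]}" for t in ("x-subsystem", "x-command") if t in hdrs]
        report.append((name, "restricted: " + ", ".join(limits) if limits else "checked, no restriction header"))
    return report

if __name__ == "__main__":
    files = {"file.pub": SAMPLE, "key.exe": "ssh-rsa AAAA constructed", ".x.pub": SAMPLE}
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        for row in audit_user_folder(d):
            print(row)
```

Because every file without a leading period is checked regardless of extension, anything reported as "checked, no restriction header" that is not an expected key file is worth reviewing.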

Use Kerberos protocol transition

Check this option to use Kerberos protocol transition.

Allow [n] password attempts

VShell supports the Secure Shell public-key assistant, which allows a user with no public key file on the server to upload a public key for use in authentication. Check this option to allow users with no public key present in their public-key folder to log on a limited number of times using only a password. As soon as a public key is present in the user's public key folder on the server, public-key authentication will be required.

To enable the VShell server to recognize the public keys generated by the users, follow these steps:

1. Acquire the public key files from each user that you want to give access to.

2. Create new folders for each user under the PublicKey folder under your VShell folder. For example:

\Program Files\VShell\PublicKey\<Username>

3. Copy the user's public key files to the folder corresponding with their username.