For the server-side connection (between One Identity Safeguard for Privileged Sessions (SPS) and the target server), the following authentication methods are available.
NOTE: Even though these settings refer to the server-side connection, the client must support the selected authentication method and have it enabled. For example, to use publickey authentication on the server side, the client must support publickey authentication as well as provide a fake publickey, even if a different authentication method is used on the client side.
The Connection Policy will ignore the settings for server-side authentication (set under Relayed authentication methods for SSH protocol) if a Credential Store is used in the Connection Policy.
Figure 236: SSH Control > Authentication Policies — Configuring relayed authentication methods
- Password: Authentication based on username and password. The server will request a password from the user, even if a password-based authentication was already successful on the client side.
- Keyboard-Interactive: Authentication based on exchanging messages between the user and the server. This method includes authentication schemes like S/Key or TIS authentication. Note that depending on the configuration of the SSH server, password-based authentication can also require using the keyboard-interactive authentication method.
- Public Key: Authentication based on public-private encryption keypairs. SPS supports the following public-key authentication scenarios:
  - Publish to LDAP: SPS generates a keypair, and uses this keypair in the server-side connection. The public key of this keypair is also uploaded to the LDAP database set in the LDAP Server of the connection policy. That way the server can authenticate the client against the generated public key stored under the user's username in the LDAP database.
  - Fix: Uses the specified private key in the server-side connection.
  - Agent: Allows the client to use agent-forwarding, and to use its own keypair on the server side. During agent-forwarding, the following keys are accepted:
    - rsa
    - ed25519
    - ecdsa-sha2-nistp256
    - ecdsa-sha2-nistp384
    - ecdsa-sha2-nistp521
    If this option is used, SPS requests the client to use its SSH agent to authenticate on the target server. Therefore, you must configure your clients to enable agent forwarding, otherwise authentication will fail. For details on enabling agent forwarding in your SSH application, see the documentation of the application.
    TIP: Some clients may override agent forwarding requests for SFTP and SCP by default. For further information about ensuring access to the server in this case, see Using SCP with agent-forwarding.
    TIP: One Identity recommends using 2048-bit RSA keys (or stronger).
- Kerberos: Authentication based on Kerberos. Only available if you selected Kerberos as the gateway authentication method. For more information, see Kerberos authentication settings.
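As an added example (not part of the One Identity documentation and not SPS code), the following Python script audits the keys loaded in an OpenSSH agent before the Agent scenario is used: it parses the output of `ssh-add -L`, decodes each public-key blob in the RFC 4251 wire format, and reports which keys SPS would accept for agent-forwarding according to the key-type list above, treating the 2048-bit RSA recommendation as a hard check. The sample agent output embedded in the script is constructed (correctly encoded blobs, not real key material), and the script name, function names and result fields are my own assumptions.

```python
"""Audit the keys in an OpenSSH agent against SPS agent-forwarding requirements.

Input is the text format printed by `ssh-add -L`:
    <key type> <base64 public key blob> <comment>
The blob itself uses the SSH wire format of RFC 4251/4253.
"""
import base64
import struct
import sys

# Key types SPS accepts during agent-forwarding (names as OpenSSH prints them).
ACCEPTED_TYPES = {
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}
MIN_RSA_BITS = 2048  # One Identity recommends 2048-bit RSA keys or stronger


def _string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 'mpint' (two's complement, big-endian)."""
    if n == 0:
        return _string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # a leading zero byte keeps the value positive
        raw = b"\x00" + raw
    return _string(raw)


def _read_string(blob: bytes, off: int):
    """Decode one 'string' field at offset `off`; return (value, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def agent_line(blob: bytes, comment: str) -> str:
    """Render a public-key blob the way `ssh-add -L` prints it."""
    key_type, _ = _read_string(blob, 0)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


def inspect_agent_key(line: str) -> dict:
    """Parse one `ssh-add -L` line and decide whether SPS would accept the key."""
    def verdict(key_type, bits, accepted, reason):
        return {"type": key_type, "bits": bits, "accepted": accepted, "reason": reason}

    parts = line.split()
    if len(parts) < 2:
        return verdict(None, None, False, "malformed line")
    label = parts[0]
    try:
        blob = base64.b64decode(parts[1], validate=True)
        embedded, off = _read_string(blob, 0)
        key_type = embedded.decode("ascii")
        # The text label must agree with the type string inside the blob.
        if key_type != label:
            return verdict(key_type, None, False,
                           f"label {label} does not match embedded type {key_type}")
        if key_type not in ACCEPTED_TYPES:
            return verdict(key_type, None, False, "key type not accepted for agent-forwarding")
        bits = None
        if key_type == "ssh-rsa":
            _, off = _read_string(blob, off)      # public exponent e, not needed here
            modulus, _ = _read_string(blob, off)  # modulus n as an mpint
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return verdict(key_type, bits, False,
                               f"RSA modulus is {bits} bits, below the recommended {MIN_RSA_BITS}")
        return verdict(key_type, bits, True, "ok")
    except ValueError:  # bad base64 (binascii.Error), non-ASCII type, or a truncated blob
        return verdict(label, None, False, "undecodable key blob")


# Constructed sample agent output: the blobs are correctly encoded but are not real key material.
SAMPLE_LINES = [
    agent_line(_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1), "old-laptop"),   # 1024-bit RSA
    agent_line(_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 3071) | 1), "workstation"),  # 3072-bit RSA
    agent_line(_string(b"ssh-ed25519") + _string(b"\x01" * 32), "token"),
    agent_line(_string(b"ecdsa-sha2-nistp256") + _string(b"nistp256") + _string(b"\x04" + b"\x02" * 64), "card"),
    agent_line(_string(b"ssh-dss") + _mpint(7) + _mpint(5) + _mpint(3) + _mpint(2), "legacy"),  # DSA: not accepted
]


def audit_agent(lines) -> list:
    """Inspect every non-empty line of `ssh-add -L` output."""
    return [inspect_agent_key(line) for line in lines if line.strip()]


if __name__ == "__main__":
    # Pipe real output in with `ssh-add -L | python3 check_agent_keys.py`; otherwise use the samples.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for result in audit_agent(lines):
        status = "OK  " if result["accepted"] else "FAIL"
        print(f"{status} {result['type']} {result['bits'] or ''} {result['reason']}")
```

With OpenSSH, the forwarding itself is enabled per connection with `ssh -A` or with `ForwardAgent yes` in a `Host` stanza of `~/.ssh/config`; limiting that stanza to the SPS address keeps the agent from being exposed to every other host the user logs in to.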