Tectia External Keys

Tectia clients can use external key providers that distribute keys, somewhat like authentication agents. These are typically part of a more general solution for PKI (Public Key Infrastructure). The ssh -E command-line option identifies the name of the provider, and Tectia currently supports two of them:

entrust

Entrust products, such as the Entrust Authority Security Manager; see http://www.entrust.com/authority.

pkcs11

PKCS#11-compliant dynamic libraries.

An initialization string must be sent to the external key provider using the -I option. The format of this string depends on the provider. It typically includes authentication information and identifies the desired key. Sometimes you also need a DLL supplied by the provider. Consult the documentation for specific providers, and the ssh-externalkeys manpage, for details about the initialization string.

    # Tectia
    $ ENTRUST_INIT="dll(libentrust.so)"
    $ ENTRUST_INIT="$ENTRUST_INIT password(blartz)"
    $ ENTRUST_INIT="$ENTRUST_INIT ini-file($HOME/solo.ini)"
    $ ENTRUST_INIT="$ENTRUST_INIT profile-file($HOME/solo_user.epf)"
    $ ENTRUST_INIT="$ENTRUST_INIT login-options(entrust)"
    $ ssh -E entrust -I "$ENTRUST_INIT"
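The init string above is typed with the password inline, so it lands in shell history. The following added helper (not from the book) assembles the same entrust string but reads the password from a file that must be owner-only readable and rejects values that would break the `keyword(value)` syntax; the library and file names are the placeholders from the example above.

```shell
#!/bin/sh
# Added example, not part of the original text.
# Assumes the init-string keywords shown above: dll(), password(),
# ini-file(), profile-file(), login-options(). libentrust.so and the
# .ini/.epf paths are placeholders taken from the page's own example.

# build_entrust_init PASSWORD_FILE INI_FILE PROFILE_FILE
# Prints the init string on stdout; returns 1 on a policy violation.
build_entrust_init() {
    pwfile=$1; inifile=$2; profile=$3
    [ -f "$pwfile" ] || { echo "no such file: $pwfile" >&2; return 1; }
    # Refuse a password file that group or others can read or write
    # (characters 5-10 of "ls -l" are the group/other permission bits).
    case $(ls -l "$pwfile" | cut -c5-10) in
        ------) ;;
        *) echo "$pwfile must be mode 0600" >&2; return 1 ;;
    esac
    pw=$(head -n 1 "$pwfile")
    [ -n "$pw" ] || { echo "empty password in $pwfile" >&2; return 1; }
    # Parentheses delimit values in the init string, so no value may
    # contain one; otherwise the provider would mis-parse the string.
    case "$pw$inifile$profile" in
        *'('*|*')'*) echo "values may not contain parentheses" >&2; return 1 ;;
    esac
    printf 'dll(libentrust.so) password(%s) ini-file(%s) profile-file(%s) login-options(entrust)\n' \
        "$pw" "$inifile" "$profile"
}

# Typical use (Tectia's ssh is not invoked here):
#   ssh -E entrust -I "$(build_entrust_init ~/.entrust_pw ~/solo.ini ~/solo_user.epf)"
```

The string still becomes an argument of the ssh process, visible to other local users through ps; placing it in the client configuration file with EkInitString, under restrictive file permissions, avoids that exposure.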

The external key provider and initialization string can also be specified in the client configuration file, using the keywords EkProvider and EkInitString, respectively:

    # Tectia
    EkProvider      pkcs11
    EkInitString    "lib=libpkcs11.so password=blurfl key=laptop"

The keywords are usually more convenient than the command-line ...

Get SSH, The Secure Shell: The Definitive Guide, 2nd Edition now with the O’Reilly learning platform.
