Stephan Andre

SAP SSO 3.0 and SSH: Select your keys

SAP SSO and the Secure Login Client have offered an SSH Key Agent since version 2.0. However, when you have many local X.509 certificates (we do not support the short-lived ones issued by Secure Login Server), SSH connections may fail. In most cases the cause is a small value for the SSH server's MaxAuthTries setting: the SSH agent offers every available certificate in turn until the SSH daemon accepts one, and each rejected certificate is counted as a failed authentication attempt. Login success therefore depends on the order in which your certificates are presented during SSH authentication, and that order cannot be configured.

With Secure Login Client 3.0 you can now mark favorites in the list of X.509 certificates:

  1. Open the main window > File > Options > SSH Agent.
  2. Double-click each certificate you want to use.
  3. Double-click a certificate again to deselect it.

If no favorite is selected, all certificates are offered; this is also the default behaviour.

[Image: Secure Login Client 3.0, SSH Agent options with favorite certificates selected (/wp-content/uploads/2016/08/slc30sshfavorite_1011414.png)]
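To make the failure mode above concrete, here is an added example (not part of the original post and not SAP code) that models the agent/server interaction and parses an OpenSSH client's `ssh -v` output to recognise it. The agent key names, the fingerprints and the log lines are constructed; the default of 6 for MaxAuthTries is the OpenSSH sshd_config default. The rule that only selected favorites are offered, and all keys when none is selected, follows the post.

```python
"""Model the MaxAuthTries failure mode and spot it in OpenSSH "ssh -v" output."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# OpenSSH sshd_config default for MaxAuthTries.
DEFAULT_MAX_AUTH_TRIES = 6

# Constructed "ssh -v" excerpt: the agent offers three keys, the server
# (configured with MaxAuthTries 3) drops the connection before the right one.
SAMPLE_FAILURE_LOG = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cert-alice-2021 RSA SHA256:AAAA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: cert-alice-2022 RSA SHA256:BBBB agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: cert-alice-2023 RSA SHA256:CCCC agent
Received disconnect from 203.0.113.10 port 22:2: Too many authentication failures
Disconnected from 203.0.113.10 port 22
"""

# Constructed excerpt of a successful login with a single explicit key.
SAMPLE_SUCCESS_LOG = """\
debug1: Offering public key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:DDDD explicit
debug1: Server accepts key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:DDDD explicit
debug1: Authentication succeeded (publickey).
"""

# Matches both the older "Offering RSA public key: <path>" and the newer
# "Offering public key: <id> <type> SHA256:<fp> agent|explicit" line formats.
OFFER_RE = re.compile(
    r"^debug1: Offering (?:\w+ )?public key: (?P<ident>.+?)"
    r"(?: (?:RSA|ED25519|ECDSA|DSA)(?:-CERT)? SHA256:\S+)?(?: agent| explicit)?$"
)
ACCEPT_RE = re.compile(r"^debug1: Server accepts key: ")
TOO_MANY_RE = re.compile(r"Too many authentication failures")


@dataclass
class AuthTrace:
    offered: List[str] = field(default_factory=list)   # keys offered, in order
    accepted: Optional[str] = None                      # key the server accepted
    too_many_failures: bool = False                     # server hit MaxAuthTries


def parse_ssh_verbose(log: str) -> AuthTrace:
    """Extract the public-key offers and the outcome from ssh -v output."""
    trace = AuthTrace()
    for raw in log.splitlines():
        line = raw.strip()
        m = OFFER_RE.match(line)
        if m:
            trace.offered.append(m.group("ident"))
        elif ACCEPT_RE.match(line) and trace.offered:
            trace.accepted = trace.offered[-1]   # acceptance follows the offer
        elif TOO_MANY_RE.search(line):
            trace.too_many_failures = True
    return trace


def effective_key_order(agent_keys: List[str], favorites: List[str]) -> List[str]:
    """Keys the agent offers: only the favorites if any are set, else all keys."""
    if not favorites:
        return list(agent_keys)
    return [k for k in agent_keys if k in favorites]


def would_authenticate(agent_keys: List[str], favorites: List[str],
                       authorized_key: str,
                       max_auth_tries: int = DEFAULT_MAX_AUTH_TRIES) -> bool:
    """Each rejected key counts as one failed attempt, so the authorized key
    must be among the first max_auth_tries keys offered."""
    order = effective_key_order(agent_keys, favorites)
    if authorized_key not in order:
        return False
    return order.index(authorized_key) < max_auth_tries


def diagnose(trace: AuthTrace) -> str:
    """One-line verdict for a parsed trace."""
    if trace.accepted:
        return f"authenticated with {trace.accepted} after {len(trace.offered)} offer(s)"
    if trace.too_many_failures:
        return (f"server disconnected after {len(trace.offered)} rejected key(s): "
                "more keys offered than MaxAuthTries allows; restrict the offered keys")
    return "no public-key authentication result found"


if __name__ == "__main__":
    print(diagnose(parse_ssh_verbose(SAMPLE_FAILURE_LOG)))
    print(diagnose(parse_ssh_verbose(SAMPLE_SUCCESS_LOG)))
    keys = ["cert-alice-2021", "cert-alice-2022", "cert-alice-2023", "cert-alice-2024"]
    print(would_authenticate(keys, [], "cert-alice-2024", max_auth_tries=3))
    print(would_authenticate(keys, ["cert-alice-2024"], "cert-alice-2024", max_auth_tries=3))
```

Run it against a real `ssh -v user@host 2>&1` capture to see which keys were offered and whether the server gave up first. For a plain OpenSSH client the equivalent of the SLC favorites is `IdentitiesOnly yes` together with an explicit `IdentityFile` in `~/.ssh/config`, which stops the client from offering every key the agent holds.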

3 Comments

Raul Martinez

Hello Stephan,

Why are those "short-lived certificates from Secure Login Server" not supported?

BR,

Raul

Stephan Andre (Blog Post Author)

Well, standard SSH is not PKI aware. Instead, only the pure key pair (private and public key) is used. Every new public key needs to be added to the user's $HOME/.ssh/authorized_keys file.

      Secure Login Client replaces the key pair for each new short-lived certificate.

A PKI-aware SSH would, just like TLS, perform a certificate chain verification based on trusted CAs, and take the user certificate's subject names or subject alternative names instead of the public key to identify the user.

Without such an SSH protocol, SLC or SLS would have to propagate the new public keys to the backends, which is not that easy.

      Best, Stephan

Raul Martinez

      Ok, got it, makes sense 🙂

      Thanks!

One additional question...

      I see you are also involved in cloud security topics. Is there some plan to enroll Certificate collections (HANA/Cloud) in certificate lifecycle management of Secure Login Server?

      Thanks in advance and best regards!

      Raul