VanDyke Software

Tips

Got a question or comment?   Send us a question or comment

Index

Accessing Network File Shares With VShell And Public-Key-Only Authentication

When the VShell server and shared resources are running in a properly configured Windows Active Directory domain, file shares can be made available to accounts that authenticate using public keys. This page includes all the steps necessary to configure the domain and VShell server. Access to file shares applies to all SSH2 clients, including SecureFX, SecureCRT, and the sfxcl.exe, vsftp.exe, and vcp.exe command-line utilities.

VShell supports a Windows capability called Kerberos Protocol Transition (KPT), which is part of the infrastructure created by Microsoft to support Kerberos. The VShell server takes advantage of Windows KPT to create the user's credentials, but does not use Kerberos authentication.

Configuration occurs largely on the domain controller, where the administrator sets up constrained delegation for the systems that will handle authentication requests.

VShell configuration simply consists of enabling the Kerberos Protocol Transition option.

System Requirements for File Share Access Using KPT

In order to support Windows file shares via Kerberos Protocol Transition, the Windows environment must meet the following conditions:

  • Systems use an Active Directory domain running at the Windows 2003 or higher compatibility level.
  • All machines involved (including the domain controller, the VShell host machine, and any machines that will provide network shares to VShell users) are running Windows 2003 or newer and are on domains with an appropriately configured trust relationship.
  • Note that a two-way transitive trust may be required for KPT/Constrained Delegation across domains.

Part 1: Configuring Constrained Delegation on the Domain Controller

In this procedure, the following example environment is used:

  • Windows domain controller named dc.example.com.
  • A network share named "fileshare" on fs.example.com.
  • Windows domain member called vshell.example.com, on which VShell has been installed.

To configure constrained delegation, log onto dc.example.com as a domain administrator and launch the Active Directory Users and Computers MMC interface (open the Start menu and select Administrative Tools):

  1. Under Active Directory Users and Computers, edit the properties of the Windows machine on which VShell is installed.
    2. Edit Computer Properties
  2. Click on the Delegation tab and enable the following options:
    • Trust this computer for delegation to specified services only
    • Use any authentication protocol.
  3. Add a cifs entry for the fully qualified domain name of the targeted file server (fs.example.com). This allows the VShell machine to be trusted for delegation of credentials, specifically for the purpose of authentication to the cifs server.

    4. Important: VShell virtual root paths to the network file share must use the fully qualified domain name (FQDN) of the targeted file server (fs.example.com), since that is what has been specified for delegation. Using the non-qualified hostname may not allow sufficient permissions for VShell users to access the file server.

  4. Apply your changes to the configuration of the VShell machine on the domain controller.
  5. Reboot the Windows machine on which VShell is installed so that the constrained delegation configuration will become active. The CIFS server may also need to be rebooted.

Part 2: Configuring VShell to Use Kerberos Protocol Transition


VShell Server 3.6 and later on vshell.example.com

  1. Start the VShell Control Panel
  2. Open the Authentication page under the SSH2 category
  3. Enable the "Use Kerberos protocol transition" checkbox option
  4. Select Apply and OK to close the Control Panel.

VShell Server 2.6.3 – 3.5.4 on vshell.example.com

WARNING: If you use the registry editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. There is no guarantee that you can solve problems that result from using the registry editor incorrectly. Use the registry editor at your own risk.

  1. Make sure the VShell Control Panel is closed.
  2. Start regedit and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\VanDyke\VShell\Server

  3. If a REG_DWORD value named "Use Kerberos Protocol Transition" does not already exist, create it.
  4. Set the "Use Kerberos Protocol Transition" REG_DWORD value to "1".
  5. Restart the VShell service.

With the VShell server and the Active Directory domain controller configured properly as described above, users should be able to authenticate to VShell on vshell.example.com using public-key-only authentication and gain access to the share "fileshare" on fs.example.com.

Related Links

VanDyke Software uses cookies to give you the best online experience. Before continuing to use this site, please confirm that you agree to our use of cookies. Please see our Cookie Usage for details.