User Authentication
Authentication is the process of reliably determining the identity of a communicating party. Identity can be proven by something you know (such as a password), something you have (such as a private key or token), or something intrinsic about you (such as a fingerprint).
Secure Shell connections require both server and client authentication.
Several methods of client authentication are available, and both the client and server can be configured to determine which method, or methods, are used. The server can be configured to allow, require, or deny client authentication methods. During Secure Shell connection negotiations, the server presents a list of allowed and required methods from which the client and server negotiate one or more authentication methods.
Authentication attempts follow the order of preference set by the client. The connection uses the first authentication method in the client's order of preference that is also allowed by the server. If the server is configured to require more than one method, the client must succeed with every required method before the connection is established.
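The following is an added illustration (not code from the product or its documentation) of the negotiation just described: the client offers methods in its own preference order, the server drops anything it does not allow, and when the server requires several methods the session only succeeds once all of them have passed. The function names, the method strings and the "partial success" wording are assumptions chosen for the example.

```python
# Added example: model of client/server authentication-method negotiation.
# Function names and method identifiers are assumptions for illustration.
from typing import Dict, List, Sequence, Set, Tuple


def negotiate_methods(client_preference: Sequence[str],
                      server_allowed: Set[str],
                      server_required: Set[str]) -> List[str]:
    """Return the ordered list of methods the client will attempt.

    Methods the server does not allow are skipped. If the server requires
    specific methods, all of them must be attempted (in the client's order);
    otherwise the first mutually acceptable method is enough.
    """
    missing = server_required - server_allowed
    if missing:
        raise ValueError(f"server requires methods it does not allow: {sorted(missing)}")
    # Keep the client's preference order, but only for server-allowed methods.
    candidates = [m for m in client_preference if m in server_allowed]
    if server_required:
        chosen = [m for m in candidates if m in server_required]
        if set(chosen) != server_required:
            raise PermissionError("client cannot offer every server-required method")
        return chosen
    if not candidates:
        raise PermissionError("no mutually acceptable authentication method")
    return [candidates[0]]


def authenticate(client_preference: Sequence[str],
                 server_allowed: Set[str],
                 server_required: Set[str],
                 client_can: Dict[str, bool]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Simulate the exchange. `client_can` says which methods the client can
    actually complete (constructed input for the example).

    The server answers 'partial success' after each required method until the
    last one succeeds; a single failure ends the attempt.
    """
    plan = negotiate_methods(client_preference, server_allowed, server_required)
    remaining = set(plan)
    transcript: List[Tuple[str, str]] = []
    for method in plan:
        if not client_can.get(method, False):
            transcript.append((method, "failure"))
            return False, transcript
        remaining.discard(method)
        transcript.append((method, "partial success" if remaining else "success"))
    return True, transcript


if __name__ == "__main__":
    # Server allows both methods but requires both: the client must pass each one.
    ok, steps = authenticate(["publickey", "password"],
                             {"publickey", "password"},
                             {"publickey", "password"},
                             {"publickey": True, "password": True})
    print(ok, steps)
```

Note that with an empty required set the first allowed method in the client's list wins, which is why the client order, not the server order, decides which method is tried first.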
Authentication pane
From the server console, click Configuration > Authentication
The options are:
- Login grace time
Grace time for completion of authentication process (seconds). Sets the number of seconds allowed for client authentication. If the client fails to authenticate the user within the specified number of seconds, the server disconnects and exits. Use zero (0) to set no limit. Specifying no limit (0) is not recommended. Unauthenticated connections use up system resources and can lead to a denial-of-service condition.
- IP blocking
You can use the IP blocking settings to temporarily block connections from any client IP address that has exceeded a specified number of failed attempts. If a particular IP address exceeds the value set for Failed attempts within the time period specified by Failure time-out, that IP address is blocked for the duration specified by Lockout duration.
Note
- IP blocking applies only to password authentication (both traditional password and password over Keyboard Interactive).
- You can disable the IP blocking feature by setting Failed attempts to 0 (zero).
- IP blocking information is stored in memory, and is cleared if the server is restarted.
- You can lock out offending addresses permanently from the Client Host Access Control pane.
Value | Description |
---|---|
Failed attempts | Sets a maximum number of failed login attempts. To disable IP blocking, set this value to zero (0). The default is 20. |
Failure time-out (seconds) | Sets a duration of time, in seconds, during which an IP address is monitored for failed login attempts. The default is 300 seconds (5 minutes). |
Lockout duration (seconds) | Sets the number of seconds an IP address remains blocked after the value set for Failed attempts is exceeded. The default is 3600 seconds (one hour). |
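The following is an added example (not the server's own code) of the blocking logic the three values describe: failures are counted per address inside a sliding Failure time-out window, an address whose count exceeds Failed attempts is blocked for Lockout duration, only password-style methods are counted, and a Failed attempts value of 0 turns the feature off. The class name, the method strings and the log lines are constructed for the example; state lives in memory, so, as the note above says, a restart of the process clears it.

```python
# Added example: per-address failed-attempt tracking with time-out and lockout.
# Class/function names and the method identifiers are assumptions for illustration.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Only password-based methods count towards blocking (traditional password and
# password sent over keyboard-interactive); public key failures are ignored.
PASSWORD_METHODS = {"password", "keyboard-interactive-password"}


class IpBlocker:
    def __init__(self, failed_attempts: int = 20, failure_timeout: int = 300,
                 lockout_duration: int = 3600) -> None:
        self.failed_attempts = failed_attempts      # 0 disables the feature
        self.failure_timeout = failure_timeout      # seconds an address is monitored
        self.lockout_duration = lockout_duration    # seconds an address stays blocked
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)
        self._blocked_until: Dict[str, int] = {}

    def is_blocked(self, ip: str, now: int) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # lockout expired: forget the address
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, method: str, now: int) -> bool:
        """Record one failed attempt; return True if the address is now blocked."""
        if self.failed_attempts == 0 or method not in PASSWORD_METHODS:
            return False
        if self.is_blocked(ip, now):
            return True
        window = self._failures[ip]
        window.append(now)
        # Drop failures that fell out of the monitoring window.
        while window and now - window[0] > self.failure_timeout:
            window.popleft()
        if len(window) > self.failed_attempts:   # "exceeds" the configured value
            self._blocked_until[ip] = now + self.lockout_duration
            window.clear()
            return True
        return False


# Constructed log lines: "<seconds> <client ip> <method> <result>"
SAMPLE_LOG = """\
0 203.0.113.7 password failure
1 203.0.113.7 password failure
2 203.0.113.7 publickey failure
3 203.0.113.7 password failure
4 203.0.113.7 password failure
5 198.51.100.9 password failure
"""


def replay(blocker: IpBlocker, log_text: str) -> List[Tuple[int, str]]:
    """Feed log lines to the blocker; return (time, ip) for each block event."""
    events = []
    for line in log_text.splitlines():
        ts, ip, method, result = line.split()
        if result == "failure" and blocker.record_failure(ip, method, int(ts)):
            events.append((int(ts), ip))
    return events


if __name__ == "__main__":
    b = IpBlocker(failed_attempts=3, failure_timeout=60, lockout_duration=600)
    print(replay(b, SAMPLE_LOG))   # the publickey failure at t=2 does not count
```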
Authentication failures
You can use the Authentication failures settings to modify how the server handles client authentication failures.
Caution
Enabling the settings in the Authentication failures group increases your security risk by providing potential attackers with information about which client accounts are valid.
This option | Does this |
---|---|
Immediately disconnect invalid, locked or denied users | By default, this option is not selected, and the server responds identically to all failed authentication attempts. When this setting is selected, blocked accounts disconnect immediately. |
Provide informative messages to clients for authentication failures | By default, no information about authentication failures is sent to the client. This complies with SSH convention. When this setting is selected, the client is told when an authentication fails because of an invalid, locked, or denied user account. |
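The following is an added example (not the server's code) that makes the Caution above concrete. It models the two settings as a policy that decides what a failed attempt returns, and a check that asks whether an outside observer could tell an account problem apart from a wrong password. With both settings off every failure looks the same; turning on either one, including the disconnect-only option, makes the responses distinguishable. The names, the reason strings and the message texts are assumptions for the example.

```python
# Added example: response policy for authentication failures and an
# account-enumeration check. Names and message texts are assumptions.
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class FailureSettings:
    immediate_disconnect: bool = False   # "Immediately disconnect invalid, locked or denied users"
    informative_messages: bool = False   # "Provide informative messages to clients ..."


GENERIC_MESSAGE = "Permission denied, please try again."
ACCOUNT_REASONS = {"invalid_user", "locked", "denied"}
ALL_REASONS = ACCOUNT_REASONS | {"bad_credential"}
INFORMATIVE = {
    "invalid_user": "Permission denied: unknown user.",
    "locked": "Permission denied: account is locked.",
    "denied": "Permission denied: account is not allowed to log in.",
}


def failure_response(reason: str, settings: FailureSettings) -> Tuple[str, bool]:
    """Return (message sent to client, whether the server disconnects now).

    By default every failure gets the same message and the session stays open
    for another attempt, so nothing distinguishes a bad password from an
    invalid, locked or denied account.
    """
    if reason not in ALL_REASONS:
        raise ValueError(f"unknown failure reason: {reason}")
    account_problem = reason in ACCOUNT_REASONS
    message = GENERIC_MESSAGE
    if settings.informative_messages and account_problem:
        message = INFORMATIVE[reason]
    disconnect = settings.immediate_disconnect and account_problem
    return message, disconnect


def leaks_account_status(settings: FailureSettings) -> bool:
    """True if the observable response differs between failure reasons."""
    seen: Set[Tuple[str, bool]] = {failure_response(r, settings) for r in ALL_REASONS}
    return len(seen) > 1


if __name__ == "__main__":
    for s in (FailureSettings(),
              FailureSettings(immediate_disconnect=True),
              FailureSettings(informative_messages=True)):
        print(s, "leaks account status:", leaks_account_status(s))
```

The check treats the disconnect itself as part of the observable response, which is why the first option leaks status even though the message text stays generic.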
Keyboard interactive
Send keyboard interactive title - This setting affects whether or not title text is displayed during keyboard interactive authentication. When it is selected (the default), the authentication prompts sent to the client include the title text. When it is not selected, the title text is not included.