
Hi,

Suppose we wrap a Java application which uses the Tectia ConnectSecure API as an NT service. I wanted to get an idea if the service will run without problems (settings will be "Log on as:" => Local System Account). How will the user/server authentication work in this case? I mean, what settings should be changed in the broker so that it can store/view the keys?

Thanks

asked Sep 20 '11 at 15:22


nitin


Tectia clients were not designed to be used in special system accounts, but in general it is possible to use them there, I believe including the APIs. It will not be as easy to set up as for a normal user, but it is possible. The LocalSystem account (sometimes called SYSTEM) does not allow for any interaction, which is where the difficulty comes from.

  • First, the broker probably needs to be started separately as a service running in the system account. See good instructions, e.g. here.
  • Then you will have to set up manually the hostkeys of the servers the service will be connecting to in the SYSTEM account's %USERPROFILE% directory, or you can also use the broker's configuration option <auth-server-publickey policy="tofu"/>, which will make the broker automatically accept the hostkeys of new servers on first use. If the host key changes later (for example by a man-in-the-middle attack) the connection would fail (which is desired). For more see this link in the manual. Hostkeys of the SYSTEM account are stored here:

    C:\Windows\System32\config\systemprofile\AppData\Roaming\SSH\hostkeys

  • And you will have to manually generate and store the keys for public-key authentication in the appropriate location:

    C:\Windows\System32\config\systemprofile\AppData\Roaming\SSH\UserKeys

The broker configuration file location for the SYSTEM account is:

    C:\Windows\System32\config\systemprofile\AppData\Roaming\SSH\ssh-broker-config.xml

In case you use 64-bit Windows, all the above locations actually start with:

    C:\Windows\SysWOW64\config\systemprofile

Note: the paths to the SYSTEM account's profile directory above are valid for Windows Vista and onwards (including the server versions 2008 and onwards). See the first link for paths on older systems.


answered Sep 20 '11 at 22:27


Martin Dobsik ♦

edited Sep 21 '11 at 10:39
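The answer above amounts to a checklist for a non-interactive SYSTEM-account client: the right profile root (System32 or SysWOW64), pre-staged hostkeys, staged user keys, and a host-key policy that does not rely on a human answering a prompt. The following script is an added example written for this thread, not code from the answer or from Tectia, that runs those checks and flags the risky combination of `policy="tofu"` with no hostkeys staged (the first connection then trusts whatever key the peer presents). The XML fragment is constructed; the placement of `<auth-server-publickey>` under `<general>` and all function names are assumptions.

```python
"""Pre-flight check for a Tectia ConnectSecure client running as the Windows
SYSTEM account.  Added example for this thread; not code from the original
answer or from Tectia.  All function names are hypothetical."""
import tempfile
from pathlib import Path, PureWindowsPath
import xml.etree.ElementTree as ET

# Profile roots quoted in the answer: 32-bit Windows uses System32, and the
# answer notes that on 64-bit Windows the same locations start with SysWOW64.
PROFILE_ROOT = {
    "32": PureWindowsPath(r"C:\Windows\System32\config\systemprofile"),
    "64": PureWindowsPath(r"C:\Windows\SysWOW64\config\systemprofile"),
}
SSH_SUBDIR = PureWindowsPath("AppData") / "Roaming" / "SSH"

# Constructed broker config fragment containing only the element the answer
# mentions; its position under <general> is an assumption, so the lookup
# below searches the whole document rather than a fixed path.
SAMPLE_CONFIG_TOFU = """<?xml version="1.0" encoding="UTF-8"?>
<secsh-broker version="1.0">
  <general>
    <auth-server-publickey policy="tofu"/>
  </general>
</secsh-broker>
"""


def system_ssh_dir(bitness: str) -> PureWindowsPath:
    """Return the SYSTEM account's SSH directory for '32' or '64' bit Windows."""
    return PROFILE_ROOT[bitness] / SSH_SUBDIR


def hostkey_policy(config_xml: str):
    """Return the policy attribute of <auth-server-publickey>, or None when the
    element is absent and the broker falls back to its default behaviour."""
    elem = ET.fromstring(config_xml).find(".//auth-server-publickey")
    return None if elem is None else elem.get("policy")


def _count_files(directory: Path) -> int:
    """Number of regular files in a directory; 0 if it does not exist."""
    if not directory.is_dir():
        return 0
    return sum(1 for p in directory.iterdir() if p.is_file())


def check_system_profile(ssh_dir: Path, config_xml: str) -> dict:
    """Report whether the profile has what a non-interactive service needs:
    staged server hostkeys, staged user keys, and a host-key policy."""
    hostkeys = _count_files(ssh_dir / "hostkeys")
    userkeys = _count_files(ssh_dir / "UserKeys")
    policy = hostkey_policy(config_xml)
    return {
        "ssh_dir": str(ssh_dir),
        "hostkeys_staged": hostkeys,
        "userkeys_staged": userkeys,
        "policy": policy,
        # tofu with nothing staged: the first connection to each server trusts
        # whatever key the peer offers.  Staging the keys in advance removes
        # that window, and the broker still fails on a later key change.
        "first_use_trust": policy == "tofu" and hostkeys == 0,
        # Without a key in UserKeys, public-key authentication cannot succeed.
        "pubkey_auth_possible": userkeys > 0,
    }


def make_demo_profile() -> Path:
    """Create a throwaway directory laid out like the SYSTEM SSH profile:
    an empty hostkeys directory and one constructed placeholder user key."""
    base = Path(tempfile.mkdtemp(prefix="ssh-demo-"))
    (base / "hostkeys").mkdir()
    (base / "UserKeys").mkdir()
    (base / "UserKeys" / "id_rsa_service.pub").write_text("constructed placeholder\n")
    return base


if __name__ == "__main__":
    for key, value in check_system_profile(make_demo_profile(), SAMPLE_CONFIG_TOFU).items():
        print(f"{key}: {value}")
    print("expected SSH dir on 64-bit Windows:", system_ssh_dir("64"))
```

On a real host you would point `check_system_profile` at `system_ssh_dir("32")` or `system_ssh_dir("64")` (converted to a `Path` on Windows) and read `ssh-broker-config.xml` from the same directory; the demo profile exists only so the script runs anywhere.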

Thanks very much for your details.

(Sep 21 '11 at 11:39) nitin
Asked: Sep 20 '11 at 15:22

Seen: 3,303 times

Last updated: Sep 21 '11 at 12:25

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.