Tectia clients can use external key providers that distribute keys, somewhat like authentication agents. These are typically part of a more general solution for PKI (Public Key Infrastructure). The ssh -E command-line option identifies the name of the provider, and Tectia currently supports two of them:
entrust
    Entrust products, such as the Entrust Authority Security Manager; see http://www.entrust.com/authority.
pkcs11
    PKCS#11-compliant dynamic libraries.
An initialization string must be passed to the external key provider using the -I option. The format of this string depends on the provider. It typically includes authentication information and identifies the desired key. Sometimes you also need a shared library (DLL) supplied by the provider. Consult the documentation for specific providers, and the ssh-externalkeys manpage, for details about the initialization string. For example, an Entrust initialization string can be built up piece by piece in a shell variable and then handed to ssh:
# Tectia
$ ENTRUST_INIT="dll(libentrust.so)"
$ ENTRUST_INIT="$ENTRUST_INIT password(blartz)"
$ ENTRUST_INIT="$ENTRUST_INIT ini-file($HOME/solo.ini)"
$ ENTRUST_INIT="$ENTRUST_INIT profile-file($HOME/solo_user.epf)"
$ ENTRUST_INIT="$ENTRUST_INIT login-options(entrust)"
$ ssh -E entrust -I "$ENTRUST_INIT"
The external key provider and initialization string can also be specified in the client configuration file, using the keywords EkProvider and EkInitString, respectively:
# Tectia
EkProvider pkcs11
EkInitString "lib=libpkcs11.so password=blurfl key=laptop"
The keywords are usually more convenient than the command-line options, especially for long initialization strings, but beware of storing sensitive authentication information such as a PIN or password in configuration files: keep such a file readable only by its owner (mode 0600). Note that the command-line form is no better in this respect, since a password passed with -I is visible to every user on the host in the process list for as long as ssh runs, and is recorded in your shell history. Be sure to quote the initialization string if it contains characters with special meaning to the shell (e.g., wildcards) or to the configuration file itself.
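The following shell functions, added here as an example and not part of Tectia or of the original text, show one way to handle the EkProvider/EkInitString settings above without leaking the password: the config file is created with a restrictive umask so it is owner-only from the moment it exists, a check function flags any file that holds an EkInitString but is group- or world-readable, and a helper extracts the init string with the password redacted so it can be logged or displayed safely. The file name ./ssh2_config, the init-string values, and the password(...)/password= field formats it redacts are assumptions taken from the page's own examples; no key provider is contacted.

```shell
#!/bin/sh
# Added example (not Tectia's own tooling). Assumptions: the config file path
# ./ssh2_config and the constructed pkcs11 init string used in the demo.

# Write a Tectia client config carrying EkProvider/EkInitString, creating the
# file under umask 077 so it is rw------- regardless of the caller's default.
write_ek_config() {
    cfg=$1 provider=$2 init=$3
    old=$(umask)
    umask 077
    rm -f "$cfg"      # never inherit the permissions of an older copy
    printf '# Tectia\nEkProvider %s\nEkInitString "%s"\n' "$provider" "$init" > "$cfg"
    umask "$old"
}

# Return 0 if the file holds no EkInitString or is readable by its owner only;
# return 1 when an init string (and so, usually, a password) sits in a file
# that group or other can read.
check_ek_config() {
    cfg=$1
    grep -q '^[[:space:]]*EkInitString' "$cfg" || return 0
    perms=$(ls -ld "$cfg" | cut -c5-10)    # group+other bits of "-rw-------"
    [ "$perms" = "------" ]
}

# Print the EkInitString value with the password field masked, covering both
# the key=value style (pkcs11) and the keyword(value) style (entrust).
redacted_init_string() {
    sed -n 's/^[[:space:]]*EkInitString[[:space:]]*//p' "$1" |
        sed 's/^"//; s/"$//;
             s/password=[^ ]*/password=<redacted>/;
             s/password([^)]*)/password(<redacted>)/'
}

# Demo with constructed values: run as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    write_ek_config ./ssh2_config pkcs11 "lib=libpkcs11.so password=blurfl key=laptop"
    check_ek_config ./ssh2_config && echo "ssh2_config is owner-only"
    redacted_init_string ./ssh2_config
fi
```

Run check_ek_config from a login script or a periodic audit job over every user's Tectia client config; it is deliberately silent about files that hold no EkInitString, so it can be pointed at ordinary configs without noise. The umask trick matters more than a later chmod, because a chmod after the write leaves a window during which the password is world-readable.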