User authentication methods and modes
User authentication methods
Before establishing a connection with the server, Fudo authenticates the user using one of the following authentication methods:
Note
- External authentication servers CERB, RADIUS, LDAP and Active Directory require configuration. For more information, refer to the External authentication topic.
- RDP, SSH and VNC protocols support user authentication over RADIUS in challenge-response mode.
Authentication modes
After authenticating the user, Fudo proceeds to establish a connection with the target system, using either the user's original credentials or substituting them with values stored locally or fetched from a password vault.
Note
Due to the specifics of the VNC protocol, which authenticates the user by password only, the login entered on the logon screen is ignored when establishing a VNC connection.
Authentication with original login and password
In this authentication mode, Fudo uses the login and password provided by the user at logon to authenticate the user on the target system.
Authentication with login and password substitution
In this authentication mode, Fudo replaces the user's login and password with previously defined ones.
Authentication with login and password substitution makes it possible to identify precisely which person connected to the server, even when several users share the same credentials to access it.
Note
- The password to the target system can either be explicitly defined in the account or be obtained from an internal or external password vault upon each access request. For more information, refer to the Password changers and External passwords repositories topics.
- Due to the specifics of the VNC protocol, which authenticates the user by password only, the login entered as the substitution string is ignored when establishing a VNC connection.
Note
In the case of Oracle databases, the user password and the privileged account password must both be either shorter than 16 characters or between 16 and 32 characters long.
Two-fold authentication
In two-fold authentication mode, the user is asked for a login and password twice: once to authenticate against Fudo, and once again to access the target system.
Authentication with password substitution
In this authentication mode, Fudo forwards the login provided by the user and substitutes only the password when establishing the connection with the target system.
Note
- The password to the target system can either be explicitly defined in the connection or be obtained from the external passwords repository upon each access request. For more information, refer to the External passwords repositories topic.
- Due to the specifics of the VNC protocol, which authenticates the user by password only, the login entered on the logon screen is ignored when establishing a VNC connection.
Authentication by target server
In this mode, Fudo PAM forwards the login credentials to the target host, which verifies whether the user is authorized to access it. The verification status is returned to Fudo PAM, which then establishes the monitored connection. Authentication by the target server is available only when monitoring SSH connections, or RDP connections with the TLS + NLA security option enabled.
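The following added example (not Fudo's own code) models the credential-handling rules of the modes above as a single decision function: it computes which login and password are presented to the target for each mode, drops the login for VNC, enforces the Oracle password-length rule when an account password is substituted, and rejects target-server authentication for protocols other than SSH or RDP with TLS + NLA. The mode names, the `Account` class and the function name are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical mode identifiers for the modes described on this page.
ORIGINAL, SUBSTITUTE_BOTH, SUBSTITUTE_PASSWORD, TWO_FOLD, TARGET_SERVER = (
    "original", "substitute-both", "substitute-password", "two-fold", "target-server")


@dataclass
class Account:
    """Privileged account defined for the target (assumed model, not Fudo's)."""
    login: str
    password: str  # in Fudo this could also be fetched from a password vault


def oracle_lengths_compatible(user_password: str, account_password: str) -> bool:
    """Oracle rule: both passwords shorter than 16 chars, or both 16-32 chars long."""
    short = [len(p) < 16 for p in (user_password, account_password)]
    mid = [16 <= len(p) <= 32 for p in (user_password, account_password)]
    return all(short) or all(mid)


def target_credentials(mode: str, protocol: str, user_login: str, user_password: str,
                       account: Optional[Account] = None,
                       second_login: Optional[str] = None,
                       second_password: Optional[str] = None,
                       rdp_tls_nla: bool = False) -> Tuple[Optional[str], str]:
    """Return the (login, password) pair presented to the target system.

    login is None when the protocol ignores it (VNC authenticates by password only).
    """
    if mode == TARGET_SERVER and not (protocol == "ssh" or (protocol == "rdp" and rdp_tls_nla)):
        raise ValueError("authentication by target server needs SSH, or RDP with TLS + NLA")
    if mode in (ORIGINAL, TARGET_SERVER):
        login, password = user_login, user_password        # forwarded unchanged
    elif mode == SUBSTITUTE_BOTH:
        login, password = account.login, account.password  # both replaced
    elif mode == SUBSTITUTE_PASSWORD:
        login, password = user_login, account.password     # login kept, password replaced
    elif mode == TWO_FOLD:
        # First pair authenticated the user to Fudo; the second prompt supplies the target pair.
        login, password = second_login, second_password
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if protocol == "oracle" and mode in (SUBSTITUTE_BOTH, SUBSTITUTE_PASSWORD) \
            and not oracle_lengths_compatible(user_password, account.password):
        raise ValueError("Oracle: user and privileged passwords must both be <16 or both 16-32 chars")
    if protocol == "vnc":
        login = None  # VNC authenticates by password only; the login is ignored
    return login, password
```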
Administrator approved access
Fudo PAM can be configured so that each connection to a monitored server requires approval from an administrator, granted via the Fudo Mobile application or the administration interface.
Related topics:
- Adding a mobile device
- Removing paired mobile device
- Proxy servers configuration
- Creating a safe
- Approving pending connections
- Declining pending connections