User authentication methods and modes

User authentication methods

Before establishing a connection with the server, Fudo authenticates the user using one of the following authentication methods:

Note

External authentication servers CERB, RADIUS, LDAP and Active Directory require configuration. For more information, refer to the External authentication topic.

Authentication modes

After authenticating the user, Fudo establishes a connection with the target system, either using the original user credentials or substituting them with values stored locally or fetched from a password vault.

Authentication with original login and password

In this authentication mode, Fudo uses the login and password provided by the user upon logon to authenticate the user on the target system.

Authentication with login and password substitution

In this authentication mode, Fudo substitutes the user's login and password with previously defined ones.

Authentication with login and password substitution makes it possible to identify precisely who connected to the server when a number of users use the same credentials to access it.

Note

The password to the target system can be either explicitly defined in the account or obtained from an internal or external password vault upon each access request. For more information, refer to the Password changers and External passwords repositories topics.

Note

In the case of an Oracle database, the user password and the privileged account password must both be either shorter than 16 characters or 16-32 characters long.

Two-fold authentication

In two-fold authentication mode, the user is asked for a login and password twice: once to authenticate against Fudo and once again to access the target system.

Authentication with password substitution

In this authentication mode, Fudo forwards the login provided by the user and substitutes the password when establishing the connection with the target system.

Note

The password to the target system can be either explicitly defined in the connection or can be obtained from the external passwords repository upon each access request. For more information, refer to the External passwords repositories topic.

Authentication by target server

In this mode, Wheel Fudo PAM forwards the login credentials to the target host, which verifies whether the user is authorized to access it. The verification status is returned to Wheel Fudo PAM, which then establishes a monitored connection. Authentication by the target server is available only when monitoring SSH connections or RDP with the TLS + NLA security option enabled.
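
The modes above differ only in which login and password reach the target system. The following Python model is an added example, not Fudo code or its API: the mode names, field names and sample values are assumptions made for illustration. It resolves the credentials presented to the target in each mode and encodes the Oracle password-length rule from the note above.

```python
# Added illustration: a model of the modes on this page, not Fudo code.
# Mode names and field names are hypothetical.
from dataclasses import dataclass
from typing import Optional, Tuple

ORIGINAL, SUBSTITUTE_BOTH, TWO_FOLD, SUBSTITUTE_PASSWORD, BY_TARGET = (
    "original", "substitute_login_password", "two_fold",
    "substitute_password", "by_target_server")


@dataclass
class Session:
    mode: str
    user_login: str                       # typed by the user at logon
    user_password: str
    stored_login: Optional[str] = None    # defined in the account or fetched from a vault
    stored_password: Optional[str] = None
    second_login: Optional[str] = None    # second prompt in two-fold mode
    second_password: Optional[str] = None


def target_credentials(s: Session) -> Tuple[str, str]:
    """Return the (login, password) pair presented to the target system."""
    if s.mode in (ORIGINAL, BY_TARGET):
        pair = (s.user_login, s.user_password)        # forwarded unchanged
    elif s.mode == TWO_FOLD:
        pair = (s.second_login, s.second_password)    # second prompt goes to the target
    elif s.mode == SUBSTITUTE_PASSWORD:
        pair = (s.user_login, s.stored_password)      # login kept, password replaced
    elif s.mode == SUBSTITUTE_BOTH:
        pair = (s.stored_login, s.stored_password)    # both replaced
    else:
        raise ValueError(f"unknown mode: {s.mode}")
    if None in pair:
        raise ValueError(f"mode {s.mode} is missing credentials it requires")
    return pair


def oracle_lengths_compatible(user_password: str, privileged_password: str) -> bool:
    """Oracle note: both shorter than 16 characters, or both 16-32 characters long."""
    def bucket(p: str) -> Optional[str]:
        n = len(p)
        return "short" if n < 16 else "long" if n <= 32 else None
    b = bucket(user_password)
    return b is not None and b == bucket(privileged_password)
```

Running the length check when an Oracle account is defined catches a mismatched pair before a user's first connection attempt.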

