
Public Key Authentication for Reflection or F-Secure SSH UNIX Client and Server for UNIX or Windows
Technical Note 1926
Last Reviewed 30-Nov-2007
Applies To
Reflection for Secure IT UNIX Client version 6.0 or higher
Reflection for Secure IT UNIX Server version 6.0 or higher
Reflection for Secure IT Windows Server version 6.0 or higher
F-Secure SSH Client for UNIX version 5.x
F-Secure SSH Server for UNIX version 5.x
F-Secure SSH Server for Windows version 5.x
Summary

This technical note describes the steps you must follow to use public key authentication when connecting from a Reflection or F-Secure SSH UNIX client to a Reflection or F-Secure SSH server for UNIX or Windows. You will use the Key Generation utility to generate a key pair and upload the public key to the server. Troubleshooting tips are also included.

Note: Beginning with version 6.0, the F-Secure SSH product line has a new name: Reflection for Secure IT.

Public Key Authentication Overview

Public key authentication is one way a server can authenticate a user. It requires a private and public key pair; the private key is located on the client, and the public key must be uploaded to the Reflection or F-Secure SSH UNIX server.

In addition to the keys, specific files must exist in the user's .ssh2 directory on both the SSH client and server. If the files don’t exist, you must create them.

The process of generating keys and creating the files is outlined below, followed by troubleshooting tips.

Using the Key Generation Utility

Use the Reflection or F-Secure Key Generation utility to generate a keypair.

  1. Open a terminal window on the UNIX system with the Reflection or F-Secure SSH UNIX client.
  2. Use the following command to create a key pair:
ssh-keygen2

Note: To get a list of available switches, use the command ssh-keygen2 -h, or check the man pages for more details.

The key generation utility will run for a few moments. Once the utility has generated the key pair, you are prompted to enter a passphrase and then confirm it.

After you enter the passphrase, the utility displays the location and names of the private and public keys. For example:

Private key saved to /home/username/.ssh2/id_dsa_2048_a
Public key saved to /home/username/.ssh2/id_dsa_2048_a.pub

Creating the identification file on the Client

Follow these steps to create the identification file on the client:

  1. Change directories to the .ssh2 directory in your home directory.
  2. Using a text editor, such as vi or gedit, create a file and name it identification. You will need to type the following line into the file:
IdKey <keyname>

Replace <keyname> with the name of the private key you generated using the key generation utility, for example, IdKey id_dsa_2048_a.

Uploading the Public Key to the Server

  1. Use the command sftp2 user@host to connect to the Reflection or F-Secure SSH UNIX server using password authentication (the default).
  2. If you are not in the /$HOME/.ssh2 directory on the SSH UNIX server, change to that directory.

Note: If the .ssh2 directory does not exist in the /$HOME directory, you must create it.

  3. Transfer the public key file you just created from the SSH UNIX client to the SSH UNIX server by using this command:
put <keyname>.pub

Replace <keyname>.pub with the name of the public key you created, for example, put id_dsa_2048_a.pub.

  4. Use the quit command to close the sftp2 connection.

Creating the authorization file on the Server

  1. Use the command ssh user@host to establish a terminal session using password authentication to connect to the Reflection or F-Secure SSH UNIX server.
  2. In the SSH UNIX Server terminal window, change to the /$HOME/.ssh2 directory.
  3. Enter the following command to create (or append to) the authorization file:
echo Key <keyname>.pub >> authorization

Replace <keyname>.pub with the name of the public key you created using the key generation utility above, so that the resulting line in the file reads, for example, Key id_dsa_2048_a.pub.

  4. Confirm that the authorization file is correct.

On a Windows server, enter the command type authorization.

On a UNIX/Linux server, enter the command cat authorization.

You should now be able to connect with SSH, SFTP, or SCP from the UNIX system running the client to the UNIX system running the server without being prompted for a password.

Troubleshooting

If you have trouble connecting, check the troubleshooting suggestions listed below.

Setting Server Permissions

Verify that the file permissions on the server are configured properly. Setting the /$HOME/.ssh2 directory to 744 and the authorization file to 600 will allow key authentication to work. For more information about permissions, see Technical Note 1178: Understanding UNIX and NFS Permissions.

Verify that public key authentication is enabled

On the Reflection or F-Secure SSH UNIX client:

Check the .ssh2 directory in the user's home directory for an ssh2_config file. If it exists, verify that the following entry is in the Authentication section:

AllowedAuthentications publickey

If it does not exist, check the /etc/ssh2 directory for the ssh2_config file. Verify that the following entry is in the Authentication section:

AllowedAuthentications publickey

On the Reflection or F-Secure SSH UNIX server:

The server configuration file, sshd2_config, generally located in /etc/ssh2/, should include the following entries:

AllowedAuthentications publickey
RequiredAuthentications publickey

Verify that the public key was uploaded and converted properly

The public key should be uploaded to the /$HOME/.ssh2 directory on the server. Verify that you transferred the public key, <keyname>.pub, to the server. Also, verify that the authorization file exists in this directory and contains a Key entry pointing to the public key file.
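A small server-side check for the two troubleshooting items above (the directory and authorization file permissions, and whether every Key entry points at a public key that was actually uploaded), as an added example that is not part of this technical note or of the Reflection/F-Secure products. It assumes a POSIX shell with stat; the names mode_of, check_ssh2_dir and make_sample are mine, and the sample directory make_sample builds is constructed for illustration.

```shell
# Added helper for the troubleshooting steps above; it is not part of this technical
# note or of the Reflection/F-Secure products. It checks one user's .ssh2 directory on
# the server: directory and authorization-file modes, and that every "Key" entry in
# authorization names a public key file that was actually uploaded.

# Print the octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_ssh2_dir DIR: print each problem found; return 0 when everything checks out.
check_ssh2_dir() {
    dir=$1 rc=0 keys=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    auth=$dir/authorization
    [ -f "$auth" ] || { echo "missing authorization file: $auth"; return 1; }
    # The note sets the directory to 744; anything group- or world-writable is rejected.
    dmode=$(mode_of "$dir")
    case "$dmode" in
        ?[2367]?|??[2367]) echo "$dir is group/world writable (mode $dmode)"; rc=1 ;;
    esac
    # The note sets the authorization file to 600.
    fmode=$(mode_of "$auth")
    [ "$fmode" = 600 ] || { echo "$auth has mode $fmode, expected 600"; rc=1; }
    # Every "Key <file>" line must name an existing public key in the same directory;
    # lines with other keywords are left alone.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            Key\ *)
                pub=${line#Key }
                if [ -f "$dir/$pub" ]; then
                    keys=$((keys + 1))
                else
                    echo "Key entry names a file that was not uploaded: $pub"; rc=1
                fi ;;
        esac
    done < "$auth"
    [ "$keys" -gt 0 ] || { echo "no usable Key entry in $auth"; rc=1; }
    return $rc
}

# make_sample DIR: build a constructed .ssh2 directory matching the note's example
# (a placeholder id_dsa_2048_a.pub and an authorization file that points at it).
make_sample() {
    mkdir -p "$1" && chmod 744 "$1"
    echo "constructed placeholder, not a real key" > "$1/id_dsa_2048_a.pub"
    echo "Key id_dsa_2048_a.pub" > "$1/authorization"
    chmod 600 "$1/authorization"
}
```

Run it against a real account with check_ssh2_dir /home/username/.ssh2; each printed line is one item to fix before retrying the connection.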

Working with Multiple Hosts and Key Pairs—An Example

If you are working with multiple hosts and key pairs, each key requires a separate entry line in the appropriate file, identification or authorization. The following example shows the required entries for Host A to connect to Hosts C or D, or for Host B to connect to Host C:

Host A identification file (client):
IdKey id_dsa_1024_a
IdKey id_dsa_2048_a

Host B identification file (client):
IdKey id_dsa_1024_b

Host C authorization file (server):
Key id_dsa_1024_a.pub
Key id_dsa_1024_b.pub

Host D authorization file (server):
Key id_dsa_2048_a.pub
 
Related Technical Notes
1178 Understanding UNIX and NFS Permissions
