
Technical Notes

Public Key Authentication for UNIX OpenSSH Client and Reflection SSH Server for Windows or UNIX
Technical Note 1927
Last Reviewed 10-Mar-2008
Applies To
Reflection for Secure IT Windows Server version 6.0 or higher
Reflection for Secure IT UNIX Server version 6.0 or higher
OpenSSH Client for UNIX
Summary

This technical note describes the steps you must follow to use public key authentication when connecting from a UNIX OpenSSH Client to a Reflection SSH Server for Windows or UNIX. You will use the key generation utility to generate a key pair, convert the public key to the proper format, and upload the public key to the server. Troubleshooting tips are also included.

This technical note is organized into the following sections:

  • Public key authentication overview
  • Key Formats
  • Use the OpenSSH client key generation utility
  • Convert the public key to the proper format - version 6.x only
  • Create the authorization file on the server
  • Upload the converted public key to the server
  • Troubleshooting
  • Working with multiple hosts and key pairs—an example

Public key authentication overview

Public key authentication is one way a server can authenticate a user. It requires a private and public key pair; the private key is located on the client, and the public key must be uploaded to the SSH server.

Note: If you are using the Reflection SSH Windows Server, you must have a local user account on the Windows server.

Key Formats

When a key pair is created on an SSH client, each key of the key pair—public and private—is written to a separate file in a particular format. The format generated by the OpenSSH client is not compatible with the format required by the Reflection SSH Windows Server. So, you must convert the public key to the proper format prior to uploading it to the SSH server.

Use the OpenSSH client key generation utility

Use the OpenSSH key generation utility to generate a key pair and convert the public key to the proper format. The steps vary depending on whether you use a default name (id_dsa or id_rsa) and location, or you use a non-default name or location when you generate a key pair:

Generate a key pair with a default name and location

When using public key authentication, the OpenSSH client by default looks for a private key named id_dsa or id_rsa in the $HOME/.ssh directory.

  1. On the system running the OpenSSH client, change directories to .ssh. If the .ssh directory does not exist, create it.
  2. Use the following command to create a key pair:
ssh-keygen -t <rsa or dsa>

Note: You must use the -t switch and specify a type, rsa or dsa. To see a list of available switches, use the command ssh-keygen -h, or check the man pages for more details.

The key generation utility will run for a few moments.

  3. Once the utility has generated the key pair, you are prompted to enter a file name and the path in which to save the key. Accept the default file name and path.
  4. You are then prompted to enter and confirm a passphrase. (For information about "Public Key Authentication with Empty Passphrases," see Technical Note 1915.)
  5. After entering a passphrase, the location and names of the private and public keys are displayed. For example:
Your identification has been saved in /export/home/user/.ssh/id_dsa.
Your public key has been saved in /export/home/user/.ssh/id_dsa.pub.
  6. Now that you have created the key pair, proceed to the section Convert the public key to the proper format - version 6.x only.

Generate a key pair with a non-default name or in a non-default location

If you create a key pair with a name other than id_dsa or id_rsa, or if you save a key pair to a non-default location, you must create an IdentityFile entry in the user-specific config file or in the global ssh_config file that points to your private key. Follow these steps:

  1. On the system running the OpenSSH client, change directories to .ssh. If the .ssh directory does not exist, create it.
  2. Use the following command to create a key pair:
ssh-keygen -t <rsa or dsa>

Note: You must use the -t switch and specify a type, rsa or dsa. To see a list of available switches, use the command ssh-keygen -h, or check the man pages for more details.

The key generation utility will run for a few moments.

  3. Once the utility has generated the key pair, you are prompted to enter a file name and the path in which to save the key. Enter the file name and path you want.
  4. You are then prompted to enter and confirm a passphrase. (For information about "Public Key Authentication with Empty Passphrases," see Technical Note 1915.)
  5. After entering a passphrase, the location and names of the private and public keys are displayed. For example:
Your identification has been saved in /export/home/user/.ssh/mykey.
Your public key has been saved in /export/home/user/.ssh/mykey.pub.

Note: If you store your keys in a non-default location, make sure that the directory is not accessible to anyone else, that is, that group and others have no permissions on it. Use a command like the following:

chmod 700 <path to directory containing keys>
  6. Once the key is generated, you must create an IdentityFile entry in either the user-specific config file or in the global ssh_config file.

In the user-specific config file: Typically, you will create the entry for the private key in the $HOME/.ssh/config file. Use the following command to create a file named config with the IdentityFile information as its content:

echo IdentityFile <full path to keyname> >> config

For example:

echo IdentityFile /export/home/user/.ssh/mykey >> config

This command will write the IdentityFile key word and the full path to the private key to the config file. If the config file does not exist, it will be created.

In the global ssh_config file: The global ssh_config file is typically located in the /etc/ssh directory. If you must create the IdentityFile entry in the global ssh_config file, use the following command:

echo IdentityFile <full path to keyname> >> ssh_config
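The steps above, gathered into shell functions as an added example (this is not code from the technical note or from Attachmate). The key directory and key name are whatever the caller passes; the sample values used in the comments are placeholders. add_identity_file differs from the plain echo >> config in the note in one respect: it skips the append when the identical line is already present, so repeating the procedure does not leave duplicate IdentityFile lines. dir_is_private is the check that goes with the chmod in the note.

```shell
#!/bin/sh
# Added example, not from the technical note: generate a key pair under a
# non-default name, keep the key directory private, and register the private
# key with an IdentityFile entry that is only ever added once.
# Directory and key name are taken from the caller; nothing here is fixed.

set -eu

# Append "IdentityFile <path>" to config file $1 unless that exact line is
# already present.  A bare "echo ... >> config" adds a duplicate every time
# it is run; this keeps the file clean when the procedure is repeated.
add_identity_file() {
    cfg=$1
    key=$2
    touch "$cfg"
    if ! grep -qxF "IdentityFile $key" "$cfg"; then
        printf 'IdentityFile %s\n' "$key" >> "$cfg"
    fi
}

# Return 0 when directory $1 grants nothing to group or others (mode 700),
# which is what "not accessible to anyone else" requires.  ls -ld output is
# parsed instead of stat so the check works on both GNU and BSD userlands.
dir_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Create the key directory with a private mode, generate the pair if it is
# not already there (ssh-keygen prompts for the passphrase, as in the note),
# and point the client at it.  Requires ssh-keygen on PATH.
# Example: generate_key "$HOME/.ssh" mykey
generate_key() {
    keydir=$1
    keyname=$2
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    if [ ! -f "$keydir/$keyname" ]; then
        ssh-keygen -t rsa -f "$keydir/$keyname"
    fi
    add_identity_file "$keydir/config" "$keydir/$keyname"
}
```

Source the file and run generate_key "$HOME/.ssh" mykey to perform the whole procedure; run dir_is_private "$HOME/.ssh" on its own to audit a directory that already exists.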

Convert the public key to the proper format - version 6.x only

In Reflection for Secure IT version 6.x, after you generate the key pair, you must convert the public key to the proper format prior to uploading it to the SSH server. Starting in version 7.0, this step is no longer needed.

Use the following command to convert the OpenSSH public key to IETF SECSH format, the format required by the Reflection SSH Windows or UNIX Server:

ssh-keygen -e -f <keyname>.pub > <keyname2>.pub

Note: It is advisable to give <keyname2>.pub a unique name to distinguish it from <keyname>.pub. For example:

ssh-keygen -e -f id_dsa.pub > id_dsa_secsh.pub
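To make clear what the conversion changes, here is the same transformation written out with plain shell tools, as an added example that is not part of the technical note. The OpenSSH public key file is a single line of the form <type> <base64 blob> [comment]; the IETF SECSH format (RFC 4716) keeps exactly the same base64 blob, wraps it to short lines and brackets it with BEGIN and END markers, with optional header lines such as Comment before the body. ssh-keygen -e remains the supported way to convert a real key; the second function is a quick well-formedness check for a converted file. The input file name and the 70-column wrapping (the width ssh-keygen uses; the RFC permits up to 72) are the only assumptions.

```shell
#!/bin/sh
# Added example, not from the technical note: the transformation behind
# "ssh-keygen -e", written out with plain shell tools so the two key formats
# can be compared, plus a well-formedness check for a converted file.
# Use ssh-keygen -e for real keys; this is for learning and for inspection.

set -eu

# Print the OpenSSH public key in file $1 ("<type> <base64> [comment]") in
# IETF SECSH (RFC 4716) format.  Returns 1 if the line has no key blob or
# the blob is not base64.
openssh_to_secsh() {
    line=$(head -n 1 "$1")
    rest=${line#* }
    if [ "$rest" = "$line" ]; then
        printf 'not an OpenSSH public key line: %s\n' "$line" >&2
        return 1
    fi
    blob=${rest%% *}
    comment=${rest#* }
    # With no comment field, ${rest#* } leaves $rest unchanged.
    if [ "$comment" = "$rest" ]; then
        comment=""
    fi
    if ! printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        printf 'key blob is not base64: %s\n' "$blob" >&2
        return 1
    fi
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    # RFC 4716 header lines are optional; ssh-keygen -e emits a Comment header.
    if [ -n "$comment" ]; then
        printf 'Comment: "%s"\n' "$comment"
    fi
    # Same base64 blob, wrapped at 70 columns like ssh-keygen (RFC 4716 allows 72).
    printf '%s\n' "$blob" | fold -w 70
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# Return 0 when file $1 has the SECSH begin/end markers and no body line
# longer than 72 characters.
secsh_is_wellformed() {
    head -n 1 "$1" | grep -qx -- '---- BEGIN SSH2 PUBLIC KEY ----' || return 1
    tail -n 1 "$1" | grep -qx -- '---- END SSH2 PUBLIC KEY ----' || return 1
    # Header lines contain ':'; base64 never does, so only body lines are measured.
    awk 'BEGIN { bad = 0 }
         !/^----/ && !/:/ && length($0) > 72 { bad = 1 }
         END { exit bad }' "$1"
}
```

A typical call is openssh_to_secsh id_dsa.pub > id_dsa_secsh.pub, followed by secsh_is_wellformed id_dsa_secsh.pub; the output should be line-for-line comparable with what ssh-keygen -e produces, apart from the wording of the Comment header.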

Create the authorization file on the server

An authorization file containing the converted key name must exist on the server. If it does not exist, you must create it. Follow these steps to create an authorization file:

  1. Using password authentication, make an SSH connection from the OpenSSH client to the Reflection SSH Windows or UNIX Server:
ssh <user>@<servername>
  2. From your home directory, change to the .ssh2 directory:
cd .ssh2

If the .ssh2 directory does not exist, create it:

mkdir .ssh2
  3. Use the following command to create a file named authorization with the Key information as its content:
echo Key <converted keyname>.pub >> authorization
  4. Disconnect your SSH connection.

Upload the converted public key to the server

  1. Make an SFTP connection using password authentication from the OpenSSH client to the system running Reflection SSH Windows or UNIX Server:
sftp <user>@<servername>
  2. From your home directory, change to the .ssh2 directory:
cd .ssh2
  3. Upload the converted public key:
put <converted keyname>.pub
  4. Disconnect.

Now, when you reconnect, key authentication should work.

Troubleshooting

If you have trouble connecting, check the troubleshooting suggestions listed below.

Verify that public key authentication is enabled

Public key authentication must be enabled on both the client and the server.

On the OpenSSH client for UNIX:

To verify that public key authentication is enabled on the client, you need to find the value for the PubkeyAuthentication setting. This setting can exist in two locations: the user's config file and the system-wide ssh_config file. An entry in the user's config file will override the same entry in the system-wide ssh_config file.

  • In the client's $HOME/.ssh/config file, verify that the entry PubkeyAuthentication yes is present. If the file or the setting does not exist, you can create them, or you can rely on the value set in the system-wide ssh_config file.
  • The location of the system-wide ssh_config file depends on the operating system and installation preferences. It may be located, for example, in the /etc/ssh directory. Once you locate the file, verify that the entry PubkeyAuthentication Yes exists.
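The precedence rule just described, as an added example that is not part of the technical note: the function reads the user-specific file first and the system-wide file second and reports the first value it finds, falling back to a default when neither file sets the option. Keywords are matched case-insensitively, as the ssh client does. The function does not evaluate Host or Match blocks, so it is a quick check rather than a full parser; the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the technical note: report the effective value of an
# ssh_config option given the user-specific file and the system-wide file.
# OpenSSH uses the first value it obtains, reading the user file before the
# system file, so an entry in the user file overrides the system-wide one.
# Host/Match blocks are not evaluated here.

set -eu

# usage: effective_option <keyword> <default> <user config> <system config>
# Keywords are matched case-insensitively, as ssh does; a missing file is
# treated like an empty one; comment lines do not match.
effective_option() {
    keyword=$1
    default=$2
    shift 2
    for cfg in "$@"; do
        [ -f "$cfg" ] || continue
        value=$(awk -v kw="$keyword" '
            tolower($1) == tolower(kw) { print $2; exit }' "$cfg")
        if [ -n "$value" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    printf '%s\n' "$default"
}

# Example: the client's effective PubkeyAuthentication setting, defaulting to
# yes when neither file mentions it (the ssh_config location is assumed).
# effective_option PubkeyAuthentication yes "$HOME/.ssh/config" /etc/ssh/ssh_config
```

On OpenSSH releases that support it, ssh -G <hostname> prints the fully resolved client configuration for that host, Host and Match blocks included, and is the authoritative way to confirm the value.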

On the Reflection SSH Windows Server:

Follow these steps to verify that public key authentication is enabled on the server:

  1. Click Start > Programs > WRQ Reflection > SSH Server Configuration.
  2. In the left pane under Server Settings, click User Authentication > Public Key.
  3. Verify that "Public key authentication" is set to Allow.

On the Reflection SSH UNIX Server:

The server configuration file, sshd2_config, generally located in /etc/ssh2/, should include the following entry:

AllowedAuthentications publickey

Verify that the public key was uploaded, converted, and entered into the authorization file

The public key should be present in the .ssh2 folder in the user's home directory or USERPROFILE directory. Verify that you transferred the converted public key, <converted keyname>.pub, to the server. Also, verify that the authorization file exists in this directory and contains a Key entry pointing to the converted public key file. The file name must match exactly.
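The three conditions in the paragraph above (file uploaded, file converted, Key entry matching the file name exactly) can be checked in one pass over the user's .ssh2 directory on the server. The following function is an added example and not part of the technical note; it takes the .ssh2 directory as its argument and, for every Key line in authorization, reports an entry whose file is missing or whose file is still in OpenSSH one-line format rather than SECSH. It also tolerates a trailing carriage return on each line, since an authorization file edited on Windows may carry one.

```shell
#!/bin/sh
# Added example, not from the technical note: audit a user's .ssh2 directory
# on the server side.  For every "Key <file>" line in the authorization file,
# confirm the named public key file is present and in SECSH format.
# Returns 0 when every entry resolves, 1 otherwise.  The directory is passed
# by the caller, e.g. check_authorization "$HOME/.ssh2".

set -eu

check_authorization() {
    dir=$1
    auth="$dir/authorization"
    if [ ! -f "$auth" ]; then
        printf 'missing %s\n' "$auth" >&2
        return 1
    fi
    bad=0
    # "|| [ -n "$line" ]" still processes a last line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip a trailing carriage return so a file edited on Windows parses.
        line=${line%$(printf '\r')}
        case $line in
            Key\ *) name=${line#Key } ;;
            *) continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            printf '%s: listed in authorization but not uploaded\n' "$name" >&2
            bad=1
        elif ! head -n 1 "$dir/$name" | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----'; then
            printf '%s: not in SECSH format (convert with ssh-keygen -e)\n' "$name" >&2
            bad=1
        fi
    done < "$auth"
    return $bad
}
```

Run it as the user whose login is failing, in that user's home directory: check_authorization "$HOME/.ssh2". A clean exit means the directory is consistent with the authorization file, and the problem lies elsewhere (client-side IdentityFile, server-side publickey setting).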

Working with multiple hosts and key pairs—an example

If you are working with multiple hosts and key pairs, each key requires a separate entry line in the appropriate file: config on the client, authorization on the server. The following example shows the required entries for Host A to connect to Hosts C or D, and for Host B to connect to Host C:

Host A config file (client):

IdentityFile /export/home/user/.ssh/id_dsa_1024_a
IdentityFile /export/home/user/.ssh/id_dsa_2048_a

Host B config file (client):

IdentityFile /export/home/user/.ssh/id_dsa_1024_b

Host C authorization file (server):

Key id_dsa_1024_a.pub
Key id_dsa_1024_b.pub

Host D authorization file (server):

Key id_dsa_2048_a.pub

Related Technical Notes
1915 How to Configure Authentication that Does Not Require User Input in F-Secure SSH Client for Windows
