Attachmate Worldwide  |   Contact Us  |   NetIQ.com
Home » Support » Solution Library

Technical Notes

Public Key Authentication for Reflection or F-Secure SSH UNIX Client and OpenSSH Server
Technical Note 1932
Last Reviewed 09-May-2005
Applies To
Reflection for Secure IT UNIX Client version 6.0 or higher
F-Secure SSH Client for UNIX version 5.x
OpenSSH Server
Summary

This technical note describes the steps you must follow to use public key authentication when connecting from a Reflection or F-Secure SSH UNIX Client to an OpenSSH server. You will use the key generation utility to generate a key pair. You will upload the public key to the server and then convert the public key to the proper format. Troubleshooting tips are also included.

This technical note is organized into the following sections:

Public Key Authentication Overview
Using the Key Generation Utility
Creating the identification file on the client
Uploading the Public Key to the Server
Converting the public key
Troubleshooting
Setting server permissions
Verify that public key authentication is enabled
Verify that the public key was uploaded and converted properly

Public Key Authentication Overview

Public key authentication is one way a server can authenticate a user. It requires a private and public key pair; the private key is located on the client, and the public key must be uploaded to the OpenSSH server and converted to the proper format. In addition to the keys, specific files must exist in the user's .ssh2 directory on the client and in the user's .ssh directory on the server. If the files don’t exist, you must create them.

The process of generating keys, converting keys, and creating files is outlined below.

Using the Key Generation Utility

Use the Reflection or F-Secure SSH key generation utility to generate a key pair.

  1. Open a terminal window on the UNIX system with the Reflection or F-Secure SSH client.
  2. Use the following command to create a key pair:
ssh-keygen2

Note: To get a list of available switches, use the command ssh-keygen2 -h, or check the man pages for more details.

The key generation utility will run for a few moments. Once the utility has generated the key pair, you are prompted to enter and confirm a passphrase.

After entering a passphrase, the location and names of the private and public keys are displayed. For example:

Private key saved to /home/username/.ssh2/id_dsa_2048_a
Public key saved to /home/username/.ssh2/id_dsa_2048_a.pub

Creating the identification file on the client

The identification file contains pointers to the private key files that may be used for public key authentication. Follow these steps to create the identification file for the private key on the client:

  1. Change directories to the .ssh2 directory in your home directory.
  2. Use the following command to create a file named identification with the IdKey information as its contents:
echo IdKey <keyname> >> identification

For example:

echo IdKey id_dsa_2048_a >> identification

This command writes the IdKey key word and the name of the file containing the private key to the identification file. If the identification file does not exist, it will be created.

Uploading the Public Key to the Server

Once the key pair is created, upload the public key to the server. When transferring the key, be sure to use binary mode.

  1. Use the command sftp2 user@host to connect to the OpenSSH server using password authentication (the default).
  2. Change directories to the .ssh directory in your home directory.
cd .ssh

Note: If the .ssh directory does not exist in the /$HOME directory, create it.

  1. Transfer the public key file you just created (using the Reflection or F-Secure SSH UNIX Client) to the OpenSSH Server by using this command:
put <keyname>.pub

Replace <keyname>.pub with the name of the public key you created, for example:

put id_dsa_2048_a.pub
  1. Use the quit command to close the sftp2 connection.

Converting the public key

The public key format supported by OpenSSH servers is OpenSSH, which is not compatible with Reflection's or F-Secure's default public key format.

Now that you have uploaded the public key to the OpenSSH server, you must convert the public key format from SecSH (the format generated by the Reflection or F-Secure SSH client) to OpenSSH (the format supported by OpenSSH servers) and write it to the authorized_keys file. To do this, follow these steps:

  1. Use the command ssh2 user@host to establish a terminal session using password authentication to connect to the OpenSSH server.
  2. On the command line, change to the .ssh directory in your user account.
cd .ssh
  1. Use the following command to convert the key to OpenSSH format and append the key to the authorized_keys file. Replace <keyname>.pub with the name of your public key:
ssh-keygen –i -f <keyname>.pub >> authorized_keys

For example:

ssh-keygen –i –f id_dsa_2048_a.pub >> authorized_keys

Note: Use the >> symbol to append to the authorized_keys file. The > symbol will overwrite the file contents. If the authorized_keys file does not exist, it will be created.

Command switches used:

    -i
    		Convert IETF SecSH to OpenSSH key file
    -f filename
    		Filename of the key file

You should now be able to connect with SSH, SFTP, or SCP from the UNIX system running the client to the UNIX system running the server without being prompted for a password.

Troubleshooting

If you have trouble connecting, check the troubleshooting suggestions listed below.

Setting server permissions

Verify that the file permissions on the server are configured properly. Setting the $HOME/.ssh directory to 744 and the authorized_keys file to 600 will allow key authentication to work. For more information about permissions, see Technical Note 1178: Understanding UNIX and NFS Permissions.

Verify that public key authentication is enabled

On the F-Secure SSH Client for UNIX:

Check the .ssh2 directory in the user's home directory for an ssh2_config file. If it exists, verify that the following entry is in the Authentication section:

AllowedAuthentications publickey

If the ssh2_config file does not exist in the user's home directory, check the /etc/.ssh2 directory for the ssh2_config file. Verify that the following entry is in the Authentication section:

AllowedAuthentications publickey

On the OpenSSH server:

Verify that the server configuration file, sshd_config, includes the following entries:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Verify that the public key was uploaded and converted properly

The public key should be uploaded to the user's .ssh directory on the OpenSSH server. Verify that the public key was converted into the authorized_keys file. The authorized_keys file should have an entry similar to the following:

ssh-dssAAAB3NzaC1kc3AABPQw3crMJVmbPycSrB2EMkg3UGdszKZZFugHO34u+oExY4G6
Related Technical Notes
1178 Understanding UNIX and NFS Permissions
1915 How to Configure Authentication that Does Not Require User Input in F-Secure SSH Client for Windows

Did this technical note answer your question?

Yes    No    Somewhat     Not sure yet

Additional comments about this tech note:

Need further help? For technical support, please contact Support.