Enabling RSA key-based authentication on UNIX and Linux® operating systems
You can use RSA key-based authentication as an alternative to simple password authentication.
About this task
Depending on whether ssh-keygen is available on the machine where Security Directory Integrator is installed, perform this task on one of the following machines.
- If ssh-keygen is not installed or unavailable on the machine where Security Directory Integrator is installed, perform this task on the managed resource.
- If ssh-keygen is installed or available on the machine where Security Directory Integrator is installed, perform this task on that machine. This is the preferred option, because the private key then never has to be copied between machines.
Procedure
- Use the ssh-keygen tool to create a key pair.
- Log in as the administrator user defined on the service form.
- Start the ssh-keygen tool. Issue the following command.
mydesktop$ ssh-keygen -t rsa
- At the following prompt, accept the default or enter the file path where you want to save the key pair and press Enter.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa):
- At the following prompt, enter a passphrase and press Enter. The passphrase is not echoed.
Enter passphrase (empty for no passphrase): passphrase
- At the following prompt, confirm your passphrase selection and press Enter.
Enter same passphrase again: passphrase
This example is a sample of the system response:
Your identification has been saved in /home/root/.ssh/id_rsa.
Your public key has been saved in /home/root/.ssh/id_rsa.pub.
The key fingerprint is:
2c:3f:a4:be:46:23:47:19:f7:dc:74:9b:69:24:4a:44 root@ps701
Note: Although the ssh-keygen tool accepts a blank passphrase, the passphrase is required on the service form.
- Validate that the keys were generated.
- Issue the following commands.
mydesktop$ cd $HOME/.ssh
mydesktop$ ls -l
A sample system response is:
-rw------- 1 root root 883 Jan 21 11:52 id_rsa
-rw-r--r-- 1 root root 223 Jan 21 11:52 id_rsa.pub
The private key (id_rsa) must be readable only by its owner (mode 600); the public key (id_rsa.pub) can be world-readable.
- Issue the following command.
mydesktop$ cat id_rsa
A sample system response is:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0

GuIQh4EdIp2DY1KfgB3eHic1InCG5VC9/dumHd7AqEnlo241fRuIo8zgO87GV+tk
cvKd/pPCGhmyCZy/are0wZt3KLYWUyoN7i+8H2Khk8LmaspD6Tx309VHTfCyoJsu
jtuR5c4HbcRtOYhMByHEqllEst1azzlIrO75Qj5cUG01K1MbdTeXq1xUGjo97s+V
gEOokMQ+JmaJD9lrbiMz4wjWRtREjHfc1VYTA+ZE1W3HT3PfrjCnHm9RKKFaA6kM
fPInefQgdzhCa0mCz+HOKJfkpfPh8ufGM9Jfb99VjZdI77LHeNN4VqeQ/VyPH7pn
wp7GbEJ8g6iX4BWUWpXUVStfYNQTV8Dis7ayZtr3g/o+AKnh/dGnk1SHHNFgUUFf
/+E0EXMokHSqqOzwf4t8xp4upnnS/7ag5MIVcU5/iWGW4sDEw7xfB25zD4lbvVK5
kSZeWLgm79wMipKP90iEELPqO6cS2yPXd+ADfHs7FWPQW0UYGFeMnHa/tlglO5Px
o7ek2iR57mazmx33cofIX6E/ZI9XLysp5TR6Npq1x8KCv2Dk2x3QSH8F54EQmQ2+
5uDsPA9Hg1B+agkBh/1g3tfevT01cCtUkQGl2ubhrNGB2SiiyKgw9Ks0AL3TO0ul
D69D18r6Y6s3pHQ9LYAs6EIq3/5dqNYW8eLQ5eINUIlHBp9ep8+quyqSfB3qPCBW
Db+qI09pYhkTrGBD8l5eQqs1T1h2gJsY2yyYV/Cp2m4fI+uHItCgSlkPROnj27Xh
p6HAPaFA0zWOz1lmVNYhTbJZlbbwYyf/OKmYuOklSuQ=
-----END RSA PRIVATE KEY-----
The Proc-Type and DEK-Info header lines show that the key is passphrase-protected and which cipher protects it (here DES-EDE3-CBC). That cipher name is what decides whether RXA can read the key; see the note on cipher support at the end of this task. Displaying the private key writes it to your terminal scrollback and to any session log, so inspect only the header lines if the terminal is shared or recorded.
- Issue the following command.
mydesktop$ cat id_rsa.pub
A sample system response is:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9xjGJ+8DLrxSQfVxXYUx4lc9copCG4HwD3TLO5ifezBQx0e9UnIWNFi4Xan3S8mYd6L+TfCJkVZ+YplLAe367/vhc1nDzfNRPJ95YnATefjYEa48lElu7uq1uofM+sZ/b0p7fIWvIRRbuEDWHHUmneoX8U/ptKFZzRpb/vTE6nE= root@ps0701
The public key is a single line: the key type, the base64-encoded key, and a comment. This line, unbroken, is what is later added to the authorized_keys file on the SSH server.
- Enable key-based authentication in the /etc/ssh directory on the SSH server.
- Ensure that the following lines exist in the sshd_config file:
# Should we allow Identity (SSH version 1) authentication?
RSAAuthentication yes
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes
# Where do we look for authorized public keys?
# If it doesn't start with a slash, then it is
# relative to the user's home directory
AuthorizedKeysFile .ssh/authorized_keys
Note: RSAAuthentication applies only to SSH protocol 1. OpenSSH releases that no longer support protocol 1 ignore that keyword (newer versions log a deprecation warning for it); PubkeyAuthentication yes is the setting that enables RSA key-based authentication for protocol 2, and it is the default. sshd uses the first uncommented occurrence of a keyword in sshd_config and ignores later ones, so check that no earlier line sets PubkeyAuthentication no.
- Restart the SSH server.
- Copy the id_rsa.pub public key file to the SSH server, for example into the home directory of the administrator user.
- If you have an existing authorized_keys file, edit it to remove any no-pty restrictions.
- Add the public key to the authorized_keys file in the $HOME/.ssh directory. From that directory, issue the following command (the example assumes that id_rsa.pub was copied to the home directory, one level up).
ssh-server$ cat ../id_rsa.pub >> authorized_keys
Note: This command appends the RSA public key to the authorized_keys file, for example $HOME/.ssh/authorized_keys. If this file does not exist, the command creates it. Keep the $HOME/.ssh directory at mode 700 and authorized_keys at mode 600, both owned by the user: with its default setting StrictModes yes, sshd refuses to use an authorized_keys file or .ssh directory that is group- or world-writable, and the login falls back to password authentication with the reason visible only in the server's authentication log.
- Copy the id_rsa private key file to the client workstation where Security Directory Integrator is running. Use a secure channel such as scp, and delete any intermediate copies.
- Set the private key ownership and permissions. If the Security Directory Integrator server runs on UNIX or Linux, make the file owned by the user that runs Security Directory Integrator and use chmod to set the private key permissions to 600.
Note:
- When you complete these steps and log in to the server from the client computer, you are prompted for the passphrase of the key instead of a user password.
- If the installed ssh encrypts the private key file with the AES-128-CBC cipher (the DEK-Info line in the key file then reads AES-128-CBC instead of DES-EDE3-CBC), RXA cannot read the private key from the file, and RSA key-based authentication does not work. To support RSA key-based authentication, take one of the following actions:
- Install an ssh that encrypts the private key file with the DES-EDE3-CBC cipher.
- Install the RXA 2.3.0.9 package in your environment. RXA 2.3.0.9 supports the AES-128-CBC cipher.
RXA 2.3.0.9 is included in the base release of Security Directory Integrator version 7.1.1, and is also available in Security Directory Integrator version 7.0 fix pack 8 and Security Directory Integrator version 7.1 fix pack 7.
Note: OpenSSH 7.8 and later save new private keys in their own OpenSSH format by default (the file begins with -----BEGIN OPENSSH PRIVATE KEY-----) rather than the PEM format shown in this task. On those versions, generate the key with the -m PEM option of ssh-keygen to obtain a PEM-format file; a passphrase-protected PEM key written by these versions is encrypted with AES-128-CBC, so it requires RXA 2.3.0.9 or later.
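As an added example, not code from this documentation or from the product, the following POSIX shell helpers perform the checks that the procedure above relies on. key_file_format reads the DEK-Info header that an encrypted PEM private key carries (the cipher name on that line is what the RXA note above turns on) and also recognizes the newer OpenSSH key format; key_mode_is_600 verifies the private key mode; sshd_pubkey_enabled reports the effective PubkeyAuthentication value using sshd's first-match rule; add_authorized_key appends a public key line once and sets the modes sshd's StrictModes expects. The function names, the output labels, and the file name keycheck.sh are this example's own choices; the paths in the usage comments are the ones used in the procedure.

```shell
#!/bin/sh
# Added example, not part of the Security Directory Integrator documentation.
# Helpers for the checks made while following the RSA key-based authentication
# procedure. File names are arguments; nothing here touches /etc/ssh or ~/.ssh
# unless you pass those paths. Assumes OpenSSH-style key and config files.

# key_file_format FILE
# Prints what the private key file's header says about it. An encrypted legacy
# PEM key records its cipher on the "DEK-Info: <cipher>,<iv>" line.
#   pem-des-ede3-cbc  legacy PEM, 3DES-encrypted (readable by RXA before 2.3.0.9)
#   pem-aes-128-cbc   legacy PEM, AES-128-CBC-encrypted (needs RXA 2.3.0.9)
#   pem-unencrypted   legacy PEM without a passphrase (the service form needs one)
#   openssh           new OpenSSH format, not the PEM format this task expects
key_file_format() {
    case "$(head -n 1 "$1")" in
        *"BEGIN OPENSSH PRIVATE KEY"*) echo openssh; return 0 ;;
        *"BEGIN RSA PRIVATE KEY"*) ;;
        *) echo unknown; return 1 ;;
    esac
    dek=$(sed -n 's/^DEK-Info: *\([^,]*\),.*$/\1/p' "$1")
    case "$dek" in
        DES-EDE3-CBC) echo pem-des-ede3-cbc ;;
        AES-128-CBC)  echo pem-aes-128-cbc ;;
        "")           echo pem-unencrypted ;;
        *)            echo "pem-other:$dek" ;;
    esac
}

# key_mode_is_600 FILE
# True when the mode is exactly rw-------. ls output is portable where stat's
# format flags are not; an ACL/SELinux marker in column 11 is ignored.
key_mode_is_600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# sshd_pubkey_enabled SSHD_CONFIG
# Prints the effective PubkeyAuthentication value. sshd uses the first
# uncommented occurrence of a keyword and ignores later ones; the default is
# yes. (The keyword match here is case-sensitive; sshd's is not.)
sshd_pubkey_enabled() {
    v=$(sed -n 's/^[[:space:]]*PubkeyAuthentication[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    echo "${v:-yes}" | tr 'A-Z' 'a-z'
}

# add_authorized_key PUBKEY_FILE SSH_DIR
# Appends the first line of PUBKEY_FILE to SSH_DIR/authorized_keys unless it is
# already present, then applies the modes sshd's StrictModes requires
# (directory 700, file 600). Prints how many times the key is now listed (1).
add_authorized_key() {
    pub="$1"; dir="$2"; auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -e "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    key=$(head -n 1 "$pub")
    if ! grep -Fqx -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    grep -Fcx -- "$key" "$auth"
}

# Usage: sh keycheck.sh <function> [args], for example
#   sh keycheck.sh key_file_format /home/root/.ssh/id_rsa
#   sh keycheck.sh key_mode_is_600 /home/root/.ssh/id_rsa && echo "mode ok"
#   sh keycheck.sh sshd_pubkey_enabled /etc/ssh/sshd_config
#   sh keycheck.sh add_authorized_key "$HOME/id_rsa.pub" "$HOME/.ssh"
if [ "$#" -gt 0 ]; then
    "$@"
fi
```

Run key_file_format on the copied id_rsa before configuring the service: a result of pem-aes-128-cbc means the key needs RXA 2.3.0.9 or later, and openssh means the key must be regenerated in PEM format. The file can also be sourced into an interactive shell to call the functions directly.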