Enabling DSA key-based authentication on UNIX and Linux® operating systems
You can use DSA key-based authentication as an alternative to simple password authentication.
About this task
Depending upon whether ssh-keygen is available on the machine where Security Directory Integrator is installed, perform this task on one of the following machines.
- If ssh-keygen is not installed or unavailable on the machine where Security Directory Integrator is installed, perform this task on the managed resource.
- If ssh-keygen is installed or available, prefer to perform this task on the machine where Security Directory Integrator is installed.
Procedure
- Use the ssh-keygen tool to create a key pair.
- Log in as the administrator user defined on the service form.
- Start the ssh-keygen tool. Issue the following command.
[root@ps2372 root]# ssh-keygen -t dsa
- At the following prompt, accept the default or enter the file path where you want to save the key pair and press Enter.
Generating public/private dsa key pair. Enter the file in which to save the key (/root/.ssh/id_dsa):
- At the following prompt, accept the default or enter the passphrase and press Enter.
Enter the passphrase (empty for no passphrase): passphrase
- At the following prompt, confirm your passphrase selection and press Enter.
Enter the same passphrase again: passphrase
This is a sample of the system response:
Your identification is saved in /root/.ssh/id_dsa.
Your public key is saved in /root/.ssh/id_dsa.pub.
The key fingerprint is this one:
9e:6c:0e:e3:d9:4f:37:f1:dd:34:fc:20:36:67:b2:94 root@ps2372.persistent.co.in
Note: Although the ssh-keygen tool accepts a blank passphrase, the passphrase is required on the service form.
- Validate that the keys were generated.
- Issue the following commands.
A sample system response is this message:
[root@ps2372 root]# cd /root/.ssh
[root@ps2372 .ssh]# ls -l
-rwxr-xr-x 1 root root 736 Dec 20 14:33 id_dsa
-rw-r--r-- 1 root root 618 Dec 20 14:33 id_dsa.pub
- Issue the following command.
A sample system response is this message:
[root@ps2372 .ssh]# cat id_dsa
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,32242D3525AEDC64
[encrypted private key body omitted]
-----END DSA PRIVATE KEY-----
- Issue the following command.
A sample system response is this message:
[root@ps2372 .ssh]# cat id_dsa.pub
ssh-dss [public key body omitted] root@ps2372.persistent.co.in
- Issue the following commands.
- Enable key-based authentication in the /etc/ssh directory on the SSH server.
- Ensure that the following lines exist in the sshd_config file:
# Should we allow Identity (SSH version 1) authentication?
DSAAuthentication yes
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes
# Where do we look for authorized public keys?
# If it doesn't start with a slash, then it is
# relative to the user's home directory
AuthorizedKeysFile .ssh/authorized_keys
- Restart the SSH server.
- Copy the id_dsa.pub file to the SSH server.
- If you have an existing authorized_keys file, edit it to remove any no-pty restrictions.
- Add the public key to the authorized_keys file in the .ssh directory of the user's home directory. Issue the command:
[root@ps2372 .ssh]# cat id_dsa.pub >> authorized_keys
Note: This command appends the DSA public key to the authorized_keys file, for example $HOME/.ssh/authorized_keys. If this file does not exist, the command creates it.
- Copy the id_dsa private key file to the client workstation where Security Directory Integrator is running.
- Set the private key file permissions. If the Security Directory Integrator server runs on UNIX or Linux, use chmod to set the private key permissions to 600.
- After you complete these steps, when you log in to the server from the client computer, you are prompted for the passphrase of the key instead of a user password.
Note:
- If the installed ssh encrypts the private key with the AES-128-CBC cipher (the cipher is named in the DEK-Info header of the id_dsa file), RXA cannot fetch the private key from the file, and RSA key-based authentication does not work. To support RSA key-based authentication, take one of the following actions:
- Install an ssh that uses the DES-EDE3-CBC cipher.
- Install the RXA 2.3.0.9 package in your environment. RXA 2.3.0.9 supports the AES-128-CBC cipher.
RXA 2.3.0.9 is included in the base release of Security Directory Integrator version 7.1.1, and is also available in Security Directory Integrator version 7.0 fix pack 8 and Security Directory Integrator version 7.1 fix pack 7.
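A post-procedure check for the steps above, added here as an example and not taken from the Security Directory Integrator documentation. It assumes POSIX sh with stat, grep and sed; make_samples builds constructed sample files (placeholder key bodies, not real key material) so the checks can be tried offline.

```shell
#!/bin/sh
# Added check for the DSA key procedure above (example code, not from the
# Security Directory Integrator docs). Verifies: private key present with
# mode 600 and encrypted with DES-EDE3-CBC rather than AES-128-CBC (the RXA
# caveat), an active "PubkeyAuthentication yes" in sshd_config, and the
# public key present in authorized_keys with no no-pty restriction.

# Cipher named in the PEM DEK-Info header of an encrypted private key.
key_cipher() { sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1"; }

# File mode as octal digits (GNU stat first, BSD stat as fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# 0 if the private key exists, is mode 600 and uses a cipher RXA can read.
check_private_key() {
    [ -f "$1" ] || { echo "missing private key $1"; return 1; }
    [ "$(file_mode "$1")" = 600 ] || { echo "$1 needs chmod 600"; return 1; }
    case "$(key_cipher "$1")" in
        DES-EDE3-CBC) return 0 ;;
        AES-128-CBC) echo "$1 is AES-128-CBC encrypted: needs RXA 2.3.0.9"; return 1 ;;
        *) echo "$1 has no recognised DEK-Info cipher"; return 1 ;;
    esac
}

# 0 if an uncommented "PubkeyAuthentication yes" line exists in sshd_config.
check_sshd_config() { grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1"; }

# 0 if the public key (type and blob) is in authorized_keys ($1) and no
# line there carries a no-pty restriction; $2 is id_dsa.pub.
check_authorized_keys() {
    grep -Fq "$(cut -d' ' -f1,2 "$2")" "$1" || { echo "public key not in $1"; return 1; }
    if grep -q 'no-pty' "$1"; then echo "$1 has a no-pty restriction"; return 1; fi
}

# Constructed sample files in directory $1; key bodies are placeholders,
# not real key material. $2 selects the private key cipher name.
make_samples() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        "DEK-Info: $2,0123456789ABCDEF" 'PLACEHOLDERKEYBODY' \
        '-----END DSA PRIVATE KEY-----' > "$1/id_dsa"
    chmod 600 "$1/id_dsa"
    echo 'ssh-dss AAAAPLACEHOLDER root@example' > "$1/id_dsa.pub"
    cat "$1/id_dsa.pub" > "$1/authorized_keys"
    printf '%s\n' '#PubkeyAuthentication no' 'PubkeyAuthentication yes' \
        'AuthorizedKeysFile .ssh/authorized_keys' > "$1/sshd_config"
}
```

After the procedure, run check_private_key, check_sshd_config and check_authorized_keys against the real id_dsa, sshd_config and authorized_keys files; make_samples only produces inputs for trying the checks.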