Generate and use an SSH key pair to use RSA-based private key authentication for passwordless SSH logins to any of the IBM® StoredIQ® nodes in your environment.
Before you begin
Complete this preparatory work:
- Make a list of the home directories of all users that you want to authenticate with SSH keys.
- If you want to add an extra layer of security, you can set a passphrase for the SSH key. Determine this passphrase beforehand.
About this task
In the following instructions, the sample user myibmuser is used. The respective home directory is /home/myibmuser. Complete the procedure on each IBM StoredIQ server where you want to set up SSH key authentication.
Procedure
- Log in to the IBM StoredIQ server, for example, the IBM StoredIQ AppStack.
- Create SSH key pairs for each user that you want to have SSH access to this server.
An SSH key pair consists of a private and a public key. To generate the key pair, issue the following command:
sudo -u myibmuser ssh-keygen -t rsa -b 4096 -C "myibmuser@example.local" -f /home/myibmuser/.ssh/id_rsa
Messages similar to the following ones are written to the console:
Generating public/private rsa key pair.
Created directory '/home/myibmuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/myibmuser/.ssh/id_rsa.
Your public key has been saved in /home/myibmuser/.ssh/id_rsa.pub.
The key fingerprint is:
c3:6b:19:da:75:a0:4a:ca:e0:0e:ba:c3:79:2c:6c:1a myibmuser@example.local
The key's randomart image is:
+--[ RSA 4096]----+
| |
| |
| . |
| . . . |
| . . S . . |
| . o o + * . |
|E + o o = |
|oX o . |
|*o+ |
+-----------------+
The first time that you create keys, the following files are created in the /home/myibmuser/.ssh/ directory:
- The id_rsa file, which is the private key. That is the key file that you distribute to those users that will be allowed to log in to the IBM StoredIQ server via SSH.
The private key allows access to the system. Therefore, keep this key file protected from unauthorized access.
- The id_rsa.pub file, which is the public key. This key file remains on the IBM StoredIQ server.
Consider saving a copy of the key files, because in each subsequent run of the ssh-keygen tool you are asked whether you want to overwrite the files. If you do, any previously generated key file is replaced and the previous key can no longer be used for authentication.
- Add the public key to the IBM StoredIQ server.
The authorized keys for each account are stored in their respective home directories. With this configuration, anyone with the private key can connect to this IBM StoredIQ host as myibmuser:
cat /home/myibmuser/.ssh/id_rsa.pub >> /home/myibmuser/.ssh/authorized_keys
- Transfer the private key (the id_rsa file) to a host that needs SSH access to the IBM StoredIQ server by using a secure copy tool such as scp.
- On the remote host, verify that key-based authentication works.
For example, on OS X, you can use the -i flag to specify the key:
ssh -i id_rsa myibmuser@storediqmachine.example.local
As a result, the prompt should change to something like this one:
[myibmuser@storediq ~]
- Disable password-based authentication in the SSH configuration.
- Display the default configuration for IBM StoredIQ by entering the following command:
grep -E '^PasswordAuthentication' /etc/ssh/sshd_config
This command should return PasswordAuthentication yes.
- Change the setting to no. Enter the following command:
sed -i '/^PasswordAuthentication/s/yes/no/g' /etc/ssh/sshd_config
- To verify the new setting, display the configuration once again:
grep -E '^PasswordAuthentication' /etc/ssh/sshd_config
This command should now return PasswordAuthentication no.
- Restart the OpenSSH daemon:
Now the IBM StoredIQ server no longer accepts passwords for SSH logins.
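The sed command in this procedure only rewrites an existing, uncommented PasswordAuthentication line; a stock sshd_config often carries just the commented default '#PasswordAuthentication yes', which the grep check then misses as well. The following POSIX sh helpers are an added example, not part of the IBM StoredIQ documentation: they set the option in all three cases (active line, commented line, no line), read back the value sshd actually honours, and append the public key without duplicating it on reruns. All paths are passed as arguments; the demo at the end works on a constructed temporary file, not on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not IBM StoredIQ code): idempotent sshd_config edit and
# authorized_keys append for the SSH key authentication procedure above.

# set_sshd_option FILE KEY VALUE
# Rewrites an active "KEY ..." or commented "#KEY ..." line as "KEY VALUE";
# appends "KEY VALUE" when no such line exists.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, which is the
# one sshd honours, or "unset" if the option is only commented out or absent.
get_sshd_option() {
    val=$(grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-unset}"
}

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Same effect as 'cat id_rsa.pub >> authorized_keys', but creates the .ssh
# directory with the permissions sshd requires and skips keys already present.
add_authorized_key() {
    pub=$1; auth=$2
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    touch "$auth"
    chmod 600 "$auth"
    grep -qxF "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# Demonstration on a constructed sample config with the commented default.
demo() {
    cfg=$(mktemp)
    printf '#PasswordAuthentication yes\nPort 22\n' > "$cfg"
    echo "before: PasswordAuthentication=$(get_sshd_option "$cfg" PasswordAuthentication)"
    set_sshd_option "$cfg" PasswordAuthentication no
    echo "after:  PasswordAuthentication=$(get_sshd_option "$cfg" PasswordAuthentication)"
    rm -f "$cfg"
}
demo
```

After editing the real file, run `sshd -t` to syntax-check the configuration before restarting the daemon, so a typo cannot lock you out of the host.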