Enabling DSA key-based authentication on UNIX and Linux® operating systems

You can use DSA key-based authentication as an alternative to simple password authentication.

About this task

Depending on whether ssh-keygen is available on the machine where Security Directory Integrator is installed, perform this task on one of the following machines.
  • If ssh-keygen is not installed or is unavailable on the machine where Security Directory Integrator is installed, perform this task on the managed resource.
  • If ssh-keygen is installed or available, perform this task on the machine where Security Directory Integrator is installed (preferred).

Procedure

  1. Use the ssh-keygen tool to create a key pair.
    1. Log in as the administrator user defined on the service form.
    2. Start the ssh-keygen tool.
      Issue the following command.
      [root@ps2372 root]# ssh-keygen -t dsa
    3. At the following prompt, accept the default or enter the file path where you want to save the key pair and press Enter.
      Generating public/private dsa key pair.
      Enter the file in which to save the key (/root/.ssh/id_dsa):
    4. At the following prompt, accept the default or enter the passphrase and press Enter.
      Enter the passphrase (empty for no passphrase): passphrase
    5. At the following prompt, confirm your passphrase selection and press Enter.
      Enter the same passphrase again: passphrase
      This is a sample of the system response:
      Your identification is saved in /root/.ssh/id_dsa.
      Your public key is saved in /root/.ssh/id_dsa.pub. 
      The key fingerprint is:
      9e:6c:0e:e3:d9:4f:37:f1:dd:34:fc:20:36:67:b2:94 root@ps2372.persistent.co.in
      Note: Although the ssh-keygen tool accepts a blank passphrase, the passphrase is required on the service form.
  2. Validate that the keys were generated.
    1. Issue the following commands.
       [root@ps2372 root]# cd /root/.ssh
       [root@ps2372 .ssh]# ls -l
      A sample system response is this message:
       -rwxr-xr-x 1 root root 736 Dec 20 14:33 id_dsa 
       -rw-r--r-- 1 root root 618 Dec 20 14:33 id_dsa.pub
    2. Issue the following command.
      [root@ps2372 .ssh]# cat id_dsa
      A sample system response is this message (the DEK-Info line names the cipher that protects the key file):
      -----BEGIN DSA PRIVATE KEY-----
      Proc-Type: 4,ENCRYPTED
      DEK-Info: DES-EDE3-CBC,32242D3525AEDC64
      (base64-encoded key material)
      -----END DSA PRIVATE KEY-----
    3. Issue the following command.
       [root@ps2372 .ssh]# cat id_dsa.pub 
      The response is the public key on a single line: the key type (ssh-dss in OpenSSH), the base64-encoded key, and the key comment, for example root@ps2372.persistent.co.in.
  3. Enable key-based authentication in the /etc/ssh directory on the SSH server.
    1. Ensure that the following lines exist in the sshd_config file:
      # Should we allow Identity (SSH version 1) authentication?
      DSAAuthentication yes

      # Should we allow Pubkey (SSH version 2) authentication?
      PubkeyAuthentication yes

      # Where do we look for authorized public keys?
      # If it doesn't start with a slash, then it is
      # relative to the user's home directory
      AuthorizedKeysFile .ssh/authorized_keys
    2. Restart the SSH server.
  4. Copy the id_dsa.pub public key file to the SSH server.
  5. If you have an existing authorized_keys file, edit it to remove any no-pty restrictions.
  6. Add the public key to the authorized_keys file from the $HOME/.ssh directory.
    Issue the command:
    [root@ps2372 .ssh]# cat id_dsa.pub >> authorized_keys
    Note: This command appends the DSA public key to the authorized_keys file, for example $HOME/.ssh/authorized_keys. If this file does not exist, the command creates it.
  7. Copy the id_dsa private key file to the client workstation where Security Directory Integrator is running.
  8. Restrict the private key file permissions. If the Security Directory Integrator server runs on UNIX or Linux, use chmod to set the permissions of the private key file to 600 (read and write for the owner only).
    Note:
    • Complete these steps. When you log in to the server from the client computer, you are prompted for the key passphrase instead of a user password.
    • If the installed ssh encrypts the private key file with the AES-128-CBC cipher, RXA cannot read the private key from the file, and RSA key-based authentication does not work. To support RSA key-based authentication, take one of the following actions:
      • Install an ssh that encrypts the private key file with the DES-EDE3-CBC cipher.
      • Install the RXA 2.3.0.9 package in your environment. RXA 2.3.0.9 supports the AES-128-CBC cipher.

        RXA 2.3.0.9 is included in the base release of Security Directory Integrator version 7.1.1, and is also available in Security Directory Integrator version 7.0 fix pack 8 and Security Directory Integrator version 7.1 fix pack 7.
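The procedure above as shell helpers, written here as an added example and not taken from the IBM documentation or from Security Directory Integrator: it generates the key pair (step 1), strips no-pty options and appends the public key (steps 5 and 6), sets mode 600 (step 8), and reads the DEK-Info cipher that the final note warns about. The file paths, the sample key header and the authorized_keys entries are constructed assumptions.

```shell
# Added example (not the IBM page's code): helpers for steps 1, 5, 6 and 8
# above plus the private-key cipher check from the final note. Sample values
# and paths are constructed.
set -eu

# Step 1: create the key pair non-interactively. The service form requires a
# passphrase, so one is passed in rather than left blank. Caveat: OpenSSH 7.0
# and later refuse ssh-dss user keys by default.
generate_dsa_keypair() {   # $1 = key path, $2 = passphrase
    ssh-keygen -t dsa -N "$2" -f "$1"
}

# Final note: RXA reads only private keys whose PEM DEK-Info line names
# DES-EDE3-CBC. Print the cipher named in the key file's DEK-Info line.
key_file_cipher() {        # $1 = private key file
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
}

# Steps 5 and 6: strip any no-pty option from existing authorized_keys entries,
# then append the public key (creating the file) unless it is already present.
install_pubkey() {         # $1 = public key file, $2 = authorized_keys path
    if [ -f "$2" ]; then
        sed 's/^no-pty,//; s/,no-pty,/,/; s/,no-pty / /; s/^no-pty //' "$2" \
            > "$2.tmp" && mv "$2.tmp" "$2"
    fi
    grep -qxF "$(cat "$1")" "$2" 2>/dev/null || cat "$1" >> "$2"
    chmod 600 "$2"
}

# Step 8: the private key must be readable only by its owner; print the mode.
set_private_key_perms() {  # $1 = private key file
    chmod 600 "$1"
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"   # GNU, then BSD stat
}

# Constructed private-key header in the format printed by "cat id_dsa" above;
# no real key material, only the PEM headers needed for the cipher check.
SAMPLE_KEY_HEADER='-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF
(key material omitted)
-----END DSA PRIVATE KEY-----'

# Offline demonstration on constructed files (no ssh-keygen needed).
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEY_HEADER" > "$WORK/id_dsa"
printf 'no-pty,from="198.51.100.7" ssh-dss AAAAB3sample old@host\n' > "$WORK/authorized_keys"
printf 'ssh-dss AAAAB3sample root@ps2372\n' > "$WORK/id_dsa.pub"
install_pubkey "$WORK/id_dsa.pub" "$WORK/authorized_keys"
echo "private key cipher: $(key_file_cipher "$WORK/id_dsa")"   # DES-EDE3-CBC
```

Call generate_dsa_keypair with the key path and the passphrase from the service form to perform step 1 on a machine that has ssh-keygen.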