Environment
Privileged User Manager 2.3.0
Situation
Configuring Attachmate Reflection for Secure IT 6.x for use with SSH Relay (Privileged User Manager)
SSH Relay is based on OpenSSH and therefore needs the keys to be in OpenSSH format.
Attachmate Reflection for Secure IT 6.x uses the Secsh key format.
Resolution
Configuring the SSH Relay Agent
1. On the SSH Relay Agent, create an RSA keypair using the ssh-keygen provided with OpenSSH.
Example:
ssh-Relay:~ # ssh-keygen -t rsa -f /root/.ssh/id_rsa_npum
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa_npum.
Your public key has been saved in /root/.ssh/id_rsa_npum.pub.
2. Copy and paste the contents of the newly generated private key (~/.ssh/id_rsa_npum) into the Credential Manager for the Remote 'Attachmate' host.
3. Copy the SSH Relay Agent public key to the remote Attachmate sshd host, into ~/.ssh2.
Configuring the NPUM agentless Attachmate Reflection for Secure IT 6.x host
1. On the NPUM agentless Attachmate hosts, convert the public key sent from the SSH Relay Agent into the Attachmate Reflection for Secure IT 6.x Secsh format with the following command:
attachmate:~ # ssh-keygen -e -f ~/.ssh2/id_rsa_npum.pub > ~/.ssh2/id_rsa_npum_secsh.pub
2. Add the converted public key file name to the authorization file.
Example:
attachmate:~ # vi ~/.ssh2/authorization
Key id_rsa_npum_secsh.pub
3. Edit the Attachmate sshd config (/etc/ssh2/sshd2_config) and enable the 'shell' keyword in the 'SessionRestricted' option.
Example:
SessionRestricted shell,exec,subsystem
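
The key conversion in step 1 above changes only the file wrapping, not the key itself, so the converted file can be checked against the original before it is listed in the authorization file. The following is an added example, not vendor or product code: it assumes the Secsh format is the RFC 4716 layout, the function names are hypothetical, and the sample key is constructed rather than real.

```python
import base64, hashlib, struct
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def _string(b):                      # SSH wire "string": 4-byte length + bytes
    return struct.pack(">I", len(b)) + b
def _mpint(n):                       # SSH wire "mpint" for a positive integer
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

# Constructed sample (not a real key): an ssh-rsa blob with a made-up modulus.
SAMPLE_BLOB = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) + 12345)
SAMPLE_OPENSSH = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@ssh-Relay"

def openssh_blob(line):
    """Raw key blob from a one-line OpenSSH public key (the id_rsa_npum.pub form)."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():   # blob carries its own type name
        raise ValueError("key type field does not match key blob")
    return blob

def to_secsh(line, comment="converted key"):
    """Re-wrap the same blob in Secsh (RFC 4716) form; lines stay under 72 chars."""
    b64 = base64.b64encode(openssh_blob(line)).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"

def secsh_blob(text):
    """Raw key blob from a Secsh file, skipping headers and their continuations."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    data, in_header = [], False
    for l in lines[1:-1]:
        if in_header or ":" in l:         # header line, or continuation of one
            in_header = l.endswith("\\")
        else:
            data.append(l)
    return base64.b64decode("".join(data), validate=True)

def fingerprint(blob):                    # OpenSSH-style SHA256 fingerprint
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def same_key(openssh_line, secsh_text):
    return openssh_blob(openssh_line) == secsh_blob(secsh_text)

if __name__ == "__main__":
    print(same_key(SAMPLE_OPENSSH, to_secsh(SAMPLE_OPENSSH)), fingerprint(SAMPLE_BLOB))
```

Comparing the fingerprint of both files on the Attachmate host confirms that the key named in ~/.ssh2/authorization is the one generated on the SSH Relay Agent.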