Environment
Situation
This technical note provides detailed instructions for setting up Secure Shell (SSH) public key authentication.
Resolution
Two options are described:
- In the first option, you use Reflection X Advantage to generate keys and use command line options to configure the server.
- In the second option, you use the Reflection FTP Client to generate and upload a key. The server configuration is handled automatically, and then you configure Reflection X Advantage to use the key pair.
Using Reflection X Advantage to Generate Keys
Use the following procedures to generate a key pair using Reflection X Advantage and configure your server to authenticate using the public key.
Note: The required key format and configuration details are different for different Secure Shell server types. To determine the server type running on your host, you can use the following command from a terminal window:
ssh -V
For example, the following command sequence shows that a Reflection for Secure IT server is running:
[joe@myhost ~]$ ssh -V
ssh: Reflection for Secure IT 8.0.0.71 on x86_64-redhat-linux-gnu (64-bit).
Generate a Key Pair and Export the Public Key
This procedure generates a new key pair and stores it in the Reflection X Advantage database. You will also export the public key of the key pair to upload to the server.
- Launch X Manager or X Manager for Domains.
- From the Tools menu, select Secure Shell User Keys.
- Click Generate.
- Enter a name for the key pair to be created, and configure the type and length.
- Enter a passphrase, or check the No passphrase box to connect without one.
- Click OK to generate the key. The key will appear in the list of available user keys.
- Select the key you just created and click Export.
- Select the key format used by your Secure Shell server.
- For Reflection, F-Secure, and SSH Corporation servers: Export to SecSH format.
- For OpenSSH servers: Export to OpenSSH format (the default).
- Click Export.
- Click Close to close the Secure Shell User Keys dialog box.
Note: By default X Manager and X Manager for Domains store user keys in the Reflection X Advantage Store. The database used for this key store is different in standalone and domain mode. If you use both applications and want to use the same key pair for both applications, you can configure an additional, shared key store on the local file system. To do this, open the Secure Shell User Keys dialog box, click the plus sign (+) next to User Key Sources, select Add Local Directory, and browse to select a local directory. Keys are saved to this location using OpenSSH format. If you need SecSH format you can generate the key first in the Reflection X Advantage store, then export it to the local directory. (This feature is available with Reflection X Advantage 4.0 and later.)
Review Your Secure Shell Authentication Settings
By default, Secure Shell connections first attempt to authenticate to your host using public key authentication. If public key authentication fails, Reflection X Advantage attempts keyboard interactive, then password authentication. (Both of these typically prompt you for your username and password.) These Secure Shell authentication settings are saved as part of your client definition. Use the following optional procedure to review or edit these settings.
- In X Manager or X Manager for Domains, under X Clients, select (or create) a definition to connect to your host. Confirm that "Connection method" is set to "Secure Shell."
- Click the Advanced button.
- Select the Authentication tab and review or edit the settings under User Authentication.
Note: If you have multiple keys configured, you will see the Select User Key dialog box when you connect using your client definition. Until your host is correctly configured, you need to click Cancel to reject all keys and move on to a password login. If some of your hosts use only password authentication, you may want to use the Authentication tab to disable public key authentication for these hosts to avoid seeing the Select User Key dialog box when you connect to these hosts.
Upload the Key to the Server
Before you can authenticate using a public key, you need to upload your public key to the server and configure the server to authenticate using that key. The steps for doing this depend on your server type.
Configure Connections to a Reflection for Secure IT, F-Secure, or SSH Corporation Server
- Open a command window on the system running the X Manager or X Manager for Domains. (Start > All Programs > Accessories > Command Prompt)
- Navigate to the folder location where you exported your public key. (The default is your Windows home folder. For example, c:\Users\joe.) Use a dir command to confirm that your public key is present, for example:
C:\Users\joe>dir *.pub
- Enter the command “sftp user@host” to connect to your host, replacing user and host with your values. For example:
C:\Users\joe>sftp joe@demohost
Enter your password on this host in response to the prompt.
- Enter “binary” to set the transfer format correctly. For example:
/home/joe> binary
Transfer mode set to binary
- Navigate to the .ssh2 directory. For example:
/home/joe> cd .ssh2
/home/joe/.ssh2>
(If the directory doesn’t already exist, enter “mkdir .ssh2” to create it, then navigate to it.)
- Enter “put filename.pub” to upload the new public key file, replacing filename with your key filename. For example:
/home/joe/.ssh2>put joeskey.pub
Transferring joeskey.pub
Uploaded C:\Users\joe\joeskey.pub to /home/joe/.ssh2/joeskey.pub
- Enter “quit” to exit the sftp connection. For example:
/home/joe/.ssh2>quit
Connection closed to demohost
C:\Users\joe>
- Enter “ssh user@host” to establish a terminal session, replacing user and host with your values. Enter your password to log on. For example:
C:\Users\joe>ssh joe@demohost
- Navigate to the .ssh2 directory, and use an ls command to confirm that your key is present. For example:
[joe@demohost ~]$ cd .ssh2
[joe@demohost .ssh2]$ ls *.pub
joeskey.pub
[joe@demohost .ssh2]$
- Enter the command “echo Key filename.pub >> authorization”, replacing filename with your key file name. This adds a line to the server's authorization file authorizing you to authenticate using this key. For example:
[joe@demohost .ssh2]$ echo Key joeskey.pub >> authorization
- Use the "cat" command to confirm the change to the authorization file. For example:
[joe@demohost .ssh2]$ cat authorization
Key joeskey.pub
- Enter “exit” to terminate the terminal session.
Configure Connections to an OpenSSH Server
- Open a command window on the system running the X Manager or X Manager for Domains. (Start > All Programs > Accessories > Command Prompt)
- Navigate to the folder location where you exported your public key. (The default is your Windows home folder. For example, c:\Users\joe.) Use a dir command to confirm that your public key is present, for example:
C:\Users\joe>dir *.pub
- Enter the command “sftp user@host” to connect to your host, replacing user and host with your values. For example:
C:\Users\joe>sftp joe@demohost
Enter your password on this host in response to the prompt.
- Enter “binary” to set the transfer format correctly. For example:
/home/joe> binary
Transfer mode set to binary
- Navigate to the .ssh directory. For example:
/home/joe> cd .ssh
/home/joe/.ssh>
(If the directory doesn’t already exist, enter “mkdir .ssh” to create it, then navigate to it.)
- Enter “put filename.pub” to upload the new public key file, replacing filename with your key filename. For example:
/home/joe/.ssh>put joeskey.pub
Transferring joeskey.pub
Uploaded C:\Users\joe\joeskey.pub to /home/joe/.ssh/joeskey.pub
- Enter “quit” to exit the sftp connection. For example:
/home/joe/.ssh>quit
Connection closed to demohost
C:\Users\joe>
- Enter “ssh user@host” to establish a terminal session, replacing user and host with your values. Enter your password to log on. For example:
C:\Users\joe>ssh joe@demohost
- Navigate to the .ssh directory, and use an ls command to confirm that your key is present. For example:
[joe@demohost ~]$ cd .ssh
[joe@demohost .ssh]$ ls *.pub
joeskey.pub
[joe@demohost .ssh]$
- Enter the command “cat filename.pub >> authorized_keys”, replacing filename with your key file name. This adds a line to the server's authorized_keys file authorizing you to authenticate using this key. For example:
[joe@demohost .ssh]$ cat joeskey.pub >> authorized_keys
- Enter “exit” to terminate the terminal session.
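The final step of both server procedures above (the "Key filename.pub" line in .ssh2/authorization for Reflection for Secure IT, F-Secure, and SSH Corporation servers, or appending the key to .ssh/authorized_keys for OpenSSH) is easy to get wrong by running it in the wrong directory, adding the key twice, or leaving the files readable by other users. The following added example, which is not part of this technical note or of any Attachmate product, is a server-side helper that performs that step for either server type, refuses a key in the wrong format for the chosen server, never adds a duplicate entry, and sets the private permissions OpenSSH expects. It assumes the exported public key has already been uploaded to the home directory with sftp; the key text, file names and the install_key function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the technical note: a server-side helper that
# performs the "authorization" / "authorized_keys" step for either server
# type idempotently and sets the permissions OpenSSH's StrictModes expects.
# Assumes the exported public key was already uploaded to $HOME with sftp.
set -eu

# install_key TYPE PUBFILE HOMEDIR
#   openssh: append the one-line key to HOMEDIR/.ssh/authorized_keys
#   secsh:   copy the key file into HOMEDIR/.ssh2 and add a "Key file.pub"
#            line to HOMEDIR/.ssh2/authorization
install_key() {
    srv=$1; pub=$2; home=$3
    [ -f "$pub" ] || { echo "no such key file: $pub" >&2; return 1; }
    case $srv in
        openssh)
            dir=$home/.ssh; auth=$dir/authorized_keys
            line=$(head -n 1 "$pub")
            # OpenSSH format is one line: "<keytype> <base64> [comment]"
            case $line in
                "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
                *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
            esac ;;
        secsh)
            dir=$home/.ssh2; auth=$dir/authorization
            # SecSH (RFC 4716) format is a block framed by BEGIN/END lines
            head -n 1 "$pub" | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' ||
                { echo "not a SecSH public key: $pub" >&2; return 1; }
            line="Key $(basename "$pub")" ;;
        *) echo "unknown server type: $srv" >&2; return 1 ;;
    esac
    # Key directory and authorization file must be private to the user;
    # OpenSSH refuses an authorized_keys that is group- or world-writable.
    mkdir -p "$dir"; chmod 700 "$dir"
    if [ "$srv" = secsh ] && [ ! -f "$dir/$(basename "$pub")" ]; then
        cp "$pub" "$dir/"
    fi
    touch "$auth"; chmod 600 "$auth"
    # Append only if this exact line is absent, so re-runs never duplicate.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}

# Demo on a constructed key in a scratch directory (no real key material).
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAEXAMPLEKEYDATA joe@demohost' > "$demo/joeskey.pub"
install_key openssh "$demo/joeskey.pub" "$demo"
install_key openssh "$demo/joeskey.pub" "$demo"   # second run is a no-op
cat "$demo/.ssh/authorized_keys"
```

On a real host, run it as the user who will log in, with HOMEDIR set to that user's home directory, after the sftp upload in the procedure above.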
Using the Reflection FTP Client to Generate and Upload Keys
An alternative approach to configuring public key authentication is to use the Reflection FTP Client. Attachmate products that include Reflection X Advantage on Windows also install the Reflection FTP Client by default. The FTP Client has the ability to generate key pairs, and also includes a key upload utility that automatically determines your server type, uploads the key to the correct location, and makes the necessary changes to the authorization file used by this server. Once this is done, you can configure Reflection X Advantage to authenticate using the key pair.
Generate a Key Pair and Upload the Public Key
- Start the Reflection FTP Client. (Start > All Programs > Attachmate Reflection > Reflection FTP Client)
- Click New to create a new site configuration.
- In the Add FTP Site panel, enter the host on which you run your X client, then click Next.
- In the Login Information pane, select User, then click Security.
- In the Security Properties dialog box, click the Secure Shell tab and select "Use Reflection Secure Shell."
- Click Configure to open the Reflection Secure Shell Settings dialog box.
- In the Reflection Secure Shell Settings dialog box, click the User Keys tab.
- Click the Generate button.
- In the User Key Generation dialog box, specify a key type and length and enter a passphrase, or check the No passphrase box to connect without one. Click Create.
- Specify a File name and location. (The private key is created using the name you specify. The public key is given the same name with a .pub extension.) Click Save. You should see a message saying that the key was successfully generated. Close this message box to return to the Reflection Secure Shell Settings dialog box.
- Click the Upload button. The "Upload to host" dialog box opens with your host name already entered. Click OK.
- Enter your user name and password on the host.
- Reflection determines the Secure Shell server running on your host and displays the folder and file edits that will be made. Click OK to accept these changes.
- Click OK to close the open dialog boxes. When you return to the Login information panel you can continue through the FTP Client site setup and test your connection. If you've connected successfully, you now have a key pair you can use in Reflection X Advantage.
Configure Reflection X Advantage to Use the Key Pair
Use this procedure to configure Reflection X Advantage to connect using a key pair you created and uploaded from the Reflection FTP Client.
- Launch the X Manager or X Manager for Domains.
- From the Tools menu, select Secure Shell User Keys.
- Next to the heading "User Key Sources" click the plus sign (+) and select "Add Local Directory."
- In the Directory field, enter or browse to the folder to which you saved the key pair from the FTP Client. (The default location is in your personal documents folder. For example: C:\Users\<username>\Documents\Attachmate\Reflection\.ssh.)
The User Keys list should update to show your private key name. The key pair is now available for use by Reflection X Advantage client connections. Click Close.
Note: If you prefer to store your keys in the Reflection X Advantage database, you can import keys created using the FTP Client (or any other application). To do this, in the Secure Shell User Keys dialog box, under User Key Sources select Reflection X Advantage Store. Click Import, then browse to the private key of your key pair.