Environment
Reflection for Secure IT Client or Server for UNIX
Situation
A remote sftp server is configured for public key authentication. When the Reflection for Secure IT (RSIT) sftp client is run with the "-o IdentificationFile" option, the connection fails.
(For additional details on how to configure public key authentication, please review the on-line documentation:
https://www.attachmate.com/documentation/rsit-unix-802/rsit-unix-guide/data/rsit_unix_clien_key_auth_pr.htm)
By default, the RSIT UNIX sftp client reads a file named "identification" from the .ssh2 directory under the user's home directory, for example /home/user1/.ssh2/identification. The identification file points to one private key file name, or to a list of them, one IdKey line per key. The names are resolved relative to the .ssh2 directory.
Example of the identification file's content:
IdKey PrivateKey1
If key authentication is configured correctly, and the private key was generated without a passphrase, the following command connects the client without prompting (note that a key without a passphrase is protected only by the permissions on its file):
sftp <RemoteUserId>@<RemoteSftpHost>
Additionally, the sftp client can be pointed at a different identification file with the "-o IdentificationFile" option. Using the above example, the command looks like this:
sftp -o IdentificationFile=/home/user1/.ssh2/identification <RemoteUserId>@<RemoteSftpHost>
If the default identification file lists more than one key, the client offers each key in turn until the server accepts one. Servers commonly cap the number of authentication attempts, so a long key list can be refused before the right key is reached. The "-o IdentificationFile" option makes it possible to offer one specific key only. In the following example, a second file named IdentFile1 is added to the .ssh2 directory:
Example of IdentFile1:
IdKey PrivateKey2
Example sftp command line syntax:
sftp -o IdentificationFile=/home/user1/.ssh2/IdentFile1 <RemoteUserId>@<RemoteSftpHost>
If the key pair was generated by RSIT's own ssh-keygen, no additional configuration is required. However, if the client was given an OpenSSH private key to use for the remote server, that key must first be converted to the key format RSIT reads, and the public key extracted from it. An identification file then has to be created that points to the converted private key, and restrictive permissions set on the files. Pointing the identification file at an unconverted OpenSSH key is the usual cause of the failure described above.
Resolution
To convert an OpenSSH private key:
On UNIX, cd to the directory where Reflection for Secure IT is installed and locate its ssh-keygen utility. Run it by full path so that the system's OpenSSH ssh-keygen, which interprets -O differently, is not picked up instead. Use it to convert the private key to the RFC 4716 (SSH2) key format that RSIT reads.
In this example the OpenSSH private key is named PrivateKey2 and is kept in the .ssh2 directory. (The "rename" steps are optional; they keep the original OpenSSH key under a distinct name and give the converted key the name the identification file will use.)
1. Convert the key. This writes the converted key as PrivateKey2.ssh2 and leaves the original file in place:
ssh-keygen -O PrivateKey2
2. Rename PrivateKey2 to PrivateKey2.openssh
3. Rename PrivateKey2.ssh2 to PrivateKey2
4. Run ssh-keygen -D to extract the public key from the converted private key. This public key is the one to install on the remote server for the account being used:
ssh-keygen -D PrivateKey2
5. Create an identification file in the .ssh2 directory that points to the key. It is called IdentFile1 in this example. Run the command inside .ssh2, because the key name is resolved relative to that directory:
echo "IdKey PrivateKey2" >> IdentFile1
6. Change the permissions to 600 for both PrivateKey2 and IdentFile1. The client expects these files to be readable only by their owner; protect the retained PrivateKey2.openssh copy the same way, or remove it:
chmod 600 PrivateKey2
chmod 600 IdentFile1
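The following script ties the steps above together (identification file pointing at a single key, conversion of an OpenSSH key with the Reflection ssh-keygen, permission check). It is an added example written for this article, not code shipped by Attachmate/Micro Focus or taken from the RSIT documentation. It assumes the Reflection ssh-keygen is found under RSIT_BIN (the default path below is a placeholder; set it to your installation), and it recognises key files only by their first line: the "-----BEGIN ... PRIVATE KEY-----" headers of OpenSSH keys and the "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" header of the SSH2 format that RSIT reads. The function names and the file layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the Reflection KB article: prepare a private key
# for the RSIT sftp client and build a one-key identification file for it.
# RSIT_BIN is an assumed location of the Reflection ssh-keygen; override it.
RSIT_BIN="${RSIT_BIN:-/usr/local/bin}"

# Print the permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Sniff the first line of a private key file: "openssh", "ssh2" (the
# RFC 4716 / SSH2 style that RSIT reads) or "unknown". Strips a stray CR
# from keys that were edited on Windows.
key_format() {
    header=$(head -n 1 "$1" | tr -d '\r')
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----"|\
        "-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            echo openssh ;;
        "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----")
            echo ssh2 ;;
        *)
            echo unknown ;;
    esac
}

# Convert an OpenSSH private key in place with the Reflection ssh-keygen
# (-O writes <key>.ssh2), keep the original as <key>.openssh, then derive
# the public key with -D. Refuses to run if the Reflection tool is absent,
# so the system's OpenSSH ssh-keygen (different -O semantics) is never used.
convert_openssh_key() {
    key="$1"
    [ -x "$RSIT_BIN/ssh-keygen" ] || { echo "RSIT ssh-keygen not found in $RSIT_BIN" >&2; return 1; }
    "$RSIT_BIN/ssh-keygen" -O "$key" || return 1
    mv "$key" "$key.openssh" || return 1
    mv "$key.ssh2" "$key" || return 1
    chmod 600 "$key.openssh"
    "$RSIT_BIN/ssh-keygen" -D "$key"
}

# Write an identification file naming exactly one private key. The key name
# is relative to the .ssh2 directory, which is how RSIT resolves IdKey lines.
write_identfile() {
    dir="$1"; identfile="$2"; keyname="$3"
    printf 'IdKey %s\n' "$keyname" > "$dir/$identfile" || return 1
    chmod 600 "$dir/$identfile"
}

# Return 0 if the file is mode 600 and owned by the caller, else report and return 1.
check_private_perms() {
    mode=$(file_mode "$1")
    if [ "$mode" != "600" ]; then
        echo "$1: mode $mode, expected 600" >&2
        return 1
    fi
    if [ ! -O "$1" ]; then
        echo "$1: not owned by the current user" >&2
        return 1
    fi
    return 0
}

# One key, one .ssh2 directory: convert if needed, lock down, write IdentFile.
setup_identity() {
    dir="$1"; keyname="$2"; identfile="$3"
    chmod 700 "$dir" || return 1
    case "$(key_format "$dir/$keyname")" in
        openssh) convert_openssh_key "$dir/$keyname" || return 1 ;;
        ssh2)    : ;;   # already in the format RSIT reads
        *)       echo "$dir/$keyname: unrecognised key format" >&2; return 1 ;;
    esac
    chmod 600 "$dir/$keyname" || return 1
    write_identfile "$dir" "$identfile" "$keyname" || return 1
    check_private_perms "$dir/$keyname" && check_private_perms "$dir/$identfile"
}
```

Usage, from a shell where RSIT_BIN points at the Reflection installation: `setup_identity /home/user1/.ssh2 PrivateKey2 IdentFile1`, then connect with `sftp -o IdentificationFile=/home/user1/.ssh2/IdentFile1 <RemoteUserId>@<RemoteSftpHost>`. The header sniff is what tells you whether step 1 of the procedure is needed at all; the permission check is the part to re-run after copying keys between hosts, since a copy made with cp or scp often arrives group- or world-readable.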